From: Graham North <northg@shaw.ca>
To: freebsd-questions@freebsd.org
Date: Sun, 15 Jan 2006 12:23:08 -0800
Subject: Rootkit detection
Message-id: <43CAAF2C.4080005@shaw.ca>
List-Id: freebsd-questions (User questions)
I would like to determine if my server has had a rootkit installed by a hacker. FBSD 4.11. Main entrances are only http, ssh and also webmin.

My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"

The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware. ("server" is a pseudonym for this email but is the machine name for the server on my home network - 192.168.0.102 is the LAN addr on my router.)

The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks on sshd on high port numbers, i.e. sshd[86417].

My biggest concern is the message at the top of this email, "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"; it sounds scary.

Can someone please give me some guidance as to how to determine whether my machine is compromised?

Thanks,
Graham
-- 
Kindness can be infectious - try it.
Graham North
Vancouver, BC
www.soleado.ca
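As an added example (not part of Graham's post and not a FreeBSD tool), here is a POSIX sh triage script for the two log signals the post mentions: the kernel's duplicate-address ARP warning in /var/log/messages, and sshd Accepted/Failed lines across the live auth.log plus the gzipped rotations newsyslog leaves behind (auth.log.0.gz, auth.log.1.gz, ...). Every log line, address and the scratch log directory it builds are constructed for the example; the function names (make_sample_logs, arp_conflicts, all_auth_lines, accepted_logins, failed_by_source) are the example's own. On a real host run it with LOGDIR=/var/log. Two caveats worth having before reading the output: the bracketed number in sshd[86417] is the process ID of the sshd child that handled the connection, not a port, so high values there say nothing about the attack; and "is using my IP address" means the kernel saw an ARP packet from another MAC claiming this host's address, which on a home LAN is most often a second device configured with the same address (or a DHCP lease handed out twice), although it is also exactly what ARP spoofing by another host on the segment looks like. Neither signal proves a rootkit; an Accepted login for root, or for an account from an address you do not recognise, buried in the rotated logs is the more direct evidence to look for.

```shell
#!/bin/sh
# Added example, not code from the original post: triage the two log
# signals mentioned in the post on a FreeBSD 4.11 host.
#   1. the kernel's "arp: <mac> is using my IP address <ip>!" warning
#      in /var/log/messages
#   2. sshd "Accepted" / "Failed" lines across auth.log and the gzipped
#      rotations newsyslog leaves behind (auth.log.0.gz, auth.log.1.gz, ...)
# All sample log lines, addresses and the scratch log directory are
# constructed for this example. On a real host: LOGDIR=/var/log sh triage.sh

# Build a constructed /var/log look-alike so the script runs offline.
make_sample_logs() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/messages" <<'EOF'
Jan 14 03:12:07 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 14 03:12:09 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 14 09:00:01 server newsyslog[123]: logfile turned over
EOF
    cat > "$dir/auth.log" <<'EOF'
Jan 15 10:01:02 server sshd[86417]: Failed password for illegal user admin from 203.0.113.7 port 53211 ssh2
Jan 15 10:01:05 server sshd[86419]: Failed password for root from 203.0.113.7 port 53214 ssh2
Jan 15 11:30:44 server sshd[86501]: Accepted password for graham from 192.168.0.5 port 49152 ssh2
EOF
    # An older, already-rotated log: the kind the poster has not unzipped yet.
    printf '%s\n' \
      'Jan 12 02:14:33 server sshd[80112]: Accepted password for root from 198.51.100.23 port 4022 ssh2' \
      'Jan 12 02:14:40 server sshd[80113]: Failed password for root from 198.51.100.23 port 4023 ssh2' \
      | gzip -c > "$dir/auth.log.0.gz"
}

# Duplicate-address ARP warnings: prints "<count> <mac> <ip>" per pair.
# Matches both "arp:" (what the kernel logs) and "arp" as quoted in the post.
arp_conflicts() {
    sed -n 's/.*arp:* \([0-9a-fA-F:]*\) is using my IP address \([0-9.]*\).*/\1 \2/p' \
        "$1/messages" | sort | uniq -c
}

# Number of such warnings (prints 0 instead of failing when there are none).
arp_conflict_count() {
    grep -c 'is using my IP address' "$1/messages" || true
}

# Stream every auth log line, oldest rotation first, then the live file.
all_auth_lines() {
    for f in $(ls -r "$1"/auth.log.*.gz 2>/dev/null) "$1/auth.log"; do
        case $f in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Successful ssh logins: the lines that matter when asking "did anyone
# get in", and exactly the ones the rotated logs may still hold.
accepted_logins() {
    all_auth_lines "$1" | grep 'sshd\[[0-9]*\]: Accepted' || true
}

accepted_count() {
    all_auth_lines "$1" | grep -c 'sshd\[[0-9]*\]: Accepted' || true
}

# Failed attempts grouped by source address, busiest first. The number in
# sshd[NNNNN] is the child process ID, so it is deliberately ignored here.
failed_by_source() {
    all_auth_lines "$1" \
        | sed -n 's/.*sshd\[[0-9]*\]: Failed .* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Demo against the constructed logs; set LOGDIR=/var/log on the real host.
LOGDIR=${LOGDIR:-$(mktemp -d)}
[ -f "$LOGDIR/messages" ] || make_sample_logs "$LOGDIR"
echo "== ARP duplicate-address warnings (count, MAC, IP) =="
arp_conflicts "$LOGDIR"
echo "== accepted ssh logins, all rotations =="
accepted_logins "$LOGDIR"
echo "== failed ssh attempts by source address =="
failed_by_source "$LOGDIR"
```

On the constructed data the script surfaces the thing the poster has not yet looked at: an Accepted login for root from an outside address in the rotated auth.log.0.gz, which would be far more alarming than the volume of failed attempts in the current file. For the rootkit question itself, remember that a host whose kernel or userland may have been replaced cannot be trusted to report on its own state, so anything found this way should be confirmed from a clean boot medium rather than from the running system.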