Date: Sun, 15 Jan 2006 21:26:04 +0000
From: "SPYRIDON PAPADOPOULOS" <SP373@student.apu.ac.uk>
To: northg@shaw.ca
Cc: freebsd-questions@freebsd.org
Subject: Re: Rootkit detection
Message-ID: <1137360364.1a943c0SP373@student.apu.ac.uk>
Hi there,

Graham North wrote:
>-----Original Message-----
>From: Graham North <northg@shaw.ca>
>To: freebsd-questions@freebsd.org
>Date: Sun, 15 Jan 2006 12:23:08 -0800
>Subject: Rootkit detection
>
>I would like to determine if my server has had rootkit installed by a
>hacker.
>FBSD 4.11. Main entrances are only http, ssh and also webmin.
>My server went down sometime recently. When I went to investigate there
>was a somewhat nasty message saying:
>"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
>192.168.0.102"

This message is suspicious! This is a message that appears after a successful ARP poisoning attack, which can then lead to a MITM (Man in the middle <-- type this in google for more info) attack.

If this is the case then all your unencrypted data to/from this host was available to the attacker in a human legible format (plain text). "Information leakage" is covered by Data Protection Laws (depending on the country your pc is in).

If the man in the middle attack was successful..then all your unencrypted passwords, e-mails, chats, searched strings in google, were available to such an attacker.

If this is the case then there is no need for installed software of any kind, in your computer.

There are more chances that it is someone from inside. First ask yourself if it is possible for people to connect laptops or other machines without your permission, to your LAN? Maybe this is why you don't know this MAC address. Also if you announce this event to everyone using your Network (is it a LAN we are talking about, behind the server?) you decrease the chances to catch the leaker.

I have tried such tools before but in my -->LAN<-- only, not against hosts in the internet. So i don't really know if this can occur and with what tools, but i find it very possible..
Also, in order not to panic, have in mind that data to/from your bank's account [online], for example, are/must be (almost for sure) encrypted with TLSv1/SSLv3 128bit encryption which is probably safe (hopefully) at the moment.

Of course some older encryption techniques can be decrypted with the right tools.

I am not expert in cryptography and decryption, but please check: http://ettercap.sourceforge.net to see what i mean.

>The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>("server" is a pseudonym for this email but is the machine name for the
>server on my home network - 192.68.0.102 is the LAN addr on my router)
>The auth log files have been rolled over several times in the last few
>weeks and I have not unzipped them yet to see if any entries were
>accepted but the most recent one is filled with unsuccessful attacks to
>sshd on high port numbers, ie sshd[86417].
>My biggest concern is the message at the top of this email "server
>/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it
>sounds scary.

It is cool...!

>Can someone please give me some guidance as to how to determine whether
>my machine is compromised?
>Thanks, Graham/
>--
>Kindness can be infectious - try it.
>Graham North
>Vancouver, BC
>www.soleado.ca
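An added example, not from the original post or from anyone in this thread: a small Python script that scans a FreeBSD syslog for the kernel message Graham quoted ("arp ... is using my IP address ...") and checks the claiming MAC against an inventory of the hardware the admin actually owns, which is what the advice above about unknown laptops on the LAN amounts to in practice. The sample log lines, the MAC inventory and the helper names (`parse_conflicts`, `summarize`, `unknown_claimants`) are constructed for this example; the only thing taken from the thread is the shape of the kernel message, and the regex also accepts the "arp:" spelling with a trailing "!" in case the quoted line was retyped by hand.

```python
"""Flag FreeBSD kernel ARP-conflict messages against a list of known MACs.

Added example for this thread (not code from the original post). The log
sample, the allowlist and the function names below are constructed.
"""
import re
from collections import defaultdict

# Matches the kernel message quoted in the thread. The colon after "arp" and
# the trailing "!" are optional so that a hand-retyped line still matches.
ARP_CONFLICT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"arp:? (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) is using my IP address "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})!?$",
    re.IGNORECASE,
)

# Constructed sample: two hits from an unknown MAC, one from a MAC we own
# (e.g. a second box of ours that grabbed the same address), plus an
# unrelated sshd line that must not match.
SAMPLE_LOG = """\
Jan 15 11:02:17 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 15 11:02:19 server sshd[86417]: Failed password for root from 10.0.0.7 port 51234 ssh2
Jan 15 11:05:40 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102
Jan 15 11:09:03 server /kernel: arp: 00:0d:93:aa:bb:cc is using my IP address 192.168.0.102!
"""

# Constructed inventory of hardware the admin owns (assumed, not from the post).
KNOWN_MACS = {"00:0d:93:aa:bb:cc", "00:50:ba:11:22:33"}


def parse_conflicts(log_text):
    """Return one dict per ARP-conflict line with ts, host, mac and ip."""
    hits = []
    for line in log_text.splitlines():
        m = ARP_CONFLICT.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            hits.append(d)
    return hits


def summarize(conflicts, known_macs):
    """Group conflicts by claiming MAC and mark whether that MAC is inventoried.

    A MAC that is not in known_macs is exactly the "does not belong to any of
    my hardware" case from the thread and deserves a look at who is on the LAN.
    """
    known = {m.lower() for m in known_macs}
    out = defaultdict(lambda: {"count": 0, "ips": set(), "known": False,
                               "first": None, "last": None})
    for c in conflicts:
        e = out[c["mac"]]
        e["count"] += 1
        e["ips"].add(c["ip"])
        e["known"] = c["mac"] in known
        e["first"] = e["first"] or c["ts"]
        e["last"] = c["ts"]
    return dict(out)


def unknown_claimants(summary):
    """Sorted list of MACs that claimed one of our IPs and are not inventoried."""
    return sorted(mac for mac, e in summary.items() if not e["known"])


if __name__ == "__main__":
    report = summarize(parse_conflicts(SAMPLE_LOG), KNOWN_MACS)
    for mac, e in sorted(report.items()):
        tag = "known hardware" if e["known"] else "UNKNOWN MAC - investigate"
        print(f"{mac}  {e['count']:>3} conflict(s)  ips={sorted(e['ips'])}  "
              f"{e['first']} .. {e['last']}  [{tag}]")
    print("unknown claimants:", unknown_claimants(report))
```

Run it against `/var/log/messages` (after `gunzip` of the rotated copies Graham mentions) by reading the file into `parse_conflicts`; an unknown MAC that repeatedly claims the server's own address is the case the reply above describes, while a known MAC usually points at an address collision on your own equipment rather than a third party.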