From: "SPYRIDON PAPADOPOULOS" <SP373@student.apu.ac.uk>
To: northg@shaw.ca
Cc: freebsd-questions@freebsd.org
Date: Sun, 15 Jan 2006 21:47:08 +0000
Subject: Re: Rootkit detection
Message-ID: <1137361628.1a94f60SP373@student.apu.ac.uk>
Hi again,

Well, check this... the message in my /var/log/messages is:

"kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"

So, hmm, now that I am thinking of it again:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"

This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same... Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...

Sorry for the inconvenience if I was wrong before..

Spiros

>-----Original Message-----
>From: Graham North
>To: freebsd-questions@freebsd.org
>Date: Sun, 15 Jan 2006 12:23:08 -0800
>Subject: Rootkit detection
>
>I would like to determine if my server has had a rootkit installed by a hacker.
>
>FBSD 4.11. Main entrances are only http, ssh and also webmin.
>
>My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:
>
>"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"
>
>The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>("server" is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)
>
>The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, i.e. sshd[86417].
>
>My biggest concern is the message at the top of this email "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it sounds scary.
>
>Can someone please give me some guidance as to how to determine whether my machine is compromised?
>
>Thanks, Graham/
>--
>Kindness can be infectious - try it.
>Graham North
>Vancouver, BC
>www.soleado.ca
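The two kernel ARP notices quoted in this thread are easy to triage automatically: the one thing that separates a harmless address change from something worth investigating is whether the new MAC is hardware you own. The script below is an added example, not code from either poster; the log excerpt and the `KNOWN_MACS` inventory are constructed, and the severity labels are my own convention.

```python
import re
from typing import Dict, List, Optional

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# The reply's line reads "arp:", the original poster's reads bare "arp"; accept both.
MOVED_RE = re.compile(
    rf"arp:? (?P<ip>{IP}) moved from (?P<old>{MAC}) to (?P<new>{MAC}) on (?P<iface>\w+)", re.I)
USING_RE = re.compile(
    rf"arp:? (?P<mac>{MAC}) is using my IP address (?P<ip>{IP})", re.I)

def classify(line: str, known_macs: Dict[str, str]) -> Optional[dict]:
    """Return a finding for a FreeBSD kernel ARP notice, or None for any other line.

    known_macs maps lowercase MAC -> label of hardware the admin owns. A MAC
    outside that inventory claiming one of our IPs is the case to escalate."""
    m = MOVED_RE.search(line)
    if m:
        mac = m.group("new").lower()
        known = mac in known_macs
        return {"kind": "moved", "ip": m.group("ip"), "mac": mac,
                "iface": m.group("iface"), "known": known,
                "severity": "info" if known else "warn"}
    m = USING_RE.search(line)
    if m:
        mac = m.group("mac").lower()
        known = mac in known_macs
        # Two of our own boxes sharing an address is a misconfiguration;
        # a foreign MAC answering for our address deserves an incident ticket.
        return {"kind": "conflict", "ip": m.group("ip"), "mac": mac,
                "iface": None, "known": known,
                "severity": "warn" if known else "alert"}
    return None

def triage(lines: List[str], known_macs: Dict[str, str]) -> List[dict]:
    """Run classify over a log excerpt and keep only the ARP findings."""
    return [f for f in (classify(l, known_macs) for l in lines) if f is not None]

# Constructed sample excerpt; the two ARP lines mirror those quoted in the thread.
SAMPLE_LOG = [
    "Jan 15 21:30:01 box kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0",
    "Jan 15 21:31:12 box kernel: rl0: link state changed to UP",
    "Jan 15 21:32:45 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102",
]
# Hypothetical hardware inventory kept by the administrator (constructed).
KNOWN_MACS = {"00:13:8f:4c:1b:41": "desktop nic", "00:11:2f:0c:b1:0a": "desktop nic (replaced)"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, KNOWN_MACS):
        print(finding["severity"].upper(), finding)
```

Run against the sample, the "moved" line comes back as info because both MACs are in the inventory, while the "is using my IP address" line from an unknown MAC is the alert that matches the original poster's concern.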