Date: Sun, 15 Jan 2006 16:36:11 -0600 (CST) From: chris@i13i.com To: SP373@student.apu.ac.uk Cc: freebsd-questions@freebsd.org, northg@shaw.ca Subject: Re: Rootkit detection Message-ID: <48440.195.139.252.5.1137364571.squirrel@webmail.i13i.com> In-Reply-To: <1137361628.1a94f60SP373@student.apu.ac.uk> References: <1137361628.1a94f60SP373@student.apu.ac.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Some NSP's which are network service providers use private ip's and will
tend to give you those type of arp msg's if your are part of the network i
would say if nothing seem different either format and reinstall the damn
thing or fix it as to what i see your dont have a root kit as root kits
dont change your ip they just make a hole for a remote person to login
mostly if you are too concerned try adding ipfw,pf or a router to your
home network and format the bsd machine as ou ben asking here for some
time.
> Hi again,
>
> Well check this....
> the message in my /var/log/messages is:
> "kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to
> 00:11:2f:0c:b1:0a on rl0"
>
> So Hmm now that i am thinking of it again:
>
> "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
> 192.168.0.102"
>
> This also looks like an IP conflict!! And it is not similar to mine, even
> if it can be the same...
> Someone more experienced maybe can make this clear. To be honest i haven't
> seen the output you posted before...
>
> Sorry for the inconvenience if i was wrong before..
>
> Spiros
>
>
>>-----Original Message-----
>>From: Graham North <northg@shaw.ca>
>>To: freebsd-questions@freebsd.org
>>Date: Sun, 15 Jan 2006 12:23:08 -0800
>>Subject: Rootkit detection
>
>>I would like to determine if my server has had >rootkit installed by a
>>hacker.
>>FBSD 4.11. Main entrances are only http, ssh and >also webmin.
>
>>My server went down sometime recently. When I went >investigate there
>>was a somewhat nasty message saying:
>
>>"server /kernel: arp 00:11:43:4a:8d:18 is using my
>>IP address
>>192.168.0.102"
>
>>The mac address 00:11:43:4a:8d:18 does not belong to >any of my hardware.
>>("server" is a pseudonymn for this email but is the >machine name for the
>>server on my home network - 192.68.0.102 is the LAN >addr on my router)
>
>>The auth log files have been rolled over several >times in the last few
>>weeks and I have not unzipped them yet to see if any >entries were
>>accepted but the most recent one is filled with >unsuccessful attacks to
>>sshd on high port numbers, ie sshd[86417].
>>My biggest concern is the message at the top of this >email "server
>>/kernel: arp 00:11:43:4a:8d:18 is using my IP >address 192.168.0.102", it
>>sounds scary.
>
>>Can someone give please me some guidance as to how >to determine whether
>>my machine is comprimised?
>>Thanks, Graham/
>
>>--
>>Kindness can be infectious - try it.
>
>>Graham North
>>Vancouver, BC
>>www.soleado.ca
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48440.195.139.252.5.1137364571.squirrel>