From owner-freebsd-questions@FreeBSD.ORG Sun Jan 15 22:14:43 2006
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A50916A41F for ; Sun, 15 Jan 2006 22:14:43 +0000 (GMT) (envelope-from chris@i13i.com)
Received: from admin.i13i.com (admin.i13i.com [66.90.92.83]) by mx1.FreeBSD.org (Postfix) with SMTP id 2C77A43D48 for ; Sun, 15 Jan 2006 22:14:42 +0000 (GMT) (envelope-from chris@i13i.com)
Received: (qmail 16966 invoked from network); 15 Jan 2006 22:36:11 -0000
Received: from unknown (HELO webmail.i13i.com) (208.53.187.133) by admin.i13i.com with SMTP; 15 Jan 2006 22:36:11 -0000
Received: from 195.139.252.5 (proxying for 62.92.188.12) (SquirrelMail authenticated user chris@i13i.com) by webmail.i13i.com with HTTP; Sun, 15 Jan 2006 16:36:11 -0600 (CST)
Message-ID: <48440.195.139.252.5.1137364571.squirrel@webmail.i13i.com>
In-Reply-To: <1137361628.1a94f60SP373@student.apu.ac.uk>
References: <1137361628.1a94f60SP373@student.apu.ac.uk>
Date: Sun, 15 Jan 2006 16:36:11 -0600 (CST)
From: chris@i13i.com
To: SP373@student.apu.ac.uk
User-Agent: SquirrelMail/1.4.5
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: freebsd-questions@freebsd.org, northg@shaw.ca
Subject: Re: Rootkit detection
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 15 Jan 2006 22:14:43 -0000

Some NSPs, which are network service providers, use private IPs and will tend to give you those types of ARP messages if you are part of the network. I would say, if nothing seems different, either format and reinstall the damn thing or fix it. As to what I see, you don't have a rootkit, as rootkits don't change your IP; they just make a hole for a remote person to log in, mostly. If you are too concerned, try adding ipfw, pf or a router to your home network and format the BSD machine, as you've been asking here for some time.

> Hi again,
>
> Well, check this....
> The message in my /var/log/messages is:
> "kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"
>
> So, hmm, now that I am thinking of it again:
>
> "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"
>
> This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
> Someone more experienced maybe can make this clear. To be honest, I haven't seen the output you posted before...
>
> Sorry for the inconvenience if I was wrong before..
>
> Spiros
>
>> -----Original Message-----
>> From: Graham North
>> To: freebsd-questions@freebsd.org
>> Date: Sun, 15 Jan 2006 12:23:08 -0800
>> Subject: Rootkit detection
>>
>> I would like to determine if my server has had a rootkit installed by a hacker.
>> FBSD 4.11. Main entrances are only http, ssh and also webmin.
>>
>> My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:
>>
>> "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"
>>
>> The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>> ("server" is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)
>>
>> The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, i.e. sshd[86417].
>> My biggest concern is the message at the top of this email, "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"; it sounds scary.
>>
>> Can someone please give me some guidance as to how to determine whether my machine is compromised?
>> Thanks, Graham/
>>
>> --
>> Kindness can be infectious - try it.
>>
>> Graham North
>> Vancouver, BC
>> www.soleado.ca
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
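The two kernel ARP messages quoted in this thread can be pulled out of /var/log/messages and checked against an inventory of the MAC addresses you know are your own hardware. The following is an added example (not code from any poster): a POSIX sh/awk filter run over constructed sample log lines, with a constructed known-MAC list; both are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: flag the two FreeBSD ARP kernel messages seen in the thread
# and say whether the MAC involved is one you know belongs to your own gear.

# Constructed sample log lines (not taken from any poster's real host).
SAMPLE_LOG='Jan 15 12:01:02 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 15 12:05:44 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0
Jan 15 12:06:00 server sshd[86417]: Failed password for invalid user admin from 10.0.0.5 port 4422 ssh2'

# Constructed inventory of MACs belonging to your own machines (assumption).
KNOWN_MACS='00:13:8f:4c:1b:41 00:11:2f:0c:b1:0a'

# arp_alerts "<space-separated known MACs>" < logfile
# Prints CONFLICT for "is using my IP address" and MOVE for "moved from X to Y",
# each tagged known/UNKNOWN according to the MAC that now claims the address.
arp_alerts() {
    awk -v known="$1" '
    BEGIN {
        n = split(known, k, " ")
        for (i = 1; i <= n; i++) seen[tolower(k[i])] = 1
    }
    function tag(mac) { return (tolower(mac) in seen) ? "known" : "UNKNOWN" }
    / is using my IP address / {
        # ... arp: MAC is using my IP address IP[!]  (works with or without "arp:")
        for (i = 2; i <= NF; i++)
            if ($i == "is" && $(i+1) == "using") {
                mac = $(i-1); ip = $NF; sub(/!$/, "", ip)
                print "CONFLICT " ip " claimed by " mac " (" tag(mac) ")"
            }
        next
    }
    / moved from .* to .* on / {
        # ... arp: IP moved from OLDMAC to NEWMAC on IFACE
        for (i = 2; i <= NF; i++)
            if ($i == "moved" && $(i+1) == "from") {
                ip = $(i-1); oldmac = $(i+2); newmac = $(i+4); ifc = $(i+6)
                print "MOVE " ip " " oldmac " -> " newmac " on " ifc " (" tag(newmac) ")"
            }
        next
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | arp_alerts "$KNOWN_MACS"
```

On a real host feed the log with `arp_alerts "$KNOWN_MACS" < /var/log/messages`. An UNKNOWN tag only says the MAC is not in your list; that fits a plain address conflict or a neighbour's device as well as anything worse, so it is a prompt to look at the ARP table and auth logs, not a verdict.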