Date: Mon, 16 Jan 2006 00:20:21 -0800 From: Graham North <northg@shaw.ca> To: SP373@student.apu.ac.uk Cc: freebsd-questions@freebsd.org Subject: Re: Rootkit detection Message-ID: <43CB5745.7030904@shaw.ca> In-Reply-To: <1137361628.1a94f60SP373@student.apu.ac.uk> References: <1137361628.1a94f60SP373@student.apu.ac.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
--Boundary_(ID_mF4KDYSkIME4jbXRIl9+Ew) Content-type: text/plain; charset=UTF-8; format=flowed Content-transfer-encoding: 7BIT Hi Spyridon: Thank you for your replies. I was able to install the chkrootkit port and it seems to show the system as clean. To all other replies, thank you for your help also. Cheers, Graham/ SPYRIDON PAPADOPOULOS wrote: >Hi again, > >Well check this.... >the message in my /var/log/messages is: >"kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0" > >So Hmm now that i am thinking of it again: > >"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address >192.168.0.102" > >This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same... >Someone more experienced maybe can make this clear. To be honest i haven't seen the output you posted before... > >Sorry for the inconvenience if i was wrong before.. > >Spiros > > > > >>-----Original Message----- >>From: Graham North <northg@shaw.ca> >>To: freebsd-questions@freebsd.org >>Date: Sun, 15 Jan 2006 12:23:08 -0800 >>Subject: Rootkit detection >> >> > > > >>I would like to determine if my server has had >rootkit installed by a >>hacker. >>FBSD 4.11. Main entrances are only http, ssh and >also webmin. >> >> > > > >>My server went down sometime recently. When I went >investigate there >>was a somewhat nasty message saying: >> >> > > > >>"server /kernel: arp 00:11:43:4a:8d:18 is using my >>IP address >>192.168.0.102" >> >> > > > >>The mac address 00:11:43:4a:8d:18 does not belong to >any of my hardware. >>("server" is a pseudonymn for this email but is the >machine name for the >>server on my home network - 192.68.0.102 is the LAN >addr on my router) >> >> > > > >>The auth log files have been rolled over several >times in the last few >>weeks and I have not unzipped them yet to see if any >entries were >>accepted but the most recent one is filled with >unsuccessful attacks to >>sshd on high port numbers, ie sshd[86417]. >>My biggest concern is the message at the top of this >email "server >>/kernel: arp 00:11:43:4a:8d:18 is using my IP >address 192.168.0.102", it >>sounds scary. >> >> > > > >>Can someone give please me some guidance as to how >to determine whether >>my machine is comprimised? >>Thanks, Graham/ >> >> > > > >>-- >>Kindness can be infectious - try it. >> >> > > > >>Graham North >>Vancouver, BC >>www.soleado.ca >> >> > > > > > -- Kindness can be infectious - try it. Graham North Vancouver, BC www.soleado.ca --Boundary_(ID_mF4KDYSkIME4jbXRIl9+Ew) Content-type: text/plain; x-avg=cert; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline Content-description: "AVG certification" No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.14.18/230 - Release Date: 1/14/2006 --Boundary_(ID_mF4KDYSkIME4jbXRIl9+Ew)--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43CB5745.7030904>