Date:      Mon, 16 Jan 2006 00:20:21 -0800
From:      Graham North <northg@shaw.ca>
To:        SP373@student.apu.ac.uk
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Rootkit detection
Message-ID:  <43CB5745.7030904@shaw.ca>
In-Reply-To: <1137361628.1a94f60SP373@student.apu.ac.uk>
References:  <1137361628.1a94f60SP373@student.apu.ac.uk>


Hi Spyridon:

Thank you for your replies.   I was able to install the chkrootkit port 
and it seems to show the system as clean.
To all other replies, thank you for your help also.
Cheers,  Graham/


SPYRIDON PAPADOPOULOS wrote:

>Hi again,
>
>Well check this....
>the message in my /var/log/messages is:
>"kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"
>
>So, hmm, now that I am thinking of it again:
>
>"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 
>192.168.0.102"  
>
>This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
>Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...
>
>Sorry for the inconvenience if I was wrong before..
>
>Spiros
>
>>-----Original Message-----
>>From: Graham North <northg@shaw.ca>
>>To: freebsd-questions@freebsd.org
>>Date: Sun, 15 Jan 2006 12:23:08 -0800
>>Subject: Rootkit detection
>>
>>I would like to determine if my server has had a rootkit installed by a 
>>hacker.
>>FBSD 4.11.   Main entrances are only http, ssh and also webmin.
>>
>>My server went down sometime recently.   When I went to investigate there 
>>was a somewhat nasty message saying:
>>
>>"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 
>>192.168.0.102"  
>>
>>The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>>("server" is a pseudonym for this email but is the machine name for the 
>>server on my home network - 192.68.0.102 is the LAN addr on my router)
>>
>>The auth log files have been rolled over several times in the last few 
>>weeks and I have not unzipped them yet to see if any entries were 
>>accepted but the most recent one is filled with unsuccessful attacks to 
>>sshd on high port numbers, ie sshd[86417].
>>My biggest concern is the message at the top of this email "server 
>>/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it 
>>sounds scary.
>>
>>Can someone please give me some guidance as to how to determine whether 
>>my machine is compromised?
>>Thanks,  Graham/
>>
>>-- 
>>Kindness can be infectious - try it.
>>
>>Graham North
>>Vancouver, BC
>>www.soleado.ca
>

-- 
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca
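The thread quotes two different kernel arp messages without saying how to tell a one-off address change from something worth worrying about. As an added example (not from this thread, chkrootkit, or FreeBSD's own tools), the Python script below scans /var/log/messages-style lines for both forms, reports any MAC that claims one of the host's own addresses, and reports remote IPs whose MAC flip-flops back to an earlier value, the pattern an IP conflict or ARP spoofing on the LAN produces and a single NIC swap does not. The log lines are constructed samples; the timestamps, the `on rl0` suffix and the sshd noise line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two kernel arp messages quoted in the
# thread, plus an unrelated sshd line as noise (none of these are real logs).
SAMPLE_LOG = """\
Jan 15 11:02:11 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0
Jan 15 11:40:52 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102
Jan 15 11:41:30 server sshd[86417]: Failed password for illegal user test from 10.9.8.7 port 51234 ssh2
Jan 15 12:05:00 server /kernel: arp: 192.168.2.34 moved from 00:11:2f:0c:b1:0a to 00:13:8f:4c:1b:41 on rl0
"""

# "arp:" with or without the colon, since both spellings appear in the thread.
MOVED_RE = re.compile(r"arp:? (\S+) moved from (\S+) to (\S+) on (\S+)")
USING_RE = re.compile(r"arp:? (\S+) is using my IP address ([\d.]+)")

def parse_arp_events(log_text):
    """Return (kind, ip, mac_from, mac_to) for every kernel arp line in log_text."""
    events = []
    for line in log_text.splitlines():
        m = MOVED_RE.search(line)
        if m:
            events.append(("moved", m.group(1), m.group(2), m.group(3)))
            continue
        m = USING_RE.search(line)
        if m:
            # Another host answered ARP for one of OUR addresses: conflict or spoofing.
            events.append(("conflict", m.group(2), None, m.group(1)))
    return events

def analyze(events):
    """Group arp lines into MACs claiming a local IP, and remote IPs whose MAC
    returned to an earlier value (flapping); one clean move is usually benign."""
    conflicts = defaultdict(set)   # local IP -> MACs claiming it
    history = defaultdict(list)    # remote IP -> sequence of MACs seen
    for kind, ip, mac_from, mac_to in events:
        if kind == "conflict":
            conflicts[ip].add(mac_to)
        else:
            if not history[ip]:
                history[ip].append(mac_from)
            history[ip].append(mac_to)
    flapping = {ip: macs for ip, macs in history.items() if len(set(macs)) < len(macs)}
    return {"conflicts": dict(conflicts), "flapping": flapping}

if __name__ == "__main__":
    report = analyze(parse_arp_events(SAMPLE_LOG))
    for ip, macs in report["conflicts"].items():
        print(f"IP conflict: {', '.join(sorted(macs))} also claims our address {ip}")
    for ip, macs in report["flapping"].items():
        print(f"MAC flapping for {ip}: {' -> '.join(macs)}")
```

Run it against the real file with `analyze(parse_arp_events(open("/var/log/messages").read()))`; a "conflict" hit names the MAC to hunt for on the switch, and a flapping entry is worth comparing against `arp -a` output taken at the same time.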






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43CB5745.7030904>