From: Graham North
To: SP373@student.apu.ac.uk
Cc: freebsd-questions@freebsd.org
Date: Mon, 16 Jan 2006 00:20:21 -0800
Subject: Re: Rootkit detection
In-reply-to: <1137361628.1a94f60SP373@student.apu.ac.uk>

Hi Spyridon:

Thank you for your replies. I was able to install the chkrootkit port and it seems to show the system as clean.

To all other replies, thank you for your help also.

Cheers,
Graham/

SPYRIDON PAPADOPOULOS wrote:
> Hi again,
>
> Well check this....
> the message in my /var/log/messages is:
> "kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"
>
> So Hmm now that I am thinking of it again:
>
> "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
> 192.168.0.102"
>
> This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
> Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...
>
> Sorry for the inconvenience if I was wrong before..
>
> Spiros
>
>> -----Original Message-----
>> From: Graham North
>> To: freebsd-questions@freebsd.org
>> Date: Sun, 15 Jan 2006 12:23:08 -0800
>> Subject: Rootkit detection
>>
>> I would like to determine if my server has had a rootkit installed by a hacker.
>> FBSD 4.11. Main entrances are only http, ssh and also webmin.
>>
>> My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:
>>
>> "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"
>>
>> The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>> ("server" is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)
>>
>> The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, i.e. sshd[86417].
>> My biggest concern is the message at the top of this email, "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"; it sounds scary.
>>
>> Can someone please give me some guidance as to how to determine whether my machine is compromised?
>> Thanks, Graham/
>>
>> --
>> Kindness can be infectious - try it.
>>
>> Graham North
>> Vancouver, BC
>> www.soleado.ca

-- 
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca
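The thread turns on reading two kinds of FreeBSD kernel `arp` message. The following script is an editor-added example, not code from the thread or from FreeBSD: it parses both message forms quoted above out of syslog text, grades each against an allowlist of MAC addresses the operator owns, and flags addresses whose MAC keeps changing. The log lines, the `KNOWN_MACS` allowlist, the `ArpEvent` type and the severity scheme are all constructed for the example. The one fact it relies on is how FreeBSD produces the messages: "arp X is using my IP address Y" is logged when the kernel receives an ARP packet whose sender IP is one of the host's own addresses but whose sender MAC is not its own, i.e. a second device on the LAN is claiming the address; "arp: Y moved from A to B" is logged when the cached MAC for a neighbour changes. Neither is, by itself, evidence that this host is compromised, which is why the duplicate-address check below and a host check like chkrootkit answer different questions.

```python
"""Classify FreeBSD kernel arp messages from syslog (editor-added example)."""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of /var/log/messages lines (not a real capture). The first
# and third arp messages are the ones quoted in the thread, with syslog prefixes
# added; the last line is invented to show a move to an unrecognised MAC.
SAMPLE_LOG = """\
Jan 15 11:58:03 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102
Jan 15 12:01:11 server sshd[86417]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Jan 16 00:05:42 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0
Jan 16 00:06:00 server /kernel: arp: 192.168.2.34 moved from 00:11:2f:0c:b1:0a to 00:11:43:4a:8d:18 on rl0
"""

# Hypothetical allowlist: MAC addresses of hardware the operator owns.
KNOWN_MACS = {"00:13:8f:4c:1b:41", "00:11:2f:0c:b1:0a"}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "arp X is using my IP address Y": an ARP packet arrived whose sender IP is
# one of this host's own addresses but whose sender MAC is not this host's.
RE_USING = re.compile(rf"kernel: arp:? (?P<mac>{MAC}) is using my IP address (?P<ip>{IP})", re.I)
# "arp: Y moved from A to B on IF": the cached MAC for neighbour Y changed.
RE_MOVED = re.compile(rf"kernel: arp:? (?P<ip>{IP}) moved from (?P<old>{MAC}) to (?P<new>{MAC}) on (?P<ifname>\S+)", re.I)


@dataclass
class ArpEvent:
    kind: str              # "ip_conflict" or "mac_change"
    ip: str
    macs: Tuple[str, ...]  # (claimant,) for ip_conflict, (old, new) for mac_change
    ifname: Optional[str]
    line: str


def parse_arp_line(line: str) -> Optional[ArpEvent]:
    m = RE_USING.search(line)
    if m:
        return ArpEvent("ip_conflict", m["ip"], (m["mac"].lower(),), None, line)
    m = RE_MOVED.search(line)
    if m:
        return ArpEvent("mac_change", m["ip"], (m["old"].lower(), m["new"].lower()), m["ifname"], line)
    return None  # not an arp message; sshd lines etc. are ignored here


def parse_log(text: str) -> List[ArpEvent]:
    return [ev for ev in map(parse_arp_line, text.splitlines()) if ev is not None]


def flapping_ips(events: List[ArpEvent]) -> set:
    """IPs whose MAC changed more than once: two devices fighting over one address."""
    counts = Counter(ev.ip for ev in events if ev.kind == "mac_change")
    return {ip for ip, n in counts.items() if n > 1}


def assess(events: List[ArpEvent], known_macs: set) -> List[Tuple[str, str, ArpEvent]]:
    """Return (severity, reason, event) triples. A conflict on this host's own
    address is always high; a neighbour's MAC change is graded by whether the
    new MAC is in the allowlist."""
    findings = []
    for ev in events:
        if ev.kind == "ip_conflict":
            mac = ev.macs[0]
            who = "unrecognised hardware" if mac not in known_macs else "known hardware, misconfiguration likely"
            findings.append(("high", f"{mac} ({who}) claims this host's address {ev.ip}", ev))
        else:
            old, new = ev.macs
            if new not in known_macs:
                findings.append(("medium", f"{ev.ip} now answers from unrecognised MAC {new} on {ev.ifname}", ev))
            else:
                findings.append(("low", f"{ev.ip} moved between known MACs {old} -> {new} on {ev.ifname}", ev))
    return findings


if __name__ == "__main__":
    # Usage: python arp_check.py /var/log/messages   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    evs = parse_log(text)
    for sev, reason, _ in assess(evs, KNOWN_MACS):
        print(f"[{sev}] {reason}")
    for ip in sorted(flapping_ips(evs)):
        print(f"[note] {ip} changed MAC more than once; check for a duplicate address assignment")
```

Run against the sample, the conflict on 192.168.0.102 from 00:11:43:4a:8d:18 comes out high because that MAC is not in the allowlist, the first move of 192.168.2.34 is low (both MACs known), the second is medium, and 192.168.2.34 is reported as flapping. Rotated logs (the `messages.N.gz` files mentioned in the thread) can be fed in the same way after decompression, and the allowlist should be filled from your own hardware inventory before trusting the grades.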