Date: Sun, 15 Jan 2006 21:47:08 +0000
From: "SPYRIDON PAPADOPOULOS" <SP373@student.apu.ac.uk>
To: northg@shaw.ca
Cc: freebsd-questions@freebsd.org
Subject: Re: Rootkit detection
Message-ID: <1137361628.1a94f60SP373@student.apu.ac.uk>
Hi again,

Well, check this.... the message in my /var/log/messages is:

"kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"

So, hmm, now that I am thinking of it again:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"

This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same... Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...

Sorry for the inconvenience if I was wrong before..

Spiros

>-----Original Message-----
>From: Graham North <northg@shaw.ca>
>To: freebsd-questions@freebsd.org
>Date: Sun, 15 Jan 2006 12:23:08 -0800
>Subject: Rootkit detection
>
>I would like to determine if my server has had a rootkit installed by a hacker.
>
>FBSD 4.11. Main entrances are only http, ssh and also webmin.
>
>My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:
>
>"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"
>
>The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>
>("server" is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)
>
>The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, ie sshd[86417].
>
>My biggest concern is the message at the top of this email "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it sounds scary.
>
>Can someone please give me some guidance as to how to determine whether my machine is compromised?
>
>Thanks, Graham/
>--
>Kindness can be infectious - try it.
>Graham North
>Vancouver, BC
>www.soleado.ca
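An added detection example, not code from either poster: a small Python filter for the two FreeBSD kernel ARP messages quoted in this thread ("moved from ... to ..." and "is using my IP address"), run over constructed sample log lines against a hypothetical inventory of MAC addresses the administrator knows are their own. A conflict or a MAC change is rated high when the claiming MAC is not in that inventory, which is exactly the situation Graham describes.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the two kernel messages quoted above
# plus one unrelated sshd line; these are not real captures.
SAMPLE_LOG = """\
Jan 15 12:01:02 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0
Jan 15 12:05:40 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 15 12:06:10 server sshd[86417]: Failed password for invalid user admin from 10.0.0.5
"""

# Hypothetical inventory of the administrator's own hardware (assumption).
KNOWN_MACS = {"00:13:8f:4c:1b:41", "00:11:2f:0c:b1:0a"}

# "arp: <ip> moved from <mac> to <mac> on <iface>"
MOVED_RE = re.compile(r"arp: ([\d.]+) moved from (\S+) to (\S+) on (\S+)")
# "arp <mac> is using my IP address <ip>" (colon after arp optional, trailing "!" ignored)
CONFLICT_RE = re.compile(r"arp:? (\S+) is using my IP address ([\d.]+)")

@dataclass
class Finding:
    kind: str      # "moved" or "conflict"
    ip: str        # the IP address being claimed
    mac: str       # the MAC now claiming that address
    severity: str  # "high" if the MAC is not in the known inventory, else "info"
    note: str

def classify_arp_lines(log_text, known_macs):
    """Return one Finding per ARP move/conflict line; other lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = MOVED_RE.search(line)
        if m:
            ip, old, new, iface = m.groups()
            unknown = new.lower() not in known_macs
            findings.append(Finding("moved", ip, new, "high" if unknown else "info",
                f"{ip} moved {old} -> {new} on {iface}" + (" (unknown MAC)" if unknown else "")))
            continue
        m = CONFLICT_RE.search(line)
        if m:
            mac, ip = m.groups()
            unknown = mac.lower() not in known_macs
            findings.append(Finding("conflict", ip, mac, "high" if unknown else "info",
                f"{mac} claims our address {ip}" + (" (unknown MAC)" if unknown else "")))
    return findings

if __name__ == "__main__":
    for f in classify_arp_lines(SAMPLE_LOG, KNOWN_MACS):
        print(f"[{f.severity}] {f.kind}: {f.note}")
```

A high-severity conflict on its own shows another host answering for your address (a misconfigured device, a DHCP mix-up, or deliberate spoofing); it is not by itself evidence that the server's own software was modified, so it is a reason to check the host, not a verdict.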
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1137361628.1a94f60SP373>