Date:      Sun, 15 Jan 2006 21:47:08 +0000
From:      "SPYRIDON PAPADOPOULOS" <SP373@student.apu.ac.uk>
To:        northg@shaw.ca
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Rootkit detection
Message-ID:  <1137361628.1a94f60SP373@student.apu.ac.uk>

Hi again,

Well check this....
the message in my /var/log/messages is:
"kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"

So, hmm, now that I am thinking of it again:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"

This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...

Sorry for the inconvenience if i was wrong before..

Spiros


>-----Original Message-----
>From: Graham North <northg@shaw.ca>
>To: freebsd-questions@freebsd.org
>Date: Sun, 15 Jan 2006 12:23:08 -0800
>Subject: Rootkit detection

>I would like to determine if my server has had a rootkit installed by a
>hacker.
>FBSD 4.11.   Main entrances are only http, ssh and also webmin.

>My server went down sometime recently.   When I went to investigate there
>was a somewhat nasty message saying:

>"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"

>The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>("server" is a pseudonym for this email but is the machine name for the 
>server on my home network - 192.68.0.102 is the LAN addr on my router)

>The auth log files have been rolled over several times in the last few 
>weeks and I have not unzipped them yet to see if any entries were 
>accepted but the most recent one is filled with unsuccessful attacks to 
>sshd on high port numbers, ie sshd[86417].
>My biggest concern is the message at the top of this email "server 
>/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it 
>sounds scary.

>Can someone please give me some guidance as to how to determine whether 
>my machine is compromised?
>Thanks,  Graham/

>-- 
>Kindness can be infectious - try it.

>Graham North
>Vancouver, BC
>www.soleado.ca
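A small parser for the two arp(4) kernel messages quoted in this thread, run over a constructed sample log so that entries whose MAC is outside your own hardware list stand out from ordinary churn. This is an added example, not code from either poster; the hostname, timestamps, the "known MAC" set and the filler lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Regexes for the two arp(4) kernel messages quoted in this thread.  "is using my
# IP address" means another host answered ARP for an address this machine owns;
# "moved from ... to ..." means a neighbour's MAC changed in our ARP cache.
# "arp:?" tolerates the missing colon in the hand-copied message.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
USING_RE = re.compile(rf"arp:? (?P<mac>{MAC}) is using my IP address (?P<ip>{IP})", re.I)
MOVED_RE = re.compile(
    rf"arp:? (?P<ip>{IP}) moved from (?P<old>{MAC}) to (?P<mac>{MAC})(?: on (?P<ifname>\w+))?",
    re.I)

@dataclass
class ArpEvent:
    kind: str                    # "conflict" (our own IP claimed) or "moved" (peer MAC changed)
    ip: str
    mac: str                     # MAC now claiming the address
    old_mac: Optional[str] = None
    ifname: Optional[str] = None

def parse_arp_line(line: str) -> Optional[ArpEvent]:
    """Parse one syslog line; returns None for lines that are not arp events."""
    m = USING_RE.search(line)
    if m:
        return ArpEvent("conflict", m["ip"], m["mac"].lower())
    m = MOVED_RE.search(line)
    if m:
        return ArpEvent("moved", m["ip"], m["mac"].lower(), m["old"].lower(), m["ifname"])
    return None

def audit_arp_log(lines: Iterable[str], known_macs: Iterable[str]) -> List[ArpEvent]:
    """Return arp events whose claiming MAC is not in the operator's hardware list.
    A conflict from an unknown MAC is the case worth checking; a move to a MAC
    you own (e.g. a replaced NIC) is filtered out as expected churn."""
    known = {k.lower() for k in known_macs}
    return [ev for ev in map(parse_arp_line, lines) if ev and ev.mac not in known]

# Constructed sample log: the two messages from the thread plus two filler lines.
KNOWN_MACS = {"00:13:8f:4c:1b:41"}          # constructed: MACs of our own hardware
SAMPLE_LOG = [
    "Jan 15 20:01:02 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0",
    "Jan 15 20:05:17 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102",
    "Jan 15 20:06:00 server sshd[86417]: Invalid user test from 10.0.0.9",
    "Jan 15 20:07:30 server /kernel: arp: 192.168.0.1 moved from 00:00:5e:00:53:01 to 00:13:8f:4c:1b:41 on rl0",
]
```

Running `audit_arp_log(SAMPLE_LOG, KNOWN_MACS)` keeps only the first two kernel lines; the last "moved" line is dropped because its new MAC is in the known set.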



