Rootkit detection
Graham North
northg at shaw.ca
Sun Jan 15 12:23:24 PST 2006
I would like to determine if my server has had rootkit installed by a
hacker.
FBSD 4.11. Main entrances are only http, ssh and also webmin.
My server went down sometime recently. When I went investigate there
was a somewhat nasty message saying:
"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
192.168.0.102"
The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
("server" is a pseudonymn for this email but is the machine name for the
server on my home network - 192.68.0.102 is the LAN addr on my router)
The auth log files have been rolled over several times in the last few
weeks and I have not unzipped them yet to see if any entries were
accepted but the most recent one is filled with unsuccessful attacks to
sshd on high port numbers, ie sshd[86417].
My biggest concern is the message at the top of this email "server
/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it
sounds scary.
Can someone give please me some guidance as to how to determine whether
my machine is comprimised?
Thanks, Graham/
--
Kindness can be infectious - try it.
Graham North
Vancouver, BC
www.soleado.ca
-------------- next part --------------
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.18/230 - Release Date: 1/14/2006
More information about the freebsd-questions
mailing list