Rootkit detection

SPYRIDON PAPADOPOULOS SP373 at student.apu.ac.uk
Sun Jan 15 13:47:32 PST 2006


Hi again,

Well check this....
the message in my /var/log/messages is:
"kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"

So, hmm, now that I am thinking of it again:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 
192.168.0.102"  

This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...

Sorry for the inconvenience if I was wrong before..

Spiros


>-----Original Message-----
>From: Graham North <northg at shaw.ca>
>To: freebsd-questions at freebsd.org
>Date: Sun, 15 Jan 2006 12:23:08 -0800
>Subject: Rootkit detection

>I would like to determine if my server has had a rootkit installed by a 
>hacker.
>FBSD 4.11.   Main entrances are only http, ssh and also webmin.

>My server went down sometime recently.   When I went to investigate there 
>was a somewhat nasty message saying:

>"server /kernel: arp 00:11:43:4a:8d:18 is using my
>IP address 
>192.168.0.102"  

>The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>("server" is a pseudonym for this email but is the machine name for the 
>server on my home network - 192.68.0.102 is the LAN addr on my router)

>The auth log files have been rolled over several times in the last few 
>weeks and I have not unzipped them yet to see if any entries were 
>accepted but the most recent one is filled with unsuccessful attacks to 
>sshd on high port numbers, i.e. sshd[86417].
>My biggest concern is the message at the top of this email "server 
>/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it 
>sounds scary.

>Can someone please give me some guidance as to how to determine whether 
>my machine is compromised?
>Thanks,  Graham/

>-- 
>Kindness can be infectious - try it.

>Graham North
>Vancouver, BC
>www.soleado.ca
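An added example, not part of this thread or of FreeBSD itself: a small Python script that pulls the two kernel ARP messages discussed above ("... is using my IP address ..." and "... moved from ... to ... on ...") out of a /var/log/messages-style text and ranks them the way a defender would, separating a one-off MAC change from an address that keeps flapping between two MACs, and a conflict from hardware you own from one claimed by an unknown MAC. The sample log lines are constructed for the example (only the two messages from the thread are taken from it), and the `known_macs` list, the flap threshold and the regular expressions are this example's own assumptions about the message format, not anything from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the style of a FreeBSD 4.x /var/log/messages; not real log data.
# The sshd line is there to show that unrelated lines are ignored.
SAMPLE_LOG = """\
Jan 15 13:40:01 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0
Jan 15 13:41:12 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 15 13:42:00 server sshd[86417]: Failed password for invalid user test from 10.0.0.5 port 51234 ssh2
Jan 15 13:43:30 server /kernel: arp: 192.168.2.34 moved from 00:11:2f:0c:b1:0a to 00:13:8f:4c:1b:41 on rl0
Jan 15 13:44:05 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0
"""

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed message shapes, modelled on the two lines quoted in the thread.
MOVED_RE = re.compile(rf"arp: (?P<ip>{IPV4}) moved from (?P<old>{MAC}) to (?P<new>{MAC}) on (?P<ifname>\S+)")
CONFLICT_RE = re.compile(rf"arp: (?P<mac>{MAC}) is using my IP address (?P<ip>{IPV4})")


@dataclass
class ArpEvent:
    kind: str                  # "conflict" or "moved"
    ip: str
    macs: Tuple[str, ...]      # (claiming mac,) for conflict, (old, new) for moved
    ifname: Optional[str]
    raw: str


def parse_arp_events(log_text: str) -> List[ArpEvent]:
    """Extract the kernel ARP messages from syslog text; everything else is skipped."""
    events = []
    for line in log_text.splitlines():
        m = CONFLICT_RE.search(line)
        if m:
            events.append(ArpEvent("conflict", m["ip"], (m["mac"].lower(),), None, line))
            continue
        m = MOVED_RE.search(line)
        if m:
            events.append(ArpEvent("moved", m["ip"], (m["old"].lower(), m["new"].lower()), m["ifname"], line))
    return events


def assess(events: List[ArpEvent], known_macs: List[str], flap_threshold: int = 2) -> List[Tuple[str, str]]:
    """Rank events as (severity, explanation) pairs.

    conflict: another host answered ARP for one of our own addresses. If that MAC is
      in known_macs (hardware we own) it is most likely a duplicate static/DHCP
      assignment; an unknown MAC needs to be identified on the LAN.
    moved: a neighbour's MAC changed. One change is usually a swapped NIC or DHCP
      churn; an IP that flips between MACs flap_threshold or more times points to
      two hosts configured with the same address, or something answering for it.
    """
    known = {k.lower() for k in known_macs}
    findings = []
    changes = defaultdict(list)
    for ev in events:
        if ev.kind == "conflict":
            mac = ev.macs[0]
            if mac in known:
                findings.append(("info", f"{mac} (known hardware) claimed our address {ev.ip}; check for a duplicate address assignment"))
            else:
                findings.append(("high", f"unknown MAC {mac} claimed our address {ev.ip}; identify that device on the LAN"))
        else:
            changes[ev.ip].append(ev)
    for ip, evs in changes.items():
        if len(evs) >= flap_threshold:
            macs = sorted({m for ev in evs for m in ev.macs})
            findings.append(("medium", f"{ip} changed MAC {len(evs)} times between {', '.join(macs)}; likely a duplicate IP on the segment"))
        else:
            ev = evs[0]
            findings.append(("low", f"{ip} moved from {ev.macs[0]} to {ev.macs[1]} on {ev.ifname}; a single change, probably benign"))
    return findings


if __name__ == "__main__":
    # known_macs is a placeholder for the MACs of your own hardware.
    for severity, text in assess(parse_arp_events(SAMPLE_LOG), known_macs=["00:0d:aa:bb:cc:dd"]):
        print(f"[{severity}] {text}")
```

Run against a real file with `assess(parse_arp_events(open("/var/log/messages").read()), known_macs=[...])`, listing the MACs of the machines you actually own; a conflict reported for a MAC that is on that list is the ordinary "two boxes share one IP" case, while one that is not on the list is the one worth walking the LAN for.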


