Rootkit detection

Graham North northg at
Sun Jan 15 12:23:24 PST 2006

I would like to determine if my server has had rootkit installed by a 
FBSD 4.11.   Main entrances are only http, ssh and also webmin.

My server went down sometime recently.   When I went investigate there 
was a somewhat nasty message saying:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address"  

The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
("server" is a pseudonymn for this email but is the machine name for the 
server on my home network - is the LAN addr on my router)

The auth log files have been rolled over several times in the last few 
weeks and I have not unzipped them yet to see if any entries were 
accepted but the most recent one is filled with unsuccessful attacks to 
sshd on high port numbers, ie sshd[86417].
My biggest concern is the message at the top of this email "server 
/kernel: arp 00:11:43:4a:8d:18 is using my IP address", it 
sounds scary.

Can someone give please me some guidance as to how to determine whether 
my machine is comprimised?
Thanks,  Graham/

Kindness can be infectious - try it.

Graham North
Vancouver, BC

-------------- next part --------------
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.18/230 - Release Date: 1/14/2006

More information about the freebsd-questions mailing list