northg at shaw.ca
Sun Jan 15 12:23:24 PST 2006
I would like to determine if my server has had a rootkit installed by a
FBSD 4.11. Main entrances are only http, ssh and also webmin.
My server went down sometime recently. When I went to investigate there
was a somewhat nasty message saying:
"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
("server" is a pseudonym for this email but is the machine name for the
server on my home network - 18.104.22.168 is the LAN addr on my router)
The auth log files have been rolled over several times in the last few
weeks and I have not unzipped them yet to see if any entries were
accepted but the most recent one is filled with unsuccessful attacks to
sshd on high port numbers, i.e. sshd.
My biggest concern is the message at the top of this email "server
/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it
Can someone please give me some guidance as to how to determine whether
my machine is compromised?
Kindness can be infectious - try it.
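A defender's first step with a message like the one quoted above is to pull every "arp ... is using my IP address" line out of the current and rolled-over (gzip'd) system logs and see which MACs and addresses are involved. The script below is an added example written for this thread, not from the original poster or the FreeBSD project; the log path, the rotated-file naming, the `known_macs` set and the sample log lines (other than the MAC and IP quoted in the post) are assumptions.

```python
import gzip
import re
from collections import Counter
from pathlib import Path

# Shape of the FreeBSD 4.x kernel message quoted in the post, with a syslog timestamp:
#   Jan 14 03:12:07 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102
ARP_DUP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"arp (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) is using my IP address "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)", re.IGNORECASE)

def parse_arp_conflicts(lines):
    """Yield (timestamp, host, mac, ip) for each duplicate-IP arp message; skip everything else."""
    for line in lines:
        m = ARP_DUP_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("host"), m.group("mac").lower(), m.group("ip")

def summarize(lines, known_macs):
    """Count conflicts per (mac, ip), keep first sighting, flag MACs not in the known-hardware set."""
    known = {k.lower() for k in known_macs}
    counts, first_seen = Counter(), {}
    for ts, _host, mac, ip in parse_arp_conflicts(lines):
        counts[(mac, ip)] += 1
        first_seen.setdefault((mac, ip), ts)
    return [{"mac": mac, "ip": ip, "count": n, "first_seen": first_seen[(mac, ip)],
             "known": mac in known}
            for (mac, ip), n in sorted(counts.items(), key=lambda kv: -kv[1])]

def read_logs(log_dir="/var/log", name="messages"):
    """Read the live log plus rotated copies (assumed names: messages, messages.0.gz, ...)."""
    for p in sorted(Path(log_dir).glob(name + "*")):
        opener = gzip.open if p.suffix == ".gz" else open   # rotated copies are gzip'd
        with opener(p, "rt", errors="replace") as fh:
            yield from fh

# Constructed sample lines for a stand-alone run (only the first MAC and the IP come from the post).
SAMPLE_LOG = """\
Jan 14 03:12:07 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102
Jan 14 03:12:09 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102
Jan 14 09:40:51 server sshd[1234]: Connection closed by 10.0.0.5
Jan 15 11:58:30 server /kernel: arp 00:0c:29:aa:bb:cc is using my IP address 192.168.0.102
""".splitlines()

if __name__ == "__main__":
    # Replace SAMPLE_LOG with read_logs() and known_macs with your NICs' addresses on a real host.
    for row in summarize(SAMPLE_LOG, known_macs={"00:0c:29:aa:bb:cc"}):
        print(row)
```

An unknown MAC repeatedly claiming the server's address is evidence about the LAN (another host, a spoofing device, or a misconfigured box), not proof the server itself is rootkitted; the host's own integrity still has to be checked separately.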