Rootkit detection

SPYRIDON PAPADOPOULOS SP373 at student.apu.ac.uk
Sun Jan 15 13:29:37 PST 2006


Hi there,

Graham North wrote:

>-----Original Message-----
>From: Graham North <northg at shaw.ca>
>To: freebsd-questions at freebsd.org
>Date: Sun, 15 Jan 2006 12:23:08 -0800
>Subject: Rootkit detection

>I would like to determine if my server has had a rootkit installed by a 
>hacker.
>FBSD 4.11.   Main entrances are only http, ssh and also webmin.

>My server went down sometime recently.   When I went to investigate there 
>was a somewhat nasty message saying:

>"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 
>192.168.0.102"  

This message is suspicious! This is a message that appears after a successful ARP poisoning attack, which can then lead to a MITM (Man in the middle <--  type this in google for more info) attack.
If this is the case then all your unencrypted data to/from this host was available to the attacker in a human legible format (plain text). "Information leakage" is covered by Data Protection Laws (depending on the country your PC is in).
If the man in the middle attack was successful... then all your unencrypted passwords, e-mails, chats, searched strings in google, were available to such an attacker.
If this is the case then there is no need for installed software of any kind on your computer.

There are more chances that it is someone from inside. First ask yourself if it is possible for people to connect laptops or other machines, without your permission, to your LAN. Maybe this is why you don't know this MAC address. Also, if you announce this event to everyone using your Network (is it a LAN we are talking about, behind the server?) you decrease the chances to catch the leaker.

I have tried such tools before but in my -->LAN<-- only, not against hosts on the internet. So I don't really know if this can occur and with what tools, but I find it very possible..

Also, in order not to panic, keep in mind that data to/from your bank's account [online], for example, are/must be (almost for sure) encrypted with TLSv1/SSLv3 128bit encryption which is probably safe (hopefully) at the moment.
Of course some older encryption techniques can be decrypted with the right tools. 
I am not an expert in cryptography and decryption, but please check: http://ettercap.sourceforge.net 
to see what I mean.

>The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>("server" is a pseudonym for this email but is the machine name for the 
>server on my home network - 192.68.0.102 is the LAN addr on my router)

>The auth log files have been rolled over several times in the last few 
>weeks and I have not unzipped them yet to see if any entries were 
>accepted but the most recent one is filled with unsuccessful attacks to 
>sshd on high port numbers, i.e. sshd[86417].
>My biggest concern is the message at the top of this email "server 
>/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it 
>sounds scary.

It is cool...!

>Can someone please give me some guidance as to how to determine whether 
>my machine is compromised?
>Thanks,  Graham/

>-- 
>Kindness can be infectious - try it.

>Graham North
>Vancouver, BC
>www.soleado.ca
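As an added example, not part of either message in this thread: a small Python checker that scans syslog lines for the FreeBSD kernel ARP warning Graham quoted (and the kernel's companion "moved from" warning) and reports any MAC that is not in your own hardware inventory yet claimed one of your IP addresses. The exact log formats, the sample log lines, the interface name and the router MAC are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Patterns for the two FreeBSD kernel ARP warnings. The first is the one quoted
# in the thread; the second is the warning logged when a known IP changes MAC.
# Exact formats are assumptions: a colon after "arp" and a trailing "!" are
# accepted but not required.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
USING_MY_IP = re.compile(rf"arp:?\s+(?P<mac>{MAC}) is using my IP address (?P<ip>{IP})!?", re.I)
MOVED = re.compile(rf"arp:?\s+(?P<ip>{IP}) moved from (?P<old>{MAC}) to (?P<new>{MAC})", re.I)


def arp_conflicts(lines, known_macs):
    """Return {ip: sorted list of unknown MACs that claimed it}.

    MACs in known_macs (your own NICs, router, printers) are ignored, so a
    non-empty result means hardware you did not inventory is answering for
    one of your addresses: the ARP-poisoning symptom discussed above.
    """
    known = {m.lower() for m in known_macs}
    claims = defaultdict(set)
    for line in lines:
        m = USING_MY_IP.search(line)
        if m:
            if m["mac"].lower() not in known:
                claims[m["ip"]].add(m["mac"].lower())
            continue
        m = MOVED.search(line)
        if m and m["new"].lower() not in known:
            claims[m["ip"]].add(m["new"].lower())
    return {ip: sorted(macs) for ip, macs in claims.items()}


# Constructed sample log lines (not from the original message). The foreign MAC
# and the host IP mirror the thread; timestamps, interface and router MAC are made up.
SAMPLE_LOG = """\
Jan 14 03:12:07 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 14 03:12:09 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!
Jan 14 03:15:40 server /kernel: arp: 192.168.0.1 moved from 00:0c:41:aa:bb:cc to 00:11:43:4a:8d:18 on fxp0
Jan 14 03:20:01 server sshd[86417]: Failed password for invalid user admin from 10.9.8.7 port 4021 ssh2
""".splitlines()

KNOWN_MACS = ["00:0c:41:aa:bb:cc"]  # constructed: the router's own MAC

if __name__ == "__main__":
    for ip, macs in arp_conflicts(SAMPLE_LOG, KNOWN_MACS).items():
        print(f"{ip} claimed by unknown MAC(s): {', '.join(macs)}")
```

On the box itself you would feed it `/var/log/messages` (and the rotated copies once unpacked) and compare the reported MACs against `arp -a` output taken while the LAN is quiet.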
