Rootkit detection

Sun Jan 15 13:47:32 PST 2006

Hi again,

Well check this....
the message in my /var/log/messages is:
"kernel: arp: moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"

So, hmm, now that I am thinking of it again:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address"

This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
Maybe someone more experienced can make this clear. To be honest, I haven't seen the output you posted before...

Sorry for the inconvenience if I was wrong before..


>-----Original Message-----
>From: Graham North <northg at>
>To: freebsd-questions at
>Date: Sun, 15 Jan 2006 12:23:08 -0800
>Subject: Rootkit detection

>I would like to determine if my server has had rootkit installed by a 
>FBSD 4.11.   Main entrances are only http, ssh and also webmin.

>My server went down sometime recently.   When I went investigate there 
>was a somewhat nasty message saying:

>"server /kernel: arp 00:11:43:4a:8d:18 is using my
>IP address"

>The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>("server" is a pseudonym for this email but is the machine name for the 
>server on my home network - is the LAN addr on my router)

>The auth log files have been rolled over several times in the last few 
>weeks and I have not unzipped them yet to see if any entries were 
>accepted but the most recent one is filled with unsuccessful attacks to 
>sshd on high port numbers, ie sshd[86417].
>My biggest concern is the message at the top of this email "server 
>/kernel: arp 00:11:43:4a:8d:18 is using my IP address", it 
>sounds scary.

>Can someone please give me some guidance as to how to determine whether 
>my machine is compromised?
>Thanks,  Graham/

>Kindness can be infectious - try it.

>Graham North
>Vancouver, BC
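As an added illustration (not code from either poster), here is a small script that pulls the two kernel arp messages quoted in this thread out of a /var/log/messages excerpt and flags MAC addresses that are not in a hand-maintained list of your own hardware; the log lines and the KNOWN_MACS inventory are constructed for the example, with the MAC addresses taken from the posts.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of /var/log/messages in the FreeBSD 4.x format quoted above.
SAMPLE_LOG = """\
Jan 15 13:47:32 server /kernel: arp: moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0
Jan 15 13:48:01 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
Jan 15 13:50:12 server sshd[86417]: Failed password for root from 10.0.0.99 port 4123 ssh2
"""

# Hypothetical inventory: MAC addresses of hardware we actually own on this LAN.
KNOWN_MACS: Set[str] = {"00:13:8f:4c:1b:41", "00:11:2f:0c:b1:0a"}

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# "arp: moved from <old> to <new> on <if>"; the colon after "arp" and an
# optional IP before "moved" are tolerated since syslog wording varies.
MOVED_RE = re.compile(rf"arp:? (?:\S+ )?moved from (?P<old>{MAC}) to (?P<new>{MAC}) on (?P<ifname>\w+)")
# "arp <mac> is using my IP address"
USING_RE = re.compile(rf"arp:? (?P<mac>{MAC}) is using my IP address")


def parse_arp_events(log_text: str) -> List[Dict[str, str]]:
    """Extract kernel arp events; other lines (e.g. sshd failures) are ignored."""
    events: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = MOVED_RE.search(line)
        if m:
            events.append({"kind": "moved", "old": m["old"], "new": m["new"], "ifname": m["ifname"]})
            continue
        m = USING_RE.search(line)
        if m:
            events.append({"kind": "conflict", "mac": m["mac"]})
    return events


def classify(events: List[Dict[str, str]], known_macs: Set[str]) -> List[Tuple[str, str]]:
    """Rate each event: a move between known MACs is routine, a conflict from
    a MAC we do not own deserves a closer look at the LAN (and the router)."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if ev["kind"] == "moved":
            sev = "info" if ev["new"] in known_macs else "warning"
            findings.append((sev, f"ARP entry moved {ev['old']} -> {ev['new']} on {ev['ifname']}"))
        else:
            sev = "warning" if ev["mac"] in known_macs else "alert"
            findings.append((sev, f"{ev['mac']} claims our IP address (possible IP conflict)"))
    return findings


if __name__ == "__main__":
    for sev, msg in classify(parse_arp_events(SAMPLE_LOG), KNOWN_MACS):
        print(f"[{sev}] {msg}")
```

Run it against the real file with `python3 arpcheck.py < /var/log/messages` after replacing SAMPLE_LOG with `sys.stdin.read()`; an "alert" only says an unknown station answered for your address, not by itself that the host is rooted.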
