Rootkit detection

chris at chris at
Sun Jan 15 14:14:43 PST 2006

Some NSP's which are network service providers use private ip's and will
tend to give you those type of arp msg's if your are part of the network i
would say if nothing seem different either format and reinstall the damn
thing or fix it as to what i see your dont have a root kit as root kits
dont change your ip they just make a hole for a remote person to login
mostly if you are too concerned try adding ipfw,pf or a router to your
home network and format the bsd machine as ou ben asking here for some
> Hi again,
> Well check this....
> the message in my /var/log/messages is:
> "kernel: arp: moved from 00:13:8f:4c:1b:41 to
> 00:11:2f:0c:b1:0a on rl0"
> So Hmm now that i am thinking of it again:
> "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
> This also looks like an IP conflict!! And it is not similar to mine, even
> if it can be the same...
> Someone more experienced maybe can make this clear. To be honest i haven't
> seen the output you posted before...
> Sorry for the inconvenience if i was wrong before..
> Spiros
>>-----Original Message-----
>>From: Graham North <northg at>
>>To: freebsd-questions at
>>Date: Sun, 15 Jan 2006 12:23:08 -0800
>>Subject: Rootkit detection
>>I would like to determine if my server has had >rootkit installed by a
>>FBSD 4.11.   Main entrances are only http, ssh and >also webmin.
>>My server went down sometime recently.   When I went >investigate there
>>was a somewhat nasty message saying:
>>"server /kernel: arp 00:11:43:4a:8d:18 is using my
>>IP address
>>The mac address 00:11:43:4a:8d:18 does not belong to >any of my hardware.
>>("server" is a pseudonymn for this email but is the >machine name for the
>>server on my home network - is the LAN >addr on my router)
>>The auth log files have been rolled over several >times in the last few
>>weeks and I have not unzipped them yet to see if any >entries were
>>accepted but the most recent one is filled with >unsuccessful attacks to
>>sshd on high port numbers, ie sshd[86417].
>>My biggest concern is the message at the top of this >email "server
>>/kernel: arp 00:11:43:4a:8d:18 is using my IP >address", it
>>sounds scary.
>>Can someone give please me some guidance as to how >to determine whether
>>my machine is comprimised?
>>Thanks,  Graham/
>>Kindness can be infectious - try it.
>>Graham North
>>Vancouver, BC
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at"

More information about the freebsd-questions mailing list