chris at i13i.com
chris at i13i.com
Sun Jan 15 14:14:43 PST 2006
Some NSP's which are network service providers use private ip's and will
tend to give you those type of arp msg's if your are part of the network i
would say if nothing seem different either format and reinstall the damn
thing or fix it as to what i see your dont have a root kit as root kits
dont change your ip they just make a hole for a remote person to login
mostly if you are too concerned try adding ipfw,pf or a router to your
home network and format the bsd machine as ou ben asking here for some
> Hi again,
> Well check this....
> the message in my /var/log/messages is:
> "kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to
> 00:11:2f:0c:b1:0a on rl0"
> So Hmm now that i am thinking of it again:
> "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
> This also looks like an IP conflict!! And it is not similar to mine, even
> if it can be the same...
> Someone more experienced maybe can make this clear. To be honest i haven't
> seen the output you posted before...
> Sorry for the inconvenience if i was wrong before..
>>From: Graham North <northg at shaw.ca>
>>To: freebsd-questions at freebsd.org
>>Date: Sun, 15 Jan 2006 12:23:08 -0800
>>Subject: Rootkit detection
>>I would like to determine if my server has had >rootkit installed by a
>>FBSD 4.11. Main entrances are only http, ssh and >also webmin.
>>My server went down sometime recently. When I went >investigate there
>>was a somewhat nasty message saying:
>>"server /kernel: arp 00:11:43:4a:8d:18 is using my
>>The mac address 00:11:43:4a:8d:18 does not belong to >any of my hardware.
>>("server" is a pseudonymn for this email but is the >machine name for the
>>server on my home network - 126.96.36.199 is the LAN >addr on my router)
>>The auth log files have been rolled over several >times in the last few
>>weeks and I have not unzipped them yet to see if any >entries were
>>accepted but the most recent one is filled with >unsuccessful attacks to
>>sshd on high port numbers, ie sshd.
>>My biggest concern is the message at the top of this >email "server
>>/kernel: arp 00:11:43:4a:8d:18 is using my IP >address 192.168.0.102", it
>>Can someone give please me some guidance as to how >to determine whether
>>my machine is comprimised?
>>Kindness can be infectious - try it.
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions