Rootkit detection
Graham North
northg at shaw.ca
Mon Jan 16 00:20:22 PST 2006
Hi Spyridon:
Thank you for your replies. I was able to install the chkrootkit port
and it seems to show the system as clean.
To all other replies, thank you for your help also.
Cheers, Graham/
SPYRIDON PAPADOPOULOS wrote:
>Hi again,
>
>Well check this....
>the message in my /var/log/messages is:
>"kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"
>
>So Hmm now that I am thinking of it again:
>
>"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
>192.168.0.102"
>
>This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
>Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...
>
>Sorry for the inconvenience if I was wrong before..
>
>Spiros
>
>>-----Original Message-----
>>From: Graham North <northg at shaw.ca>
>>To: freebsd-questions at freebsd.org
>>Date: Sun, 15 Jan 2006 12:23:08 -0800
>>Subject: Rootkit detection
>>
>>I would like to determine if my server has had rootkit installed by a
>>hacker.
>>FBSD 4.11. Main entrances are only http, ssh and also webmin.
>>
>>My server went down sometime recently. When I went to investigate there
>>was a somewhat nasty message saying:
>>
>>"server /kernel: arp 00:11:43:4a:8d:18 is using my
>>IP address
>>192.168.0.102"
>>
>>The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>>("server" is a pseudonym for this email but is the machine name for the
>>server on my home network - 192.68.0.102 is the LAN addr on my router)
>>
>>The auth log files have been rolled over several times in the last few
>>weeks and I have not unzipped them yet to see if any entries were
>>accepted but the most recent one is filled with unsuccessful attacks to
>>sshd on high port numbers, i.e. sshd[86417].
>>My biggest concern is the message at the top of this email "server
>>/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it
>>sounds scary.
>>
>>Can someone please give me some guidance as to how to determine whether
>>my machine is compromised?
>>Thanks, Graham/
>>
>>--
>>Kindness can be infectious - try it.
>>
>>Graham North
>>Vancouver, BC
>>www.soleado.ca
--
Kindness can be infectious - try it.
Graham North
Vancouver, BC
www.soleado.ca
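The two kernel ARP messages quoted in this thread can be checked mechanically against a list of MAC addresses you actually own, which separates a plain IP conflict from an unknown host answering for your address. This is an added example, not code from the thread or from chkrootkit; the log lines are constructed from the messages quoted above and the KNOWN_MACS inventory is a hypothetical one you would fill in from your own hardware.

```python
import re

# Constructed /var/log/messages lines modelled on the two ARP messages quoted
# in the thread ("server" is the hostname pseudonym used in the original post).
SAMPLE_LOG = """\
Jan 14 03:12:01 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0
Jan 14 03:15:44 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102
Jan 14 03:16:02 server sshd[86417]: Failed password for invalid user admin from 10.0.0.5 port 54321 ssh2
"""

# Hypothetical inventory of MAC addresses that belong to your own hardware (assumption).
KNOWN_MACS = {"00:13:8f:4c:1b:41", "00:11:2f:0c:b1:0a"}

# "arp: <ip> moved from <old mac> to <new mac> on <iface>": the ARP entry changed.
MOVED_RE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+) on (\S+)")
# "arp <mac> is using my IP address <ip>": another host answers for one of our IPs.
DUP_RE = re.compile(r"arp (\S+) is using my IP address (\S+)")


def parse_arp_events(log_text):
    """Return a list of dicts, one per ARP event found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = MOVED_RE.search(line)
        if m:
            ip, old_mac, new_mac, iface = m.groups()
            events.append({"kind": "moved", "ip": ip, "old_mac": old_mac.lower(),
                           "new_mac": new_mac.lower(), "iface": iface})
            continue
        m = DUP_RE.search(line)
        if m:
            mac, ip = m.groups()
            events.append({"kind": "duplicate_ip", "mac": mac.lower(), "ip": ip})
    return events


def classify(events, known_macs):
    """Flag events whose (new) MAC is not in the inventory as (kind, ip, mac)."""
    findings = []
    for ev in events:
        mac = ev["mac"] if ev["kind"] == "duplicate_ip" else ev["new_mac"]
        if mac not in known_macs:
            findings.append((ev["kind"], ev["ip"], mac))
    return findings


def check_log(log_text=SAMPLE_LOG, known_macs=KNOWN_MACS):
    """Parse the log and return only the events involving an unknown MAC."""
    return classify(parse_arp_events(log_text), known_macs)


if __name__ == "__main__":
    for kind, ip, mac in check_log():
        print(f"{kind}: {ip} claimed by unknown MAC {mac}")
```

A "moved" event whose new MAC is in the inventory is ordinary (a NIC swap or DHCP lease change); a "duplicate_ip" event from an unknown MAC is the one worth tracking down on the switch, and it says nothing by itself about whether the server's own software is compromised.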