Rootkit detection

Graham North northg at shaw.ca
Mon Jan 16 00:20:22 PST 2006


Hi Spyridon:

Thank you for your replies.   I was able to install the chkrootkit port 
and it seems to show the system as clean.
To all other replies, thank you for your help also.
Cheers,  Graham/


SPYRIDON PAPADOPOULOS wrote:

> Hi again,
>
> Well check this....
> the message in my /var/log/messages is:
> "kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"
>
> So Hmm now that i am thinking of it again:
>
> "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"
>
> This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
> Someone more experienced maybe can make this clear. To be honest i haven't seen the output you posted before...
>
> Sorry for the inconvenience if i was wrong before..
>
> Spiros
>
>> -----Original Message-----
>> From: Graham North <northg at shaw.ca>
>> To: freebsd-questions at freebsd.org
>> Date: Sun, 15 Jan 2006 12:23:08 -0800
>> Subject: Rootkit detection
>>
>> I would like to determine if my server has had a rootkit installed by a hacker.
>> FBSD 4.11. Main entrances are only http, ssh and also webmin.
>>
>> My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:
>>
>> "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"
>>
>> The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>> ("server" is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)
>>
>> The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, ie sshd[86417].
>> My biggest concern is the message at the top of this email "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it sounds scary.
>>
>> Can someone please give me some guidance as to how to determine whether my machine is compromised?
>> Thanks, Graham/
>>
>> --
>> Kindness can be infectious - try it.
>>
>> Graham North
>> Vancouver, BC
>> www.soleado.ca

-- 
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca
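The thread turns on two FreeBSD kernel arp messages: "is using my IP address", which the kernel logs when another host's ARP traffic claims the server's own address (a duplicate-IP condition, whether from a misconfigured device or something deliberate), and "moved from ... to", logged when the cached MAC for some other IP changes. The following is an added example, not code from the thread or from FreeBSD: it scans syslog lines for both message shapes and checks every MAC that appears against an inventory of the operator's own hardware, which is exactly the question Graham was asking ("does not belong to any of my hardware"). The sample log lines and the inventory are constructed, modelled on the messages quoted above.

```python
import re
from collections import Counter

# Two FreeBSD kernel arp message shapes quoted in the thread. Older kernels
# write "arp " without the colon, so the colon is optional in both patterns.
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
USING_RE = re.compile(rf"arp:?\s+(?P<mac>{MAC}) is using my IP address (?P<ip>{IP})", re.I)
MOVED_RE = re.compile(rf"arp:?\s+(?P<ip>{IP}) moved from (?P<old>{MAC}) to (?P<new>{MAC}) on (?P<iface>\w+)", re.I)

def audit_arp_messages(lines, known_macs):
    """One finding per arp message; 'known' says whether the MAC that showed
    up is in the operator's hardware inventory. Non-arp lines are ignored."""
    known = {m.lower() for m in known_macs}
    findings = []
    for line in lines:
        m = USING_RE.search(line)
        if m:
            mac = m.group("mac").lower()
            findings.append({"kind": "ip_conflict", "ip": m.group("ip"),
                             "mac": mac, "known": mac in known})
            continue
        m = MOVED_RE.search(line)
        if m:
            new = m.group("new").lower()
            findings.append({"kind": "mac_change", "ip": m.group("ip"), "mac": new,
                             "iface": m.group("iface"), "known": new in known})
    return findings

def unknown_macs(findings):
    """MACs seen in arp messages that are not inventoried hardware."""
    return {f["mac"] for f in findings if not f["known"]}

def conflict_counts(findings):
    """How often each MAC claimed our own IP. A claim that repeats means the
    other host is still on the LAN with that address, not a one-off glitch."""
    return Counter(f["mac"] for f in findings if f["kind"] == "ip_conflict")

# Constructed sample log, modelled on the two messages quoted in the thread.
SAMPLE_LOG = """\
Jan 15 11:02:17 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102
Jan 15 11:02:19 server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102
Jan 15 11:40:03 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0
Jan 15 12:00:00 server sshd[86417]: Connection closed by 10.0.0.5
""".splitlines()
# Constructed inventory: MACs the operator knows belong to their own hardware.
KNOWN_MACS = {"00:13:8f:4c:1b:41", "00:0d:88:aa:bb:cc"}
```

Run it over the real /var/log/messages (and the rotated copies) with the site's own MAC inventory; an unknown MAC that repeatedly claims the server's IP is the item to chase down on the switch or router, while chkrootkit answers the separate question of whether the host itself was modified.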

