Hi Spyridon:

Thank you for your replies. I was able to install the chkrootkit port and it seems to show the system as clean.
To all other replies, thank you for your help also.
Cheers,  Graham/


SPYRIDON PAPADOPOULOS wrote:

Hi again,

Well, check this...
The message in my /var/log/messages is:
"kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0"

So, hmm, now that I am thinking of it again:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"
This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
Someone more experienced can maybe make this clear. To be honest, I haven't seen the output you posted before...

Sorry for the inconvenience if I was wrong before..

Spiros


-----Original Message-----
From: Graham North <[EMAIL PROTECTED]>
To: freebsd-questions@freebsd.org
Date: Sun, 15 Jan 2006 12:23:08 -0800
Subject: Rootkit detection

I would like to determine if my server has had a rootkit installed by a hacker.
FBSD 4.11.   Main entrances are only http, ssh and also webmin.

My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:

"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"

The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware.
("server" is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)

The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, i.e. sshd[86417]. My biggest concern is the message at the top of this email, "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"; it sounds scary.

Can someone please give me some guidance as to how to determine whether my machine is compromised?
Thanks,  Graham/

--
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca
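
An added example, not part of the original thread: a small Python parser for the two kernel ARP messages quoted above that lists every MAC address not found in a local hardware inventory, which is the check Graham describes doing by hand. The timestamps, the sshd line, and the `KNOWN_MACS` inventory are constructed for illustration.

```python
import re
from collections import namedtuple

ArpEvent = namedtuple("ArpEvent", "kind ip macs iface")

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9a-f:]{17}"
# "arp: <ip> moved from <old mac> to <new mac> on <iface>"
MOVED = re.compile(
    rf"arp:?\s+(?P<ip>{IP}) moved from (?P<old>{MAC}) to (?P<new>{MAC})"
    r" on (?P<iface>\S+)", re.I)
# "arp <mac> is using my IP address <ip>" (another host answers for our own IP)
CONFLICT = re.compile(
    rf"arp:?\s+(?P<mac>{MAC}) is using my IP address (?P<ip>{IP})", re.I)

# Constructed log lines: the two messages from the thread plus one unrelated line.
SAMPLE_LINES = [
    "Jan 15 10:02:11 host /kernel: arp: 192.168.2.34 moved from "
    "00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0",
    "Jan 15 10:05:40 server sshd[86417]: Failed password for root",
    "Jan 15 11:47:03 server /kernel: arp 00:11:43:4a:8d:18 is using my "
    "IP address 192.168.0.102",
]
# Constructed inventory of MACs the administrator owns (assumption).
KNOWN_MACS = {"00:13:8F:4C:1B:41"}


def parse_arp_events(lines):
    """Return an ArpEvent for each 'moved' or 'is using my IP' line."""
    events = []
    for line in lines:
        m = MOVED.search(line)
        if m:
            macs = (m["old"].lower(), m["new"].lower())
            events.append(ArpEvent("moved", m["ip"], macs, m["iface"]))
            continue
        m = CONFLICT.search(line)
        if m:
            events.append(ArpEvent("conflict", m["ip"], (m["mac"].lower(),), None))
    return events


def unknown_macs(events, known):
    """MACs seen in ARP events that are absent from the inventory."""
    known = {k.lower() for k in known}
    return sorted({mac for e in events for mac in e.macs if mac not in known})


if __name__ == "__main__":
    for mac in unknown_macs(parse_arp_events(SAMPLE_LINES), KNOWN_MACS):
        print("not in inventory:", mac)
```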




_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions