Re: Rootkit detection

2006-01-16 Thread Graham North

Hi Spyridon:

Thank you for your replies. I was able to install the chkrootkit port and it seems to show the system as clean.

To all other replies, thank you for your help also.
Cheers,  Graham/


SPYRIDON PAPADOPOULOS wrote:

Hi again,

Well, check this: the message in my /var/log/messages is:
kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0

So, hmm, now that I am thinking of it again:

server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102

This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...

Sorry for the inconvenience if I was wrong before..

Spiros


-Original Message-
From: Graham North [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Date: Sun, 15 Jan 2006 12:23:08 -0800
Subject: Rootkit detection

I would like to determine if my server has had a rootkit installed by a hacker.

FBSD 4.11. Main entrances are only http, ssh and also webmin.

My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:

server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102

The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware.
(server is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)

The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, i.e. sshd[86417].
My biggest concern is the message at the top of this email, "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"; it sounds scary.

Can someone please give me some guidance as to how to determine whether my machine is compromised?

Thanks, Graham/

--
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca


--
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Rootkit detection

2006-01-15 Thread Graham North
I would like to determine if my server has had a rootkit installed by a hacker.

FBSD 4.11. Main entrances are only http, ssh and also webmin.

My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:

server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102

The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware.
(server is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)

The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, i.e. sshd[86417].
My biggest concern is the message at the top of this email, "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"; it sounds scary.

Can someone please give me some guidance as to how to determine whether my machine is compromised?

Thanks, Graham/

--
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca


Re: Rootkit detection

2006-01-15 Thread SPYRIDON PAPADOPOULOS
Hi there,

Graham North wrote:

-Original Message-
From: Graham North [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Date: Sun, 15 Jan 2006 12:23:08 -0800
Subject: Rootkit detection

I would like to determine if my server has had a rootkit installed by a hacker.
FBSD 4.11. Main entrances are only http, ssh and also webmin.

My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:

server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102

This message is suspicious! This is a message that appears after a successful ARP poisoning attack, which can then lead to a MITM (Man in the middle -- type this in Google for more info) attack.
If this is the case then all your unencrypted data to/from this host was available to the attacker in a human legible format (plain text). Information leakage is covered by Data Protection Laws (depending on the country your PC is in).
If the man in the middle attack was successful..then all your unencrypted passwords, e-mails, chats, searched strings in Google, were available to such an attacker.
If this is the case then there is no need for installed software of any kind in your computer.

There are more chances that it is someone from inside. First ask yourself if it is possible for people to connect laptops or other machines, without your permission, to your LAN? Maybe this is why you don't know this MAC address.
Also, if you announce this event to everyone using your network (is it a LAN we are talking about, behind the server?) you decrease the chances to catch the leaker.

I have tried such tools before but in my --LAN-- only, not against hosts in the internet. So I don't really know if this can occur and with what tools, but I find it very possible..

Also, in order not to panic, have in mind that data to/from your bank's account [online], for example, are/must be (almost for sure) encrypted with TLSv1/SSLv3 128bit encryption, which is probably safe (hopefully) at the moment.
Of course some older encryption techniques can be decrypted with the right tools.
I am not an expert in cryptography and decryption, but please check:
http://ettercap.sourceforge.net
to see what I mean.

The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware.
(server is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)

The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, i.e. sshd[86417].
My biggest concern is the message at the top of this email, "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"; it sounds scary.

It is cool...!

Can someone please give me some guidance as to how to determine whether my machine is compromised?
Thanks, Graham/

--
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca




Re: Rootkit detection

2006-01-15 Thread SPYRIDON PAPADOPOULOS
Hi again,

Well, check this: the message in my /var/log/messages is:
kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0

So, hmm, now that I am thinking of it again:

server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102

This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...

Sorry for the inconvenience if I was wrong before..

Spiros


-Original Message-
From: Graham North [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Date: Sun, 15 Jan 2006 12:23:08 -0800
Subject: Rootkit detection

I would like to determine if my server has had a rootkit installed by a hacker.
FBSD 4.11. Main entrances are only http, ssh and also webmin.

My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:

server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102

The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware.
(server is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)

The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, i.e. sshd[86417].
My biggest concern is the message at the top of this email, "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"; it sounds scary.

Can someone please give me some guidance as to how to determine whether my machine is compromised?
Thanks, Graham/

--
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca

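The thread turns on telling the two kernel ARP messages apart: "is using my IP address" (another station claims this host's address, a conflict or a spoofing attempt) versus "moved from A to B" (a MAC change, harmless when it is a known NIC). The following is an added example, not code from the thread: it classifies such lines from /var/log/messages against a constructed inventory of IP-to-MAC pairs (the inventory and the sample log lines are assumptions built from the values quoted above).

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# The two FreeBSD kernel ARP messages quoted in the thread ("arp" with or
# without the colon, as the original paste shows it).
USING_MY_IP = re.compile(rf"arp:? (?P<mac>{MAC}) is using my IP address (?P<ip>{IP})", re.I)
MOVED = re.compile(rf"arp: (?P<ip>{IP}) moved from (?P<old>{MAC}) to (?P<new>{MAC})", re.I)

def triage_arp_log(lines, known):
    """Classify ARP kernel messages against an inventory of IP -> set of MACs.

    'is using my IP address': another station claims this host's address; a plain
    conflict if the MAC is in the inventory, otherwise possible spoofing (high).
    'moved from A to B': benign if B is an inventoried MAC for that IP (NIC swap,
    failover), suspicious otherwise (medium).  Unrelated lines are ignored.
    """
    findings = []
    for line in lines:
        m = USING_MY_IP.search(line)
        if m:
            ip, mac = m["ip"], m["mac"].lower()
            sev = "info" if mac in known.get(ip, set()) else "high"
            findings.append({"kind": "duplicate-ip", "ip": ip, "mac": mac, "severity": sev})
            continue
        m = MOVED.search(line)
        if m:
            ip, old, new = m["ip"], m["old"].lower(), m["new"].lower()
            sev = "info" if new in known.get(ip, set()) else "medium"
            findings.append({"kind": "mac-changed", "ip": ip, "old": old, "new": new, "severity": sev})
    return findings

# Constructed sample /var/log/messages lines built from the two messages quoted
# in the thread, plus a benign move back and an unrelated sshd line.
SAMPLE_LOG = [
    "Jan 15 11:58:02 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!",
    "Jan 15 12:01:10 server /kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0",
    "Jan 15 12:05:00 server /kernel: arp: 192.168.2.34 moved from 00:11:2f:0c:b1:0a to 00:13:8f:4c:1b:41 on rl0",
    "Jan 15 12:06:00 server sshd[86417]: Connection closed by 10.0.0.9",
]
# Constructed inventory (assumption): 00:00:00:00:00:01 stands in for the server's
# real NIC; 00:13:8f:4c:1b:41 is the MAC Spiros's host had before it "moved".
KNOWN = {"192.168.0.102": {"00:00:00:00:00:01"}, "192.168.2.34": {"00:13:8f:4c:1b:41"}}

if __name__ == "__main__":
    for finding in triage_arp_log(SAMPLE_LOG, KNOWN):
        print(finding)
```

Run against real logs, feed it the rotated files too, since the thread notes the logs had rolled over several times, and populate the inventory from your own hardware rather than the placeholder.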


Re: Rootkit detection

2006-01-15 Thread chris
Some NSPs, which are network service providers, use private IPs and will tend to give you those types of arp messages if you are part of the network. I would say, if nothing seems different, either format and reinstall the damn thing or fix it. As to what I see, you don't have a root kit, as root kits don't change your IP; they just make a hole for a remote person to login, mostly. If you are too concerned, try adding ipfw, pf or a router to your home network and format the BSD machine, as you've been asking here for some time.
Hi again,

Well, check this: the message in my /var/log/messages is:
kernel: arp: 192.168.2.34 moved from 00:13:8f:4c:1b:41 to 00:11:2f:0c:b1:0a on rl0

So, hmm, now that I am thinking of it again:

server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102

This also looks like an IP conflict!! And it is not similar to mine, even if it can be the same...
Someone more experienced maybe can make this clear. To be honest I haven't seen the output you posted before...

Sorry for the inconvenience if I was wrong before..

Spiros


-Original Message-
From: Graham North [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Date: Sun, 15 Jan 2006 12:23:08 -0800
Subject: Rootkit detection

I would like to determine if my server has had a rootkit installed by a hacker.
FBSD 4.11. Main entrances are only http, ssh and also webmin.

My server went down sometime recently. When I went to investigate there was a somewhat nasty message saying:

server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102

The MAC address 00:11:43:4a:8d:18 does not belong to any of my hardware.
(server is a pseudonym for this email but is the machine name for the server on my home network - 192.68.0.102 is the LAN addr on my router)

The auth log files have been rolled over several times in the last few weeks and I have not unzipped them yet to see if any entries were accepted, but the most recent one is filled with unsuccessful attacks to sshd on high port numbers, i.e. sshd[86417].
My biggest concern is the message at the top of this email, "server /kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102"; it sounds scary.

Can someone please give me some guidance as to how to determine whether my machine is compromised?
Thanks, Graham/

--
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca
