From owner-freebsd-questions@FreeBSD.ORG Sun Jan 15 21:29:37 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B141316A422 for ; Sun, 15 Jan 2006 21:29:37 +0000 (GMT) (envelope-from SP373@student.apu.ac.uk)
Received: from mailhub-out.apu.ac.uk (mailhub-out.apu.ac.uk [193.63.55.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id B420643D6B for ; Sun, 15 Jan 2006 21:29:29 +0000 (GMT) (envelope-from SP373@student.apu.ac.uk)
Received: from smtp.cam.apu.ac.uk ([193.63.55.9]:53242) by mailhub.anglia.ac.uk with esmtp (Exim 4.50) id 1EyFRE-0000Cg-BZ for freebsd-questions@freebsd.org; Sun, 15 Jan 2006 21:29:24 +0000
Received: from cam-netmail.netware.anglia.ac.uk ([194.83.45.141]:8911 helo=student.apu.ac.uk) by boswell.cam.apu.ac.uk with esmtp (Exim 4.50) id 1EyFO5-0004VR-S6 for freebsd-questions@freebsd.org; Sun, 15 Jan 2006 21:26:09 +0000
Received: from SP373 [172.200.200.202] by student.apu.ac.uk with NetMail ModWeb Module; Sun, 15 Jan 2006 21:26:04 +0000
From: "SPYRIDON PAPADOPOULOS"
To: northg@shaw.ca
Date: Sun, 15 Jan 2006 21:26:04 +0000
X-Mailer: NetMail ModWeb Module
X-Sender: SP373
MIME-Version: 1.0
Message-ID: <1137360364.1a943c0SP373@student.apu.ac.uk>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-ARU-HELO: smtp.cam.apu.ac.uk
X-ARU-sender-host: smtp.cam.apu.ac.uk [193.63.55.9]:53242
X-ARU-MailScanner-Info: see http://www.apu.ac.uk/mail-problems
X-ARU-MailScanner: Found to be clean
X-ARU-SpamCheck: not spam, SpamAssassin (score=-5.243, required 6, autolearn=not spam, ARU_FROM_AC_UK -4.00, AWL 1.22, BAYES_00 -2.60, FORGED_RCVD_HELO 0.14)
X-ARU-MailScanner-From: sp373@student.apu.ac.uk
X-APU-MailFilter: message scanned
X-ARU-MailFilter: message scanned
Cc: freebsd-questions@freebsd.org
Subject: Re: Rootkit detection
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: SP373@student.apu.ac.uk
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 15 Jan 2006 21:29:37 -0000

Hi there,

Graham North wrote:

>-----Original Message-----
>From: Graham North
>To: freebsd-questions@freebsd.org
>Date: Sun, 15 Jan 2006 12:23:08 -0800
>Subject: Rootkit detection
>
>I would like to determine if my server has had a rootkit installed by a
>hacker.
>FBSD 4.11. Main entrances are only http, ssh and also webmin.
>My server went down sometime recently. When I went to investigate there
>was a somewhat nasty message saying:
>"server /kernel: arp 00:11:43:4a:8d:18 is using my IP address
>192.168.0.102"

This message is suspicious! This is a message that appears after a successful ARP poisoning attack, which can then lead to a MITM (Man in the middle <-- type this in google for more info) attack.

If this is the case then all your unencrypted data to/from this host was available to the attacker in a human legible format (plain text). "Information leakage" is covered by Data Protection Laws (depending on the country your pc is in).

If the man in the middle attack was successful..then all your unencrypted passwords, e-mails, chats, searched strings in google, were available to such an attacker.

If this is the case then there is no need for installed software of any kind in your computer.

There are more chances that it is someone from inside. First ask yourself if it is possible for people to connect laptops or other machines without your permission to your LAN? Maybe this is why you don't know this MAC address. Also, if you announce this event to everyone using your Network (is it a LAN we are talking about, behind the server?) you decrease the chances to catch the leaker.

I have tried such tools before but in my -->LAN<-- only, not against hosts in the internet. So I don't really know if this can occur and with what tools, but I find it very possible..

Also, in order not to panic, have in mind that data to/from your bank's account [online], for example, are/must be (almost for sure) encrypted with TLSv1/SSLv3 128bit encryption which is probably safe (hopefully) at the moment.

Of course some older encryption techniques can be decrypted with the right tools.

I am not an expert in cryptography and decryption, but please check: http://ettercap.sourceforge.net to see what I mean.

>The mac address 00:11:43:4a:8d:18 does not belong to any of my hardware.
>("server" is a pseudonym for this email but is the machine name for the
>server on my home network - 192.68.0.102 is the LAN addr on my router)
>The auth log files have been rolled over several times in the last few
>weeks and I have not unzipped them yet to see if any entries were
>accepted but the most recent one is filled with unsuccessful attacks to
>sshd on high port numbers, ie sshd[86417].
>My biggest concern is the message at the top of this email "server
>/kernel: arp 00:11:43:4a:8d:18 is using my IP address 192.168.0.102", it
>sounds scary.

It is cool...!

>Can someone please give me some guidance as to how to determine whether
>my machine is compromised?
>Thanks, Graham
>--
>Kindness can be infectious - try it.
>Graham North
>Vancouver, BC
>www.soleado.ca
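The thread turns on a single kernel log line: the FreeBSD ARP warning that another MAC is claiming the server's own IP address. A defender who wants to act on such warnings rather than notice them by chance can parse them out of syslog and compare the claiming MAC against an inventory of known hardware. The following is an added example written for this page, not code from the thread or from FreeBSD; it handles the "is using my IP address" message as quoted above (with or without the colon after "arp") and, as an assumption about the newer kernel wording, an "arp: <ip> moved from <mac> to <mac> on <if>" form. The inventory and the log excerpt are constructed sample data; the MAC 00:11:43:4a:8d:18 and the address 192.168.0.102 are the ones from the thread.

```python
"""
Added example (not from the mailing-list thread): a small defender-side
parser that scans FreeBSD syslog lines for kernel ARP warnings and flags
any claiming MAC that is not in an inventory of known hardware.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

_MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# The warning quoted in the thread: "arp" with or without a trailing colon.
_USING_RE = re.compile(
    rf"arp:?\s+(?P<mac>{_MAC})\s+is using my IP address\s+(?P<ip>{_IP})",
    re.IGNORECASE,
)
# Assumed wording of the newer "moved" warning; not quoted in the thread.
_MOVED_RE = re.compile(
    rf"arp:?\s+(?P<ip>{_IP})\s+moved from\s+(?P<old>{_MAC})\s+to\s+(?P<new>{_MAC})",
    re.IGNORECASE,
)


@dataclass
class ArpEvent:
    kind: str               # "duplicate_ip" or "mac_changed"
    ip: str                 # address being claimed
    mac: str                # MAC now claiming the address
    old_mac: Optional[str]  # previous MAC, for "mac_changed" events only
    known: bool             # True if `mac` is in the hardware inventory
    raw: str                # the original log line, kept for the analyst


def parse_arp_event(line: str, inventory: Iterable[str]) -> Optional[ArpEvent]:
    """Return an ArpEvent for a kernel ARP warning, or None for any other line."""
    known = {m.lower() for m in inventory}
    m = _USING_RE.search(line)
    if m:
        mac = m.group("mac").lower()
        return ArpEvent("duplicate_ip", m.group("ip"), mac, None, mac in known, line)
    m = _MOVED_RE.search(line)
    if m:
        new = m.group("new").lower()
        return ArpEvent("mac_changed", m.group("ip"), new,
                        m.group("old").lower(), new in known, line)
    return None


def scan_log(lines: Iterable[str], inventory: Iterable[str]) -> List[ArpEvent]:
    """Collect every ARP warning from a syslog stream, in order."""
    events: List[ArpEvent] = []
    for line in lines:
        ev = parse_arp_event(line, inventory)
        if ev is not None:
            events.append(ev)
    return events


def unknown_mac_alerts(events: Iterable[ArpEvent]) -> List[ArpEvent]:
    """Keep only the warnings where the claiming MAC is not our own hardware."""
    return [e for e in events if not e.known]


# Constructed sample data: two made-up MACs for the operator's own hosts and
# a short syslog excerpt.  Only the first MAC/IP pair comes from the thread.
KNOWN_HARDWARE = ["00:0c:29:aa:bb:cc", "00:50:56:11:22:33"]
SAMPLE_LOG = [
    "Jan 15 03:12:07 server sshd[86417]: Failed password for invalid user test",
    "Jan 15 03:12:09 server /kernel: arp: 00:11:43:4a:8d:18 is using my IP address 192.168.0.102!",
    "Jan 15 03:12:11 server /kernel: arp: 192.168.0.50 moved from 00:50:56:11:22:33 to 00:0c:29:aa:bb:cc on fxp0",
    "Jan 15 03:12:40 server /kernel: arp: 192.168.0.1 moved from 00:50:56:11:22:33 to 00:11:43:4a:8d:18 on fxp0",
]

if __name__ == "__main__":
    for e in unknown_mac_alerts(scan_log(SAMPLE_LOG, KNOWN_HARDWARE)):
        print(f"ALERT {e.kind}: {e.ip} now claimed by unknown MAC {e.mac}")
```

Run against the sample excerpt, the script flags the duplicate-IP warning and the gateway address moving to the unknown MAC, while the change between two inventoried MACs is parsed but not alerted on. On a real host the inventory would be the MACs of the machines the operator actually owns, and the log input would be /var/log/messages; an entry for an address that then moves to a MAC outside the inventory is exactly the event the original poster was asking about.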