Re: I think I've been hacked...please help!

From: Hugo van der Kooij (hvdkooijat_private)
Date: Mon Apr 01 2002 - 00:45:27 PST


    On Sat, 30 Mar 2002, Joe Warner wrote:
    
    > I'm running FreeBSD 4.5-STABLE and I recently noticed some
    > unknown ARP activity on my Cable connection when I wasn't
    > running any programs or even logged into X.
    > 
    > I checked all the usual files for modification:
    > 
    > /etc/inetd.conf
    > /etc/rc.conf
    > /etc/crontab
    > /usr/local/etc/rc.d/
    > 
    > ..and didn't see anything unusual.
    
    Nice try. But if the rootkit is any good you have been using the rootkit to 
    find its presence. And that is something the rootkit will hide from you.
    
    The fact that you only have ARP requests does not mean a thing. And the 
    other attachment is DHCP traffic, which is probably the way you have 
    configured your Internet connection.
    
    So this sounds like hunting ghosts. And snort is NOT the best way to 
    trace traffic.
    
    If you suspect your machine is compromised you cannot rely on anything at 
    all from that machine! Boot from clean media (CD or write-protected 
    floppy) and investigate from there.
    
    Hugo.
    
    -- 
    All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
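
The procedure Hugo describes above, shown as an added shell example (not part of the original post, and not Hugo's or the list's own code): the suspect FreeBSD disk is mounted read-only and noexec from trusted boot media, and its files are compared against a baseline manifest of hashes that was produced earlier from the same release on clean media. Because every command runs from the clean environment and only reads the suspect filesystem as data, a rootkit installed on that disk gets no chance to filter what `ls`, `find` or the shell report. The mount point /mnt/suspect, the baseline file, the helper names and the tampered sample files in `demo` are all constructed for this illustration; the check also flags files that exist under the directories Joe listed (/etc, /usr/local/etc/rc.d) but appear in no baseline, since a hidden rc.d script is exactly what an on-host listing would conceal.

```shell
#!/bin/sh
# Offline integrity check, meant to run from trusted boot media after
#   mount -o ro,noexec,nosuid /dev/ad0s1a /mnt/suspect      (assumed device/path)
# All tools used come from the boot media, never from the suspect disk.

# Portable SHA-256 of one file: FreeBSD ships sha256(1), Linux sha256sum(1).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
    else openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# check_baseline ROOT BASELINE
# BASELINE holds lines "<sha256>  <path relative to ROOT>" taken from clean media.
# Prints MODIFIED/MISSING for each deviation; returns 1 if anything deviated.
check_baseline() {
    root=$1; baseline=$2; status=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue
        if [ ! -e "$root/$relpath" ]; then
            echo "MISSING  $relpath"; status=1; continue
        fi
        actual=$(hash_file "$root/$relpath")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath"; status=1
        fi
    done < "$baseline"
    return $status
}

# find_unlisted ROOT BASELINE DIR...
# Files present under the given directories that the baseline never mentions:
# new startup scripts, extra inetd helpers, anything dropped after the install.
find_unlisted() {
    root=$1; baseline=$2; shift 2
    for dir in "$@"; do
        find "$root/$dir" -type f 2>/dev/null | while read -r f; do
            rel=${f#"$root/"}
            awk -v p="$rel" '$2 == p { found = 1 } END { exit !found }' "$baseline" \
                || echo "UNLISTED $rel"
        done
    done
}

# demo: a constructed suspect root (not a real system) with a baseline taken
# before two simulated changes: an appended inetd.conf entry and a new rc.d
# script. Prints the findings the checks produce.
demo() {
    work=$(mktemp -d)
    root="$work/suspect"
    mkdir -p "$root/etc" "$root/usr/local/etc/rc.d"
    printf 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l\n' > "$root/etc/inetd.conf"
    printf 'sshd_enable="YES"\n' > "$root/etc/rc.conf"
    printf '# no extra jobs\n' > "$root/etc/crontab"
    : > "$work/baseline.txt"
    for rel in etc/inetd.conf etc/rc.conf etc/crontab; do
        printf '%s  %s\n' "$(hash_file "$root/$rel")" "$rel" >> "$work/baseline.txt"
    done
    # Simulated tampering that happened after the baseline was recorded.
    printf 'x stream tcp nowait root /tmp/.x/listener listener\n' >> "$root/etc/inetd.conf"
    printf '#!/bin/sh\n/tmp/.x/listener &\n' > "$root/usr/local/etc/rc.d/zz_update.sh"
    check_baseline "$root" "$work/baseline.txt" || true
    find_unlisted "$root" "$work/baseline.txt" etc usr/local/etc/rc.d
    rm -rf "$work"
}

demo
```

Against a real disk the calls would be `check_baseline /mnt/suspect /cdrom/baseline.txt` and `find_unlisted /mnt/suspect /cdrom/baseline.txt etc usr/local/etc/rc.d`, with the baseline built from install media of the identical release. The baseline must never be stored on the suspect machine, and a clean result only covers the files the baseline lists; kernel modules and the kernel itself belong in it too, since they are the first things a capable rootkit replaces.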
    



    This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 16:51:00 PST