Many Computers in the organization suddenly cannot access the Internet. This situation occurs on multiple computers, and many computers are XP
SP2 system, and the firewall is enabled. But after careful observation, we found that most computers have enabled the file and printer sharing service, because the ports 137, 138, 139, and 445 opened by this service are exactly
It is recommended that you do not open the port frequently used by viruses, or disable the port of the service on the firewall settings.
Some of today's users cannot access the Internet, which is different from the previous collective paralysis. The symptoms are not obvious after a period of time with sniffer, which is now a popular ARP spoofing Trojan.
Find a computer that cannot access the Internet, run cmd, enter ARP-a to find multiple addresses, and the Mac corresponding to different IP addresses is the same, therefore, it is basically determined that ARP spoofing is in progress. The following describes how to handle this situation: 1. First enter Command Line Mode 2. Then run the ARP-a command, which is used to view the current ARP table, you can confirm that the gateway and the corresponding MAC address will normally display a message similar to the following: interface: 192.168.1.5 --- 0x2 Internet address physical address type192.168.1.1 00-01-02-03-04-05 dynamic if 192.168.1.1 is a gateway, then 00-01-02-04-05 is the MAC address of the gateway server Nic, check whether the MAC address is the same as the MAC address of the Real Server Nic. If the MAC address is different, it is spoofed and the user cannot access the Internet. However, a computer that has been spoofed may have multiple IP addresses with the same MAC address. Remember to write down the wrong MAC address corresponding to the gateway IP address. This address may be a computer with a Trojan Horse. This will facilitate the subsequent detection and removal. 3. After confirmation, enter the ARP-D command to delete the ARP table of the current computer, so that you can recreate the ARP table. 4. Bind the correct ARP gateway, enter ARP-s 192.168.1.1 00-0e-18-34-0d-56 5, and use ARP-a to View Interface: 192.168.1.5 --- 0x2 Internet address physical address type192.168.1.1 00-0e-18-34-0d-56 static, if the type changes to static, it will not be affected by the attack. Now this computer can access the Internet, but to completely solve the problem, you need to find the computer where the trojan is located (generally the computer that spoofs the MAC of the gateway ), it can be solved only after it is Antivirus
To solve the problem, we recommend that you use Qihoo security guard and Trojan Horse scanning and removal software such as wooden marker, because many anti-virus software cannot find the current Trojan Horse. The specific detection and removal process also involves all system knowledge and Processing
Here, we will not detail the table. Finally, we will introduce ARP spoofing Trojans, which are generally popular game account theft Trojans. The principle is: when a host in the LAN runs ARP spoofing Trojans Program All Hosts and routers in the LAN are spoofed so that all Internet traffic must pass through the virus host. Other users directly access the Internet through the vro and now access the Internet through the virus host. When switching, the user will be disconnected once.
After you switch to the virus host to access the Internet, if you have logged on to the legendary server, the virus host will often forge broken line images, so you have to log on to the legendary server again, in this way, the virus host can steal the number.