ARP attack (ARP attack solution)

Source file address: http://www.heibai.net/articles/defense/fangyujiqiao/2010/0929/10229.html

If you find that the network is often disconnected or all pages of your website are infected with Trojans, but you can't find the trojan code when you go to the server and view the page source code, consider whether your machine or other machines in the same IP segment are infected with the ARP virus. In addition to installing the arpfirewall, you can also prevent it by binding the IP address and MAC address of the gateway. This method is applicable to Lan:

There is an ARP virus in your lan. It is disguised as a gateway, and you will access the Internet through the computer that is poisoned, then, it gets out of line to get the account password or something from another machine.
The following is a brief description of the manual processing method:
How to check and handle ARP spoofing Trojans
1. Check the local "ARP spoofing" Trojan infected process
Press ctrl and ALT on the keyboard, press del, select Task Manager, and click the process tab. Check whether there is a process named "mir0.dat. If yes, it indicates that it has been poisoned. Right-click the process and select "End Process ".
2. Check computers infected with Trojans infected with ARP Spoofing
Call the "command prompt" in the "Start"-"program"-"attachment" menu ". Enter and execute the following command:
Ipconfig
Record the IP address of the gateway, that is, the value corresponding to "Default Gateway", for example, "59.66.36.1 ". Run the following command:
ARP-
Find the IP address of the gateway recorded in the previous step under "Internet address" and record the corresponding physical address, that is, the value of "physical address", for example, "00-01-e8-1f-35-54 ". When the network is normal, this is the correct physical address of the Gateway. When the network is affected by the "ARP spoofing" Trojan, it is the physical address of the network card of the computer where the trojan is located.
You can also scan all IP addresses in the subnetwork and then check the ARP table. If the physical address corresponding to an IP address is the same as that of the gateway, the IP address and physical address are the IP address of the computer infected with viruses and the physical address of the network card.
3. Set ARP tables to avoid the impact of ARP spoofing on trojans
This method can reduce the impact of other computers of the Trojan on the machine to some extent. Use the method described above to determine the correct gateway IP address and gateway physical address, and then enter and execute the following command in the "command prompt" window:
ARP-s gateway IP Gateway physical address
4. Static ARP binding Gateway
Step 1:
When you can access the Internet, enter the MS-DOS window, enter the command: ARP-a, view the correct MAC address corresponding to the gateway IP address, and record it.
Note: if you cannot access the Internet, run the command ARP-D to delete the content in the ARP cache. The computer can temporarily restore the Internet (if the attack is not stopped ). Once you can access the Internet, immediately disconnect the network (disable the network adapter or unplug the network adapter), and then run ARP-.
Step 2:
If the computer already has the correct MAC address of the gateway, you only need to manually bind the gateway IP address to the correct MAC address when you cannot access the Internet to prevent computer spoofing attacks.
To manually bind, run the following command in the MS-DOS window:
ARP-s gateway IP Gateway Mac
For example, if the gateway of the computer's network segment is 192.168.1.1 and the local address is 192.168.1.5, run ARP-A on the computer and the output is as follows:
Cocuments and Settings> ARP-
Interface: 192.168.1.5 --- 0x2
Internet address physical address type
192.168.1.1 00-01-02-03-04-05 dynamic
Among them, 00-01-02-04-05 is the MAC address corresponding to the gateway 192.168.1.1, the type is dynamic (dynamic), so it can be changed.
After being attacked, use this command to check whether the Mac has been replaced with the MAC of the attacked machine. If you want to find the target machine and completely eradicate the attack, you can record the MAC at this time to prepare the machine for future search.
Manually bound commands are as follows:
ARP-s 192.168.1.1 00-01-02-03-04-05
After binding, you can use ARP-a to view the ARP cache:
Cocuments and Settings> ARP-
Interface: 192.168.1.5 --- 0x2
Internet address physical address type
192.168.1.1 00-01-02-03-04-05 static
In this case, the type changes to static and will no longer be affected by the attack.
However, it should be noted that the manual binding will expire after the computer is shut down and restarted. You need to re-bind the binding again. However, you can also write a batch for processing and drag it to start. The script is as follows:
@ Echo off
ARP-s192.168.1.1 00-01-02-03-04-05
End
Save the file as *. bat. Put it at startup.
To completely eradicate the attack, only computers infected with viruses in the network segment can be found and the virus can be killed.