When an ARP virus attack occurs, the poisoned computer forges the MAC address of another computer. If the forged address is that of the gateway server, the entire network is affected: users experience brief, repeated disconnections when accessing the Internet.
The IP addresses in this example are assumed. For the actual IP addresses, ask in or join the group 13770791.
1. Open a command prompt (or MS-DOS window) on any client and run arp -a to view the ARP cache:
C:\WINNT\system32> arp -a
Interface: 192.168.100.93 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.100.1         00-50-00008a-62-2c    dynamic
  192.168.100.23        00-11-2f-43-81-8b     dynamic
  192.168.100.24        00-50-00008a-62-2c    dynamic
  192.168.100.25        00-05-5d-ff-a8-87     dynamic
  192.168.100.200       00-50-ba-fa-59-fe     dynamic
Two entries share the same MAC address. Checking the machines themselves shows that 00-50-00008a-62-2c is the MAC address of 192.168.0.24, while the real MAC address of 192.168.100.1 is 00-02-ba-0b-04-32. So 192.168.100.24 is the virus-infected machine: it is spoofing the MAC address of 192.168.100.1.
2. Open a command prompt (or MS-DOS window) on 192.168.100.24 and run arp -a:
C:\WINNT\system32> arp -a
Interface: 192.168.100.24 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.100.1         00-02-ba-0b-04-32     dynamic
  192.168.100.23        00-11-2f-43-81-8b     dynamic
  192.168.100.25        00-05-5d-ff-a8-87     dynamic
  192.168.100.193       00-11-2f-b2-9d-17     dynamic
  192.168.100.200       00-50-ba-fa-59-fe     dynamic
The MAC addresses displayed on the infected machine are all correct, but the machine runs slowly. This is most likely because all traffic on the LAN is being forwarded through it at layer 2. After the infected machine is restarted, no computer can access the Internet; connectivity returns only once the other hosts' ARP caches refresh the gateway's MAC address, which usually takes 2 or 3 minutes.
3. If you can open a command window on the gateway host, run arp -a there; you will see something like the following:
C:\WINNT\system32> arp -a
Interface: 192.168.100.1 on Interface 0x1000004
  Internet Address      Physical Address      Type
  192.168.100.23        00-50-00008a-62-2c    dynamic
  192.168.100.24        00-50-00008a-62-2c    dynamic
  192.168.100.25        00-50-00008a-62-2c    dynamic
  192.168.100.193       00-50-00008a-62-2c    dynamic
  192.168.100.200       00-50-00008a-62-2c    dynamic
When no attack is in progress, the ARP table on the proxy server looks like this:
C:\WINNT\system32> arp -a
Interface: 192.168.100.1 on Interface 0x1000004
  Internet Address      Physical Address      Type
  192.168.0.23          00-11-2f-43-81-8b     dynamic
  192.168.100.24        00-50-00008a-62-2c    dynamic
  192.168.100.25        00-05-5d-ff-a8-87     dynamic
  192.168.100.193       00-11-2f-b2-9d-17     dynamic
  192.168.100.200       00-50-ba-fa-59-fe     dynamic
During the attack, the MAC addresses of all IP addresses in the gateway's table have been changed to 00-50-00008a-62-2c. Under normal conditions every IP address shows its own, distinct MAC address.
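The two signs the article has you look for by eye, one MAC address listed under several IP addresses and a gateway entry that does not match the gateway's real MAC, can be checked automatically from saved `arp -a` output. The following script is an added example, not part of the original article; the two tables it contains are constructed to resemble the article's listings (the MAC addresses in them are placeholders, and the gateway MAC is the one the article reads with ipconfig /all). The function names are this example's own.

```python
"""Spot ARP-cache poisoning in saved `arp -a` output (added example, not the article's own code).

Two checks, mirroring the article's manual inspection:
  1. one MAC address appearing under more than one IP address;
  2. the gateway's entry differing from the gateway's known real MAC.
The sample tables are constructed for this example; MACs are placeholders.
"""
import re
from collections import defaultdict

# One `arp -a` row on Windows: IP, MAC in dash notation, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)"
)

# Constructed: what a client sees during the attack (the gateway entry is poisoned).
POISONED_CLIENT_VIEW = """\
Interface: 192.168.100.93 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.100.1         00-50-00-08-8a-2c     dynamic
  192.168.100.23        00-11-2f-43-81-8b     dynamic
  192.168.100.24        00-50-00-08-8a-2c     dynamic
  192.168.100.25        00-05-5d-ff-a8-87     dynamic
  192.168.100.200       00-50-ba-fa-59-fe     dynamic
"""

# Constructed: the same client's table when no attack is under way.
CLEAN_CLIENT_VIEW = """\
Interface: 192.168.100.93 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.100.1         00-02-ba-0b-04-32     dynamic
  192.168.100.23        00-11-2f-43-81-8b     dynamic
  192.168.100.24        00-50-00-08-8a-2c     dynamic
  192.168.100.25        00-05-5d-ff-a8-87     dynamic
  192.168.100.200       00-50-ba-fa-59-fe     dynamic
"""

GATEWAY_IP = "192.168.100.1"
GATEWAY_MAC = "00-02-ba-0b-04-32"   # read with `ipconfig /all` on the gateway itself


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` text; MACs are lower-cased so they compare reliably."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, mac, _entry_type = m.groups()
            table[ip] = mac.lower()
    return table


def find_shared_macs(table):
    """Return {mac: [ips...]} for every MAC that appears under more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(table, gateway_ip=GATEWAY_IP, expected_mac=GATEWAY_MAC):
    """Return None when the gateway entry is correct (or absent), else (observed, expected)."""
    observed = table.get(gateway_ip)
    if observed is None or observed == expected_mac.lower():
        return None
    return observed, expected_mac.lower()


def suspected_spoofers(table, gateway_ip=GATEWAY_IP, expected_mac=GATEWAY_MAC):
    """IPs (other than the gateway) whose MAC equals the bogus MAC now shown for the gateway."""
    mismatch = check_gateway(table, gateway_ip, expected_mac)
    if mismatch is None:
        return []
    bogus = mismatch[0]
    return sorted(ip for ip, mac in table.items() if mac == bogus and ip != gateway_ip)


def report(text):
    """Summarise one `arp -a` capture; prints and returns the finding lines."""
    table = parse_arp_table(text)
    lines = []
    for mac, ips in find_shared_macs(table).items():
        lines.append(f"MAC {mac} is claimed by {len(ips)} hosts: {', '.join(ips)}")
    mismatch = check_gateway(table)
    if mismatch:
        lines.append(f"gateway {GATEWAY_IP} shows {mismatch[0]}, expected {mismatch[1]}")
        lines.append(f"probable spoofer(s): {', '.join(suspected_spoofers(table)) or 'unknown'}")
    if not lines:
        lines.append("no ARP anomalies found")
    print("\n".join(lines))
    return lines


if __name__ == "__main__":
    report(POISONED_CLIENT_VIEW)
    report(CLEAN_CLIENT_VIEW)
```

Run the same `report()` over the gateway's own table from step 3 and the shared-MAC check fires on every client entry at once, which is the pattern the article describes. The gateway check needs the real gateway MAC recorded beforehand (from ipconfig /all on the gateway), since the poisoned table alone cannot tell which of the two hosts sharing a MAC is lying.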
Solution:
1. Use static ARP binding on the clients and on the gateway server.
1. On all client machines, statically bind the ARP entry of the gateway server.
First, find the MAC address of the gateway server (proxy host) by running ipconfig /all on that machine:
C:\WINNT\system32> ipconfig /all
Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Intel(R) PRO/100B PCI Adapter (TX)
        Physical Address. . . . . . . . . : 00-02-ba-0b-04-32
        Dhcp Enabled. . . . . . . . . . . :
        IP Address. . . . . . . . . . . . : 192.168.100.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
Then, at the DOS command prompt of each client machine, create the static ARP binding:
C:\WINNT\system32> arp -s 192.168.100.1 00-02-ba-0b-04-32
Note: we recommend also binding the IP and MAC addresses of all the other clients on each client.
2. On the gateway server (proxy host), statically bind the ARP entries of the client computers.
First, record the IP address and MAC address of every client machine, using ipconfig /all on each one as shown above.
Then, on the proxy host, create a static ARP binding for every client. For example:
C:\winnt\system32> arp -s 192.168.0.23 00-11-2f-43-81-8b
C:\winnt\system32> arp -s 192.168.0.24 00-50-4408a-62-2c
C:\winnt\system32> arp -s 192.168.0.25 00-05-5d-ff-a8-87
.........
3. Finally, put the static ARP bindings above into a Windows startup file (a batch file run at boot), so that the bindings are re-applied every time the computer starts and the configuration is not lost.
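Maintaining the binding list by hand across many cafe machines invites typos, so one practical approach is to keep a single IP-to-MAC inventory and generate each machine's startup batch file from it. The script below is an added example, not the article's own script: the inventory is constructed (the gateway MAC is the one the article reads with ipconfig /all, the client MACs are placeholders), and the function names are this example's own. It follows the article's split: the gateway binds every client, while a client binds the gateway and, optionally, every other client as the article recommends.

```python
"""Generate per-machine startup batch files of `arp -s` bindings from one inventory
(added example, not the article's own script).  Inventory values are constructed."""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")
GATEWAY_IP = "192.168.100.1"

# Constructed inventory: IP -> MAC, as read with `ipconfig /all` on each machine.
INVENTORY = {
    "192.168.100.1": "00-02-ba-0b-04-32",    # gateway / proxy host
    "192.168.100.23": "00-11-2f-43-81-8b",
    "192.168.100.25": "00-05-5d-ff-a8-87",
    "192.168.100.200": "00-50-ba-fa-59-fe",
}


def validate_inventory(inventory):
    """Return a list of problems: malformed MACs, or one MAC listed for two IPs.

    A duplicate MAC in the inventory is exactly the symptom of the attack, so it
    must be resolved by checking the machines, never silently bound."""
    errors, seen = [], {}
    for ip, mac in inventory.items():
        if not MAC_RE.match(mac):
            errors.append(f"{ip}: malformed MAC {mac!r}")
            continue
        key = mac.lower()
        if key in seen:
            errors.append(f"{ip}: MAC {mac} already bound to {seen[key]}")
        else:
            seen[key] = ip
    return errors


def _ip_key(ip):
    """Sort key so 192.168.100.23 precedes 192.168.100.200 numerically."""
    return tuple(int(octet) for octet in ip.split("."))


def build_arp_batch(inventory, local_ip, gateway_ip=GATEWAY_IP, bind_all=False):
    """Return the lines of a startup .bat for the machine at `local_ip`.

    The gateway binds every client.  A client binds the gateway and, with
    bind_all=True, every other client as well.  The machine never binds itself."""
    errors = validate_inventory(inventory)
    if errors:
        raise ValueError("; ".join(errors))
    if gateway_ip not in inventory:
        raise ValueError(f"gateway {gateway_ip} missing from inventory")
    if local_ip == gateway_ip or bind_all:
        targets = [ip for ip in inventory if ip != local_ip]
    else:
        targets = [gateway_ip]
    lines = ["@echo off", f"rem static ARP bindings for {local_ip} (generated)"]
    for ip in sorted(targets, key=_ip_key):
        lines.append(f"arp -s {ip} {inventory[ip]}")
    return lines


def write_batch(path, lines):
    """Write the batch file with CRLF line endings, as cmd.exe expects."""
    with open(path, "w", newline="\r\n") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    print("\n".join(build_arp_batch(INVENTORY, GATEWAY_IP)))
    print("\n".join(build_arp_batch(INVENTORY, "192.168.100.23", bind_all=True)))
```

The generated file is placed where the article says, in the Windows startup location of each machine, so the bindings survive a reboot. Re-run the generator whenever a network adapter is replaced, since the inventory entry for that machine changes.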
2. Internet cafes that have the means can bind IP addresses to MAC addresses on the switch.
3. Once an IP address and a MAC address have been bound, the binding must be redone whenever the network adapter changes. We therefore also recommend installing anti-virus software on the clients to deal with the problem at its root. The virus found in this case came with "4B Speed Gear"; the virus program can be downloaded from http://www.wgwang.com/list/3007.html:
1. KAV (Kaspersky) can remove the virus, which it names TrojanDropper.Win32.Juntador.C. The antivirus log reads: 07.02.2005 10:48:00 c:\Documents and Settings\...\Temporary Internet ... infected: TrojanDropper.Win32.Juntador.C.
2. Rising can also remove the virus, under the name TrojanDropper.Win32.Juntador.f.
3. In other cities, Kingsoft Duba and Rising report it under the names "Password Assistant" trojan (Win32.Troj.Mir2) or Win32.Troj.zyps%33952.
Appendix: descriptions of the "Password Assistant" virus and the TrojanDropper.Win32.Juntador.c virus:
http://db.kingsoft.com/c/2004/11/22/152800.shtml
http://www.pestpatrol.com/pest_info/zh/t/trojandropper_win32_juntador_c.asp