On Windows 2000, a static ARP entry set with the arp -s command can still be overwritten by ARP spoofing. On Windows 2003, arp -s finally locks the ARP entry, so there is no longer any need to fear tools such as "Cyber Law Enforcement Officer" (a well-known ARP-spoofing program).
This virus attack is characterised by an infected computer forging the MAC address of another computer. If the forged address is that of the gateway server, the whole internet cafe is affected: users experience brief disconnections while accessing the Internet.
1. On any client, open a command prompt (or MS-DOS window) and run arp -a:

C:\winnt\system32>arp -a

Interface: 192.168.0.193 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           00-50-00008a-62-2c    dynamic
  192.168.0.23          00-11-2f-43-81-8b     dynamic
  192.168.0.24          00-50-00008a-62-2c    dynamic
  192.168.0.25          00-05-5d-ff-a8-87     dynamic
  192.168.0.200         00-50-ba-fa-59-fe     dynamic
Two entries share the same MAC address. Checking the machines directly shows that 00-50-00008a-62-2c is really the MAC address of 192.168.0.24, while the real MAC address of 192.168.0.1 is 00-02-ba-0b-04-32. So 192.168.0.24 is the infected machine, and it is spoofing the MAC address of 192.168.0.1 (the gateway).
2. On 192.168.0.24 itself, open a command prompt (or MS-DOS window) and run arp -a:

C:\winnt\system32>arp -a

Interface: 192.168.0.24 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           00-02-ba-0b-04-32     dynamic
  192.168.0.23          00-11-2f-43-81-8b     dynamic
  192.168.0.25          00-05-5d-ff-a8-87     dynamic
  192.168.0.193         00-11-2f-b2-9d-17     dynamic
  192.168.0.200         00-50-ba-fa-59-fe     dynamic
On the infected machine the MAC addresses displayed are all correct, but the machine runs slowly, presumably because all of the cafe's layer-2 traffic is being forwarded through it. After this machine is restarted, no computer in the cafe can reach the Internet until the other machines' ARP caches refresh the gateway's MAC address, which normally takes 2 or 3 minutes.
3. If the gateway host can still open a DOS window, running arp -a there shows a pattern like the following:

C:\winnt\system32>arp -a

Interface: 192.168.0.1 on Interface 0x1000004
  Internet Address      Physical Address      Type
  192.168.0.23          00-50-00008a-62-2c    dynamic
  192.168.0.24          00-50-00008a-62-2c    dynamic
  192.168.0.25          00-50-00008a-62-2c    dynamic
  192.168.0.193         00-50-00008a-62-2c    dynamic
  192.168.0.200         00-50-00008a-62-2c    dynamic
When the virus is not attacking, the table on the proxy server looks like this:

C:\winnt\system32>arp -a

Interface: 192.168.0.1 on Interface 0x1000004
  Internet Address      Physical Address      Type
  192.168.0.23          multicast             dynamic
  192.168.0.24          00-50-00008a-62-2c    dynamic
  192.168.0.25          multicast             dynamic
  192.168.0.193         multicast             dynamic
  192.168.0.200         00-50-ba-fa-59-fe     dynamic
During an attack, the MAC address of every IP address changes to 00-50-00008a-62-2c; normally each IP has its own distinct MAC address.
Solution:

1. Use static ARP bindings on both the clients and the gateway server.

(1) Bind the gateway server statically on every client machine.

First check the MAC address of the gateway server (proxy host) on the gateway itself:

C:\winnt\system32>ipconfig /all

Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Intel(R) PRO/100B PCI Adapter (TX)
        Physical Address. . . . . . . . . : 00-02-ba-0b-04-32
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

Then, at the command prompt of each client machine, create the static binding:

C:\winnt\system32>arp -s 192.168.0.1 00-02-ba-0b-04-32

Note: we recommend also binding the IP and MAC addresses of all the other clients on each client.
(2) Bind the client computers statically on the gateway server (proxy host).

First, record the IP address and MAC address of every client machine (with ipconfig /all, as above). Then create a static ARP binding for every client on the proxy host, for example:

C:\winnt\system32>arp -s 192.168.0.23 00-11-2f-43-81-8b
C:\winnt\system32>arp -s 192.168.0.24 00-50-00008a-62-2c
C:\winnt\system32>arp -s 192.168.0.25 00-05-5d-ff-a8-87
.........

(3) Finally, put the static ARP bindings above into a Windows startup file so that they are re-applied every time the computer boots; static entries are lost on reboot, and this ensures the configuration is not lost.
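To make the two halves of the above practical on a larger cafe, the following added example (my own code, not part of the original article) parses the output of arp -a as shown in the tables earlier, flags MAC addresses claimed by more than one IP and IPs whose cached MAC differs from a recorded known-good list, and generates the arp -s lines for the startup file. The sample table and the duplicated MAC 02-00-00-00-00-24 are constructed; the gateway MAC 00-02-ba-0b-04-32 and the other client MACs are the ones the text reports.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output, modelled on the tables in the
# text. The duplicated MAC 02-00-00-00-00-24 is a constructed value.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.0.193 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           02-00-00-00-00-24     dynamic
  192.168.0.23          00-11-2f-43-81-8b     dynamic
  192.168.0.24          02-00-00-00-00-24     dynamic
  192.168.0.25          00-05-5d-ff-a8-87     dynamic
  192.168.0.200         00-50-ba-fa-59-fe     dynamic
"""

# Known-good IP -> MAC list gathered with `ipconfig /all` on each machine
# (assumed to have been collected while the network was healthy).
KNOWN_GOOD = {
    "192.168.0.1": "00-02-ba-0b-04-32",   # gateway / proxy host
    "192.168.0.23": "00-11-2f-43-81-8b",
    "192.168.0.25": "00-05-5d-ff-a8-87",
    "192.168.0.200": "00-50-ba-fa-59-fe",
}

# One ARP table row: IPv4 address, dash-separated MAC, entry type.
# Rows without a MAC (e.g. "multicast") are deliberately skipped.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def parse_arp_table(text):
    """Return {ip: (mac_lowercase, entry_type)} from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table


def find_shared_macs(table):
    """Return {mac: [ips]} for MACs that more than one IP resolves to."""
    by_mac = defaultdict(list)
    for ip, (mac, _) in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=_ip_key) for mac, ips in by_mac.items() if len(ips) > 1}


def find_mismatches(table, known_good):
    """Return IPs whose cached MAC differs from the recorded known-good MAC."""
    out = {}
    for ip, good_mac in known_good.items():
        if ip in table and table[ip][0] != good_mac.lower():
            out[ip] = {"expected": good_mac.lower(), "seen": table[ip][0]}
    return out


def binding_commands(known_good):
    """Return the `arp -s` lines to place in the Windows startup file."""
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(known_good.items(), key=lambda kv: _ip_key(kv[0]))]


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for mac, ips in find_shared_macs(table).items():
        print(f"MAC {mac} claimed by several IPs: {', '.join(ips)}")
    for ip, info in find_mismatches(table, KNOWN_GOOD).items():
        print(f"{ip}: expected {info['expected']}, cache shows {info['seen']}")
    print("\n".join(binding_commands(KNOWN_GOOD)))
```

On the sample table the script reports 02-00-00-00-00-24 as claimed by both 192.168.0.1 and 192.168.0.24, and the gateway entry as a mismatch against its recorded MAC, which is exactly the reasoning used by hand in steps 1 and 2 above. The generated arp -s lines can be pasted into the startup batch file described in step (3).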
2. Internet cafes whose equipment allows it can bind IP addresses to MAC addresses on the switch.

3. Once IP and MAC addresses are bound, the binding has to be redone whenever a network adapter is changed. We therefore also recommend installing anti-virus software on the clients. The virus found in this internet cafe is carried by the program Variable Speed Gear 2.04b, as distributed at Http://www.wgwang.com/list/3007.html:
1. KAV (Kaspersky) can remove the virus; it names it TrojanDropper.Win32.Juntador.c.
Anti-virus log: 07.02.2005 10:48:00 c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\content.ie5\b005z0k9\gear_setup00001).exe infected TrojanDropper.Win32.Juntador.c
2. Rising can remove the virus; it names it TrojanDropper.Win32.Juntador.f.
3. In addition, in other cities Kingsoft Antivirus and Rising have reported the same thing under the names "Password Assistant" trojan (Win32.Troj.Mir2) or Win32.Troj.Zyps%33952.
Appendix: description pages for the "Password Assistant" virus and TrojanDropper.Win32.Juntador.c:
Http://db.kingsoft.com/c/2004/11/22/152800.shtml
Http://www.pestpatrol.com/pest_info/zh/t/t..._juntador_c.asp