How to eradicate Campus Network Viruses

Source: Internet
Author: User
Tags: network troubleshooting

The author has been responsible for network maintenance at the Education Network Information Center for many years, mainly handling network troubleshooting, security prevention and technical support for primary and secondary schools. In daily work we are often asked to detect and remove network viruses on school networks remotely, and over time I have built up a set of methods for dealing with campus network viruses. In this article I will walk IT168 readers through a real case of eradicating a campus network virus, in the hope that it helps school network administrators maintain their internal networks with half the effort and keep viruses outside the school gate for good.

1. Campus Network Viruses:

Schools generally have many computers. Once a campus network is built, the machines in the student computer rooms are all on one internal network and reach the Internet through a server or router that forwards their traffic. The infections seen there are therefore mostly network-type viruses. An ordinary file-infecting virus rarely manages a full outbreak on a school's internal network; even when it does, it usually affects only one or two computers, and in most cases the network administrator can simply restore those systems.

So the viruses that infect schools are mostly network-type, and above all worms, which spread extremely effectively. Although every public school has bought licensed anti-virus software as required by the Beijing Municipal Education Commission, anyone familiar with network and system security knows that anti-virus software alone is far from enough. Leaving aside the quality of its detection, even a thorough scan and clean does not help if the corresponding system vulnerabilities are not patched promptly: the machines will sooner or later be compromised again by a virus that exploits those vulnerabilities. This is especially evident on school networks, where vulnerability-exploiting viruses are the most dangerous infections.

Taking these two points together, the most active virus on a campus network is the vulnerability-exploiting worm. On the one hand, an outbreak can paralyse the entire school network; on the other hand, such viruses are very hard to clean up. A vulnerability-exploiting virus requires installing system patches or software updates on every computer in the school, and a worm requires examining every computer to find the root source of the infection. In practice several computers often become sources of infection at once, each constantly sending virus packets that disrupt the other hosts.

2. A worked example: the whole process of virus removal on a campus network:

As it happens, a school network administrator recently asked me for help, hoping I could remotely scan and examine the school's intranet. The symptoms were as follows: apart from the server, none of the teachers' machines or the computer-room machines could access the Internet normally, and the school network was effectively down. I was able to log on remotely to the school server and begin examining and scanning the intranet from there.

Step 1: Disable the access control list on the routing switch and connect remotely from the district information center to the faulty school's server. (Figure 1)

Step 2: The best way to diagnose intranet faults is with a sniffer. I decided to use the Kelai network analysis system. Since the server could reach the Internet, I downloaded the installation package, installed it, and set it to monitor network card 1. (Figure 2)

Step 3: Capture and monitor all packets, then select the packets in the left-hand pane and view the ARP information by protocol. ARP spoofing worms are the most common infection in schools, and the symptom here, computers that cannot reach the Internet, is typical of a forged gateway. Under the ARP packets I checked the information under the "Diagnosis" tab; there it could be seen that hosts with several MAC addresses had sent many ARP REQUEST packets without ever receiving a response. (Figure 3)

TIPS:

Hosts infected with an ARP spoofing virus constantly send broadcast and spoofed packets to the intranet, with destination addresses covering every IP address in the subnet. When an IP address does not belong to an active host, no response comes back, so a large number of unanswered requests is a distinctive sign of an ARP spoofing virus.

Step 4: Record the source MAC addresses of the computers that sent an excessive number of ARP requests and received no responses. I found three such computers in total, with MAC addresses 001e8c0218a3, 001d60fca3da and 001d60fca01c.

Step 5: Locate the hosts corresponding to these three MAC addresses in the left-hand pane and view the traffic of each host individually. The query showed that the packets each host sent were mostly ARP packets whose content told other hosts that the MAC address for the target address 58.129.91.126 was one of these three MAC addresses. Knowing that 58.129.91.126 is the school's gateway address, we can conclude that the three machines were sending ARP spoofing packets. These corrupt the MAC address information held by the other hosts, so that packets which should have gone to the gateway were sent to the three computers instead, which is why the Internet was unreachable. (Figure 4)

Step 6: Run ipconfig again on the server to confirm that the gateway address is 58.129.91.126. (Figure 5)

Step 7: Run arp -a on the server, which still has Internet access, to query its ARP cache. The real MAC address for the gateway 58.129.91.126 is 00e0fc297759, not any of the three MAC addresses above. (Figure 6)

Step 8: Once the problem hosts are identified, they can be located by looking up the ARP cache on a correctly working computer, checking the lease records in the DHCP address pool, or consulting the IP addresses the school previously registered for the three MAC addresses. After those three hosts were disconnected from the network for virus removal or a system reinstall, the school network returned to normal. (Figure 7)
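The two checks carried out by hand in Steps 3 to 7 (ARP requests that never get a reply, and ARP packets that claim the gateway IP with a MAC other than the recorded one) can be automated over a capture. The following is an added example, not code from the article or from the Kelai tool; it parses raw ARP payloads, uses the article's gateway address and MAC as the known-good mapping, and runs over a constructed sample capture.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ARP_REQUEST, ARP_REPLY = 1, 2

# Known-good gateway mapping, recorded while the network was healthy (values from the article).
GATEWAY_IP, GATEWAY_MAC = "58.129.91.126", "00e0fc297759"

def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte IPv4-over-Ethernet ARP payload (used here only to construct sample traffic)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha), ip2b(spa), bytes.fromhex(tha), ip2b(tpa))

def parse_arp(pkt):
    """Decode the ARP header fields that the checks below need."""
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    return {"op": op, "sha": sha.hex(), "spa": ".".join(map(str, spa)),
            "tha": tha.hex(), "tpa": ".".join(map(str, tpa))}

def analyse(packets, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC, min_unanswered=3):
    """Return (spoofers, scanners): MACs that claim the gateway IP with the wrong hardware
    address, and MACs whose requests to >= min_unanswered distinct IPs never got a reply."""
    spoofers, asked, answered = set(), defaultdict(set), set()
    for p in map(parse_arp, packets):
        if p["spa"] == gateway_ip and p["sha"] != gateway_mac:
            spoofers.add(p["sha"])              # Steps 5/7: gateway IP announced with a wrong MAC
        if p["op"] == ARP_REQUEST:
            asked[p["sha"]].add(p["tpa"])       # which IPs each host asked about
        elif p["op"] == ARP_REPLY:
            answered.add(p["spa"])              # this IP is alive: it replied to someone
    scanners = {mac for mac, ips in asked.items()
                if len(ips - answered) >= min_unanswered}   # Steps 3/4: requests with no reply
    return sorted(spoofers), sorted(scanners)

# Constructed sample capture: a healthy host resolving the gateway, the real gateway answering,
# then one infected host (first MAC from the article) sweeping the subnet and poisoning the gateway mapping.
GOOD, BAD, ZERO = "0011223344aa", "001e8c0218a3", "000000000000"
SAMPLE = [
    build_arp(ARP_REQUEST, GOOD, "58.129.91.10", ZERO, GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, GOOD, "58.129.91.10"),
] + [build_arp(ARP_REQUEST, BAD, "58.129.91.20", ZERO, f"58.129.91.{i}") for i in range(200, 205)
] + [build_arp(ARP_REPLY, BAD, GATEWAY_IP, GOOD, "58.129.91.10")]

if __name__ == "__main__":
    print(analyse(SAMPLE))   # the infected MAC appears in both lists
```

With a real capture, feed the ARP payloads (bytes following the 14-byte Ethernet header) to analyse and take the gateway mapping from the inventory recorded while the network was healthy.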

3. Summary:

Worms are the most common problem in schools; 90% of the security problems I have encountered in my work were caused by worms. For ARP spoofing worms the key is prevention before an outbreak: while the network is healthy, promptly record the MAC address, IP address, host name and physical location of every machine, and use two-way binding (the gateway's IP-to-MAC mapping bound on each client, and each client's IP-to-MAC mapping bound on the gateway) to make the network immune to ARP spoofing and keep the school intranet secure.
