Solution to the 16a.us ARP spoofing attack

Source: Internet
Author: User
Tags website server

 
Recently, when our local area network accesses the Internet, most website pages are displayed abnormally. When visiting a website, Kaspersky prompts "Trojan program Trojan-Downloader.JS.Agent.gd, file hxxp://16a.us/*.js". Viewing the HTML source code shows an extra line at the top of every web page. I initially thought that our unit's website server had been injected with a Trojan, but later I found that other websites had the same problem, including large websites such as China Construction Bank and IT168. So I narrowed the problem down to our local area network and began looking for a solution. None of the methods I tested had any effect, including:
1. Modify the Hosts file
2. Download the fixed-time software of 360 security guard
3. Upgrade OS Patches
4. Upgrade anti-virus software to the latest virus database.

This morning, I was unwilling to continue searching for answers in the search engine (yet this problem had to be solved; otherwise my colleagues in the organization would be basically half paralyzed, with most websites abnormal). Inspired by a post, we thought the 16a.us virus phenomenon should be an ARP virus spoofing attack. We therefore searched Baidu for solutions to ARP virus spoofing attacks. After testing and demonstration, we solved all the problems on the LAN computers. I am afraid to share the solution with others. I hope I can help other colleagues who are anxious to solve this problem!

The specific steps are as follows (static binding of the gateway's MAC address):

Step 1: Close all IE browser windows and open a CMD prompt.
Step 2: Enter the command arp -a. The returned results show the IP address and MAC address of the LAN gateway. (Check with the network administrator whether the gateway's MAC address in your computer's ARP cache has been modified.)
Step 3: Enter the command arp -s <gateway IP address> <gateway MAC address>. Remember that the MAC address entered here must be the correct MAC address of the gateway.
Step 4: Open the network properties. If the IP address is not obtained dynamically, change it to a dynamically obtained IP address (if the IP address is already obtained dynamically, repair the network connection once).
Step 5: The problem is solved. Open IE and test whether the websites that previously had the problem are now normal.

Note:

1. We recommend that you write the third step as a batch file and add it to the startup items. Otherwise, the binding will be lost after each restart.
2. If the MAC address of the DNS server is also hijacked, bind the DNS server's MAC address in the same way.
3. The above method only treats the symptoms, not the root cause. We need to work together to find, as soon as possible, a way to completely remove the 16a.us culprit (that is, among the LAN computers there must be one that is infected or has had a Trojan planted on it).
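
The check in steps 2 and 3 can be automated. The following is an added example, not part of the original post: it parses Windows `arp -a` output, compares the gateway entry with a known-good MAC address, and reports any other IP address that claims the same MAC, which points toward the infected machine mentioned in note 3. The gateway IP, the trusted MAC and the sample output are constructed assumptions.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real host).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.57          00-0c-29-aa-bb-cc     dynamic
  192.168.1.80          00-1e-65-10-20-30     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: (mac, entry_type)} for unicast entries of `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        if int(mac[:2], 16) & 1:
            continue  # broadcast/multicast MACs are shared by design
        table[ip] = (mac, kind)
    return table

def check_gateway(table, gateway_ip, trusted_mac):
    """List reasons the gateway's ARP entry cannot be trusted (empty = OK)."""
    if gateway_ip not in table:
        return [f"{gateway_ip} has no ARP cache entry"]
    mac, kind = table[gateway_ip]
    findings = []
    if mac != trusted_mac.lower().replace(":", "-"):
        findings.append(f"gateway MAC is {mac}, expected {trusted_mac}")
    if kind != "static":
        findings.append("gateway entry is dynamic, so ARP replies can overwrite it")
    # Another IP answering with the gateway's cached MAC is the likely spoofer.
    sharing = [ip for ip, (other, _) in table.items()
               if other == mac and ip != gateway_ip]
    if sharing:
        findings.append(f"{mac} is also claimed by {', '.join(sharing)}")
    return findings

if __name__ == "__main__":
    # Assumed gateway IP and trusted MAC; confirm both with the administrator.
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for finding in check_gateway(table, "192.168.1.1", "00-1a-2b-3c-4d-5e"):
        print("WARNING:", finding)
```

On a live machine, pass the text returned by `arp -a` to `parse_arp_table` instead of the sample.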


 
