The website source file is injected with Lt; iframegt; Code-ARP spoofing Trojan attack

Recently, my website suddenly experienced slow access, and the anti-virus software immediately prompts that the website contains a trojan virus.

I was wondering how virus prompts appeared recently when my website has been running well for four years. For reasons of professional habitsSource codeView, originally in the web page sourceCodeThe <IFRAME> nested framework web page is added to the header of the web page to execute Trojans.Program......

According to common sense, my heart is cold: it is estimated that the server is attacked, and all the file code is added with this code, so the FTP goes up and downloads the file to view it without this code.

Then he asked the server administrator to smile and said, "It's a virus attack of ARP spoofing ".

So what is "ARP spoofing?

First, ARP refers to Address Resolution Protocol (Address Resolution Protocol), which is a low-layer protocol located in the TCP/IP protocol stack and is responsible for parsing an IP address into a corresponding MAC address.

From the perspective of Affecting Network Connection smoothness, there are two types of ARP spoofing: one is spoofing on the ARP table of the router, and the other is spoofing on the gateway of the Intranet PC.

The first principle of ARP spoofing is to intercept gateway data. It notifies the vro of a series of incorrect Intranet MAC addresses and keeps running at a certain frequency, so that the real address information cannot be updated and saved in the vro, as a result, all the data of the router can only be sent to the wrong MAC address, so that the normal PC cannot receive the information.

The second principle of ARP spoofing is to forge a gateway. The principle is to establish a false gateway to send data to a spoofed PC, rather than accessing the Internet through a normal router. In the PC's view, the network cannot be connected, and the network is disconnected ".

ARP spoofing Trojans only need to successfully infect a computer, which may lead to the failure of the entire LAN to access the Internet, seriously or even paralyze the entire network.

This time, a server in the same LAN of the hosting machine room where my website server is located is infected with an ARP spoofing Trojan, which affects other servers in the entire machine room, as a result, thousands of web hosting websites on the server are all suffering, and the access volume of Trojan growers is also soaring. This is a trivial matter, in addition to the intermittent disconnection of other users in the same LAN, the trojan also steals the user password. Such as stealing QQ passwords, stealing various online game passwords and accounts for money transactions, and stealing online bank accounts for illegal transaction activities. This is a conventional Trojan Horse trick, it causes great inconvenience and economic losses to users.

How to check whether the local machine is infected with the ARP spoofing Trojan

Press CTRL + ALT + Delete to open the windows Task Manager window and check if there are any mir0.dat processes, you need to "End the process" immediately ".

How to check computers infected with ARP spoofing Trojans in the LAN

Click "start"> "run" and "cmd" to open the msdos window. Enter "ipconfig" to obtain the default gateway.

Run the "ARP-a" command to check the "physical address" value corresponding to the default gateway IP address. If the network is normal, this is the correct physical address of the gateway, when the network is affected by the "ARP spoofing" Trojan, it is the physical address of the computer where the trojan resides. You can also scan all IP addresses in the subnetwork and then check the ARP table. If the physical address of an IP address is the same as that of the gateway, the IP address and physical address are the IP address of the computer infected with viruses and the physical address of the network card.

How to prevent computer ARP Spoofing

1. Do not establish your network security trust relationship on the basis of IP or Mac (RARP also has the problem of spoofing). The ideal relationship should be on the basis of IP + Mac.
2. Set a static Mac --> ip address table. Do not refresh the conversion table you set on the host.
3. Stop using ARP unless necessary, and save ARP as a permanent entry in the corresponding table.
4. Use the ARP Server. The server looks for its own ARP conversion table to respond to ARP broadcasts from other machines. Make sure that the ARP Server is not hacked.
5. Use the proxy IP address for transmission.
6. Use hardware to shield hosts. Set your route so that the IP address can reach a valid path. (Configure route ARP entries statically). Note that using the exchange hub and bridge cannot prevent ARP spoofing.
7. The Administrator periodically obtains an RARP request from the response IP packet and checks the authenticity of the ARP response.
8. The Administrator regularly polls and checks the ARP cache on the host.
9. Use the firewall to continuously monitor the network. Note that when SNMP is used, ARP spoofing may cause the loss of trap packets.

Recommended tools: Xin Xiang ARP tools, including comprehensive ARP defense functions. (Including winpcap_3_0., please be sure to install this software first): http://www.nuqx.com/downcenter.asp

ARP solution/tool + true/false ARP defense difference + ARP Ultimate Solution
Http://www.txwm.com/BBS384837.vhtml

Special Topics On ARP attack prevention and Solutions
Http://www.luxinjie.com/s/arp/