Use "ip address conflict" to find the Trojan

For network administrators or users, "ip address conflict" is undesirable, because in a network, each host (strictly speaking, a network interface) should have a unique IP address, if two or more hosts use the same IP address, the IP address conflict is reported in the displayed dialog box.
 

 
This will cause these machines using the same IP address to be unable to access the network normally. However, a few days ago, I used this feature to help me a lot. Why? Listen to me.
 
On October 11, 12th day of this month, I was sent to the customer service department of yuantan building to handle network faults. After preliminary diagnosis, it is found that the network is interrupted at a time. If the gateway is restarted, it will be normal for a while, and it will not work after a while. This is a very simple network: an Internet network cable comes in, connected to a gateway running FreeBSD (for NAT), and another network interface of the gateway machine is connected to a switch, clients are connected to two vswitches, And the Gateway provides DHCP service. All clients use DHCP to automatically obtain the IP address. First, I have to determine where the fault occurred; restart the gateway and find that the client can access the Internet normally, but the gateway immediately prompts an alarm for DHCP request timeout. In addition, there is no clue, go to the client to check the IP address and find that the obtained IP address is normal. Then I suspect that there is a problem with the switch. After a while, I will find that the fault has occurred again. Restart the switch, the network is normal again. Where is the problem? I was dizzy.
 
After sorting out the ideas, I found a client (all the clients are windows). I pinged the gateway and found that the ping failed. I pinged another machine in the network, restarting the gateway and then using the client to ping the gateway is normal. There is no doubt that the ARP spoofing virus is in the network. Go to the system directory and find that there are several abnormal files in c: a file named after this name does not allow the operation. Run the arp-a command to find multiple lines of arp requests, it seems that it is a network congestion fault caused by viruses. Instead of dropping all the machines and network segments, it is imperative that you first find the host that is currently being promoted and then isolate it.
 
How can we identify that the host on the network is very poisoned? There are already many good methods on the Internet. Someone suggested using a packet capture tool, and then analyzed the captured packet information to confirm the host that was poisoned. However, I didn't have any packet capture tools in my hand, so I had to try it myself. After exploration, I have summarized some of the following effective methods for your reference!
 
When a route tracking command such as tracert-d www.2cto.com is run on the client, the first ip address is not the Intranet IP address of the gateway machine, but the ip address of another machine in the CIDR block, the next hop is the Intranet IP address of the gateway. Normally, the first output after route tracing is executed should be the default gateway IP address. Therefore, the host with the non-gateway IP address of the first hop is the culprit.
 
The problem arises again. Because the IP address of the host in the network is automatically obtained through DHCP, how to identify this host is a problem, dozens of machines, you can use ipconfig/all to check whether it is exhausting. What should you do? You have to take shortcuts. Suddenly, a thought came up: Set an IP address that is the same as the detected poisoned host, and then ....., Next, find a client machine and check its automatically obtained IP address. It is not so lucky-this machine is not the IP address to be pulled out, and then cancel the "automatically obtained IP Address" of this host, manually setting the IP address of the machine is the same as the IP address with the virus. After the setting takes effect, a sister shouted, "How does my IP address conflict with others? ", I don't know. I'm looking for you! The sister's host is isolated from the network, and other machines can access the Internet smoothly immediately.
 
I think everyone should have experience dealing with the arp virus, so there will be no more roadles here.
 
To sum up, the main steps are as follows: 1. Run tracert-d www.163.com to find the Host IP address. 2. Set the same IP address as the host, and cause IP address conflict, so that the infected host can be alerted and then find the host.


Author: Xiao Feng king