Website source file was injected with <iframe> code-ARP spoofing Trojan virus attack _ virus killing
Source: Internet
Author: User
Recently my site suddenly appeared to be slow to visit, and after opening antivirus software immediately hint contains Trojan virus.
I am very puzzled, the website that has been running for 4 years has been good recently how to appear virus hint. Professional reasons to open the site's source code to view, originally in the source of the Web page of the head was added to the <iframe> nested frames page, the Web page to execute Trojan program ...
According to the common sense of my heart a cold: estimated that the server was captured, all the file code was added this line of code, so ftp up, download files down to view but not the code.
Then asked the Server Manager smiled, he said: "Is the ARP spoofing virus attack."
So what is "ARP spoofing"?
First, ARP means address resolution PROTOCOL, a low-level protocol located in the TCP/IP protocol stack, which resolves an IP address into a corresponding MAC address.
From the way of affecting the smooth network connection, ARP spoofing is divided into two kinds, one is the deception of the Router ARP table, the other is the gateway spoofing of the Intranet PC.
The first principle of ARP spoofing is intercepting gateway data. It informs the router a series of wrong intranet MAC address, and according to a certain frequency constantly, so that the real address information can not be saved through the update in the router, the result of all the data router can only send to the wrong MAC address, resulting in the normal PC can not receive information.
The second principle of ARP spoofing is to forge a gateway. The idea is to set up a fake gateway so that the PC it cheats on sends data to a fake gateway, rather than using the normal router route to get online. In the PC's view, is not on the net, "network off the line."
ARP Spoofing Trojan only successfully infected with a computer, it may cause the entire LAN can not access the Internet, serious and even may bring the entire network paralysis.
And this time my Web server in the host computer room of the same LAN in a server that is infected with ARP cheat Trojan, so it affected the entire engine room of other servers, so the server thousands of virtual host site all suffer, Trojan growers site visits are also soaring, this is still small, The Trojan attack in addition to the same LAN will lead to other users on the Internet appear when the phenomenon of intermittent, but also steal user password. such as stealing QQ password, stealing a variety of network game passwords and accounts to do money transactions, theft of online bank account to do illegal trading activities, this is a Trojan trick, to users caused great inconvenience and huge economic losses.
How to check if this machine is in the ARP spoofing trojan virus
The "CTRL" + "ALT" + "DELETE" key opens the Windows Task Manager window to see if there are any "MIR0.dat" processes, which, if any, indicate poisoning and need to "end the process" immediately.
How to check for computers infected with ARP spoofing trojan virus in LAN
The Start menu runs "cmd" to open the Msdos window and enter "ipconfig" to obtain the default gateway.
Continue to execute command "ARP-A", see the default gateway IP corresponding "Physical address" value, when the network is normal, this is the gateway of the correct physical addresses, in the network by the "ARP spoofing" Trojan impact and not normal, it is the Trojan computer network card Physical address. You can also scan the entire IP address in the Web, and then check the ARP table. If there is an IP corresponding physical address and the same gateway, then this IP address and physical address is poisoned the computer's IP address and network card physical address.
How to protect your computer from ARP spoofing
1, do not put your network security trust relationship based on the IP or on the basis of the Mac (Rarp also have the problem of deception), the ideal relationship should be based on Ip+mac.
2, set the static mac-->ip corresponding table, do not let the host refresh you set the conversion table.
3, unless it is necessary, otherwise stop using ARP, the ARP as a permanent entry to save in the corresponding table.
4, use the ARP server. The server finds its own ARP conversion table to respond to ARP broadcasts from other machines. Make sure the ARP server is not hacked.
5, the use of "proxy" proxy IP transmission.
6, the use of hardware shielding host. Set your route and make sure the IP address is reachable to the right path. (statically configured to route ARP entries), note that using a swap hub and a network bridge cannot prevent ARP spoofing.
7, the administrator periodically in response to the IP packet to obtain a RARP request, and then check the authenticity of the ARP response.
8. The administrator periodically polls to check the ARP cache on the host.
9, the use of continuous firewall monitoring network. Note that the use of SNMP in the case of ARP spoofing may cause the trap packet to be lost.
Recommendation tool: Xin to ARP tools, including a very comprehensive ARP protection function. (including Winpcap_3_0., please be sure to install this software first) download address: http://www.nuqx.com/downcenter.asp
ARP solution/Tools + True and false Arp guard against the difference method +arp Ultimate Solution
Http://www.txwm.com/BBS384837.vhtml
ARP Attack prevention and solution project
http://www.luxinjie.com/s/arp/
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.