Recently, my website suddenly became slow to access, and after opening it, the antivirus software immediately prompted that it contained a * virus.
I was wondering why the virus prompts have appeared recently when the website that has been running for 4 years. Because of professional habits, I opened the source code of the website to view it. It turned out that a <iframe> nested frame web page was added to the head of the web page source code, and the web page executed a * program...
According to common sense, I felt cold in my heart: I guess the server was captured, and all the file codes were added with this line of code, so I went up to FTP, download the file and checked it but there was no code.
So he asked the server administrator and smiled. When he heard this, he said, "It was a virus attack caused by ARP spoofing."
So what is "ARP fraud"?
First of all, ARP means Address Resolution Protocol, which is a low-level protocol located in the TCP/IP protocol stack, responsible for resolving a certain IP address into the corresponding MAC address.
From the perspective of ways that affect network connections, ARP spoofing is divided into two types: one is spoofing the router's ARP table; the other is gateway spoofing the intranet PC.
The first ARP spoofing principle is to intercept gateway data. It notifies the router of a series of wrong intranet MAC addresses and continues to proceed at a certain frequency, so that the real address information cannot be saved in the router through updates. As a result, all data of the router can only be sent to the wrong MAC address, causing normal PCs to fail to receive the information.
The second principle of ARP spoofing is to forge gateways. Its principle is to establish a fake gateway, so that the PC that is deceived by it sends data to the fake gateway, rather than surfing the Internet through normal router channels. In the eyes of PC, it just can't access the Internet, and "the network is disconnected."
ARP spoofing *s only need to successfully infect one computer, which may cause the entire LAN to be unable to access the Internet, and in severe cases may even cause the entire network to be paralyzed.
This time, a server in the same LAN network of the hosting computer room where my website server is located was infected with the ARP spoofing *, which affected other servers in the entire computer room. As a result, thousands of virtual host websites in the server were all affected, and the number of visits to the site of * growers also increased sharply. This is still a trivial matter. In addition to causing other users in the same LAN to intermittently access the Internet, the user's password will also be stolen. Such as stealing QQ passwords, stealing various online game passwords and accounts to do money transactions, stealing online bank accounts to do illegal transactions, etc., these are the usual tricks of *s, which cause great inconvenience and huge economic losses to users.
How to check whether the machine is infected with ARP spoofing * virus
The "CTRL" + "ALT" + "DELETE" keys open the "Windows Task Manager" window to check whether there is a "" process. If so, it means that you are poisoned and you need to "end the process" immediately.
How to check computers infected with ARP spoofing * virus in LAN
"Start" menu "Run" and "cmd" open the MSDOS window, enter "ipconfig" to get the "Default Gateway" default gateway.
Continue to execute the command "arp -a" to view the "Physical Address" value corresponding to the default gateway IP. When the network is normal, this is the correct physical address of the gateway. When the network is affected by "ARP spoofing" * and abnormal, it is the physical address of the network card of the computer where the * is located. You can also scan all IP addresses in the subnet and then check the ARP table. If there is an IP corresponding to the same physical address as the gateway, then this IP address and physical address are the IP address and network card physical address of the poisoned computer.
How to prevent computers from being cheated by ARP
1. Don’t build your network security trust relationship on IP or Mac (Rarp also has the problem of deception), ideal relationships should be based on IP+Mac.
2. Set the static mac-->ip corresponding table, and do not let the host refresh the conversion table you set.
3. Unless it is very necessary, stop using ARP and save ARP as a permanent entry in the corresponding table.
4. Use an ARP server. Search for its own ARP conversion table through this server to respond to ARP broadcasts of other machines. Make sure this ARP server is not hacked.
5. Use "proxy" to proxy IP transmission.
6. Use hardware to block the host. Set up your route to ensure that the IP address can reach the legal path. (Static configuration routing ARP entry), note that using switch hubs and bridges cannot prevent ARP spoofing.
7. The administrator regularly obtains a rarp request from the response IP package and then checks the authenticity of the ARP response.
8. The administrator regularly polls to check the ARP cache on the host.
9. Use a firewall to continuously monitor the network. Note that when using SNMP, ARP spoofing may lead to the loss of trap packets.
Recommended tools: Xinxiang ARP tools, including a very comprehensive ARP prevention function. (This includes WinPcap_3_0., please be sure to install this software first) Download address:/
ARP solution/tool + genuine and fake ARP prevention and distinction method + ARP ultimate solution
/
ARP Attack Prevention and Solution Topic
/s/arp/
I was wondering why the virus prompts have appeared recently when the website that has been running for 4 years. Because of professional habits, I opened the source code of the website to view it. It turned out that a <iframe> nested frame web page was added to the head of the web page source code, and the web page executed a * program...
According to common sense, I felt cold in my heart: I guess the server was captured, and all the file codes were added with this line of code, so I went up to FTP, download the file and checked it but there was no code.
So he asked the server administrator and smiled. When he heard this, he said, "It was a virus attack caused by ARP spoofing."
So what is "ARP fraud"?
First of all, ARP means Address Resolution Protocol, which is a low-level protocol located in the TCP/IP protocol stack, responsible for resolving a certain IP address into the corresponding MAC address.
From the perspective of ways that affect network connections, ARP spoofing is divided into two types: one is spoofing the router's ARP table; the other is gateway spoofing the intranet PC.
The first ARP spoofing principle is to intercept gateway data. It notifies the router of a series of wrong intranet MAC addresses and continues to proceed at a certain frequency, so that the real address information cannot be saved in the router through updates. As a result, all data of the router can only be sent to the wrong MAC address, causing normal PCs to fail to receive the information.
The second principle of ARP spoofing is to forge gateways. Its principle is to establish a fake gateway, so that the PC that is deceived by it sends data to the fake gateway, rather than surfing the Internet through normal router channels. In the eyes of PC, it just can't access the Internet, and "the network is disconnected."
ARP spoofing *s only need to successfully infect one computer, which may cause the entire LAN to be unable to access the Internet, and in severe cases may even cause the entire network to be paralyzed.
This time, a server in the same LAN network of the hosting computer room where my website server is located was infected with the ARP spoofing *, which affected other servers in the entire computer room. As a result, thousands of virtual host websites in the server were all affected, and the number of visits to the site of * growers also increased sharply. This is still a trivial matter. In addition to causing other users in the same LAN to intermittently access the Internet, the user's password will also be stolen. Such as stealing QQ passwords, stealing various online game passwords and accounts to do money transactions, stealing online bank accounts to do illegal transactions, etc., these are the usual tricks of *s, which cause great inconvenience and huge economic losses to users.
How to check whether the machine is infected with ARP spoofing * virus
The "CTRL" + "ALT" + "DELETE" keys open the "Windows Task Manager" window to check whether there is a "" process. If so, it means that you are poisoned and you need to "end the process" immediately.
How to check computers infected with ARP spoofing * virus in LAN
"Start" menu "Run" and "cmd" open the MSDOS window, enter "ipconfig" to get the "Default Gateway" default gateway.
Continue to execute the command "arp -a" to view the "Physical Address" value corresponding to the default gateway IP. When the network is normal, this is the correct physical address of the gateway. When the network is affected by "ARP spoofing" * and abnormal, it is the physical address of the network card of the computer where the * is located. You can also scan all IP addresses in the subnet and then check the ARP table. If there is an IP corresponding to the same physical address as the gateway, then this IP address and physical address are the IP address and network card physical address of the poisoned computer.
How to prevent computers from being cheated by ARP
1. Don’t build your network security trust relationship on IP or Mac (Rarp also has the problem of deception), ideal relationships should be based on IP+Mac.
2. Set the static mac-->ip corresponding table, and do not let the host refresh the conversion table you set.
3. Unless it is very necessary, stop using ARP and save ARP as a permanent entry in the corresponding table.
4. Use an ARP server. Search for its own ARP conversion table through this server to respond to ARP broadcasts of other machines. Make sure this ARP server is not hacked.
5. Use "proxy" to proxy IP transmission.
6. Use hardware to block the host. Set up your route to ensure that the IP address can reach the legal path. (Static configuration routing ARP entry), note that using switch hubs and bridges cannot prevent ARP spoofing.
7. The administrator regularly obtains a rarp request from the response IP package and then checks the authenticity of the ARP response.
8. The administrator regularly polls to check the ARP cache on the host.
9. Use a firewall to continuously monitor the network. Note that when using SNMP, ARP spoofing may lead to the loss of trap packets.
Recommended tools: Xinxiang ARP tools, including a very comprehensive ARP prevention function. (This includes WinPcap_3_0., please be sure to install this software first) Download address:/
ARP solution/tool + genuine and fake ARP prevention and distinction method + ARP ultimate solution
/
ARP Attack Prevention and Solution Topic
/s/arp/