Joke Collection Website - News headlines - How to effectively judge which machine in the LAN is infected with arp virus?
How to effectively judge which machine in the LAN is infected with arp virus?
How does LAN query which machine contains arp virus? You can view the number of external network connections for each computer in the router. If there is no BT Thunder, the number of connections will definitely not exceed double digits, and the number of computer connections with ARP virus will be thousands. This method is the fastest, which can quickly investigate and deal with the poisoned computer and disconnect it from the network. General enterprise routers have this function. Another method is more troublesome, that is, check one by one. You only need to see the local connection of each computer (that is, the two small computers at the bottom right of the screen). If the local connection has been sending and receiving data and sending and receiving thousands of data packets at a time (provided that you don't use Thunder BT to download), then this computer must be infected with ARP virus.
Recommend an anti-virus software for you to use, killing Trojan virus first-class for free.
Go to the main switch in the company's computer room and PING the gateway with a computer, for example: PING192.168.0.1-T. If a computer in the local area network is infected with ARP virus, the ping value must be very high and packets are often dropped. If it is normal, the ping value will be less than1ms. Next, you know what to do. Unplug the network cable one by one, try to see which network cable has a normal PING value, and you will find a poisoned computer. Look at your situation. More than one computer is poisoned. Be patient. This is also a way.
How to judge whether your machine is attacked by arp or by a machine in the LAN? How to find the virus host? Is 360 arp easy to use? Remember to ping the gateway first. Just flat.
Then press arp -a a a.
Check the mac address of the gateway again.
At this point, the mac address of the gateway is the mac address of the infected machine.
If you are a network administrator, you can check the routing table on the gateway and check the real IP of the poisoned machine.
If you are not a webmaster. Ping one by one in the intranet and check the mac address.
How does LAN query which machine contains arp virus? Solution of instant disconnection of Huawei 3026E LAN after ARP variant virus attack
In 2006, ARP and LOGO 1 virus were the most harmful to LAN. In the early stage, we generally used the method of two-way containment to solve it.
However, the ARP variant appears at the end of 10, so you may still be worried about the gateway disconnection and think it is a telecom problem. In fact, it is not an ARP virus variant, an OK virus variant, a Trojan dropper, Win32. Juntador.f or TrojanDropper. Win32.Juntador.f
Now this ARP variant virus is more powerful. I'll tell you what I met. If you have these situations, I'm sorry to say "congratulations".
You hit the jackpot, hehe ~ ~
Firstly, understand the characteristics of ARP variant virus:
One: Destroy your ARP bidirectional binding.
Two: the poisoned machine is changed into a proxy server, also called proxy routing.
Third, the MAC address of the gateway that changed the route is the same as the MAC address of the internat gateway.
Virus outbreak: The current ARP variant does not attack the MAC address of the client, but attacks the gateway in the routing network, which changes its principle, which is really admirable.
Do you know what address directly attacks your route? Haha ~ ~ Guess ~ ~ It won't be sold ~ ~ The new variant ARP directly attacks the MAC address and external gateway of your route.
And directly disable the batch file binding IP and MAC. They are all disconnected for a period of time, and some are disconnected for a period of time. and
A computer with ARP will turn it into a proxy server in the intranet to steal numbers and launch attacks. If you find that ARP is not dropped, it means you.
With the latest variant, as long as the computer is restarted with ARP virus, all computers attacked by ARP will be disconnected.
The gateway of the internal network does not lose packets, while the IP and DNS of the external network become crazy, which is also the emergence of ARP variants. Please pay attention.
I will announce the solved cases and related patches at the end. Please read the full text, which may be helpful to you. Don't worry ~ hey hey ~
The characteristic of this virus is that the poisoned machine will forge the MAC address of the computer. If the forged address is the address of the gateway server, it will have an impact on the whole Internet cafe, and users will often be disconnected from the Internet.
First, enter a command prompt (or MS-DOS mode) on any client and use the arp -a command to view:
c:\ WINNT \ system32 & gt; arp -a
Interface:192.168.0.193 on interface 0x100003.
Physical address type between addresses
192.168.0.100-50-da-8a-62-2c dynamic
192.168.0.23 00-11-2f-43-81-8b dynamic
192.168.0.24 00-50-da-8a-62-2c dynamic
192. 168.0.25
192.168.0.200 00-50-ba-fa-59-Fe dynamics
It can be seen that there are two machines with the same MAC address, so the actual check result is 00-50-da-8a-62-2c, the MAC address is 192. 168.0.24, and the actual MAC address is192.168. 1。 We can judge that 192. 168.0.24 is actually a virus machine, which forged the MAC address of192.168.0.1
Secondly, enter a command prompt (or MS-DOS mode) on 192. 168.0.24, and use the arp -a command to view:
c:\ WINNT \ system32 & gt; arp -a
Interface: 192. 168.0.24 on interface 0x100003.
Physical address type between addresses
192.168.0.100-02-ba-0b-04-32 dynamic
192.168.0.23 00-11-2f-43-81-8b dynamic
192. 168.0.25
192.168.0.19300-11-2f-B2-9d-17 dynamic
192.168.0.200 00-50-ba-fa-59-Fe dynamics
It can be seen that the MAC address displayed on the machine with the virus is correct, and the execution speed of the machine is very slow, which should be caused by all traffic being forwarded by the machine on the second floor. After restarting the machine, all computers in the Internet cafe can't access the Internet, and it will only be normal after arp rearranges the MAC addresses, usually about 2 or 3 minutes.
Third, if the host can enter the dos window, you can use the arp -a command to see the following phenomena:
c:\ WINNT \ system32 & gt; arp -a
Interface:192.168.0.1
Physical address type between addresses
192.168.0.23 00-50-da-8a-62-2c dynamic
192.168.0.24 00-50-da-8a-62-2c dynamic
192.168.0.25 00-50-da-8a-62-2c dynamic
192.168.0.193 00-50-da-8a-62-2c dynamic
192.168.0.200 00-50-da-8a-62-2c dynamic
When the virus does not break out, the address seen on the proxy server is as follows:
c:\ WINNT \ system32 & gt; arp -a
Interface:192.168.0.1
Physical address type between addresses
192.168.0.23 00-11-2f-43-81-8b dynamic
192.168.0.24 00-50-da-8a-62-2c dynamic
192. 168.0.25
192.168.0.19300-11-2f-B2-9d-17 dynamic
192.168.0.200 00-50-ba-fa-59-Fe dynamics
When the virus broke out, you can see that the mac addresses of all ip addresses were changed to 00-50-da-8a-62-2c, but in normal times, you can see that the MAC addresses are different.
Success is the subconscious waiting-there is no end to learning! The weakest is the strongest.
Step by step.
Solution 1:
First, the solution is to use static ARP binding on the client and gateway server.
1. Perform ARP static binding of gateway server on all client machines.
First, check the local MAC address on the gateway server (proxy host) computer.
c:\ WINNT \ system32 & gt; Ipconfig/ all
Ethernet Adapter Local Connection 2:
Connection-specific DNS suffix. :
Description. . . . . . . . . . . : Intel? PRO/ 100B PCI adapter (TX)
Physical address. . . . . . . . . : February 2002 1 day to April 32, 2003
Dhcp is enabled. . . . . . . . . . . : No.
IP address. . . . . . . . . . . . : 192. 168.0. 1
Deputy mask. . . . . . . . . . . : 255.255.255.0
Then the static binding of ARP is carried out under the DOS command of the client.
c:\ WINNT \ system32 & gt; ARP–s 192. 168 . 0 . 1 00-02-ba-0b-04-32
Note: If possible, it is recommended to bind the IP and MAC addresses of all other clients on the client.
2. Carry out ARP static binding of the client machine on the computer of the gateway server (proxy host).
First, check the IP and MAC addresses on all clients. The order is as above.
Then all client servers are statically bound by ARP on the proxy host. For example:
c:\ win nt \ system32 & gt; ARP–s 192. 168 . 0 . 23 00- 1 1-2f-43-8 1-8b
c:\ win nt \ system32 & gt; ARP–s 192. 168 . 0 . 24 00-50-da-8a-62-2c
c:\ win nt \ system32 & gt; ARP–s 192. 168 . 0 . 25 00-05-5d-ff-A8-87
. . . . . . . . .
3. Finally, the static binding of the above ARP is made into a windows startup file, so that the computer can perform the above operations as soon as it is started, ensuring that the configuration is not lost.
Second, conditional Internet cafes can bind IP addresses and MAC addresses in the switch.
3. After 3.IP and MAC are bound, the network card needs to be bound again. It is suggested to install antivirus software on the client to solve this problem: the virus found in this Internet cafe is carried in the speed change gear 2.04B, and the virus program is in wgwang. /list/3007。 It can be downloaded to:
Solution 2:
1: Use static MAC binding for clients on gateway routes. ROUTE OS soft routing users can refer to related tutorials, or select the corresponding items in the ARP list one by one in IP-, right-click and select the "MAKE STATIC" command to create a static copy.
Use firewall to block common virus ports: 134- 139, 445, 500, 6677, 5800, 5900, 593, 1025, 1026, 2745, 3/kloc.
2. statically bind the gateway IP and its MAC on the client, and modify and import the following registry:
(a) prohibit ICMP from redirecting messages.
ICMP redirect messages control whether Windows changes the routing table in response to ICMP redirect messages sent to it by network devices. Although it is convenient for users, it is sometimes used by others to carry out network attacks, which is a very troublesome thing for computer network administrators. By modifying the login file, it is forbidden to respond to ICMP redirection messages, thus making the network more secure.
The modification method is as follows: open the registry editor, find or create a branch of "HKEY _ local _ machine \ system \ current control set \ service \ tcpip \ parameter", and modify the value of the subitem "Enable ICM redirection" (reg _ dword type) to 0 in the right window (0 is a redirection message prohibiting ICMP).
It is forbidden to respond to ICMP routing advertisement messages.
The function of "ICMP route announcement" can make other people's computer network connection abnormal, data being eavesdropped, computers being used for traffic attacks, etc. Therefore, it is recommended to turn off the response ICMP route advertisement message.
The modification method is as follows: open the registry editor, find or create a new branch of "HKEY _ local _ machine \ system \ current control set \ service \ tcpip \ parameters \ interface", and set the sub-item "PerformRouterDiscovery" in the right window. The value of the REG_DWORD type is changed to 0(0 means that it is forbidden to respond to ICMP route advertisement messages, and 2 means that it is allowed to respond to ICMP route advertisement messages). After modification, exit Registry Editor and restart the computer.
(c) Set the arp cache aging time setting.
HKEY _ LOCAL _ MACHINE \ SYSTEM \ current control set \ Services:\ Tcpip \ Parameters
Arpcachelifereg _ dword 0-0xffffffff (seconds, the default value is 120 seconds)
ArpCacheminReferenceLifereg _ dword 0-0xffffffff (seconds, the default value is 600)
Note: if ArpCacheLife is greater than or equal to ArpCacheMinReferencedLife, the referenced or unreferenced ARP is.
Cache entry expires in ArpCacheLife seconds. If ArpCacheLife is less than ArpCacheMinReferencedLife,
Unreferenced items expire after ArpCacheLife seconds, while referenced items expire after ArpCacheMinReferencedLife seconds.
Every time an outbound packet is sent to the IP address of an item, the item in the ARP cache will be referenced.
I saw someone say that as long as the IP-MAC cache is not updated, the correct ARP protocol implementation can be maintained. In this regard, I wonder if it is possible to modify the relevant key values of the registry file to achieve:
By default, the timeout of ARP cache is two minutes, which you can modify in the registry file. There are two key values that can be modified, both of which are located in.
HKEY _ LOCAL _ MACHINE \ SYSTEM \ current control set \ Services \ Tcpip \ Parameters
Modified key value:
Key value 1: arpcachelife, type Dword, unit is seconds, and the default value is 120.
Key value 2: arpcacheminreferencedlife, type Dword, unit is seconds, and default value is 600.
Note: By default, these key values do not exist. If you want to modify them, you must create them yourself. It will take effect after the computer is restarted after modification.
If the value of ArpCacheLife is greater than the value of ArpCacheMinReferencedLife, the timeout of ARP cache is set to the value of ArpCacheLife; If the value of ArpCacheLife does not exist or is less than the value of ArpCacheMinReferencedLife, the timeout is set to 120 seconds for the unused ARP cache; For the ARP cache being used, the timeout is set to the value of ArpCacheMinReferencedLife.
We can set the above key value very large without being forced to update the ARP cache. To prevent viruses from modifying the registry itself, you can restrict the registry.
For small Internet cafes, it is only necessary to record the correct IP-MAC addresses of all machines through any IP-MAC address viewing tool before encountering ARP attacks. When attacked, we can check which machine has a problem, and then usually solve it through violence. The problem may not be very serious. However, there are too many computers in the intranet, and each machine helps to determine all IP-MAC addresses. The workload is huge and must be realized by special software.
Solution 3:
Delete system32\npptools.dll, the Internet cafe I maintained has been deleted for one month, and I have not received ARP virus or adverse reactions. Without the npptools.dll file, ARP virus cannot be executed. All ARP viruses discovered so far will prompt npptools.dll to make an error and cannot be executed.
At present, we have not found a virus that can automatically produce npptools.dll virus. Npptools.dll itself is over 40 K. If a virus has to generate its own execution library, it can't be completed with the size of several tens of K.. If it is bigger, it is not a virus.
Of course, you still need to do ARP -S binding, just bind the machine itself to the route, which can reduce the damage of ARP program to some extent.
Comrades cannot be deleted. Please turn off file protection first. The easiest way is to close it with XPLITE. There are many searches on the Internet.
In addition, again, this method is only effective for ARP virus and only a small part for malware.
Special reminder: don't forget to set the external gateway and MAC. Let me give you an example.
IP: 10. 10. 10. 10
Subnet mask: 255.255.255.255
Gateway:10.10.10.9 [Be sure to bind this gateway address and MAC].
Domain Name System: 222.222.222.222
Alternate DNS: 222.222.221.221.
Personal recommended security tools and patches:
Personally, I think the routing of TP-LINK480T is very good. For details, please refer to the introduction of TP-LINK480T routing.
Small Internet cafes use TP-LINK480T, please upgrade the latest version, this site has been downloaded.
Please bind the gateway address and MAC to use Cisco and Huawei.
Recommended tool: latest version of anti-air sniffer 3
Patch: mAC binder
Vnd8.28 ARP protection patch
Microsoft patch of ARP variant virus
The latest upgrade patch of TP-LINK480T.
You can install online ARP antivirus software and then bind the address in two directions!
Solution of LAN instantly disconnected after being attacked by ARP variant virus Foreword: 2006 is considered to be the year when ARP and LOGO 1 viruses did the most harm to LAN. In the early stage, we usually used the method of two-way containment, but ARP variant appeared at the end of 10. You may still be worried about gateway disconnection and think it is a telecom problem. Actually, it's not. ARP virus variant OK virus variant TrojanDropper. Win32.Juntador.f or TrojanDropper. Win32.Juntador.C Now, this ARP variant virus is more powerful. Let me tell you what I met. If you have these situations, I'm sorry that "Congratulations" won the first prize. Hehe ~ ~ Let's learn about the characteristics of ARP variant virus first: 1. Destroy your ARP bidirectional binding and approve it; 2. The poisoned machine is changed to proxy server, also known as proxy routing; 3. The MAC address of the gateway that changed the route is the same as that of the internal gateway. Virus attack: The current ARP variant does not attack the MAC address of the client, but attacks the gateway in the routing network, which changes its principle. Do you really admire attacking your routing address directly? Haha ~ ~ Guess ~ ~ It is no longer for sale ~ ~ The new variant ARP directly attacks the MAC address of your route and external gateway, and directly disables the batch file binding IP and MAC. They are all disconnected for a period of time, and some are disconnected for a period of time. In addition, a computer with ARP will turn it into a proxy server in the intranet to steal numbers and launch attacks. If you find that ARP has not been discarded, it means that you are in the latest variant. As long as you restart the computer with ARP virus in that computer, all computers attacked by ARP will be disconnected, and the IP and DNS of the external network will be crazy. This is also the emergence of ARP variants. Please pay attention. I will announce the solved cases and related patches at the end. Please read the full text, which may be helpful to you. Don't download it yet ~ hehe ~ The characteristic of this virus is that the poisoned machine will forge the MAC address of the computer. If the forged address is the address of the gateway server, it will affect the whole Internet cafe, and users will often interrupt the Internet. 1. Enter a command prompt (or MS-DOS mode) on any client and use the ARP–A command to view: c: \ winnt \ system32 > Arp -a interface: physical address type between192.168.0.193 addresses on interface 0x100003168. 0。 100-50-da-8a-62-2c dynamic 192. 168。 0。 Then the actual check result is that 00-50-da-8a-62-2c is the MAC address of 192. 168.0.24, and the actual MAC address is 192. 168. 0. 1 is 00-02-ba-0. 2. Enter a command prompt (or MS-DOS mode) on 192. 168.0.24, and use the ARP–A command to view: c: \ winnt \ system32 > Arp -a interface: physical address type between 192. 168.0.24 addresses on interface 0x100003/68.0. 1 00-02-BA-0 B- 0 4-32 dynamic 192. 168。 0。 23 00-65438 should be caused by all the traffic forwarded by the computer on the second floor. After the computer restarts, all computers in the Internet cafe can't surf the Internet, and it will only be normal after arp rearranges MAC addresses. Generally check the original post "; & gt
There is a machine in the LAN that has obtained ARP. What should I do if the network is disconnected? When the network is disconnected, the system will install patches and antivirus software on OKl.
In the local area network, a machine got ARP. How can I check which machine is poisoned without tools? Which expert can see with the naked eye? . .
Our company also won the lottery last month. I found out with 360. If I set up an ARP firewall, I can intercept the attack, so I can find the IP address of the attack.
ARP virus in LAN is constantly being attacked. How to find out which machine has a virus? 1, a relatively simple method.
First, execute the order
B in the command line interface, enter arp -a and press enter.
C, first look at the mac data of your current gateway ip, such as10.16.0.1mac is 00-00-00-00 (confirm whether it is your own gateway mac, if not, it may be attacked by arp), and write down this fake MAC address.
2. Execute the packet capture software for about 30 seconds, and check the captured packets. The mac address with the highest frequency appears in the ARP message. If there is a mac registered as a network, it is believed to be fast to calculate which one.
3. If you are not afraid of trouble, the computers in the network will be patched to limit the function of sending arp packets or enable the user login mode of pppoe network. For some service IPS with large internal data transmission, you can specify a smaller subnet and let them adopt direct routing.
There are ARP viruses in the unit LAN, and there are hundreds of machines. How to find and kill the solution?
Hello! The common processing methods of ARP virus in LAN are as follows:
1. Check whether ARP virus is infected. Symptoms of ARP virus: Internet access is intermittent, and access to neighbors on the network is intermittent, so it is impossible to copy files, which leads to errors; With the rapid increase of ARP packets in LAN, when using ARP to query, you will find that the MAC address is abnormal, or the MAC address corresponds incorrectly, and there will be cases where one MAC address corresponds to multiple IPS.
2. Clear the ARP virus in the LAN. Please refer to: feiying.blog.5 1cto. /230250/428 12.
3. Preventive measures
A. Upgrade the client's operating system and apply patches in time;
Install and update antivirus software.
C if the network is small, try to specify the IP settings manually instead of using DHCP to assign IP addresses.
D. If the switch supports it, bind the MAC address and IP address on the switch (this is not a good idea).
- Related articles
- Monopoly policy slogan
- The original text of Robinson Crusoe
- How to write a slogan with the theme of keeping whole grains healthy?
- What cushion does the car use to keep warm in winter?
- The slogan of the meeting
- Five volunteer service activity plans
- How to introduce isolated breeding for breeding pigs?
- What do Russians like most?
- Beautiful place names
- What are the benefits of offshore trading?