van_zaya posted on 2008-1-2 15:33

Hit by ARP spoofing

My girlfriend had an exam today, so I took my little black ThinkPad along and went with her to the school.
With nothing to do, I wandered over to our school library, plugged in a network cable and got online. Before long, before I had even logged in to the external network (our school charges for external access), Avira (the little red umbrella) started popping up warnings.
Something called ads.jpg.exe, sitting in the IE temporary files folder, and a few other .exe files with three-digit names in the Windows system directory. Wow, had I caught a virus just like that? I frantically checked: msconfig startup items, services, no suspicious entries; nothing suspicious among the programs launched at boot either. Oh, so this virus is "green" (portable), fine, it doesn't start itself. So I rebooted, but a little later, as soon as I went online with IE, it downloaded a pile of those again. IE's add-ons had nothing suspicious in them either, so I opened Opera, downloaded HijackThis and ran a check; still nothing suspicious to be seen. In the meantime I had a friend off campus open our school's web page, and it was fine.
At that point the network dropped.
What, how could that be, everyone around me was fine. I changed my IP to try, and hey, once changed it worked and I could get online again. Then it hit me: isn't this the legendary ARP spoofing? A virus, or a program someone in my subnet is running, forges ARP packets and sends them to everyone so that everyone uses his computer as the gateway, and then adds some .exe files that look like jpgs into the html. Yes, that should be it, heh heh.
Analyse it for me, everyone, that should be it, right?
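A small detector for the gateway ARP spoofing described above, added here as an example and not part of the original post. It assumes two Windows `arp -a`-style snapshots of the ARP cache; the addresses, MACs and snapshot text are constructed for illustration.

```python
"""Flag gateway ARP spoofing from two ARP-cache snapshots.

Symptoms looked for: the gateway's MAC changes between snapshots, or the
gateway's MAC is also claimed by another host on the LAN (the forged ARP
replies point everyone at an ordinary workstation instead of the router).
"""
import re
from typing import Dict, List

# Constructed `arp -a`-style snapshots (not from the thread).
BEFORE = """\
Interface: 10.1.2.20 --- 0x2
  Internet Address      Physical Address      Type
  10.1.2.1              00-11-22-33-44-55     dynamic
  10.1.2.37             00-aa-bb-cc-dd-ee     dynamic
"""
AFTER = """\
Interface: 10.1.2.20 --- 0x2
  Internet Address      Physical Address      Type
  10.1.2.1              00-aa-bb-cc-dd-ee     dynamic
  10.1.2.37             00-aa-bb-cc-dd-ee     dynamic
"""

# One cache entry: IPv4 address, dash-separated MAC, entry type.
ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lower-cased); header and Interface lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_gateway(before: str, after: str, gateway: str) -> List[str]:
    """Return findings about the gateway entry; an empty list means no change."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    if gateway not in new:
        return [f"gateway {gateway} missing from ARP cache"]
    findings: List[str] = []
    if gateway in old and old[gateway] != new[gateway]:
        findings.append(f"gateway MAC changed {old[gateway]} -> {new[gateway]}")
    twins = sorted(ip for ip, mac in new.items() if mac == new[gateway] and ip != gateway)
    if twins:
        findings.append(f"gateway MAC {new[gateway]} also claimed by {', '.join(twins)}")
    return findings


if __name__ == "__main__":
    for finding in check_gateway(BEFORE, AFTER, "10.1.2.1"):
        print("ALERT:", finding)
```

Once the cache has been poisoned, clearing it (the `arp -d` suggested later in the thread) only helps until the next forged reply arrives; comparing snapshots like this shows whether the poisoning is still going on.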

van_zaya posted on 2008-1-2 15:34

Attaching the HijackThis log for the experts to look at:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:53:09, on 2008-1-2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Workstation\avguard.exe
C:\Program Files\Avira\AntiVir Workstation\sched.exe
C:\Program Files\Avira\AntiVir Workstation\avesvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Workstation\avmailc.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Workstation\avgnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\ctfmon.exe
D:\GreenPrograms\TM\TMDlls\TM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
D:\GreenPrograms\IpMsg\ipmsg.exe
C:\Program Files\Opera 9\Opera.exe
C:\Documents and Settings\Freelancer\Desktop\HiJackThis_v2.exe

O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O4 - HKLM\..\Run: tp4serv.exe
O4 - HKLM\..\Run: C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"-osboot
O4 - HKLM\..\Run: "C:\Program Files\Avira\AntiVir Workstation\avgnt.exe" /min
O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: Narrator.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\GreenPrograms\BC\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\GreenPrograms\BC\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\GreenPrograms\BC\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All by Gigaget - D:\GreenPrograms\GigaGet\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - D:\GreenPrograms\GigaGet\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{48BB4ABD-A1F0-438F-8F8E-4F5A7483DFA7}: NameServer = 210.31.198.65
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Windows Workstation MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Workstation\avmailc.exe
O23 - Service: AntiVir Windows Workstation Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Workstation\sched.exe
O23 - Service: AntiVir Windows Workstation Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Workstation\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AntiVir Windows Workstation MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir Workstation\avesvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6159 bytes

sheds posted on 2008-1-2 16:49

Since it's ARP, there's nothing to see in this log.

大手大脚 posted on 2008-1-2 17:10

^c^ It's ARP gateway spoofing.

jandee posted on 2008-1-2 21:10

Start > Run, cmd, type arp -d and that's it.

van_zaya posted on 2008-1-2 21:16

First time I've really run into this kind of ARP "gateway" spoofing, pretty novel :)

edreamer posted on 2008-1-2 22:14

This does a lot of damage in workplaces and schools.

aikiu posted on 2008-1-3 10:09

Been burned by it.