遭遇ARP欺骗

van_zaya

今天女朋友考试，于是背着小黑陪她到学校。
没事儿干就跑到俺们学校图书馆插根网线儿上网。结果没一会儿，我还没登外网呢（俺们学校上外网要花钱）小红伞就开始弹警告。
什么ads.jpg.exe，这个是在IE临时文件夹里。另一些就是三位数字的.exe文件，在系统目录windows下，我晕，感情咱这么一下子就中病毒了？赶紧狂查，msconfig启动项，服务中，没有可疑项，开机的程序也没有可疑项。哦，感情这病毒还是绿色的，没事儿，自己不自动启动，得，哥们我重启下，结果一会儿只要用IE上网就又下载一堆子这些，我晕，IE的ADD-on里面也什么可疑项都没有啊，于是开opera，下载了个hijackthis查了查，还是什么都没有看到可疑的，中间还让校外一个哥们上我们学校网页，没有问题啊
这个时候就断网了
我晕，怎么会是，旁边的别人都好好得啊。我改个IP试一试，哟嗬，一改，好了，又能上了。突然想起来，嗯，这不是传说中的ARP欺骗么？病毒或者是我同子网的某人运行的程序伪装ARP包发送给大家，让大家都以他的电脑为网关上网，然后再html里面加上点儿貌似jpg的.exe文件，嗯，应该是这样的，嘿嘿。
大家给分析分析，应该是吧哈？

van_zaya

附上hijackthis的log给高手们看看：
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:53:09, on 2008-1-2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Workstation\avguard.exe
C:\Program Files\Avira\AntiVir Workstation\sched.exe
C:\Program Files\Avira\AntiVir Workstation\avesvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Workstation\avmailc.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Workstation\avgnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\ctfmon.exe
D:\GreenPrograms\TM\TMDlls\TM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
D:\GreenPrograms\IpMsg\ipmsg.exe
C:\Program Files\Opera 9\Opera.exe
C:\Documents and Settings\Freelancer\Desktop\HiJackThis_v2.exe

O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Workstation\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\GreenPrograms\BC\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\GreenPrograms\BC\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\GreenPrograms\BC\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All by Gigaget - D:\GreenPrograms\GigaGet\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - D:\GreenPrograms\GigaGet\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{48BB4ABD-A1F0-438F-8F8E-4F5A7483DFA7}: NameServer = 210.31.198.65
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Windows Workstation MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Workstation\avmailc.exe
O23 - Service: AntiVir Windows Workstation Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Workstation\sched.exe
O23 - Service: AntiVir Windows Workstation Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Workstation\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AntiVir Windows Workstation MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir Workstation\avesvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6159 bytes

sheds

既然是ARP的话发这记录就没什么可看的了

大手大脚

是arp网关欺骗

jandee

开始运行 cmd 输入 arp -d 就可以了

van_zaya

第一次真实的碰到这种ARP‘网关”欺骗，比较新鲜，

edreamer

这个在单位，学校里杀伤力很强的

aikiu

受过伤

		自动登录	找回密码
密码			注册

遭遇ARP欺骗

铜牌荣誉勋章(注册8年以上会员)