Iframe And Arp Spoofing


#1 fatiha
  • Members
  • 6 posts

Posted 21 October 2007 - 03:15 PM

Description of my problem:
We have noticed instability in our local network, which is due to malware spreading through it.
The malware uses an ARP-based attack against the local network gateway (192.168.1.1).
Machine "A", owner of the MAC address "MacA", sends ARP broadcast packets on the network indicating that the gateway is machine A (192.168.1.1, the real gateway address, is at "MacA"), so many machines in our network use a wrong ARP entry (I mean the MAC of machines infected by this malware).

After a long check on them to identify this malware, we found that these machines were infected by:
"svchost.exe" (175 KB, 179200 bytes), which uses the DLLs Packet.dll, wpcap.dll and wanpacket.dll ... \drivers\npf.sys.
- It performs a scan of all 192.168-, 172.16- and 10.0- networks.
- It has an "80-port insert" in the svchost packet.
- Finally, we have another problem: when we open a web page (in IE or Firefox), before we get the response, which takes two or three seconds, the page displays a little gray bar (whether we use Windows or Linux), and View Page Source returns this: hxxp://218.75.91.248/iframe. This is included in the svchost.exe packet, but it was encrypted.

- Can somebody help me and explain how we can resolve this and clean our local network of this malware?

Thanks in advance

Edited by quietman7, 23 October 2007 - 02:30 PM.
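As an added illustration (not part of the original post), a small Python detector for the gateway impersonation described above: it parses raw ARP-over-Ethernet frames and flags any sender that claims 192.168.1.1 from a MAC other than the known gateway MAC, or any IP whose sender MAC changes mid-capture. The gateway MAC and the sample frames are constructed for the example; in practice the frames would come from a capture on the affected segment.

```python
import struct
# Constructed values for this example: the thread's gateway IP and a placeholder
# gateway MAC (assumed; the real one comes from your own network's documentation).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"

def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet II + ARP frame (op 1 = request, 2 = reply)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    dst = b"\xff" * 6 if op == 1 else tmac            # requests are broadcast
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6/4-byte addresses
    arp += smac + bytes(map(int, sender_ip.split(".")))
    arp += tmac + bytes(map(int, target_ip.split(".")))
    return dst + smac + b"\x08\x06" + arp              # 0x0806 = ARP ethertype

def parse_arp(frame):
    """Return opcode and sender MAC/IP of an ARP-over-Ethernet frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return {"op": op, "sender_mac": sender_mac, "sender_ip": sender_ip}

def detect_gateway_spoofing(frames, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Flag ARP packets claiming the gateway IP from a foreign MAC, or any IP whose MAC changes."""
    alerts, seen = [], {}
    for idx, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip == gateway_ip and mac != gateway_mac.lower():
            alerts.append((idx, ip, mac, "gateway IP claimed by non-gateway MAC"))
        elif ip in seen and seen[ip] != mac:
            alerts.append((idx, ip, mac, f"sender MAC changed from {seen[ip]}"))
        seen.setdefault(ip, mac)
    return alerts

# Constructed capture: legit gateway reply, normal request, then an infected host ("MacA") impersonating 192.168.1.1.
SAMPLE_FRAMES = [
    build_arp_frame(2, GATEWAY_MAC, GATEWAY_IP, "00:aa:bb:cc:dd:01", "192.168.1.10"),
    build_arp_frame(1, "00:aa:bb:cc:dd:01", "192.168.1.10", "00:00:00:00:00:00", GATEWAY_IP),
    build_arp_frame(1, "00:de:ad:be:ef:01", GATEWAY_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp_frame(2, "00:de:ad:be:ef:01", GATEWAY_IP, "00:aa:bb:cc:dd:02", "192.168.1.11"),
]
```

Running `detect_gateway_spoofing(SAMPLE_FRAMES)` returns two alerts, for the gratuitous announcement and the forged reply; the first two frames produce none.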

#2 fatiha
  • Topic Starter
  • Members
  • 6 posts

Posted 23 October 2007 - 03:24 AM

Please, can somebody help me? Does nobody have an idea about this problem? :thumbsup:

#3 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 51,122 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 23 October 2007 - 02:31 PM

Files like wpcap.dll, packet.dll and wanpacket.dll are used by malware (Trojans, Bots, etc).

Examples:
Troj/Agent-BTS
Troj/PWS-ANG
Troj/RtKit-11
BackDoor-ASW

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure of the spelling. If it is scvhost.exe, then that is a Trojan.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#4 fatiha
  • Topic Starter
  • Members
  • 6 posts

Posted 24 October 2007 - 09:13 AM

Files like wpcap.dll, packet.dll and wanpacket.dll are used by malware (Trojans, Bots, etc).

Examples:
Troj/Agent-BTS
Troj/PWS-ANG
Troj/RtKit-11
BackDoor-ASW

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure of the spelling. If it is scvhost.exe, then that is a Trojan.


First, I want to say thank you for replying to me.

I know you'll say this problem should be in the "Networking" forum, and you are right, but the real problem is that my whole LAN is infected, and if I apply this solution to the infected machines, I find that there are other infected machines which redo the same procedure and make my LAN slow.

How can I execute this solution across all of my network?
This Trojan shows a gray bar in our web pages; is that an indication that our HTTP requests are being answered by these infected machines?

#5 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 51,122 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 24 October 2007 - 10:36 AM

These types of infections are often accompanied by other types of malware and all the files need to be identified, then removed. I just gave you some examples so we don't know exactly which one you are dealing with. Do you know how many machines are infected? What type of anti-virus are you using?

You can monitor the network to see if a client machine behaves like it is actively online when not in use. If it does, then that could be a sign it is infected with malware. If you don't have any third-party network monitoring tools and are using Windows XP, you can enable the network status light in your system tray. The light will "blink" when there is network activity. To do that go to Start > Control Panel > Network Connections and right-click the network connection you want to monitor. Then choose Properties, select "Show icon in notification area when connected" and click Ok when done.

I would start by disconnecting all machines from the network that are infected and perform a full system scan in safe mode with your anti-virus. Start with the server, then one at a time, do the same for each client machine until you ensure all are cleaned and can be reconnected. I know that's a tedious task, but it ensures each machine gets individual attention and a full system scan of all files and folders. Trying to do things remotely can result in missed detections. If scanning a mapped drive only scans the mapped folders, it may not include all the folders on the remote computer. Further, if a malware file is detected on the mapped drive, the removal may fail if a program on the remote computer uses that file.