[ previous ] [ next ] [ threads ]
 From:  "Mohammed Ismail" <m dash ismail at link dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  malware HackTool.win32.ArpAttacker.3020
 Date:  Wed, 7 May 2008 04:36:13 +0300
I have been using m0n0 wall since 2006 and till now it is relay the best, providing me high
stability and hardware cost effective.
turning 200 MHZ PC into an advanced Router.
now adays i faced a problem, spoofing wrong MAC
my LAN ip is > MAC 00:23:34:43:f4:b1
so when i type arp -a in command under windows xp from any client PC i should get the right mac i
get for instade for example    wr:on:g:ma:ca:dd
now the trojan give wrong MAC
also in ARP cache on m0n0wall i get all MAC addresses of the client are the same!!!
like this>> 00:16:17:ec:9f:b8	   00:16:17:ec:9f:b8	   00:16:17:ec:9f:b8	   00:16:17:ec:9f:b8	 	
so in captive portal i must check on , disable MAC filtering , so thoes clients get internet
there are some applecations that uses winpcap and make statice arp entire on the infected pc
keep telling my mac is xx:xx:xx:xx:xx:xx and keep Gateway Mac as static entry in arp table in
windows xp
sorry for long explainning of the problem, 
now is it possible that i make m0n0wall keep telling clients that M0n0 IP is and MAC is
so it is added in arp table of the client machine as static entery , or keep sending this arp packet
every 1 sec to prevent spoofing of m0n0 mac 
this also will provide security from spoofing.
Note: i am useing 1.3b10
and i have this problem in 7 networks that i dont have easy access to client PCs 
so i need a remote solution. if possible
best regards
Mohammed Abd El Wadoud
Account Manager
Sharm El Sheikh
m dash ismail at link dot net