[ previous ] [ next ] [ threads ]
 From:  "Mohammed Ismail" <m dash ismail at link dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  FW: [m0n0wall] malware HackTool.win32.ArpAttacker.3020
 Date:  Wed, 7 May 2008 06:05:21 +0300
all connections are wired Ethernet connections 
ADSL modem <<==>> wan int. m0n0wall LAN int. <<==>> Ethernet wired clients.
all clients OS will be winxp
and I cannot garantee good antivirus or firewalls on those PCs 
so I want m0n0 to keep sending his MAC address to all Clients to maintain connectivity between
clients and m0n0.
the Trojan name was HackTool.win32.ArpAttacker.3020
thanks allot

Are you using a wireless access point to run everyone through captive
portal or are they all wired in via Ethernet port?


Mohammed Ismail wrote:
> I have been using m0n0 wall since 2006 and till now it is relay the best, providing me high
stability and hardware cost effective.
> turning 200 MHZ PC into an advanced Router.
> now adays i faced a problem, spoofing wrong MAC
> my LAN ip is > MAC 00:23:34:43:f4:b1
> so when i type arp -a in command under windows xp from any client PC i should get the right mac i
get for instade for example
>    wr:on:g:ma:ca:dd
> now the trojan give wrong MAC
> also in ARP cache on m0n0wall i get all MAC addresses of the client are the same!!!
> like this>>
> 00:16:17:ec:9f:b8      
>      00:16:17:ec:9f:b8    
>      00:16:17:ec:9f:b8     00:16:17:ec:9f:b8           
> so in captive portal i must check on , disable MAC filtering , so thoes clients get internet
> there are some applecations that uses winpcap and make statice arp entire on the infected pc
> keep telling my mac is xx:xx:xx:xx:xx:xx and keep Gateway Mac as static entry in arp table in
windows xp
> sorry for long explainning of the problem,
> now is it possible that i make m0n0wall keep telling clients that M0n0 IP is and MAC
is 00:23:34:43:f4:b1
> so it is added in arp table of the client machine as static entery , or keep sending this arp
packet every 1 sec to prevent spoofing of m0n0 mac
> this also will provide security from spoofing.
> Note: i am useing 1.3b10
> and i have this problem in 7 networks that i dont have easy access to client PCs
> so i need a remote solution. if possible
> best regards
> Mohammed Abd El Wadoud
> Account Manager
> Sharm El Sheikh
> m dash ismail at link dot net
> +20105337746

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch