 From:  "David Burgess" <apt dot get at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: FW: [m0n0wall] malware HackTool.win32.ArpAttacker.3020
 Date:  Tue, 6 May 2008 21:16:09 -0600
I don't have the solution you're asking for, but on networks I have
administered in the past I have just cut off connectivity for any
computer that I know to be infected, just put a block-all rule for
that IP in the firewall.

That said, you may have trouble identifying the culprit if your arp is
messed up. Try logging everything to a syslog server then rebooting
your m0n0wall. Watch for arp messages and dhcp log for clues as to
who's screwing you around. You may have to add static arp entries to
your m0n0wall's arp table, although I've found this to be useless
unless you have a way of blocking arp packets at the client.

This could prove difficult, especially if you have many clients.


On Tue, May 6, 2008 at 9:05 PM, Mohammed Ismail <m dash ismail at link dot net> wrote:
> all connections are wired Ethernet connections
>  ADSL modem <<==>> wan int. m0n0wall LAN int. <<==>> Ethernet wired clients.
>  all clients OS will be winxp
>  and I cannot guarantee good antivirus or firewalls on those PCs
>  so I want m0n0 to keep sending his MAC address to all Clients to maintain connectivity between clients and m0n0.
>  the Trojan name was HackTool.win32.ArpAttacker.3020
>  thanks a lot
>  Hi,
>  Are you using a wireless access point to run everyone through captive
>  portal or are they all wired in via Ethernet port?
>  Thanks,
>  Michael
>  Mohammed Ismail wrote:
>  > I have been using m0n0wall since 2006 and till now it is really the best, providing me high stability and hardware cost effective.
>  > turning 200 MHz PC into an advanced Router.
>  >
>  > nowadays I faced a problem, spoofing wrong MAC
>  > my LAN ip is > MAC 00:23:34:43:f4:b1
>  > so when I type arp -a in command under windows xp from any client PC I should get the right MAC; instead I get, for example
>  >    wr:on:g:ma:ca:dd
>  > now the trojan gives wrong MAC
>  > also in ARP cache on m0n0wall I get all MAC addresses of the clients are the same!!!
>  > like this>>
>  > 00:16:17:ec:9f:b8
>  >      00:16:17:ec:9f:b8
>  >      00:16:17:ec:9f:b8     00:16:17:ec:9f:b8
>  >
>  > so in captive portal I must check on, disable MAC filtering, so those clients get internet
>  >
>  > there are some applications that use winpcap and make static arp entry on the infected pc
>  > keep telling my mac is xx:xx:xx:xx:xx:xx and keep Gateway Mac as static entry in arp table in windows xp
>  >
>  > sorry for long explaining of the problem,
>  > now is it possible that I make m0n0wall keep telling clients that M0n0 IP is and MAC is 00:23:34:43:f4:b1
>  >
>  > so it is added in arp table of the client machine as static entry, or keep sending this arp packet every 1 sec to prevent spoofing of m0n0 mac
>  > this also will provide security from spoofing.
>  >
>  > Note: I am using 1.3b10
>  > and I have this problem in 7 networks that I don't have easy access to client PCs
>  > so I need a remote solution. if possible
>  >
>  > best regards
>  > Mohammed Abd El Wadoud
>  > Account Manager
>  > Sharm El Sheikh
>  > m dash ismail at link dot net
>  > +20105337746
>  >
>  >
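
The log review suggested in the reply above (send everything to a syslog server, then watch the ARP messages and the DHCP log), as an added example that is not part of the original thread: it flags any MAC that takes over several IPs or answers for the firewall's own IP, and maps it back to its DHCP lease. The log line formats (FreeBSD kernel `arp:` messages, ISC dhcpd `DHCPACK`), the IP addresses, hostnames and the `sis0` interface are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread). Formats assumed:
# FreeBSD kernel "arp: ... moved from ... to ..." and ISC dhcpd "DHCPACK on ...".
SAMPLE_LOG = """\
May  6 20:01:02 m0n0wall dhcpd: DHCPACK on 192.168.1.23 to 00:16:17:ec:9f:b8 (PC-07) via sis0
May  6 20:01:40 m0n0wall dhcpd: DHCPACK on 192.168.1.24 to 00:0c:29:aa:bb:01 (PC-08) via sis0
May  6 20:05:11 m0n0wall kernel: arp: 192.168.1.24 moved from 00:0c:29:aa:bb:01 to 00:16:17:ec:9f:b8 on sis0
May  6 20:05:12 m0n0wall kernel: arp: 192.168.1.25 moved from 00:0c:29:aa:bb:02 to 00:16:17:ec:9f:b8 on sis0
May  6 20:05:13 m0n0wall kernel: arp: 00:16:17:ec:9f:b8 is using my IP address 192.168.1.1!
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MOVED = re.compile(rf"arp: ({IP}) moved from ({MAC}) to ({MAC})", re.I)
MY_IP = re.compile(rf"arp: ({MAC}) is using my IP address ({IP})", re.I)
LEASE = re.compile(rf"DHCPACK on ({IP}) to ({MAC})(?: \(([^)]*)\))?", re.I)

def find_arp_suspects(log_text, min_ips=2):
    """Return {mac: details} for MACs that took over at least min_ips
    addresses from other hosts or announced the firewall's own IP."""
    claimed = defaultdict(set)   # MAC -> IPs it took over from another MAC
    gateway_claims = set()       # MACs seen answering for the firewall's IP
    leases = {}                  # MAC -> (leased IP, hostname) from the DHCP log
    for line in log_text.splitlines():
        if m := MOVED.search(line):
            claimed[m.group(3).lower()].add(m.group(1))
        elif m := MY_IP.search(line):
            gateway_claims.add(m.group(1).lower())
            claimed[m.group(1).lower()].add(m.group(2))
        elif m := LEASE.search(line):
            leases[m.group(2).lower()] = (m.group(1), m.group(3))
    suspects = {}
    for mac, ips in claimed.items():
        # A single "moved" line can be a normal lease change, so require several.
        if len(ips) >= min_ips or mac in gateway_claims:
            lease_ip, host = leases.get(mac, (None, None))
            suspects[mac] = {"ips": sorted(ips), "lease_ip": lease_ip,
                             "hostname": host, "claims_gateway": mac in gateway_claims}
    return suspects

if __name__ == "__main__":
    for mac, info in find_arp_suspects(SAMPLE_LOG).items():
        print(mac, info)
```

The lease IP reported for a flagged MAC is the address a block-all firewall rule would apply to.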