 From:  Lee Sharp <leesharp at hal dash pc dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: FW: [m0n0wall] malware HackTool.win32.ArpAttacker.3020
 Date:  Tue, 06 May 2008 22:18:23 -0500
Mohammed Ismail wrote:
> all connections are wired Ethernet connections 
> ADSL modem <<==>> wan int. m0n0wall LAN int. <<==>> Ethernet wired clients.
> all clients OS will be winxp
> and I cannot guarantee good antivirus or firewalls on those PCs 
> so I want m0n0 to keep sending his MAC address to all Clients to maintain
> connectivity between clients and m0n0.
> the Trojan name was HackTool.win32.ArpAttacker.3020
> thanks a lot

It is doing an ARP poisoning attack.  It overloads the switch, and if 
m0n0wall did the same it would fall over to a hub, and all the data will 
still go to the compromised machine.  I understand that you don't have 
access to the clients, but the only fix is to remove the bad client. 
You may want to seal off the net to keep it from spreading as well.

			Lee
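
Added example, not part of the original message: one way to find the "bad client" Lee refers to is to check the ARP cache of any healthy LAN machine for a wrong gateway MAC and for one MAC answering for several IPs. The addresses, the sample `arp -a` output and the function names below are constructed for illustration.

```python
import re
from collections import defaultdict

# One entry row of Windows `arp -a` output: IP, dash-separated MAC, type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+"
)

def parse_arp(text):
    """Return {ip: mac} from `arp -a` output, MACs lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_poisoning(table, gateway_ip, gateway_mac):
    """Flag a gateway entry with the wrong MAC and MACs that claim several IPs.

    A multihomed host can legitimately own several IPs, so the second
    finding is a lead to investigate, not proof on its own.
    """
    findings = []
    seen = table.get(gateway_ip)
    if seen and seen != gateway_mac.lower():
        findings.append(("gateway_mac_mismatch", seen, [gateway_ip]))
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("mac_claims_multiple_ips", mac, sorted(ips)))
    return findings

# Constructed sample: the m0n0wall LAN interface is assumed to be
# 192.168.1.1 with MAC 00-0d-b9-aa-bb-cc, but the cache shows the MAC of
# the client at 192.168.1.23 answering for the gateway address.
SAMPLE = """
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-16-17-11-22-33     dynamic
  192.168.1.23          00-16-17-11-22-33     dynamic
  192.168.1.40          00-1E-8C-44-55-66     dynamic
"""

if __name__ == "__main__":
    for finding in find_poisoning(parse_arp(SAMPLE), "192.168.1.1", "00-0d-b9-aa-bb-cc"):
        print(finding)
```

The MAC reported in both findings is the one to trace to a switch port or machine and disconnect.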