Mohammed Ismail wrote:
> all connections are wired Ethernet connections
> ADSL modem <<==>> wan int. m0n0wall LAN int. <<==>> Ethernet wired clients.
> all clients OS will be winxp
> and I cannot guarantee good antivirus or firewalls on those PCs
> so I want m0n0 to keep sending his MAC address to all Clients to maintain connectivity between
> clients and m0n0.
> the Trojan name was HackTool.win32.ArpAttacker.3020
> thanks a lot
It is doing an ARP poisoning attack. It overloads the switch, and if
m0n0wall did the same it would fall over to a hub, and all the data will
still go to the compromised machine. I understand that you don't have
access to the clients, but the only fix is to remove the bad client.
You may want to seal off the net to keep it from spreading as well.