Symptoms of an ARP virus:
1, All or some of the computers on the network are unable to access the Internet;
2, Web pages open garbled;
3, Opening web pages reports a virus;
Method for finding an ARP virus:
If the symptoms above appear on the network, a computer on it is likely to be infected with an ARP virus. The specific steps for finding and removing it are as follows:
1, Determine the VLAN, gateway, IP addresses and other information for the faulty segment;
2, Log in to the gateway switch (it must be the gateway switch; otherwise there is no ARP table).
3, Use the dis log command to view the log. If there is a virus, there is usually a warning (but not always), such as the following log:
%Dec 10 13:06:18 2007 Huawei8508_1 ARP/4/DUPIFIP:Slot=4; Duplicate address10.110.70.126 on VLAN909, sourced by 0016-ec71-9996
%Dec 10 13:05:17 2007 Huawei8508_1 ARP/4/DUPIFIP:Slot=4; Duplicate address10.110.70.126 on VLAN909, sourced by 0016-ec71-9996
The above log says: on the VLAN 909 segment, the computer with MAC address 0016-ec71-9996 has the ARP virus.
4, If the log shows no such information, you need to look at the ARP table of the switch. Use dis ARP | in followed by the VLAN, such as dis ARP | in 909. The following information will appear:
Note: every IP address here maps to the same MAC address, which is not normal. In a normal ARP table, different IP addresses should map to different MAC addresses.
<Huawei8508_1>dis ARP | in 909
Type: S-Static D-Dynamic
IP Address MAC Address VLAN ID Port Name Aging Type
10.110.64.168 0016-ec71-9996 909 GigabitEthernet4/1/5 13 D CunVPN
10.110.64.200 0016-ec71-9996 909 GigabitEthernet4/1/5 14 D CunVPN
10.110.70.60 0016-ec71-9996 909 GigabitEthernet4/1/5 15 D CunVPN
10.110.70.17 0016-ec71-9996 909 GigabitEthernet4/1/5 16 D CunVPN
10.110.64.236 0016-ec71-9996 909 GigabitEthernet4/1/5 16 D CunVPN
10.110.70.18 0016-ec71-9996 909 GigabitEthernet4/1/5 16 D CunVPN
10.110.70.20 0016-ec71-9996 909 GigabitEthernet4/1/5 17 D CunVPN
10.110.64.221 0016-ec71-9996 909 GigabitEthernet4/1/5 18 D CunVPN
10.110.64.231 0016-ec71-9996 909 GigabitEthernet4/1/5 19 D CunVPN
10.110.64.225 0016-ec71-9996 909 GigabitEthernet4/1/5 20 D CunVPN
10.110.64.160 0016-ec71-9996 909 GigabitEthernet4/1/5 20 D CunVPN
The above information shows: on the VLAN 909 segment, the computer with MAC address 0016-ec71-9996 has the ARP virus.
5, The two methods above make it easy to determine which MAC address is infected, but they cannot determine the IP address. Determining the IP address is much more difficult. You need to rely on tools such as the E shield software and the daily IP and MAC records to judge.
6, If none of those tools are available, the only option is to first log in to the corresponding layer two switch (note: this is the layer two access switch) and look up the MAC address in the MAC address and port table to determine which port it is on. The specific method is as follows:
<Huawei3900_1>dis mac-address 0016-ec71-9996
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME (s)
0016-ec71-9996 909 Learned GigabitEthernet1/0/5 AGING
From the above information you can tell that the computer 0016-ec71-9996 is connected to port GigabitEthernet1/0/5 of the 3900 switch.
7, To restore the network temporarily, you can shut down port GigabitEthernet1/0/5 on the switch, as follows:
<Huawei3900_1>sys
System View: return to User View with Ctrl+Z.
[Huawei3900_1]int g 1/0/5
[Huawei3900_1-GigabitEthernet1/0/5]shutdown
8, Then log on to the gateway switch and restart the corresponding VLAN interface, as follows:
[Huawei8508_1]int Vlan-interface 909
[Huawei8508_1-Vlan-interface909]shutdown
[Huawei8508_1-Vlan-interface909]undo shutdown
9, After this the network returns to normal operation. As for the infected machine, the user needs to deal with it. It is suggested to reinstall the system directly, and immediately install patches, antivirus software, 360 security guards, E shield and other tools, to avoid reinfection. This is very important, because the possibility of reinfection is very high.
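The checks in steps 3 and 4 can be scripted once the dis log and dis ARP output has been saved as text. The Python below is an added example, not part of the original post; the function names, the threshold of three IP addresses and the two extra hosts in the sample table are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input in the format of the output shown in steps 3 and 4.
# The 0016-ec71-9996 rows are copied from the page; the other two hosts are made up.
SAMPLE_LOG = (
    "%Dec 10 13:06:18 2007 Huawei8508_1 ARP/4/DUPIFIP:Slot=4; Duplicate "
    "address10.110.70.126 on VLAN909, sourced by 0016-ec71-9996\n"
)
SAMPLE_ARP = """\
IP Address MAC Address VLAN ID Port Name Aging Type
10.110.64.168 0016-ec71-9996 909 GigabitEthernet4/1/5 13 D CunVPN
10.110.64.200 0016-ec71-9996 909 GigabitEthernet4/1/5 14 D CunVPN
10.110.70.60 0016-ec71-9996 909 GigabitEthernet4/1/5 15 D CunVPN
10.110.70.33 0011-2233-4455 909 GigabitEthernet4/1/7 3 D CunVPN
10.110.70.34 0011-2233-4466 909 GigabitEthernet4/1/8 5 D CunVPN
"""

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
DUP_RE = re.compile(rf"DUPIFIP:.*?Duplicate address\s*({IP}) on VLAN\s*(\d+), sourced by ({MAC})")
ARP_RE = re.compile(rf"^\s*({IP})\s+({MAC})\s+(\d+)\s+(\S+)\s+\S+\s+D\b", re.M)

def duplicate_ip_sources(log_text):
    """Step 3: count DUPIFIP warnings per (vlan, source MAC)."""
    hits = defaultdict(int)
    for _ip, vlan, mac in DUP_RE.findall(log_text):
        hits[(int(vlan), mac.lower())] += 1
    return dict(hits)

def macs_claiming_many_ips(arp_text, threshold=3):
    """Step 4: dynamic ARP entries where one MAC answers for >= threshold IPs.

    threshold is an assumption; routers and proxy-ARP devices legitimately
    hold several IPs, so review hits before shutting a port.
    """
    seen = defaultdict(lambda: {"ips": set(), "ports": set()})
    for ip, mac, vlan, port in ARP_RE.findall(arp_text):
        entry = seen[(int(vlan), mac.lower())]
        entry["ips"].add(ip)
        entry["ports"].add(port)
    return {k: v for k, v in seen.items() if len(v["ips"]) >= threshold}

if __name__ == "__main__":
    print("duplicate-IP warnings:", duplicate_ip_sources(SAMPLE_LOG))
    for (vlan, mac), e in macs_claiming_many_ips(SAMPLE_ARP).items():
        print(f"VLAN {vlan}: {mac} holds {len(e['ips'])} IPs via {sorted(e['ports'])}")
```

The port it reports is the gateway switch's uplink toward the access switch, so the MAC still has to be traced on the layer two switch as in step 6.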