#1 (permalink)
Elder member

A network administrator should at least have some basic English, right....

> We have a residential (i.e.: I don't control what is on them) network here of up to 500 computers at any one time. Currently there is a machine doing an ARP-cache poisoning attack against the network. For some unknown reason, it is inserting the string "1^LIBraBBGvB8i~o+Z~UU?L5{B~SLIB5C" into HTTP responses just after the HTTP headers.
>
> I presume (NOTE: this is speculation, I have not yet been able to examine the machine in question) that this is due to a trojan/worm or other malware on the system performing the attack, possibly trying to spread itself to other computers on the subnet accessing the web running a vulnerable web browser - although I have not yet identified the effect of that string, so it may be for some other purpose.
>
> I suggest you check other machines on your network for possible compromises. Use a program like Wireshark to examine network traffic to see if there is a continuous stream of ARP responses that _appear_ to be from your router to every other IP address in the subnet, but telling them an incorrect MAC - the computer with that MAC will be the culprit - you may use nmap to find the IP address of the machine. Alternatively, if you are using a managed switch, you can look for the MAC that maps to just about every IP address on the subnet.

This is a reply from the MSDN forum; see whether it helps.

__________________ Xingtian brandishes his shield and axe
Posts given flowers: 6

Members who sent flowers to plunderer:
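Added example, not part of the original post or the quoted MSDN reply: the two checks the reply describes (ARP replies that give the router's IP with the wrong MAC, and one MAC answering for many IPs), applied to raw Ethernet/ARP frames such as those exported from a capture. The function names, the threshold, and every address and MAC below are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = frame[22:28].hex(":")
    ip = ".".join(str(b) for b in frame[28:32])
    return op, mac, ip

def find_suspects(frames, gateway_ip, gateway_mac, max_ips_per_mac=3):
    """Map suspect MAC -> set of reasons, looking at ARP replies (opcode 2) only."""
    ips_by_mac = defaultdict(set)
    suspects = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:
            continue
        _, mac, ip = parsed
        ips_by_mac[mac].add(ip)
        if ip == gateway_ip and mac != gateway_mac.lower():
            suspects[mac].add("claims gateway IP")
    for mac, ips in ips_by_mac.items():
        if len(ips) > max_ips_per_mac:        # threshold is an assumption; tune per site
            suspects[mac].add("answers for %d IPs" % len(ips))
    return dict(suspects)

def build_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build the bytes of a sample ARP reply (constructed test input, never sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    eth = m(target_mac) + m(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return eth + arp + m(sender_mac) + i(sender_ip) + m(target_mac) + i(target_ip)

# Constructed sample: one genuine router reply, then a rogue MAC answering for everyone.
GW_IP, GW_MAC, ROGUE = "10.0.0.1", "02:00:00:00:00:01", "02:00:00:00:00:66"
SAMPLE = [build_reply(GW_MAC, GW_IP, "02:00:00:00:00:10", "10.0.0.10")]
SAMPLE += [build_reply(ROGUE, GW_IP, "02:00:00:00:00:%02x" % n, "10.0.0.%d" % n)
           for n in range(10, 15)]
SAMPLE += [build_reply(ROGUE, "10.0.0.%d" % n, GW_MAC, GW_IP) for n in range(10, 15)]

if __name__ == "__main__":
    for mac, reasons in find_suspects(SAMPLE, GW_IP, GW_MAC).items():
        print(mac, sorted(reasons))
```

The known-good gateway MAC has to come from a trusted source such as the router's own label or console, not from the ARP cache of a host on the affected subnet.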