[nzlug] mac address / arp issues?

Edwin F edf825 at gmail.com
Fri Oct 5 19:00:48 NZST 2007


On 10/5/07, Jim Cheetham <jim at gonzul.net> wrote:
> On 05/10/2007, Antonio Broughton <antonio at flerwin.net> wrote:
> > If this computer does have a ViRii... does anyone know why it would
> > be stuffing up the arp table on the Linux server?
>
> In order to make sure that all your network traffic is directed to it,
> so it can scan the packets for interesting passwords &c, before either
> dropping it, or passing it on to the real target.
>
> You may have a virus using pcap on your machine now. As always, it's
> safest to just erase the hard drive, and reinstall the OS from scratch
> / original distribution CDs. Trying to delete a virus is ... generally
> pointless.
>
> -jim
>

Indeed. Looks exactly like ye olde ARP poisoning attack; the old
switcheroo; the old backwards tango.

The box is most definitely infected, or somebody with access to the
machine is doing it deliberately in order to capture data flowing in
the network, so I'd keep it off the internal network while it's in its
current state.

~ed.
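
An added example, not part of the original thread: one way to check the Linux server's ARP table for the symptom discussed above, where a single machine's MAC address ends up answering for several IP addresses. It reads /proc/net/arp; the sample table, addresses and baseline mapping are constructed for illustration.

```python
"""Flag ARP-table entries consistent with ARP poisoning (added example)."""
from collections import defaultdict

# Constructed sample in /proc/net/arp format; addresses and MACs are made up.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:16:3e:aa:bb:cc     *        eth0
192.168.1.10     0x1         0x2         00:16:3e:aa:bb:cc     *        eth0
192.168.1.20     0x1         0x2         00:16:3e:11:22:33     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp(text):
    """Return (ip, mac, device) for every completed entry."""
    entries = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw, flags, mac, _mask, dev = fields
        # Flag bit 0x2 (ATF_COM) marks a resolved entry; skip incomplete ones.
        if int(flags, 16) & 0x2 and mac != "00:00:00:00:00:00":
            entries.append((ip, mac.lower(), dev))
    return entries

def shared_macs(entries):
    """MACs that answer for more than one IP on the same interface."""
    by_mac = defaultdict(set)
    for ip, mac, dev in entries:
        by_mac[(dev, mac)].add(ip)
    return {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}

def changed_bindings(entries, known):
    """IPs whose MAC differs from a trusted baseline {ip: mac}."""
    return {ip: (known[ip], mac) for ip, mac, _dev in entries
            if ip in known and known[ip].lower() != mac}

if __name__ == "__main__":
    try:
        with open("/proc/net/arp") as fh:         # live table on Linux
            table = fh.read()
    except OSError:
        table = SAMPLE_ARP                        # fall back to the sample
    for (dev, mac), ips in shared_macs(parse_arp(table)).items():
        print(f"{dev}: {mac} answers for {', '.join(ips)}")
```

A MAC shared by several IPs is not always hostile (a router or a host with address aliases does the same), so compare any hit against a baseline recorded while the network was known to be clean, as changed_bindings does.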


