Friday, November 23, 2007

Detecting an ARP virus with tcpdump

http://www.yourlfs.org/sysadm_zh_CN.html#toc52 discusses two kinds of ARP virus. This time, however, I ran into a different ARP virus.

Accompanying symptoms: the Linux box used as the router became slow, mainly in that commands run on it over a remote ssh session were delayed, whereas logging in directly on the console tty showed no slowdown and no abnormal system load. Neither arp nor arping showed anything; you have to use a sniffer or tcpdump:
[root@localhost ~]# tcpdump -i eth0 "arp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:13:04.891192 arp reply 192.168.0.154 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:04.951540 arp reply 192.168.0.155 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:04.990617 arp reply 192.168.0.158 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.036379 arp reply 192.168.0.160 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.081340 arp reply 192.168.0.167 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.112326 arp reply 192.168.0.168 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.141507 arp reply 192.168.0.169 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.191408 arp reply 192.168.0.171 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.203497 arp reply 192.168.0.189 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.236458 arp reply 192.168.0.190 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.266490 arp reply 192.168.0.196 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.336378 arp reply 192.168.0.197 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.353386 arp who-has 192.168.0.199 tell 192.168.0.1
22:13:05.373692 arp reply 192.168.0.198 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.406402 arp reply 192.168.0.199 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.567576 arp reply 192.168.0.200 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.606394 arp reply 192.168.0.211 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.691306 arp reply 192.168.0.212 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.788985 arp reply 192.168.0.222 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.801462 arp reply 192.168.0.230 is-at 00:e0:4d:07:3b:ff (oui Unknown)
......
22:10:42.613320 arp reply 192.168.0.130 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613348 arp reply 192.168.0.132 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613376 arp reply 192.168.0.133 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613407 arp reply 192.168.0.134 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613437 arp reply 192.168.0.137 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613467 arp reply 192.168.0.138 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613497 arp reply 192.168.0.141 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613526 arp reply 192.168.0.142 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613556 arp reply 192.168.0.143 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613586 arp reply 192.168.0.144 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613615 arp reply 192.168.0.145 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613645 arp reply 192.168.0.149 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613673 arp reply 192.168.0.151 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613704 arp reply 192.168.0.152 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613733 arp reply 192.168.0.153 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613764 arp reply 192.168.0.154 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613792 arp reply 192.168.0.155 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613823 arp reply 192.168.0.158 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613853 arp reply 192.168.0.160 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613884 arp reply 192.168.0.167 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613912 arp reply 192.168.0.168 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613943 arp reply 192.168.0.169 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.613973 arp reply 192.168.0.171 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614011 arp reply 192.168.0.189 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614362 arp reply 192.168.0.190 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614394 arp reply 192.168.0.196 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614424 arp reply 192.168.0.197 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614455 arp reply 192.168.0.198 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614484 arp reply 192.168.0.199 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614515 arp reply 192.168.0.200 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614545 arp reply 192.168.0.211 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614576 arp reply 192.168.0.212 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614606 arp reply 192.168.0.222 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614637 arp reply 192.168.0.230 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614667 arp reply 192.168.0.250 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614697 arp reply 192.168.0.253 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614727 arp reply 192.168.0.254 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614758 arp reply 192.168.0.1 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.614877 arp reply 192.168.0.1 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.615186 arp reply 192.168.0.1 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.615788 arp reply 192.168.0.1 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.616564 arp reply 192.168.0.1 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:10:42.682754 arp who-has 192.168.0.98 tell 192.168.0.125
22:10:43.361718 arp who-has 192.168.0.101 tell 192.168.0.5
22:10:43.368052 arp who-has 192.168.0.199 tell 192.168.0.1

8192 packets captured
17121 packets received by filter
736 packets dropped by kernel
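What the capture shows is a single MAC, 00:e0:4d:07:3b:ff, sending `is-at` replies for dozens of addresses on 192.168.0.0/24 within milliseconds of each other, and several times in a row for the gateway 192.168.0.1, almost always without a preceding `who-has`. That is the signature: a real host answers only for its own address, so one MAC answering for many addresses, or for an address that another MAC also answers for, is spoofing. The script below is an added example, not code from the original post. It reads tcpdump ARP lines of exactly the shape above and flags (1) a MAC that claims more than a handful of IPs, (2) an IP claimed by more than one MAC, and (3) replies nobody asked for. The embedded sample input is constructed: a few lines copied from the capture above, plus a legitimate request/reply pair for 192.168.0.98 from 00:11:22:33:44:55 and a reply from a hypothetical real gateway MAC 00:0c:29:aa:bb:cc; those two MACs are assumptions and do not appear on the page.

```python
import re
import sys
from collections import defaultdict

# tcpdump's two ARP line shapes when run without -v, e.g.
#   22:13:04.891192 arp reply 192.168.0.154 is-at 00:e0:4d:07:3b:ff (oui Unknown)
#   22:13:05.353386 arp who-has 192.168.0.199 tell 192.168.0.1
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) arp reply (?P<ip>" + IP + r") is-at (?P<mac>[0-9a-f:]{17})", re.I)
REQUEST_RE = re.compile(
    r"^(?P<ts>\S+) arp who-has (?P<target>" + IP + r") tell (?P<sender>" + IP + r")", re.I)


def analyze(lines, max_ips_per_mac=2):
    """Walk tcpdump ARP lines and return three indicators of ARP spoofing.

    suspects    - MACs that claimed more than max_ips_per_mac distinct IPs
    conflicts   - IPs that were claimed by more than one MAC
    unsolicited - (ts, ip, mac) replies for which no who-has was seen first
    """
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    pending = set()        # IPs asked about by a who-has and not yet answered
    unsolicited = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            pending.add(m["target"])
            continue
        m = REPLY_RE.match(line)
        if not m:
            continue       # non-ARP or verbose lines are ignored
        ip, mac = m["ip"], m["mac"].lower()
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
        if ip in pending:
            pending.discard(ip)            # an answer somebody actually asked for
        else:
            unsolicited.append((m["ts"], ip, mac))
    return {
        "suspects": {mac: sorted(ips) for mac, ips in ips_by_mac.items()
                     if len(ips) > max_ips_per_mac},
        "conflicts": {ip: sorted(macs) for ip, macs in macs_by_ip.items()
                      if len(macs) > 1},
        "unsolicited": unsolicited,
    }


# Constructed sample: the first five lines are copied from the capture above;
# the 192.168.0.98 pair and the 00:0c:29:aa:bb:cc gateway reply are invented.
SAMPLE = """\
22:13:04.891192 arp reply 192.168.0.154 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:04.951540 arp reply 192.168.0.155 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:04.990617 arp reply 192.168.0.158 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.353386 arp who-has 192.168.0.199 tell 192.168.0.1
22:13:05.406402 arp reply 192.168.0.199 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:05.500000 arp reply 192.168.0.1 is-at 00:e0:4d:07:3b:ff (oui Unknown)
22:13:06.000000 arp who-has 192.168.0.98 tell 192.168.0.125
22:13:06.000500 arp reply 192.168.0.98 is-at 00:11:22:33:44:55 (oui Unknown)
22:13:06.100000 arp reply 192.168.0.1 is-at 00:0c:29:aa:bb:cc (oui Unknown)
"""


def report(result):
    """Render the analysis as plain text lines."""
    out = []
    for mac, ips in result["suspects"].items():
        out.append("SUSPECT %s answers for %d addresses: %s" % (mac, len(ips), " ".join(ips)))
    for ip, macs in result["conflicts"].items():
        out.append("CONFLICT %s claimed by %s" % (ip, " and ".join(macs)))
    for ts, ip, mac in result["unsolicited"]:
        out.append("UNSOLICITED %s %s is-at %s" % (ts, ip, mac))
    return out


if __name__ == "__main__":
    # Read a live capture from stdin if one is piped in, else run on the sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    print("\n".join(report(analyze(lines))))
```

Saved as, say, arpcheck.py, it takes a live capture with `tcpdump -l -n -i eth0 arp | python3 arpcheck.py` (`-l` line-buffers tcpdump's output, `-n` keeps addresses numeric so the regexes match). One caveat on the unsolicited check: the reply for 192.168.0.199 at 22:13:05.406 follows a genuine who-has, so it counts as solicited even though it comes from the spoofing MAC; a spoofer that races to answer real requests is caught only by the per-MAC and per-IP checks. Adding `-e` to the tcpdump command prints the Ethernet source address of each frame, which lets you also compare it against the `is-at` address in the ARP payload.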
