An annoying ARP virus
Over the past couple of days I was checking the switch logs and found IP conflicts being reported:
2006-12-21 09:27:26 Local7.Warning 172.20.100.180 Dec 21 09:42:20 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.3 collision detected, sourced by 0014-2247-7dc9 on Ethernet0/8 of VLAN35 and 0010-c6dd-570f on Ethernet0/8 of VLAN35
2006-12-21 09:27:26 Local7.Warning 172.20.100.180 Dec 21 09:42:20 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.3 collision detected, sourced by 0014-2247-7dc9 on Ethernet0/8 of VLAN35 and 0010-c6dd-570f on Ethernet0/8 of VLAN35
2006-12-21 09:27:36 Local7.Warning 172.20.100.180 Dec 21 09:42:30 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.3 collision detected, sourced by 0010-c6dd-570f on Ethernet0/8 of VLAN35 and 0014-2247-7dc9 on Ethernet0/8 of VLAN35
2006-12-21 09:27:36 Local7.Warning 172.20.100.180 Dec 21 09:42:30 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.3 collision detected, sourced by 0010-c6dd-570f on Ethernet0/8 of VLAN35 and 0014-2247-7dc9 on Ethernet0/8 of VLAN35
2006-12-21 09:27:42 Local7.Warning 172.20.100.180 Dec 21 09:42:36 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.4 collision detected, sourced by 0014-2247-7dc9 on Ethernet0/8 of VLAN35 and 0010-c6dc-faf9 on Ethernet0/8 of VLAN35
2006-12-21 09:27:42 Local7.Warning 172.20.100.180 Dec 21 09:42:36 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.4 collision detected, sourced by 0014-2247-7dc9 on Ethernet0/8 of VLAN35 and 0010-c6dc-faf9 on Ethernet0/8 of VLAN35
2006-12-21 09:27:51 Local7.Warning 172.20.100.180 Dec 21 09:42:45 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.4 collision detected, sourced by 0010-c6dc-faf9 on Ethernet0/8 of VLAN35 and 0014-2247-7dc9 on Ethernet0/8 of VLAN35

At first I thought it was caused by human error, but later the department head's analysis was that the computer with MAC address 0014-2247-7dc9 must have a virus or hacker program on it that keeps impersonating other hosts' addresses.
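To make that reasoning mechanical, here is an added example (my own code, not part of the original post) in Python that parses Quidway ARP/5/DUPIP syslog lines and reports which MAC turns up in collisions for more than one IP address, i.e. the host answering ARP for addresses that are not its own. The sample input is built from the lines logged above (duplicate syslog copies dropped) plus one unrelated constructed line to show that non-DUPIP records are ignored; the regex field names and the `min_ips` threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the DUPIP lines from the switch log above (duplicate
# syslog copies removed) plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
2006-12-21 09:27:26 Local7.Warning 172.20.100.180 Dec 21 09:42:20 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.3 collision detected, sourced by 0014-2247-7dc9 on Ethernet0/8 of VLAN35 and 0010-c6dd-570f on Ethernet0/8 of VLAN35
2006-12-21 09:27:36 Local7.Warning 172.20.100.180 Dec 21 09:42:30 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.3 collision detected, sourced by 0010-c6dd-570f on Ethernet0/8 of VLAN35 and 0014-2247-7dc9 on Ethernet0/8 of VLAN35
2006-12-21 09:27:42 Local7.Warning 172.20.100.180 Dec 21 09:42:36 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.4 collision detected, sourced by 0014-2247-7dc9 on Ethernet0/8 of VLAN35 and 0010-c6dc-faf9 on Ethernet0/8 of VLAN35
2006-12-21 09:27:51 Local7.Warning 172.20.100.180 Dec 21 09:42:45 2006 Quidway ARP/5/DUPIP:IP address 172.20.35.4 collision detected, sourced by 0010-c6dc-faf9 on Ethernet0/8 of VLAN35 and 0014-2247-7dc9 on Ethernet0/8 of VLAN35
2006-12-21 09:28:03 Local7.Info 172.20.100.180 Dec 21 09:42:57 2006 Quidway SHELL/5/LOGIN: Console login from con0 (constructed, not a DUPIP record)
"""

# Field layout of a Quidway DUPIP message: the colliding IP, then the two
# (MAC, port, VLAN) triples that both claimed it. Huawei writes MACs as
# xxxx-xxxx-xxxx.
MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
DUPIP_RE = re.compile(
    r"ARP/5/DUPIP:IP address (?P<ip>\d+\.\d+\.\d+\.\d+) collision detected, "
    rf"sourced by (?P<mac1>{MAC}) on (?P<port1>\S+) of (?P<vlan1>\S+) "
    rf"and (?P<mac2>{MAC}) on (?P<port2>\S+) of (?P<vlan2>\S+)"
)


def parse_dupip(log_text):
    """Return one dict per DUPIP line; every other syslog line is skipped."""
    events = []
    for line in log_text.splitlines():
        m = DUPIP_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def ips_claimed_per_mac(events):
    """Map each MAC to the set of IPs it was seen colliding over.

    A DUPIP record does not say which side is the rightful owner, so both
    MACs are credited with the IP; the ranking below sorts that out.
    """
    claimed = defaultdict(set)
    for e in events:
        claimed[e["mac1"]].add(e["ip"])
        claimed[e["mac2"]].add(e["ip"])
    return claimed


def likely_spoofers(events, min_ips=2):
    """MACs that collided over at least `min_ips` distinct addresses.

    A legitimate host only ever collides over its own address, so a MAC that
    keeps colliding over several different IPs is the one answering ARP for
    addresses that are not its own.
    """
    claimed = ips_claimed_per_mac(events)
    return sorted(mac for mac, ips in claimed.items() if len(ips) >= min_ips)


if __name__ == "__main__":
    evs = parse_dupip(SAMPLE_LOG)
    for mac, ips in sorted(ips_claimed_per_mac(evs).items()):
        print(f"{mac}: {', '.join(sorted(ips))}")
    print("suspects:", likely_spoofers(evs))
```

The script only ranks suspects; it cannot tell from the collision record alone which MAC legitimately owns an address. Before shutting a port, do what the post goes on to do: check the suspect MAC against the DHCP server's leases and locate it in the switch's MAC address table so the port you disable really is the one that host sits on.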
I scanned the 172.20.35.0/24 segment with nbtscan and found the machine, and it checked out against the DHCP server. Then I logged into the switch at 172.20.100.35 that this machine is connected to, found the port that MAC address was on and shut the port down, to confirm whether it really was the computer with that MAC doing the damage. Once that was confirmed, my initial guess was that a virus was causing the trouble.
After my two colleagues and I fiddled with it for a while, we still could not find the cause. Then I thought of IceSword (冰刃), which I use often, so I downloaded a copy, and the problem showed itself: looking at the process list in IceSword, I found a process called "wmbose.exe"; kill that process and the world went quiet. Then I checked the startup entries: under MCU\microsoft\windows\currentversion\run\ there was a startup item used to launch this wmbose, but the system's own regedit could not see that entry at all. I deleted it with IceSword, and the problem was finally solved.