[unisog] Arp spoofing attack
Chris Keladis
ckeladis at gmail.com
Tue Apr 29 21:43:19 GMT 2008
Hi Russell,
Do you have the name of the malware (from an A/V scan), or better yet
a sample for analysis?
Thanks,
Chris.
On Tue, Apr 29, 2008 at 4:31 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Just a quick heads up. We had an incident today that took much longer
> to resolve because no one immediately recognised the symptoms. Here's
> hoping that if one of you gets hit you will know what it is without
> having to work it out the hard way like we did.
>
> Symptoms:
>
> Service desk started getting reports of web pages with Chinese ads
> inserted in them. It rapidly became apparent that just one chunk of
> our network ( a /20 block) was affected (first clue). What confused
> the issue was that the initial reports all complained about pages on
> our main web site which caused us to misdirect our attention to the
> content management system.
>
> Eventually I realised that the problem was much more widespread than
> just our servers and that web pages from outside were being mangled as
> well. My first reaction was some form of malware that was spreading
> within the /20 network or that some name server cache had been
> deliberately corrupted (It's capping week here ;) and this wasted more
> time. Then I found out that all flavours of machines were affected:
> Macs, linux and multiple windows versions (second clue).
>
> At this point I decided that it had to be something network related.
> Parallel with this some users were sniffing the network from affected
> machines and noticed lots of spurious ARP traffic (final clue). A few
> minutes poking with netdisco revealed one mac address with *lots* of
> IPs associated with it. Disabling its switch port solved the problem.
>
> If I had thought of arp spoofing at 10am in the morning when I first
> heard about it we could have dealt with the problem in a few minutes,
> as it was we wasted many man hours before the penny dropped.
>
> The machine in question had just returned from a conference in China
> -- it was fully patched but had no AV. It was a privately owned
> laptop on the network without AV in contravention of policy. Sigh...
> Oh yes, a Japanese version of windows...
>
> What happened:
>
> The machine in question was infected with something that used arp
> spoofing to convince the router to send traffic for many addresses on
> the network to it rather than to the real machine. It then mangled
> web pages by inserting a single line of JavaScript at the start and
> then passed the traffic on to the intended recipient.
>
> Cheers, Russell
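The "one MAC address with lots of IPs" check Russell did with netdisco, applied to sniffed ARP frames instead of the switch's tables. This is an added example, not code from the thread; every MAC, IP and frame in it is constructed, and the threshold of three claimed IPs is an assumed tuning value.

```python
"""Flag a host whose ARP replies claim many IP addresses for one MAC.
Added example; all MACs, IPs and frames below are constructed."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet+ARP reply frame (only used to build sample traffic)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4 reply
    arp += sender_mac + bytes(map(int, sender_ip.split(".")))
    arp += target_mac + bytes(map(int, target_ip.split(".")))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    # The ARP sender hardware address is what poisons the victim's cache,
    # so that is the field we key on (not the Ethernet source address).
    smac = frame[22:28].hex(":")
    sip = ".".join(str(b) for b in frame[28:32])
    return op, smac, sip

def find_arp_spoofers(frames, threshold=3):
    """Map each sender MAC to the set of IPs it claims in ARP replies;
    return the MACs claiming at least `threshold` distinct IPs."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            claims[parsed[1]].add(parsed[2])
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= threshold}

def sample_frames():
    """Constructed capture: one honest host, one host answering for five IPs,
    plus a non-ARP frame that the parser must ignore."""
    router = bytes.fromhex("0200aabbccdd")
    honest = bytes.fromhex("020011223344")
    rogue = bytes.fromhex("0200deadbeef")
    frames = [build_arp_reply(honest, "10.20.1.50", router, "10.20.1.1")]
    for last in range(10, 15):  # the rogue claims 10.20.1.10 .. 10.20.1.14
        frames.append(build_arp_reply(rogue, f"10.20.1.{last}", router, "10.20.1.1"))
    frames.append(router + honest + struct.pack("!H", 0x0800) + b"\x00" * 40)  # IPv4, not ARP
    return frames

if __name__ == "__main__":
    print(find_arp_spoofers(sample_frames()))
```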