Honestly, I don't know any more, maybe you can give me a hint: I have a client's dedicated server running Windows Server 2012.
The server hosts a few websites plus mail and some MSSQL database.
The rascal keeps sending out ARPs like crazy for IP addresses that are not assigned to it.
I got full access to the client's server and wanted to establish whether the server has some spoofer, malware or other odd things on it. It turns out it doesn't.
Here is an excerpt from Wireshark:
Frame 6915: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Interface id: 0 (\Device\NPF_{901A71B2-CAF0-4CB0-9A6B-B5437760DEF7})
Encapsulation type: Ethernet (1)
Arrival Time: Jun 17, 2016 11:01:58.095304000 GMT Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1466157718.095304000 seconds
[Time delta from previous captured frame: 0.000014000 seconds]
[Time delta from previous displayed frame: 0.000014000 seconds]
[Time since reference or first frame: 149.556280000 seconds]
Frame Number: 6915
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:arp]
[Coloring Rule Name: ARP]
[Coloring Rule String: arp]
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Destination: 00:00:00_00:00:00 (00:00:00:00:00:00)
Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
Type: ARP (0x0806)
Padding: 414141414141414141414141414141414141
Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
Sender MAC address: FujitsuT_c2:a0:39 (00:19:99:c2:a0:39)
Sender IP address: 88.208.x.y <--- the server's actual address
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 88.208.x.y <--- the target that is being spoofed
Jun 17 11:59:28 10.10.130.197 029289: Jun 17 10:59:28.003 GMT: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/14, vlan 224.([0019.99c2.a039/88.208.REAL IP ADDRESS/0000.0000.0000/88.208.SPOOFED ADDRESS/10:59:27 GMT Fri Jun 17 2016])
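An added example, not part of the post: Python that decodes an ARP request frame laid out like frame 6915 above, parses a %SW_DAI-4-INVALID_ARP syslog line in the switch's format, and applies the check Dynamic ARP Inspection performs on a request (accept only if the sender MAC/IP pair is in the binding table). The 192.0.2.x addresses, the sample log line and the binding table are constructed placeholders, not the poster's data.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed DAI syslog line in the post's format; 192.0.2.x are placeholders.
SAMPLE_LOG = ("Jun 17 11:59:28 10.10.130.197 029289: Jun 17 10:59:28.003 GMT: "
              "%SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/14, vlan 224."
              "([0019.99c2.a039/192.0.2.10/0000.0000.0000/192.0.2.20/"
              "10:59:27 GMT Fri Jun 17 2016])")
DAI_RE = re.compile(
    r"%SW_DAI-4-INVALID_ARP: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) on "
    r"(?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<ts>[^\]]+)\]\)")

def cisco_mac(dotted: str) -> str:
    """'0019.99c2.a039' -> '00:19:99:c2:a0:39'."""
    h = dotted.replace(".", "")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def parse_dai_log(line: str) -> dict:
    """Extract the sender/target MAC+IP the switch logged for the dropped ARP."""
    m = DAI_RE.search(line)
    if not m:
        raise ValueError("not a %SW_DAI-4-INVALID_ARP line")
    d = m.groupdict()
    d["smac"], d["tmac"] = cisco_mac(d["smac"]), cisco_mac(d["tmac"])
    return d

def build_arp_request(smac: str, sip: str, tip: str) -> bytes:
    """Test frame laid out like frame 6915: zeroed Ethernet addresses, ARP
    request, 18 bytes of 0x41 padding up to the 60-byte minimum."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += bytes.fromhex(smac.replace(":", "")) + IPv4Address(sip).packed
    arp += bytes(6) + IPv4Address(tip).packed          # target MAC unknown
    return bytes(12) + b"\x08\x06" + arp + b"A" * 18

def parse_arp_frame(frame: bytes) -> dict:
    """Decode the ARP header; the Sender fields are what DAI validates."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"opcode": op, "smac": mac(smac), "sip": str(IPv4Address(sip)),
            "tmac": mac(tmac), "tip": str(IPv4Address(tip)), "pad": frame[42:]}

def dai_valid(smac: str, sip: str, bindings: dict) -> bool:
    """DAI check for a request: accept only if sender IP -> MAC is in the binding
    table (DHCP snooping or ARP ACL); a static host with no entry is logged."""
    return bindings.get(sip) == smac
```

A statically addressed host that has no entry in the DHCP snooping binding table (and no ARP ACL) fails this check on every request it sends, so confirming the switch-side binding for the sender MAC/IP is worth doing before reading the log as evidence of spoofing.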