提醒参加北京Tech.Ed2007会议并在九华山庄上网的朋友注意!
表现是网络速度非常慢,网页经常需要刷新才能打开。
首先给大家看几个截图:
我想做安全的朋友应该都很熟悉了,典型的ARP攻击。
再看看AST的判断:
看来我们的判断没有错,经过确认,这个主机不是酒店的电脑。那么,他是谁呢?
我扫了一下,初步判断
这台机器使用最常见的XP:
172.26.1.40 resolves as A1120.
Remote operating system : Microsoft Windows XP Service Pack 2
漏洞也是存在的(3个):
05-027,06-035,06-040
Synopsis :
Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.
Description :
The remote host is vulnerable to a buffer overrun in the 'Server' service
which may allow an attacker to execute arbitrary code on the remote host
with the 'System' privileges.
Synopsis :
Arbitrary code can be executed on the remote host due to a flaw in the
SMB implementation.
Description :
The remote version of Windows contains a flaw in the Server Message
Block (SMB) implementation which may allow an attacker to execute arbitrary
code on the remote host.
An attacker does not need to be authenticated to exploit this flaw.
Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.
Description :
The remote host is vulnerable to heap overflow in the 'Server' service which
may allow an attacker to execute arbitrary code on the remote host with
the 'System' privileges.
In addition to this, the remote host is also vulnerable to an information
disclosure vulnerability in SMB which may allow an attacker to obtain
portions of the memory of the remote host.
此时看来,更像是某个无辜的朋友中了ARP病毒,想想就算了吧。因为我向来以善意来猜测别人。
但是后来的情况让我觉得恐怕这并非那么简单:
从上边的图片看来,所有访问HTTP的请求都被插入了一个js来挂马,这“可爱的马儿”还集多个exploit于一身,正所谓居家旅行........之必备....
真不知有多少弟兄在此中招。实在不忍通知了几位朋友和会务组,会务组也很快通知了酒店,但是当会议结束离开时,酒店仍然没有给任何答复...:(
如果你有耐心看到这里,请修改一下你的密码,虽然我们大家向来都以善意来揣测别人~