Jump to content

HELP: ARP ATTACK DETECTED

Yinkus Omolek
 Share

Recommended Posts

Yinkus Omolek

Yinkus Omolek 0

Posted
Posted

Hello house. Please I need your help on how to solve the cyber attack i am facing on my home network. Some months back, my home network was under attack by hackers and they took many thing from me. I now updated and fortified my network with eset internet security. But the shocking thing is that i now have this pop up message of "arp catche poisoning attack' and "duplicate IP adress". I changed my routers and upgraded my pc to another one and still have this arp poising attack.

When i go to the internet security "connected home network" interface, i see another pc on my network which is not me and that pc is running linux OS. Also I see a duplicate of my router also with different mac address. 

Would have loved to attach screen capture but the pc is badly infected as the hackers injected all sort to the pc and am not the administrative user  on that pc. Using a friend Pc now as i dont want to transfer virus to this pc. 

Note: I have formatted the pc twice and got new router. I still dont know the physical link they have to poison the router. 

I also installed Xarp to see the arp table and i still got the arp poisoning message here and also the app also gave me message that my mac adress is been duplicated which is why when i do "arp -a" on cmd the mac adress is same with my home router.

Now i decided to use some command prompt to make the arp static instead of dynamic on CMD  but the message i get is

"the requested operation requires elevation (Run as administrator)". This confirmed that my pc is been remotely controlled.

I later bought a unifi gateway firewall together with the 8-port managed switch but this did not solve the arp poisoning attack

Please i need help to solve this problem. Its really disturbing

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Refer to this Eset Knowledge-based article: https://support.eset.com/en/kb2933-arp-icmp-or-dns-cache-poisoning-attack-in-eset-home-products-for-windows

The important part to note is the following:

Quote

Determine if the IP address detected in the notification is a number that falls within the following range (where "x" is 0-255):

  • 172.16.x.x - 172.31.x.x
  • 192.168.x.x
  • 10.x.x.x

If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, the device being detected by the firewall is located on a public network and could be a threat to your system.

If the Eset ARP poisoning alerts show IP addresses within one of the above addresses ranges, then it's not a real ARP poisoning attack.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)
On 10/1/2021 at 1:42 PM, Yinkus Omolek said:

When i go to the internet security "connected home network" interface, i see another pc on my network which is not me and that pc is running linux OS. Also I see a duplicate of my router also with different mac address. 

Later Win 10 versions have a built-in optional feature called "Windows Subsystem for Linux; i.e. WSL. If you did not manually enable this option, it is possible an attacker might have. WSL can be also enabled by running a single command line using PowerShell or via cmd.exe as noted in this Microsoft article: https://docs.microsoft.com/en-us/windows/wsl/install. It has been long theorized that the bash component of this Linux feature could be abused. It is no longer a theoretical abuse and attackers are currently using it: https://www.bleepingcomputer.com/news/security/new-malware-uses-windows-subsystem-for-linux-for-stealthy-attacks/ . Of note:

Quote

Using WSL to avoid detection

The first samples targeting the WSL environment were discovered in early May and continued to appear every two to three weeks until August 22. They act as loaders for the WSL environment and enjoy very low detection on public file scanning services.

In any case, the above would be an explanation for what Eset's Connected Home Monitor is displaying in regards to Linux use.

Edited by itman
Link to comment
Share on other sites
  • Most Valued Members
Nightowl

Nightowl 202

Posted
  • Most Valued Members
Posted
On 10/1/2021 at 8:42 PM, Yinkus Omolek said:

Hello house. Please I need your help on how to solve the cyber attack i am facing on my home network. Some months back, my home network was under attack by hackers and they took many thing from me. I now updated and fortified my network with eset internet security. But the shocking thing is that i now have this pop up message of "arp catche poisoning attack' and "duplicate IP adress". I changed my routers and upgraded my pc to another one and still have this arp poising attack.

When i go to the internet security "connected home network" interface, i see another pc on my network which is not me and that pc is running linux OS. Also I see a duplicate of my router also with different mac address. 

Would have loved to attach screen capture but the pc is badly infected as the hackers injected all sort to the pc and am not the administrative user  on that pc. Using a friend Pc now as i dont want to transfer virus to this pc. 

Note: I have formatted the pc twice and got new router. I still dont know the physical link they have to poison the router. 

I also installed Xarp to see the arp table and i still got the arp poisoning message here and also the app also gave me message that my mac adress is been duplicated which is why when i do "arp -a" on cmd the mac adress is same with my home router.

Now i decided to use some command prompt to make the arp static instead of dynamic on CMD  but the message i get is

"the requested operation requires elevation (Run as administrator)". This confirmed that my pc is been remotely controlled.

I later bought a unifi gateway firewall together with the 8-port managed switch but this did not solve the arp poisoning attack

Please i need help to solve this problem. Its really disturbing

If you are formatting your PC completely and they are coming back , then they can be in the UEFI/BIOS but I doubt it , also could be your router is compromised , it doesn't matter that you format the PCs , they will have their way back in by exploiting or using your compromised router to move inside your network

You should secure your router and update it with the latest firmware , if it does have a kind of an exploit and doesn't have any updates from the manufacturers then you should buy a new one or atleast flash it with a different firmware like OPEN-WRT - https://openwrt.org/

When you format your PC , you better install an AV like ESET , and update it to latest updates before you try to do other things, See also if there is an infected device inside your network , if yes , the virus could be passing from an infected device in the network.

Link to comment
Share on other sites
jaypeecee

jaypeecee 0

Posted
Posted

Hi Everyone,

This may well be my very first post on the ESET forums. And I've been using ESET for quite a few years! Anyway, here goes...

I have also been witnessing 'Duplicate IP addresses on network' and 'ARP cache poisoning attack' on my Windows 10 PC. The IP addresses are in the 192.168.x.x range.

I don't wish to detract from the OP's original question but I also thought my query didn't justify a new thread on what appears to be a very similar question.

I have also submitted a technical query directly to ESET Technical Support.

TIA for any advice.

jaypeecee

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,074

Posted
  • Administrators
Posted
1 minute ago, jaypeecee said:

I have also been witnessing 'Duplicate IP addresses on network' and 'ARP cache poisoning attack' on my Windows 10 PC. The IP addresses are in the 192.168.x.x range.

Please provide logs collected with ESET Log Collector. Resolving the problem with duplicate IP addresses should also resolve the ARP cache poisoning detections.

Link to comment
Share on other sites
jaypeecee

jaypeecee 0

Posted
Posted

Hi Marcos,

I am unable to send the log file as an attachment to my ESET Tech Support Enquiry email. The compressed file size is 55MB but BT Email restricts me to 33MB. What should I do?

jaypeecee

Link to comment
Share on other sites
  • Most Valued Members
peteyt

peteyt 393

Posted
  • Most Valued Members
Posted
11 minutes ago, jaypeecee said:

Hi Marcos,

Is it safe to attach the log file here on the forum?

jaypeecee

Any attachments on here can only be viewed/downloaded by Eset staff so if privacy is a concern you will be safe.

Not sure what the max size is but if it's too big you can upload it to a file upload site 

Link to comment
Share on other sites
jaypeecee

jaypeecee 0

Posted
Posted
2 minutes ago, peteyt said:

Any attachments on here can only be viewed/downloaded by Eset staff so if privacy is a concern you will be safe.

Not sure what the max size is but if it's too big you can upload it to a file upload site 

Hi peteyt,

Thanks a lot for the feedback. I should be OK as the max. total size for attachments on here is 100 MB according to the footnote below...

jaypeecee

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...