MAC spoofing error on remote server

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by isaami, Oct 29, 2009.

  1. isaami

    isaami Private E-2

    Hi

    There was a virus attack on my web server hosted remotely. The hosting company suspended the server and informed us through an email notice:

    Cause of suspension: The server tried to send a packet with an
    unregistered MAC address (so called "MAC spoofing"). This caused an
    automatic switchport shutdown.

    offending MAC: 000d.3af1.4f00


    Now the server is in debug mode and I don't have all the options to install/uninstall programs on the server through a limited web-based control panel. I generated the following HijackThis log. Please help me if you get a clue from this. Thanks in advance!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:59:54 PM, on 10/29/2009
    Platform: Windows Vista (WinNT 6.00.1504)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    X:\windows\System32\smss.exe
    X:\windows\system32\csrss.exe
    X:\windows\system32\csrss.exe
    X:\windows\system32\wininit.exe
    X:\windows\system32\winlogon.exe
    X:\windows\system32\services.exe
    X:\windows\system32\lsass.exe
    X:\windows\system32\lsm.exe
    X:\windows\system32\svchost.exe
    X:\windows\system32\svchost.exe
    X:\windows\System32\svchost.exe
    X:\windows\system32\winpeshl.exe
    X:\windows\system32\svchost.exe
    X:\windows\system32\cmd.exe
    X:\windows\System32\svchost.exe
    X:\windows\system32\svchost.exe
    X:\windows\system32\svchost.exe
    X:\Tools\WinVNC\WinVNC.exe
    X:\Tools\PKLauncher\PKLauncher.exe
    X:\Tools\Firefox\Firefox.exe
    X:\Tools\A43\a43.exe
    D:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=cmd.exe /k start cmd.exe
    O1 - Hosts: ::1 localhost
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] x:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKLM\..\RunOnce: [NSS] "x:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.3.0.44\InstStub.exe" /RELAUNCH /RUNONCE /NOPROMPT /PRODID NSS
    O4 - HKCU\..\Run: [PAVAgent] c:\Portable Antivirus\pavcfg.exe
    O4 - HKCU\..\Run: [PAVEye] c:\Portable Antivirus\paveye.exe
    O4 - HKUS\S-1-5-18\..\Run: [PAVAgent] c:\Portable Antivirus\pavcfg.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [PAVEye] c:\Portable Antivirus\paveye.exe (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [PAVAgent] c:\Portable Antivirus\pavcfg.exe (User 'Default user')
    O10 - Broken Internet access because of LSP provider 'x:\windows\system32\winrnr.dll' missing
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:

    --
    End of file - 2455 bytes
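    The notice above names the offending address in Cisco dotted notation, while the tools an administrator would use to list the server's own adapters print it with colons or hyphens, so the first practical step is to normalise both sides and compare. The following is an added example (not from the thread, the hosting company or the poster): it extracts MAC addresses from notice text, canonicalises the common notations, and checks the address against a constructed, hypothetical adapter inventory. The notice text reuses the wording quoted in the post; the inventory entries and the adapter names are invented for the example.

```python
import re

# Constructed sample inputs for this example (not the poster's real data):
# the notice quotes the MAC in Cisco dotted notation, while Windows tools such as
# "getmac /v" or "ipconfig /all" print hyphen-separated uppercase octets.
NOTICE_TEXT = """\
Cause of suspension: The server tried to send a packet with an
unregistered MAC address (so called "MAC spoofing").
offending MAC: 000d.3af1.4f00
"""

# Hypothetical adapter inventory, as a defender would collect it from the
# hosting panel or from "getmac /v" on the server itself (constructed values).
REGISTERED_ADAPTERS = {
    "Local Area Connection": "00-0D-3A-F1-4F-01",
    "Management NIC": "00:0d:3a:f1:4f:02",
}

_SEP_FORM = re.compile(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}")
_CISCO_FORM = re.compile(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}")
_BARE_FORM = re.compile(r"[0-9a-f]{12}")
_MAC_IN_TEXT = re.compile(
    r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b", re.I)


def normalize_mac(mac: str) -> str:
    """Return the address as 12 lowercase hex digits, whatever notation it came in."""
    m = mac.strip().lower()
    if _SEP_FORM.fullmatch(m):
        return re.sub(r"[:-]", "", m)
    if _CISCO_FORM.fullmatch(m):
        return m.replace(".", "")
    if _BARE_FORM.fullmatch(m):
        return m
    raise ValueError(f"not a MAC address: {mac!r}")


def format_mac(mac: str, style: str = "colon") -> str:
    """Render a MAC in 'colon' (aa:bb:...), 'hyphen' (AA-BB-...) or 'cisco' (aabb.ccdd.eeff) form."""
    d = normalize_mac(mac)
    if style == "colon":
        return ":".join(d[i:i + 2] for i in range(0, 12, 2))
    if style == "hyphen":
        return "-".join(d[i:i + 2] for i in range(0, 12, 2)).upper()
    if style == "cisco":
        return ".".join(d[i:i + 4] for i in range(0, 12, 4))
    raise ValueError(f"unknown style: {style!r}")


def extract_macs(text: str) -> list[str]:
    """Pull every MAC address (separator or Cisco notation) out of free text, normalised."""
    return [normalize_mac(m.group(0)) for m in _MAC_IN_TEXT.finditer(text)]


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (bit 1 of the first octet) is set on software-assigned addresses,
    one hint that a MAC was chosen by a driver or tool rather than burned into the NIC."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def classify(offending: str, inventory: dict[str, str]) -> dict:
    """Compare the MAC from the notice against the known adapters and summarise."""
    off = normalize_mac(offending)
    known = {normalize_mac(v): name for name, v in inventory.items()}
    return {
        "mac": format_mac(off),
        "oui": off[:6],  # vendor prefix: the first three octets
        "registered": off in known,
        "adapter": known.get(off),
        "same_oui_as_inventory": any(k[:6] == off[:6] for k in known),
        "locally_administered": is_locally_administered(off),
    }


if __name__ == "__main__":
    for mac in extract_macs(NOTICE_TEXT):
        print(classify(mac, REGISTERED_ADAPTERS))
```

    The useful output is the comparison, not the formatting: an offending address that shares its OUI with the registered adapters but is not itself registered points at a host-side configuration or driver problem on that hardware, whereas a locally administered address (U/L bit set) was assigned by software and is worth tracing to whatever set it.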
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    If you have a server that is infected, then you need to get someone to fix the server. This is not something we can help you fix since it is not malware. MAC spoofing is caused by incorrectly/poorly configured network hardware or hardware lacking sufficient capabilities.

    Also, a HijackThis log is not going to help you find any problems related to MAC or IP spoofing.

    However, I will ask what the below are. cmd.exe is not the Windows shell. Explorer.exe is!
    X:\Tools\A43\a43.exe

    F2 - REG:system.ini: Shell=cmd.exe /k start cmd.exe
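    The two things chaslang asks about (a shell value that is not explorer.exe, and a process running from an unfamiliar directory) are the kind of check that can be made repeatable. The following is an added example, not part of the thread and not a HijackThis feature: it parses a constructed excerpt of the log posted above, reports any F2/F3 Shell= entry whose program is not explorer.exe, and lists processes running from outside the Windows directory so they can be asked about. The excerpt is trimmed from the posted log for the example; the helper names are invented here.

```python
import ntpath
import re
from collections import Counter

# Constructed excerpt of the HijackThis log posted in the thread, trimmed to the
# lines the checks below look at.
SAMPLE_LOG = r"""
Running processes:
X:\windows\System32\smss.exe
X:\windows\system32\winpeshl.exe
X:\windows\system32\cmd.exe
X:\Tools\WinVNC\WinVNC.exe
X:\Tools\A43\a43.exe
D:\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=cmd.exe /k start cmd.exe
O4 - HKCU\..\Run: [PAVAgent] c:\Portable Antivirus\pavcfg.exe
"""

# HijackThis prefixes each finding with a section code such as R0, F2, O4, O10.
_ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
_SHELL_RE = re.compile(r"Shell=(.+)$", re.I)

# The shell Windows is expected to start; anything else deserves the question chaslang asks.
EXPECTED_SHELL = "explorer.exe"


def parse_log(text: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes: list[str] = []
    entries: list[tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = _ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def shell_findings(entries: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """(executable, full value) for every F2/F3 Shell= entry whose program is not explorer.exe."""
    found = []
    for code, body in entries:
        if code not in ("F2", "F3"):
            continue
        m = _SHELL_RE.search(body)
        if not m:
            continue
        value = m.group(1).strip()
        exe = ntpath.basename(value.split()[0]).lower()
        if exe != EXPECTED_SHELL:
            found.append((exe, value))
    return found


def unexpected_processes(processes: list[str]) -> list[str]:
    """Processes running from outside the Windows directory: prompts for
    'what is this?' questions, not a verdict on whether they are malicious."""
    return [p for p in processes if "\\windows\\" not in p.lower()]


def triage(text: str) -> dict:
    """Summarise the checks above for one log."""
    processes, entries = parse_log(text)
    return {
        "non_default_shell": shell_findings(entries),
        "processes_outside_windows": unexpected_processes(processes),
        "entry_counts": dict(Counter(code for code, _ in entries)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    The process list it returns is only a list of things to identify; on the log above it includes the VNC server and HijackThis itself, which are known tools, alongside the a43.exe chaslang asks about. The shell check is the part that carries weight, because a Shell= value other than explorer.exe is exactly the line he singles out.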
     
