  1. #1


    DNS + Conficker

    Dear All.

    I have a Windows server running AD and DNS services. I have detected in the firewall that the server is sending Conficker packets through it, but after various antivirus checks (I even had a visit from a Panda antivirus engineer and couldn't find anything) nothing came up, so I think that maybe the problem is that when an infected user connects to the network using the Win server as the DNS server, the client sends the Conficker UDP packets through the DNS server....

    Is there any way of checking who is doing these requests in the DNS server? I tried in the event viewer and in system32\dns\dns.log but couldn't find anything....

    Here is a sample of the firewall capture:

    02/18 12:26:13 spyware Conficker DNS Request 20000 LAN WAN 192.168.111.2 80.58.61.254 55264 53 dns alert high

    Any ideas???

    Thanks
    Last edited by joseph; 21st February 2011 at 10:53 AM.

  2. #2

    What firewall are you using?

  3. #3

    Palo Alto.

  4. #4
    RobMongoose
    Would it be possible to get a NIC MAC address from the LAN IP (I'm assuming the one shown is for the device sending the packet) either from the captured packets or by doing an nslookup? You could then use Nmap or similar to search for that MAC address and track the machine from there.

  5. #5

    The LAN IP is the IP of the DNS server...

    Since I don't get any suspicious traffic over the weekend I think I'm sure the packets come from an infected client... but how to track who is sending those packets???


  6. #6

    Is there any way of tracking all the DNS requests in the DNS server in Win 2k3???
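The two questions in posts #5 and #6 have the same answer: the firewall only sees the server's own forward to the upstream resolver, so the client has to be found in the server-side DNS debug log (DNS Manager, server properties, Debug Logging tab, which writes to the system32\dns\dns.log path mentioned in post #1). The parser below is an added example, not code from anyone in this thread; the log lines, client addresses and watchlist names are constructed, and only the server and upstream addresses come from the firewall alert in post #1.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Windows Server 2003 DNS debug-log packet format:
# date time thread PACKET proto Snd/Rcv remote-ip xid Q/R [flags rcode] qtype name
# where the name is length-prefixed labels such as (3)www(7)example(3)com(0).
SAMPLE_LOG = """\
20110221 10:51:02 0860 PACKET  UDP Rcv 192.168.111.57   0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20110221 10:51:02 0860 PACKET  UDP Snd 80.58.61.254     0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20110221 10:51:09 0860 PACKET  UDP Rcv 192.168.111.23   0003   Q [0001   D   NOERROR] A      (8)qrcvpdxz(3)biz(0)
20110221 10:51:09 0860 PACKET  UDP Snd 80.58.61.254     0003   Q [0001   D   NOERROR] A      (8)qrcvpdxz(3)biz(0)
20110221 10:51:09 0860 PACKET  UDP Rcv 80.58.61.254     0003   R [8081   DR  NXDOMAIN] A      (8)qrcvpdxz(3)biz(0)
20110221 10:51:11 0860 PACKET  UDP Rcv 192.168.111.23   0004   Q [0001   D   NOERROR] A      (7)kmwsbpl(4)info(0)
"""

# Constructed watchlist standing in for the names the firewall alerted on.
WATCHLIST = {"qrcvpdxz.biz", "kmwsbpl.info"}
PACKET_RE = re.compile(
    r"PACKET\s+(?:[0-9A-Fa-f]+\s+)?"  # 2008-era logs insert a packet id here
    r"(?:UDP|TCP)\s+(Snd|Rcv)\s+(\S+)\s+\S+\s+([QR])\s+\[[^\]]*\]\s+(\S+)\s+(\S+)"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

def decode_name(labels):
    """Turn (3)www(7)example(3)com(0) into www.example.com."""
    return ".".join(t for n, t in LABEL_RE.findall(labels) if int(n)).lower()

def parse_line(line):
    """Return the packet fields of one log line, or None for non-packet lines."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    direction, ip, qr, qtype, name = m.groups()
    return {"direction": direction, "ip": ip, "qr": qr, "qtype": qtype,
            "name": decode_name(name)}

def queries_per_client(log_text, watchlist=WATCHLIST):
    """Map each LAN client to the watchlisted names it asked the server for.
    Only Rcv+Q packets are client queries; the matching Snd+Q packet is the
    server's own forward to the upstream resolver, which is all the firewall sees."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["direction"] == "Rcv" and rec["qr"] == "Q" and rec["name"] in watchlist:
            hits[rec["ip"]][rec["name"]] += 1
    return {ip: dict(names) for ip, names in hits.items()}

if __name__ == "__main__":
    for ip, names in queries_per_client(SAMPLE_LOG).items():
        print(ip, names)  # 192.168.111.23 {'qrcvpdxz.biz': 1, 'kmwsbpl.info': 1}
```

Debug logging on a busy server grows dns.log quickly, so enable it only for the window in which the firewall alerts fire and turn it off again afterwards.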
