  1. #1

    Is this DNS poisoning?

    We have about 400 or so winXP machines running on w2k servers.
    Back in September of last year we were hit with the SDbot virus which infected all the clients. In addition we discovered a root kit on some of the workstations.

    We managed to get the network clean with the exception of the following strange behaviour.
    Doing some routine scans we discovered that some of the clients were reporting their DNS names as variations of the following:
    GRUEL-2-142.PPP.andrew.cmu.edu

    The -2-142 would be the network part of our IP address and the rest resolved to Carnegie Mellon University in Pittsburgh, USA.

    Looking in DNS we could see that these addresses were in the DNS cache, which we cleared (on the server, that is). This brought temporary relief but the Gruel addresses soon returned, even on clients that were re-imaged, leading us to believe that the problem related to DNS itself. Some form of poisoning?

    Despite this worrying trend the network was working OK and I’d attempt to do some research into this whenever I got a spare minute.
    However, things began to change about two weeks ago.

    ActiveD showed some strange behaviour.
    The DHCP scope disappeared without trace one day followed by all the forwarders having been taken out of DNS on another day.
    We have some additional machines in the DNS cache now which are in the same EDU.CMU.ANDREW. tree and say they are DDNS.
    There are A records which call themselves things like ddns-master with an IP in our range. And NS servers called things like ddns-a100.net.cmu.edu.

    Most worrying of all, the server decided to stop playing today and no one could connect to network shares and hence were unable to log in. The server ground to a halt and it needed a reboot to get things going again. There does not seem to be anything in the event logs worth mentioning. Hardware is OK - I'm thinking something overwhelmed SMB.

    Any ideas on how I can clean DNS, or even how to try and get a better understanding of what is actually going on?
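    One way to triage the three symptoms described above (reverse names for internal addresses pointing at a foreign domain, A records claiming internal addresses under foreign or unqualified names, and NS records delegating the internal zone to foreign servers) is to audit a dump of the server's records against the internal suffix and address range. This is an added example, not code from the thread; the dump format, the suffix `school.internal` and the range `10.2.0.0/16` are constructed assumptions.

```python
import ipaddress

# Constructed sample in a hypothetical "owner type data" dump format (not the
# output of any real DNS tool); the internal suffix and range are assumptions.
INTERNAL_SUFFIX = "school.internal"
INTERNAL_NET = "10.2.0.0/16"
SAMPLE_DUMP = """\
142.142.2.10.in-addr.arpa  PTR  GRUEL-2-142.PPP.andrew.cmu.edu.
17.0.2.10.in-addr.arpa     PTR  ws17.school.internal.
ddns-master                A    10.2.0.5
dc1.school.internal        A    10.2.0.1
school.internal            NS   ddns-a100.net.cmu.edu.
school.internal            NS   dc1.school.internal.
"""

def parse_records(dump):
    # (owner, type, data) tuples, lower-cased, trailing dots stripped
    rows = [line.split() for line in dump.splitlines()]
    return [(r[0].rstrip(".").lower(), r[1].upper(), r[2].rstrip(".").lower())
            for r in rows if len(r) >= 3]

def in_domain(name, suffix):
    return name == suffix or name.endswith("." + suffix)

def to_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def ptr_to_ip(owner):
    # Turn an IPv4 in-addr.arpa owner name back into an address, else None
    labels = owner.split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return to_ip(".".join(reversed(labels[:4])))

def find_rogue_records(records, suffix=INTERNAL_SUFFIX, net=INTERNAL_NET):
    # Flag records that bind our address space to a foreign host name (PTR or A)
    # or delegate our zone to a name server outside our suffix (NS).
    internal = ipaddress.ip_network(net)
    findings = []
    for name, rtype, data in records:
        if rtype in ("PTR", "A"):
            # PTR: owner is the address, data the host; A: the other way round
            ip, host = (ptr_to_ip(name), data) if rtype == "PTR" else (to_ip(data), name)
            if ip is not None and ip in internal and not in_domain(host, suffix):
                findings.append((name, rtype, data, "internal address bound to foreign name"))
        elif rtype == "NS" and in_domain(name, suffix) and not in_domain(data, suffix):
            findings.append((name, rtype, data, "zone delegated to foreign name server"))
    return findings
```

    Any hit is worth treating as evidence to preserve before the cache is cleared again, since clearing it discards the very records that show what the clients were being told.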

  2. #2

    Geoff

    Re: Is this DNS poisoning?

    Your network is compromised. You have no idea where or how. Therefore, you cannot trust any of your systems. As such:

    1. Back up your users' data (after a virus scan; you might want to leave out executables and any other nasties just in case) and any configuration settings you need (GPOs, etc).
    2. Restore all your servers from the last known good backups (pre-September).
    3. Reimage all your client PCs from a known good image (again, pre-September).
    4. Evaluate how the virus got in to prevent it happening again.

  3. #3

    ChrisC

    Re: Is this DNS poisoning?

    That sounds like the best course of action to me.

    Chris

  4. #4


    Re: Is this DNS poisoning?

    I've done security forever and TBH I can't figure out from your post whether your network is seriously compromised or just broken. However if Geoff is right and you do follow his advice, I recommend step 4 *first* otherwise you might find it gets compromised all over again before you've finished reimaging.

  5. #5

    GrumbleDook

    Re: Is this DNS poisoning?

    Just to add to Geoff and PiqueABoo ... turn off and remove the network leads of all your workstations and servers, and only plug them back onto the network after you have rebuilt them from a good configuration and patched them.

    A big job you have there ... best of luck with it all. If you are looking for possible vectors of attack I would look at staff laptops, and also make your firewall a little overzealous until you are happy things are back to normal.

  6. #6

    Geoff

    Re: Is this DNS poisoning?

    Quote Originally Posted by GrumbleDook
    I would look at staff laptops
    Unencrypted wifi APs are a favorite of mine atm.

  7. #7

    GrumbleDook

    Re: Is this DNS poisoning?

    I was asked at Manglement Meeting tonight why I didn't just tell the VIth formers the WEP thing so they can use their own laptops ...

    I asked if she wanted them to know what she orders online since we will have no control over the machines at all ...

    Strangely enough she backed down and wants me to explain things to the VIth formers ...

  8. #8


    Re: Is this DNS poisoning?

    yeah
    When I started here in the summer the staff used laptops with full admin rights and blank passwords to boot. The amount of malware that came in once term started had to be seen to be believed. I put a stop to that by reimaging all laptops and locked them down. Some staff still won't talk to me accusing me of being paranoid.
    This job really is between a rock and a hard place.

    Just for info, when the virus first kicked off I advised just what GrumbleDook suggested but the head overruled me. Then by Christmas the network was working fine as far as performance was concerned. It's only recently that server behaviour indicates that it's been compromised big time.
    I think I'm gonna have to bite the bullet.
    Anyone fancy a busman's holiday in York LOL ;-)

  9. #9

    GrumbleDook

    Re: Is this DNS poisoning?

    Tempting ... very tempting ...

    I charge a very reasonable rate ... unfortunately my Head doesn't. Seems to think that if I am out of school the school should be reimbursed.

    Can it wait until the Easter hols? (stupid question I know ... but have to ask!)

  10. #10


    Re: Is this DNS poisoning?

    I'm on holiday next week...

  11. #11


    Re: Is this DNS poisoning?

    Quote Originally Posted by GrumbleDook
    remove the network leads
    Agreed. It's difficult to judge from a distance, but if something sufficiently strange happened on mine I'd take the phone off the hook, pull the WAN link, verify the servers were free of any active malware, change the admin password(s) and then set about trying to figure out what happened.

    In this particular case, the right details aren't there so I can't judge what's going on with the DNS cache, scans and clients reporting names. Could be a red herring, coz if you've got an authoritative reverse zone then I don't think your IP-to-name mappings will appear in the cache.

    Forwarders & scopes both disappearing is less easy to dismiss, i.e. the most likely reason is that someone has access and removed them.

  12. #12


    Re: Is this DNS poisoning?

    mmmmmmm
    It's the "verify no malware" which I'm finding a bit tricky. I've run all sorts of stuff - nmap to see what's listening, RootkitRevealer etc. - and they all come up clean. Nevertheless, this does not mean to say that it is in fact clean.
    Not sure exactly what you mean about the mappings. The cache appears to look normal in my limited experience, with the exception of these rogue GRUEL entries, and what's with the DDNS in the cache?

    I could mail details over to someone if they are willing to have a quick look for me and see what they think?
    Unless I can actually nail this one and say with a degree of certainty that I know what's going on, then, as you guys have said, I can't trust it.

  13. #13

    Geoff

    Re: Is this DNS poisoning?

    You have to rebuild everything, you don't have a choice in the matter. From both a technical and legal point of view.

  14. #14


    Re: Is this DNS poisoning?

    Actually, I've been running this past the head of ICT and I think we're gonna flatten everything. This will have to wait till the summer though.

  15. #15

    Geoff

    Re: Is this DNS poisoning?

    I'll let the Data Protection Office know.
