zimboman (New Zealand) asked:
DNS Worm Problem

Ok, try this one out:
I have an SBS2000 network, with a Cisco877W router. Recently users started complaining they could not access certain web sites, or links in other pages. This happens to all PCs.
I checked on this (new client to me) and saw that for the past 2 months their internet usage had skyrocketed. All with UPLOADED traffic data.
I immediately suspected a mass mailing worm, or similar, and ran tests on the PCs. Through network cable unplugging etc. I found that the server itself was a main culprit. The AV tests came through OK, using Nod32. I then loaded Etherboy, Packetboy etc. to see what traffic was being uploaded continually from the server. Turns out it is DNS packets - all destined for various different messenger sites - Yahoo, MSN, AOL - all DNS packets destined for these various servers. I tried to add a whole bunch of these to my hosts file, pointing them all to 127.0.0.1 - but the traffic still remained.
Is this a virus or worm? Has my DNS been poisoned somehow? Please help - this is my first job with a big client...

Thanks
zimboman (asker):
BTW, of course the Server has never had any messenger software installed on it, but the web has been browsed from it quite frequently it looks like.
northcide:
Rule out the basic things first, such as just a normal DNS issue.

I'm not familiar with that router, but does it also act as a firewall?

Try setting the Cisco DNS fixup:

fixup protocol dns maximum-length 2048
zimboman (asker):
Yes it does - it has ACLs etc. It seems as if the Exchange Priv1.stm is infected with the Bagle worm, and BOTOL.D. I have cleaned these out (I think) and I will try to remount the database. Not sure if it will work, but I will try.
What does the DNS fix do?

Thanks,
ASKER CERTIFIED SOLUTION (northcide):
zimboman (asker):
Yes, I suppose you are right about the .stm file. The Info Store mounted, with a new, reduced file, but the users could not open their data.
I will run a company wide scan over the weekend, so let's see. I am sure the server is infected, but I cannot see any obvious processes, or registry entries to indicate so. Thanks for the tip on the DNS config, I will try that and let you know. It looks like I have two separate issues here.
It seems like the problem I have is with DNS. The network wide AV scan did not show up anything significant.
The packet sniffer shows that DNS requests are flooding from the SBServer though. It also shows DNS requests coming from the MAC address of the router - destined to the broadcast address?
Another company installed a Cisco877W router, and the manager says, after looking at his internet bill, that the usage skyrocketed at around the same time as the install.
If I stop the DNS server service, the traffic stops, and it seems to return to normal. I have set up forwarders on the server, but that has not helped.

Combine this with the problem that the users are seeing when trying to browse the internet, and I am sure the DNS, either in the server or the router, has a config problem.

Not sure what is going on really, I have never seen this before, any ideas?

Thx
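Added example, not part of the thread: a small Python check that runs over sniffer-style lines and flags the two symptoms the post above describes, a host emitting DNS queries at an abnormal rate and DNS queries addressed to the subnet broadcast address. The line format, the addresses, the MACs and the 5 qps threshold are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified sniffer-export format (an assumption, not the thread's
# tool output): "HH:MM:SS src_mac src_ip > dst_ip:dst_port qname". 192.168.1.2 stands in
# for the SBS server and 00:aa:bb:cc:dd:ee for the router's MAC; all values are made up.
SAMPLE_CAPTURE = """\
10:00:00 00:11:22:33:44:55 192.168.1.2 > 203.0.113.10:53 login.msgr.example
10:00:00 00:11:22:33:44:55 192.168.1.2 > 203.0.113.11:53 chat.msgr.example
10:00:00 00:11:22:33:44:55 192.168.1.2 > 203.0.113.12:53 im.msgr.example
10:00:00 00:11:22:33:44:55 192.168.1.2 > 203.0.113.10:53 login.msgr.example
10:00:00 00:11:22:33:44:55 192.168.1.2 > 203.0.113.11:53 chat.msgr.example
10:00:00 00:11:22:33:44:55 192.168.1.2 > 203.0.113.12:53 im.msgr.example
10:00:01 00:11:22:33:44:55 192.168.1.2 > 203.0.113.10:53 login.msgr.example
10:00:01 00:aa:bb:cc:dd:ee 192.168.1.1 > 192.168.1.255:53 www.example.com
10:00:01 00:de:ad:be:ef:01 192.168.1.50 > 192.168.1.2:53 www.example.com
10:00:02 00:aa:bb:cc:dd:ee 192.168.1.1 > 192.168.1.255:53 mail.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+):(?P<port>\d+) (?P<qname>\S+)$")

def parse_capture(text):
    """Keep well-formed port-53 lines as (second_of_day, mac, src, dst, qname) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["port"] == "53":
            h, mi, s = (int(x) for x in m["ts"].split(":"))
            records.append((h * 3600 + mi * 60 + s, m["mac"], m["src"], m["dst"], m["qname"]))
    return records

def find_floods(records, threshold_qps=5):
    """Peak queries-per-second per source IP; return only sources above the threshold."""
    per_second = defaultdict(lambda: defaultdict(int))
    for sec, _mac, src, _dst, _qname in records:
        per_second[src][sec] += 1
    peaks = {src: max(counts.values()) for src, counts in per_second.items()}
    return {src: qps for src, qps in peaks.items() if qps > threshold_qps}

def find_broadcast_queries(records, broadcast="192.168.1.255"):
    """Source MACs sending DNS queries to the subnet broadcast address; no resolver
    answers those, so they point at a misconfiguration (the thread saw them from the router)."""
    return sorted({mac for _sec, mac, _src, dst, _qname in records if dst == broadcast})

if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print("flooding sources (peak qps):", find_floods(recs))
    print("DNS to broadcast from MACs:", find_broadcast_queries(recs))
```

With the constructed capture, the server is the only source above the threshold and the router's MAC is the only one sending DNS to the broadcast address; a workstation's single lookup against the server is left alone.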
Progress on this:
When I replace the Cisco router, the DNS traffic stops. I believe I have a misconfigured router. I assume then I need to close this question and open up a new one, within the relevant area? How can I do this?
I have accepted your comment above, as it pointed me in the right direction. However, my problem is not essentially resolved - hence the B grade, but thank you for your help.