  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 423

network monitor

Hello experts,

We use Open DNS to block malicious websites.

Our report is showing vicp.net domain being filtered out with a huge hit count.

It is good that it is being blocked however I suspect that there is a virus infection or malware infection on the network on one of the PCs.

But since Open DNS has no way of finding out the offending endpoint, I have to do this locally and myself.

I don't know much about the network monitoring but I do know the concept on which the utilities like ethereal and Microsoft Network monitor work.

I have never used any of that successfully after playing around with them.

So, 1. Is there a way I can use any of these monitoring utilities and, if so, which one, and exactly how do I set up the filters, etc.?

2. Is there an alternative way of finding this out? Our AV monitoring suggests everything is fine.

As you can understand this is my #1 priority right now as I need to stop this before it spreads to the other branch offices as well.

Urgent help needed!!!
Asked by: alex110109

1 Solution
MikeKane commented:
If you have an appliance on the perimeter, you should check to see if that device has any features to help you out, i.e. the Cisco ASA informational log can help you match traffic, or a device with NetFlow might be good here also.

If you have none of these available, my next thought would be to connect a PC with Wireshark to a switch monitoring port that watches your traffic heading toward the router/firewall, or you can use a hub if you have one available. A Wireshark trace run for 30 min should get you enough data. Filter on DNS packets and browse the log to find the offending PC.

alex110109 (author) commented:
Hi Mike

Currently I only have access to the server remotely.

It's an SBS 2008 server, so essentially it is the DNS server all the client PCs use.

I have done the capturing and filtering of packets on the server itself and it shows me the offending IP to be the server itself.

However, I don't know if that means the server itself is the culprit here, or whether the server is coming up in the logs because it is simply relaying the DNS queries to external DNS servers and is being caught doing that?

I ran this from a PC and also ticked "run in promiscuous mode", but still it's not capturing the traffic from any PCs other than itself.

Now this may be a different question but assuming server itself is infected, is there a tool I can run that will tell me which process or file is trying to access the domain in question?
MikeKane commented:
>> the server is simply relaying the DNS queries to external DNS servers

Most likely, yes.


>> I ran this from a PC and also ticked "run in promiscuous mode", but still it's not capturing the traffic from any PCs other than itself.

It's probably on a switch, not a hub, so it won't see traffic other than that destined for it or from broadcasts.


You could turn on Wireshark on this host. Let PCs make the DNS requests as they normally would. Then take the capture, filter on port 53 traffic, then just start looking for the site's FQDN in the requesting packets.


MikeKane commented:
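Mike's procedure (capture on the SBS server itself, filter on port 53, look for the FQDN in the query packets) as an added worked example that is not code from this thread: a Python script that decodes the question section of raw DNS payloads and counts which source IP asked for the suspect domain. The packet list, the client and server addresses (192.168.1.x), the upstream resolver address (203.0.113.53, an RFC 5737 documentation address) and the hostname abc123.vicp.net are all constructed for the example; in practice the tuples would come from the capture (e.g. exported from Wireshark). It also covers the ambiguity Alex ran into: the server's forwarded queries show up with the server as source, so only a capture taken on the DNS server sees the client-to-server leg that identifies the originating PC, and `originating_clients` drops the forwarder's own entry to leave that PC.

```python
import struct
from collections import Counter

# --- constructed sample data (hypothetical addresses, not from the thread) -------------
DNS_SERVER = "192.168.1.2"        # hypothetical SBS 2008 box: the LAN's DNS server/forwarder
UPSTREAM = "203.0.113.53"         # hypothetical upstream resolver (RFC 5737 documentation range)


def build_query(qname, txid=0x1234):
    """Encode a minimal DNS standard query (one A-record question) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


# (src_ip, dst_ip, udp_dst_port, dns_payload) as one would extract from a capture on the DNS server
SAMPLE_PACKETS = [
    ("192.168.1.25", DNS_SERVER, 53, build_query("abc123.vicp.net", 0x1001)),  # client asks the server
    ("192.168.1.40", DNS_SERVER, 53, build_query("www.example.com", 0x1002)),  # unrelated client
    (DNS_SERVER, UPSTREAM, 53, build_query("abc123.vicp.net", 0x1003)),        # server forwards upstream
    ("192.168.1.25", DNS_SERVER, 53, build_query("abc123.vicp.net", 0x1004)),  # same client asks again
    (UPSTREAM, DNS_SERVER, 49152, b"\x10\x03\x81\x80" + b"\x00" * 8),          # reply to the server: dst port != 53
]


def parse_qname(payload, offset):
    """Decode a DNS name at offset (RFC 1035 labels, following compression pointers).
    Returns (dotted name, offset just past the name in the original byte stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("DNS name compression loop")
            continue
        offset += 1
        if length == 0:                                 # root label terminates the name
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length


def dns_questions(payload):
    """Return [(qname, qtype), ...] from the question section of a DNS query; [] for responses."""
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:                                  # QR=1: a response, not a client request
        return []
    questions, offset = [], 12                          # question section starts after the 12-byte header
    for _ in range(qdcount):
        name, offset = parse_qname(payload, offset)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    return questions


def find_requesters(packets, suspect_domain):
    """Count, per source IP, queries to port 53 whose name is the suspect domain or a name under it."""
    suspect = suspect_domain.lower().strip(".")
    hits = Counter()
    for src, _dst, dport, payload in packets:
        if dport != 53:
            continue
        try:
            questions = dns_questions(payload)
        except (struct.error, IndexError, ValueError):  # truncated or malformed payload: skip it
            continue
        for name, _qtype in questions:
            n = name.lower()
            if n == suspect or n.endswith("." + suspect):
                hits[src] += 1
    return hits


def originating_clients(packets, suspect_domain, forwarder_ip):
    """Drop the DNS server's own forwarded queries; what remains is the client that started them."""
    hits = find_requesters(packets, suspect_domain)
    hits.pop(forwarder_ip, None)
    return hits


if __name__ == "__main__":
    for ip, n in find_requesters(SAMPLE_PACKETS, "vicp.net").most_common():
        print(f"{ip:15} {n} queries")
    print("originating client(s):", dict(originating_clients(SAMPLE_PACKETS, "vicp.net", DNS_SERVER)))
```

Run on the constructed sample, the server appears once (its forwarded copy) and 192.168.1.25 twice; with the forwarder removed only 192.168.1.25 remains, which is the answer a capture on the workstation or on a switch port could not give, because those only see the server-to-upstream leg.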
Did the wireshark suggestion not work for you?
alex110109 (author) commented:
Hi Mike

Yes, it did work for me; however, I was unsure if it was the server or any of the workstations requesting the DNS resolution.

It did turn out to be the server as that was my first suspect and so I can say that the problem is fixed.

However, I would have loved to go deeper in this situation to pin-point the cause.
alex110109 (author) commented:
Fixed the problem, but it took a bit of guesswork.
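Alex's follow-up question, which process on the server was making the lookups, is left open in the thread. As an added example (not from the thread or from Experts Exchange), one way to answer it on Windows is Sysmon from Microsoft Sysinternals, which from version 10 onwards logs every DNS query as Event ID 22 with the requesting image path and PID. The Python below parses Sysmon events exported in their XML form and groups the queries for the suspect domain by process. The events, host name, image paths, PIDs and timestamps are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"   # Windows event log XML namespace
NS = {"e": EVT_NS}

# Constructed sample in the shape Sysmon writes to the event log, wrapped in <Events> for export.
# The computer name, image paths, PIDs and times are made up for the example.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID><Computer>sbs01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2019-06-12 09:15:02.113</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="QueryName">abc123.vicp.net</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="Image">C:\Windows\Temp\updater.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID><Computer>sbs01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2019-06-12 09:15:05.000</Data>
    <Data Name="ProcessId">2200</Data>
    <Data Name="QueryName">www.example.com</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="Image">C:\Program Files\Internet Explorer\iexplore.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>sbs01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2019-06-12 09:15:06.500</Data>
    <Data Name="ProcessId">5000</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID><Computer>sbs01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2019-06-12 09:20:02.200</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="QueryName">abc123.vicp.net</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="Image">C:\Windows\Temp\updater.exe</Data>
  </EventData>
</Event>
</Events>"""


def sysmon_events(xml_text):
    """Yield (event_id, {field name: value}) for each Sysmon event in an exported XML document."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("{%s}Event" % EVT_NS):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, data


def name_matches(qname, suspect):
    """True if qname is the suspect domain or a name beneath it (case-insensitive, trailing dot ignored)."""
    q = qname.lower().rstrip(".")
    return q == suspect or q.endswith("." + suspect)


def processes_querying(xml_text, suspect_domain):
    """Group DNS query events (Sysmon Event ID 22) for the suspect domain by (image path, PID)."""
    suspect = suspect_domain.lower().strip(".")
    hits = defaultdict(list)
    for eid, data in sysmon_events(xml_text):
        if eid != "22":                                  # only DnsQuery events carry QueryName
            continue
        if name_matches(data.get("QueryName", ""), suspect):
            hits[(data.get("Image"), data.get("ProcessId"))].append(data.get("UtcTime"))
    return dict(hits)


if __name__ == "__main__":
    for (image, pid), times in processes_querying(SAMPLE_EVENTS, "vicp.net").items():
        print(f"{image} (PID {pid}): {len(times)} queries, first at {times[0]}")
```

The grouping key is the image path plus PID rather than the PID alone, because PIDs are reused after a process exits; the timestamps kept per hit let you line the queries up against the DNS hit counts seen in the capture or in the OpenDNS report.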