Suspicious outgoing web traffic to Zango / 180 Solutions

brandonharris
Hi Experts,

We began having problems yesterday morning that seem to have gotten progressively worse in the meantime. We have a Windows 2003 / XP / Windows 7 domain environment, all behind a Watchguard x1250e firewall.

Users began complaining that there were certain sites they couldn't get to, while others were fine. Some of the problematic sites were banking sites. I checked the firewall logs and found that several computers on the LAN were trying to pass outgoing traffic on port 80 to a set of IP addresses in the 70.96.0.x range. The firewall is blocking this outgoing traffic with messages like this:

 "192.168.x.x. > 70.96.0.11...ZangoBar|180Solutions|BT, destination IP on Spyware Blocklist, firewall drop."

As time has gone on, more and more of our computers are attempting to send packets out to the banned range of IP addresses. We're still unable to reach certain banking sites and also can't reach Microsoft Update and can't download updates directly from the AVG site. Has anyone experienced something similar? It feels like all the computers on this LAN have hijacked browsers... IE & Firefox both produce similar results.

I'm in the process of updating AVG to the latest version, but would love to know if somebody else out there has had a similar experience and how you got through it.

Thanks in advance, EE community,

Brandon
Commented:
Time to isolate the computers and run Malwarebytes on each of them. You definitely have some unwanted software/toolbars on your computers.
Dave Baldwin, Fixer of Problems

Commented:
'180Solutions' has always been nasty malware that invites other malware and viruses into your computer. It's been years since I've seen it, but I used TrendMicro's free scan tool back then. These days I use ComboFix and Malwarebytes and they seem to catch everything. When I was working on computers with 'rogue anti-virus', I used a Linux Live disk to delete any exes downloaded at the time the infection started.

Author

Commented:
Thanks for the input, all. Today I physically went to the affected network's site and learned that if I set any machine's DNS server to 8.8.8.8 or some other publicly-available DNS server instead of our internal DNS server, I was then able to get out to banking sites, Windows Update, AVG's site, etc.

So it would seem that the problem is with our internal DNS. Does anyone have suggestions on how to repair it? Do I just need to revert to the last backup that doesn't exhibit this symptom, or is something more drastic in order?

Thanks for any input.
Sudeep, Technical Designer
Commented:
This is called DNS spoofing or DNS cache poisoning. Read about it here:
http://en.wikipedia.org/wiki/DNS_spoofing

So it would be your DNS server that needs to be fixed.

What Anti-Virus Software are you running on the DNS server?
What OS is it running and which DNS application is being used?
Is the DNS server fully updated?

If you are using the Microsoft DNS server on Windows 2003, then the link below might be of some help.

http://support.microsoft.com/kb/241352

I hope that helps.

Sudeep

Author

Commented:
Hi SSharma,

You're exactly right, the issue was DNS cache poisoning. We are using Windows Server 2003 R2 as the OS on the DNS server and have AVG antivirus software running on it.

Yesterday when I changed our internal DNS server's forwarders from our ISP's DNS servers to Google's DNS (the 8.8.8.8 address mentioned previously), I also flushed our internal server's DNS and ARP caches. This corrected the problem we were seeing with incorrect name resolutions to banking sites, etc. I mistakenly thought that the problem was therefore with our ISP's DNS servers, but I later found out that was wrong.

We have multiple locations which are all set the same way: all workstations on the LAN point to our internal DNS servers and the internal DNS in turn points to our ISP's DNS servers for external resolutions. So to test my theory, I logged in to several of these remote sites and found that they didn't exhibit the same problems with banking sites, Windows Update site, etc. as did the original location.

So, I then went back to the original (problematic) location and changed our internal DNS server to once again use our ISP's DNS servers for external resolution and all worked as expected.

Thanks very much to all who helped!
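A small triage script for the two symptoms in this thread, added here as an example (not from the poster or from Experts Exchange): it tallies which LAN hosts the firewall is dropping toward the blocklisted 70.96.0.0/24 range, and compares the internal resolver's answers against an independent resolver to spot poisoned records. The log lines, hostnames and addresses are constructed; the real work of pulling answers from each resolver is left to whatever lookup tool you already use.

```python
import ipaddress
import re
from collections import Counter
# Destination range the poster's firewall flagged via its spyware blocklist.
BLOCKED_NETS = [ipaddress.ip_network("70.96.0.0/24")]
# Constructed drop lines in the shape quoted in the question (hosts are made up).
LOG_LINES = [
    "192.168.1.41 > 70.96.0.11 ZangoBar|180Solutions|BT, destination IP on Spyware Blocklist, firewall drop.",
    "192.168.1.41 > 70.96.0.23 ZangoBar|180Solutions|BT, destination IP on Spyware Blocklist, firewall drop.",
    "192.168.1.77 > 70.96.0.11 ZangoBar|180Solutions|BT, destination IP on Spyware Blocklist, firewall drop.",
    "192.168.1.50 > 203.0.113.9 Allow.",
]
# Constructed A records from the internal resolver and from an independent public
# resolver (RFC 5737 documentation addresses stand in for real ones).
INTERNAL_ANSWERS = {
    "bank.example": "70.96.0.11",             # poisoned: lands in the blocklisted range
    "update.example": "70.96.0.23",           # poisoned
    "mail.example": "203.0.113.55",           # wrong, but not in a known-bad range
    "www.example": "203.0.113.40",            # healthy
    "intranet.corp.example": "192.168.1.10",  # internal-only zone, no reference answer
}
REFERENCE_ANSWERS = {
    "bank.example": "198.51.100.7",
    "update.example": "198.51.100.20",
    "mail.example": "198.51.100.30",
    "www.example": "203.0.113.40",
}
LOG_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) > (\d{1,3}(?:\.\d{1,3}){3})")
def in_blocked(ip):
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)
def hosts_hitting_blocklist(lines):
    """Drops per LAN source: a few hosts suggests local infections to isolate,
    nearly every host suggests the shared resolver they all use."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and in_blocked(m.group(2)):
            counts[m.group(1)] += 1
    return dict(counts)
def suspect_records(internal, reference):
    """Flag internal answers that are blocklisted or differ from the reference;
    internal-only names (no reference) are flagged only when blocklisted."""
    flagged = {}
    for name, ip in internal.items():
        if in_blocked(ip):
            flagged[name] = "blocklisted answer"
        elif name in reference and reference[name] != ip:
            flagged[name] = "differs from reference"
    return flagged
```

Once the cache is flushed, rerunning the comparison against the same reference resolver confirms the bad records are gone rather than just assuming the fix took.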
