Fractional CTO

David Favor

Software Engineer

noci

Alexandre Takacs

<div>
Dr. Klahn said it well, &quot;something shady going on&quot; describes this situation well.
</div>


Dr. Klahn said it well, "something shady going on" describes this situation well.

<div>
So why didn't you start capturing the traffic to find out which IP addresses are requesting it? Or why didn't the filter logs already show it?
</div>


So why didn't you start capturing the traffic to find out which IP addresses are requesting it? Or why didn't the filter logs already show it?

<div>
.onion DNS addresses are attempts to reach the TOR network, good you block them esp. if you have no normal use for it.<br>If you need to know where it goes you need a TOR enabled system and see where the address goes to.<br>(preferably a standalone form a separated network).<br><br>The systems requesting the names should be considered being damaged and investigated, and it could be wise to quarantine them. <br><br>You may also need to proxy DNS requests though a local DNS server. And block all other queries to prevent hardcoded DNS servers being used from the malware.
</div>


.onion DNS addresses are attempts to reach the TOR network, good you block them esp. if you have no normal use for it.
If you need to know where it goes you need a TOR enabled system and see where the address goes to.
(preferably a standalone form a separated network).

The systems requesting the names should be considered being damaged and investigated, and it could be wise to quarantine them.

You may also need to proxy DNS requests though a local DNS server. And block all other queries to prevent hardcoded DNS servers being used from the malware.

<div>
Check your DNS logs which may help you to identify the IP requested it. Or you may &nbsp;need to run a packet capture with filter for. onion<br><br><br><br>
</div>


Check your DNS logs which may help you to identify the IP requested it. Or you may  need to run a packet capture with filter for. onion





<div>
there was indeed a malware on 3 workstations that we managed to identify
</div>


there was indeed a malware on 3 workstations that we managed to identify

<div>
<div class="content wysiwyg-content">
Hello<br />
<br />
We are doing some DNS based filtering on our networks and lately, we see a significant amount of lookups for an onion site (hpaur4rufcjohrag.onion).<br />
<br />
None of our users are running TOR and obviously our resolver will return an NXDOMAIN error for those but I still worry this is some sort of malware. Tried to google it but not seeing any obvious answer.<br />
<br />
Opnions ?
</div>
</div>


Hello

We are doing some DNS based filtering on our networks and lately, we see a significant amount of lookups for an onion site (hpaur4rufcjohrag.onion).

None of our users are running TOR and obviously our resolver will return an NXDOMAIN error for those but I still worry this is some sort of malware. Tried to google it but not seeing any obvious answer.

Opnions ?

strange .onion DNS requests from LAN

Tor is free software for enabling anonymous communication. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Routing is implemented by encryption in the application layer of a communication protocol stack, nested like the layers of an onion. Tor encrypts the data, including the destination IP address, multiple times and sends it through a virtual circuit comprising successive, randomly selected Tor relays.

The Domain Name System (DNS) is a hierarchical, globally distributed system responsible for associating the name of a computer, service or other resource into an IP address for connecting to the Internet or a private network. Most prominently, it translates domain names to the numerical IP addresses needed for the purpose of computer services and devices worldwide.

Network security consists of the policies adopted to prevent and monitor authorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, and covers a variety of computer networks; conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access.

Network Security

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.