DNS and Weird caches

  1. #1
    Senior Member
    Join Date
    Sep 2003
    Posts
    137

    DNS and Weird caches

    Hey all,

    Trying to resolve an issue here at work. Here is the basic outline:

    We are running Windows 2000 Domain in Native mode. 2 Domain Controllers, about 50 Windows 2000 PCs, Internal DNS and DHCP servers Running.

    1. Noticed a very large amount of dns cached lookups on our 2000 Domain Controller directly related to porn sites.

    2. During the process of troubleshooting, I cleared the cache and no more than 5 minutes later, all the same sites were back in the cache.

    3. After noticing this pattern I played around for a bit and discovered that approximately every 2 - 5 minutes the same events would happen after I cleared the cache.

    4. Put up Ethereal and cleared the cache, captured packets on the network until I witnessed the same thing again. Stopped Ethereal and looked for the source IP of the DNS queries.

    5. The DNS queries have come from about 6 different machines so far, all on the same subnet. But with further testing I think that I may find more. All machines are running Norton Corporate AV.

    I do not see any spyware or anything that is installed, no weird processes running that look malicious, wondering if there is a new or old program that would cause this to happen all the time. First noticed this problem yesterday.

    Anyone have any ideas?
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos
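The approach described in this post (clear the resolver cache, capture with a packet sniffer, then work out which hosts keep re-asking for the same names) can be automated once the capture is exported. The following is an added example, not code from the thread or from any of the posters: it parses the question section of raw DNS query messages and reports names that several source hosts ask for repeatedly within a short window. The capture records, the `build_query` helper that fabricates them, and the thresholds (`min_hosts`, `min_queries`, `max_gap`) are constructed assumptions for the example; in practice the records would come from the exported capture.

```python
import struct
from collections import defaultdict


def build_query(name, txid=0x1234):
    """Encode a minimal DNS A/IN query (used here only to construct sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query_name(payload):
    """Return the lower-cased QNAME of the first question, or None if the message is malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            return None
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def repeated_lookups(records, min_hosts=2, min_queries=3, max_gap=300):
    """Group captured queries by name and report names that several hosts keep asking for.

    records: iterable of (timestamp_seconds, source_ip, dns_payload_bytes).
    A name is reported when at least min_hosts distinct sources asked for it,
    it was asked at least min_queries times in total, and no two consecutive
    queries (across all sources) were more than max_gap seconds apart.
    """
    names = defaultdict(lambda: {"hosts": set(), "times": []})
    for ts, src, payload in records:
        qname = parse_query_name(payload)
        if qname is None:  # truncated or malformed message: skip it
            continue
        names[qname]["hosts"].add(src)
        names[qname]["times"].append(ts)
    report = {}
    for qname, info in names.items():
        times = sorted(info["times"])
        if len(info["hosts"]) < min_hosts or len(times) < min_queries:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if max(gaps, default=0) <= max_gap:
            report[qname] = {"hosts": sorted(info["hosts"]),
                             "queries": len(times),
                             "max_gap": max(gaps, default=0)}
    return report


# Constructed sample capture: (seconds since start, source IP, raw DNS query payload).
SAMPLE_CAPTURE = [
    (0,   "192.168.1.21", build_query("unwanted.example")),
    (4,   "192.168.1.22", build_query("unwanted.example")),
    (181, "192.168.1.21", build_query("unwanted.example")),
    (187, "192.168.1.22", build_query("unwanted.example")),
    (362, "192.168.1.21", build_query("unwanted.example")),
    (12,  "192.168.1.30", build_query("www.example.com")),
    (25,  "192.168.1.31", build_query("intranet.corp.example")),
    (30,  "192.168.1.31", b"\x12\x34\x01"),  # truncated message, ignored by the parser
]

if __name__ == "__main__":
    for qname, info in repeated_lookups(SAMPLE_CAPTURE).items():
        print(f"{qname}: {info['queries']} queries from {len(info['hosts'])} hosts, "
              f"max gap {info['max_gap']}s")
```

Names that only one host asks for once (the ordinary browsing in the sample) drop out; what remains is the short list of names, and the hosts behind them, that deserve a look on the machines themselves.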

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Well if no one was on those computers after you cleared the cache and it came right back, then it isn't a person doing it, so the only thing left is software; it has to be some type of spyware/adware/malware.

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    That was my first thought, just wondering if anyone has run into a similar situation, or can put a specific name with the bug that's doing it.

    We do have a pretty fun group of network admins here and I don't rule out that it may be one of them just trying to get a rise out of me :-)
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    oofki makes a good point. Are you certain they aren't being used when the resolve requests come over the wire? Have you physically inspected the machines? Just because they are running corporate AV doesn't mean much...a user could have installed spyware, malware, or even be running a server from them (doubtful, but anything is possible).

    More info would help.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by kruptos
    We do have a pretty fun group of network admins here and I don't rule out that it may be one of them just trying to get a rise out of me :-)
    Oh ho ho, well, that is an entirely different matter...nothing like adding a little Logoff command to the end of his login scripts to exact some revenge.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #6
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    You may want to look at the hosts files on the suspect machines and see if there is anything added on them other than
    Code:
    127.0.0.1       localhost
    If you do have anything else in there then you may want to look for the newest strain of VX2 which is a pain in the arse to remove. If you find out that's what it is let me know and I will get you some documentation on how to remove it.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click here
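Checking the hosts file by hand on half a dozen machines is quick, but a small script makes the check repeatable across the whole subnet. The following is an added example, not code from the thread or from Spyrus: it parses hosts-file text, tolerates comments and multiple aliases per line, and flags every mapping other than the expected loopback entries, distinguishing names redirected to a non-loopback address from names pinned to 127.0.0.1 (the latter is a common way for unwanted software to block update or security sites). The `EXPECTED` set and the sample file are assumptions constructed for the example; on Windows the file lives under `%SystemRoot%\system32\drivers\etc\hosts`.

```python
import ipaddress

# Assumption for this example: a clean hosts file contains only these mappings.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (line_number, ip, hostname) tuples from hosts-file text.

    Comments (everything after '#') and blank lines are skipped; a line with
    several aliases yields one tuple per alias. A line with no hostname is
    returned with ip=None so the caller can report it as malformed.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            entries.append((lineno, None, parts[0]))
            continue
        ip, *names = parts
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Return (line_number, ip, hostname, reason) for every entry not in EXPECTED."""
    flagged = []
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            flagged.append((lineno, ip, name, "malformed line"))
            continue
        if (ip, name) in EXPECTED:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((lineno, ip, name, "invalid address"))
            continue
        # A name forced to loopback is silently blocked; a name forced elsewhere is hijacked.
        reason = "extra loopback mapping" if addr.is_loopback else "non-loopback override"
        flagged.append((lineno, ip, name, reason))
    return flagged


# Constructed sample hosts file with two added lines of the kind worth investigating.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       update.example-av.test
10.0.0.99       www.example.com   # legitimate name pointed at an internal address
"""

if __name__ == "__main__":
    for lineno, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {name} ({reason})")
```

Any hit other than the loopback entries is a reason to look harder at that machine; an empty result only says the hosts file is clean, not that the machine is.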

  7. #7
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    Haha That might just be the thing to do. We are always playing little practical jokes on each other.. kind of a spy vs. spy atmosphere.

    I might have to do some logon script editing tonight :-)

    Thanks for the idea.... This could actually be a whole other fun thread topic :-)
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  8. #8
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Or you could get fired after you find out it wasn't them who did it lmao. I'm j/k, but zen is right, A/V isn't going to do much against spyware, some pick up minimal spyware but Corporate versions don't pick up any.
