-
DNS and Weird caches
Hey all,
Trying to resolve an issue here at work. Here is the basic outline:
We are running Windows 2000 Domain in Native mode. 2 Domain Controllers, about 50 Windows 2000 PCs, Internal DNS and DHCP servers Running.
1. Noticed a very large amount of DNS cached lookups on our 2000 Domain Controller directly related to porn sites.
2. During the process of troubleshooting, I cleared the cache and no more than 5 minutes later, all the same sites were back in the cache.
3. After noticing this pattern I played around for a bit and discovered that approximately every 2 - 5 minutes the same events would happen after I cleared the cache.
4. Put up Ethereal and cleared cache, captured packets on the network until I witnessed the same thing again. Stopped Ethereal and looked for the source IP of the DNS queries.
5. The DNS queries have come from about 6 different machines so far, all on the same subnet. But with further testing I think that I may find more. All machines are running Norton Corporate AV.
I do not see any spyware or anything that is installed, no weird processes running that look malicious; wondering if there is a new or old program that would cause this to happen all the time. First noticed this problem yesterday.
Anyone have any ideas?
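To make step 4 and 5 repeatable, here is a small script that groups the DNS queries seen in a capture by source host and flags hosts that ask for the same watch-listed name again within a few minutes of a cache clear. This is an added example, not code from the thread; the capture lines are constructed here to look like a one-line-per-packet export (timestamp, source IP, record type, query name), the watch-list names are made up, and the export format itself is an assumption.

```python
"""Group DNS queries from a packet-capture summary by source host.

Added example; the input format (timestamp, src IP, type, name) and the
sample lines below are constructed, not taken from the thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a DNS-query-only capture taken right after the server
# cache was cleared at 10:00:00. The .test names are placeholders.
SAMPLE_CAPTURE = """\
2003-04-01 10:00:41 192.168.1.23 A adserver-example.test
2003-04-01 10:00:42 192.168.1.23 A tracker-example.test
2003-04-01 10:01:05 192.168.1.77 A intranet.corp.test
2003-04-01 10:02:10 192.168.1.45 A adserver-example.test
2003-04-01 10:03:30 192.168.1.23 A adserver-example.test
2003-04-01 10:04:55 192.168.1.45 A tracker-example.test
2003-04-01 10:05:02 192.168.1.90 A update.corp.test
"""

# Names that should not show up in the cache at all (constructed).
WATCHLIST = {"adserver-example.test", "tracker-example.test"}


def parse_capture(text):
    """Yield (timestamp, src_ip, qname) tuples from the capture summary."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2], parts[4].lower().rstrip(".")


def queries_by_source(text, watchlist=WATCHLIST):
    """Map each source IP to the sorted watch-listed names it asked for."""
    hits = defaultdict(set)
    for _, src, qname in parse_capture(text):
        if qname in watchlist:
            hits[src].add(qname)
    return {src: sorted(names) for src, names in hits.items()}


def repeat_offenders(text, watchlist=WATCHLIST, window=timedelta(minutes=5)):
    """Return source IPs that re-query the same watch-listed name within
    `window`. A host that asks again a few minutes apart with nobody at
    the keyboard is exactly the pattern described in the thread."""
    last_seen = {}
    offenders = set()
    for ts, src, qname in parse_capture(text):
        if qname not in watchlist:
            continue
        key = (src, qname)
        if key in last_seen and ts - last_seen[key] <= window:
            offenders.add(src)
        last_seen[key] = ts
    return sorted(offenders)


if __name__ == "__main__":
    for src, names in sorted(queries_by_source(SAMPLE_CAPTURE).items()):
        print(src, "->", ", ".join(names))
    print("repeat offenders:", repeat_offenders(SAMPLE_CAPTURE))
```

Run it against a real export by replacing SAMPLE_CAPTURE with the file contents; the hosts listed by repeat_offenders are the ones to inspect physically, since the timing rules out a user typing the names in.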
-
Well, if no one was on those computers after you cleared the cache and it came right back, then it isn't a person doing it, so the only thing left is software; it has to be some type of spyware/adware/malware.
-
That was my first thought, just wondering if anyone has run into a similar situation, or can put a specific name with the bug that's doing it.
We do have a pretty fun group of network admins here and I don't rule out that it may be one of them just trying to get a rise out of me :-)
-
oofki makes a good point. Are you certain they aren't being used when the resolve requests come over the wire? Have you physically inspected the machines? Just because they are running corporate AV doesn't mean much...a user could have installed spyware, malware, or even be running a server from them (doubtful, but anything is possible).
More info would help.
-
Quote:
Originally posted here by kruptos
We do have a pretty fun group of network admins here and I don't rule out that it may be one of them just trying to get a rise out of me :-)
Oh ho ho, well, that is an entirely different matter...nothing like adding a little Logoff command to the end of his login scripts to exact some revenge. ;)
-
You may want to look at the hosts files on the suspect machines and see if there is anything added on them other than
Code:
127.0.0.1       localhost
If you do have anything else in there then you may want to look for the newest strain of VX2, which is a pain in the arse to remove. If you find out that's what it is, let me know and I will get you some documentation on how to remove it.
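A quick way to do that check across several machines is to parse each hosts file and list every mapping other than the stock loopback line. This is an added example, not from the post; the hosts file contents below are constructed (the two extra lines imitate the kind of additions the post says to look for), and the Windows 2000 path %SystemRoot%\system32\drivers\etc\hosts is stated from general knowledge, not from the thread.

```python
"""Flag hosts-file entries beyond the stock loopback line.

Added example; the sample file is constructed. On Windows 2000 the file is
%SystemRoot%\\system32\\drivers\\etc\\hosts (general knowledge, not from the
thread).
"""

# The only mapping a clean file is expected to carry.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Constructed sample: stock line plus two additions of the kind the post
# warns about (a redirected site and a loopback-mapped update host).
SAMPLE_HOSTS = """\
# Constructed hosts file for the example.
# Lines starting with '#' are comments; fields are IP then one or more names.

127.0.0.1       localhost
10.20.30.40     www.example-search.test     # constructed: redirect
127.0.0.1       liveupdate.example-av.test  # constructed: sinks update traffic
"""


def parse_hosts(text):
    """Return (ip, name) pairs, one per name, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def unexpected_entries(text, defaults=DEFAULT_ENTRIES):
    """Everything in the file that is not a stock mapping: the list the
    post says to look at."""
    return [e for e in parse_hosts(text) if e not in defaults]


def loopback_hijacks(text):
    """Names pointed at the loopback or null address other than localhost.
    Mapping vendor update hosts there is a common way malware keeps AV
    from updating, so these deserve a second look."""
    return [name for ip, name in parse_hosts(text)
            if ip in ("127.0.0.1", "0.0.0.0") and name != "localhost"]


if __name__ == "__main__":
    for ip, name in unexpected_entries(SAMPLE_HOSTS):
        print(f"extra mapping: {ip:<16} {name}")
    print("loopback hijacks:", loopback_hijacks(SAMPLE_HOSTS))
```

To check a real machine, read the hosts file from the path above into `text` instead of SAMPLE_HOSTS; an empty result from unexpected_entries means the file is clean as far as this check goes.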
-
Haha, that might just be the thing to do. We are always playing little practical jokes on each other.. kind of a spy vs. spy atmosphere.
I might have to do some logon script editing tonight :-)
Thanks for the idea.... This could actually be a whole other fun thread topic :-)
-
Or you could get fired after you find out it wasn't them who did it, lmao. I'm j/k, but zen is right, A/V isn't going to do much against spyware; some pick up minimal spyware but Corporate versions don't pick up any.