DNS calls to Ukraine destinations
- From: "Gary S. Terhune" <grystnews@xxxxxxxx>
- Date: Sun, 24 Sep 2006 11:41:38 -0700
I have an XP Pro box on an SBS network (one SBS Premium server w/ ISA 2004,
two XP Pro clients.) The box was heavily infected by numerous viruses and
other malware on 9/11. Issues with antivirus installation resulted in its
not updating for some time, but I'm not certain just how it all got started.
Far as I can tell, none of it got to any of the other machines on the
network,
I cleaned up using various AV and anti-spyware tools (AdAware, Spybot,
Trend-Micro AV) and it seems to be healthy now, but the ISA logs show this
machine making repeated calls on DNS protocol, port 53, to two different IPs
that belong to a web hosting company in the Ukraine. I can't help but think
that this is malware in action, but can't determine what is doing it. The
ISA firewall is blocking the requests, but I'd like to know what's going on.
Any ideas on how to trace this? I can't find anything in running processes
that isn't supposed to be there. Note that these calls are being made even
when nobody is logged on to the machine. They're averaging one per second.
--
Gary S. Terhune
MS MVP Shell/User
.
- Follow-Ups:
- Re: DNS calls to Ukraine destinations
- From: MowGreen
- Re: DNS calls to Ukraine destinations
- From: David H. Lipman
- Re: DNS calls to Ukraine destinations
- From: Malke
- Re: DNS calls to Ukraine destinations
- Prev by Date: Re: Broadband and security question
- Next by Date: Re: DNS calls to Ukraine destinations
- Previous by thread: Keeping yourself safe from identity thieves
- Next by thread: Re: DNS calls to Ukraine destinations
- Index(es):
Relevant Pages
|
