flooding root DNS servers from local computer


Hi,

I have a problem with one computer in my network. It's sending DNS queries for random names and I can't find out what is causing this. In the attachment you have a screen capture from Wireshark on the infected computer.

One more thing: it increments the local port on the computer by 1 for every next query, and those DNS queries don't come to my local DNS at all; I see them on my firewall, where they are blocked.

All DNS queries are towards the ROOT DNS servers only, and my computer has the right local DNS server set up in its network config.

I know that this is some kind of virus/bot.

I scanned the computer with Spybot S&D, Trend Micro, Malwarebytes v1.51, RootkitBuster, MBRCheck and Avira, but no luck!

[attachment: Wireshark screen capture from the infected computer]


Yeah, that clearly is not right ;)

You could try a simple netstat -anb to see what process is making the connections. If you cannot see it with that, I would assume they are UDP and not TCP, so you might not be able to catch the connection attempt.

Then take a look at TCPView, which you can get from here:

http://technet.microsoft.com/en-us/sysinternals/bb897437

to find the process making the DNS queries. Since it's making so many queries you should be able to catch it pretty easily; it took me a few tries to notice the nslookup I was doing and pause the screen.

You could use something like NetLimiter Monitor as well; it will show you the processes making connections:

http://www.netlimiter.com/download.php

[attachment: screenshot]

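The reply above suggests netstat -anb and TCPView to find the owning process, and notes that a short-lived UDP socket may be gone before a single snapshot catches it. The following is an added example (not code from the thread or from either poster) that works around exactly that: it samples the UDP endpoint table in a tight loop and reports any process whose local ports climb by one between samples, which is the signature described in the first post. The live sampling assumes the third-party psutil module is installed and that the script runs as Administrator on Windows; the analysis functions are pure Python and are exercised here on constructed snapshots.

```python
"""Catch short-lived UDP sockets that a single netstat/TCPView snapshot misses.

Added example, not from the thread. Live sampling needs psutil (assumed
installed; run as Administrator on Windows to see other users' processes).
The analysis part is pure Python so it can be tried on constructed data.
"""
import time
from collections import defaultdict


def snapshot_udp():
    """One sample of (pid, local_port) for every open UDP socket with a known owner."""
    import psutil  # assumption: psutil is installed
    return [(c.pid, c.laddr.port) for c in psutil.net_connections(kind="udp") if c.pid]


def ports_by_pid(snapshots):
    """Merge a list of snapshots into {pid: [distinct local ports, in order of first sight]}."""
    seen = defaultdict(list)
    for snap in snapshots:
        for pid, port in snap:
            if port not in seen[pid]:
                seen[pid].append(port)
    return seen


def walking_processes(snapshots, min_steps=3):
    """Return {pid: run_length} for PIDs whose distinct local UDP ports contain a run
    of at least `min_steps` consecutive integers (port incrementing by 1 per query)."""
    result = {}
    for pid, ports in ports_by_pid(snapshots).items():
        p = sorted(ports)
        longest = run = 1
        for a, b in zip(p, p[1:]):
            run = run + 1 if b - a == 1 else 1
            longest = max(longest, run)
        if longest >= min_steps:
            result[pid] = longest
    return result


# Constructed snapshots: pid 4242 opens 1030, 1031, 1032, 1033 over four samples,
# while pid 1100 (a service-like process) stays on 5355 and 137 throughout.
SAMPLE_SNAPSHOTS = [
    [(4242, 1030), (1100, 5355), (1100, 137)],
    [(4242, 1031), (1100, 5355), (1100, 137)],
    [(4242, 1032), (1100, 5355), (1100, 137)],
    [(4242, 1033), (1100, 5355), (1100, 137)],
]


def watch(seconds=10, interval=0.05):
    """Sample live UDP endpoints for `seconds` and print processes that walk their source port."""
    import psutil  # assumption: psutil is installed
    snaps = []
    end = time.time() + seconds
    while time.time() < end:
        snaps.append(snapshot_udp())
        time.sleep(interval)
    hits = walking_processes(snaps)
    for pid, steps in hits.items():
        try:
            name = psutil.Process(pid).name()
        except psutil.Error:
            name = "?"
        print(f"pid {pid} ({name}): {steps} consecutive UDP source ports")
    return hits


if __name__ == "__main__":
    # Offline check on the constructed data, then a live 10-second watch.
    print(walking_processes(SAMPLE_SNAPSHOTS))
    watch()
```

The 50 ms sampling interval is a guess at what is fast enough to see a socket that lives for one query; lower it if the process still slips through, and raise min_steps if a legitimate program (a resolver library that opens a fresh socket per lookup) produces short runs.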

Hi,

First, thanks BudMan for the help.

I solved the problem, but first to comment on your suggestions.

I tried TCPView but I couldn't see anything, even with pause, and yes, with netstat you can't see it.

The only way I could see something was wrong was via my firewall and with Wireshark on the infected computer.

The problem was the backdoor "SINOWALL.knf", and it was found/removed with the anti-rootkit utility TDSSKiller.

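The first post describes the traffic pattern (random names, queries sent straight to root servers instead of the configured resolver, source port incrementing by 1) and the last post says the firewall and a Wireshark capture were the only places it showed up. The following is an added example, not code from the thread or from any poster, that turns that pattern into a check over a capture export: it parses a tshark-style text dump (a constructed sample is embedded), flags queries addressed to root servers rather than the local resolver, scores label randomness with a simple entropy/vowel heuristic, and confirms the source-port walk. The resolver address 192.168.1.10 is an assumption, and the root-server list is a subset of the published root hints that should be refreshed from the current named.root before real use.

```python
"""Detect DNS queries for random-looking names sent straight to root servers from a
source port that increments by one per query.

Added example, not from the thread. Input is a constructed, tshark-style text export
(one query per line). The resolver address and the root-server subset are assumptions;
refresh the latter from https://www.internic.net/domain/named.root for real use.
"""
import math
from collections import Counter

LOCAL_RESOLVER = "192.168.1.10"  # assumption: the site's configured resolver

# Subset of root-server IPv4 addresses (from the root hints file at time of writing).
ROOT_SERVERS = {
    "198.41.0.4",      # a.root-servers.net
    "192.33.4.12",     # c
    "199.7.91.13",     # d
    "192.203.230.10",  # e
    "192.5.5.241",     # f
    "192.112.36.4",    # g
    "192.36.148.17",   # i
    "192.58.128.30",   # j
    "193.0.14.129",    # k
    "199.7.83.42",     # l
    "202.12.27.33",    # m
}

# Constructed sample in the layout produced by
#   tshark -r cap.pcap -Y dns.flags.response==0 -T fields \
#          -e frame.time_relative -e udp.srcport -e ip.dst -e dns.qry.name
SAMPLE_CAPTURE = """\
0.000 1025 192.168.1.10 www.neowin.net
0.104 1026 192.33.4.12 kqzvtrx.com
0.131 1027 198.41.0.4 xwqjbtlp.net
0.159 1028 192.5.5.241 ptzkqvmn.org
0.187 1029 202.12.27.33 zrwmxqtd.com
1.402 1030 192.168.1.10 technet.microsoft.com
"""


def parse_capture(text):
    """Parse 'time srcport dst qname' lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, sport, dst, qname = line.split()
        rows.append({"time": float(t), "sport": int(sport), "dst": dst,
                     "qname": qname.rstrip(".")})
    return rows


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(qname, min_entropy=2.5, max_vowel_ratio=0.25):
    """Heuristic: the leftmost label is long, high-entropy and vowel-poor."""
    label = qname.split(".")[0]
    if len(label) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in label.lower())
    return label_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def to_root_bypassing_resolver(rows, resolver=LOCAL_RESOLVER):
    """Queries that skip the configured resolver and go straight to a root server."""
    return [r for r in rows if r["dst"] != resolver and r["dst"] in ROOT_SERVERS]


def port_walk(rows):
    """True when each flagged query uses the previous query's source port + 1."""
    ports = [r["sport"] for r in rows]
    return len(ports) >= 3 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


def analyse(text, resolver=LOCAL_RESOLVER):
    """Summarise a capture export and give a verdict on the pattern from the thread."""
    rows = parse_capture(text)
    flagged = to_root_bypassing_resolver(rows, resolver)
    random_names = [r["qname"] for r in flagged if looks_random(r["qname"])]
    return {
        "total": len(rows),
        "to_root": len(flagged),
        "random_names": random_names,
        "port_walk": port_walk(flagged),
        "verdict": bool(flagged) and port_walk(flagged) and len(random_names) == len(flagged),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_CAPTURE), indent=2))
```

The verdict deliberately requires all three signals together; a resolver such as BIND or Unbound legitimately talks to root servers, but from a stable or randomised source port and for real names, so either of the other two checks alone would produce false positives on a DNS server.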
