I need a little assistance from my fellow Spice Heads!

I have a client that introduced malware to the company network. I have used Malwarebytes to remove everything and also nuked the workstations and the AD server. The network is still running sluggishly; upon further investigation, the NEW AD server is being bombarded with DNS requests from around the world.

How can I find the device that these requests are coming from? I have disabled DHCP and assigned static IPs on all devices (not a large network). I have tried shutting down each device one by one, to no avail.

Here is the environment:

1 Xenserver

AD VM running 2012 R2 and 3 Server 2012 R2 VMs, 4 Windows 10 VMs and 4 physical PCs also running Windows 10. All workstations have been nuked.

Any advice on where to start would be awesome.


You said this is being bombarded from around the world with DNS requests, which makes it sound like this DNS server is public facing. If so, why? This is your AD server; it should remain internal.

I have blocked all DNS traffic at the SonicWALL. However, when I look at Resource Monitor on the AD server, DNS.exe is getting hammered by hosts from all over the world.

A few questions and things to look at:

So DNS requests from all over the world are hitting the external IP address for your AD server? If so, do you have more than one static IP address? If so, you might want to change that address.

Check your DNS setup - make sure your AD server is only servicing your company.local domain.

Use netstat on the AD server and your SonicWALL to narrow down where requests are coming from - start blacklisting those on the firewall.

Are you sure it's getting requests from outside and these are not internal requests being queried?

If these are external queries asking your DNS server, your DNS server is public facing and while this is also an AD server, this is bad.

Can you share a log or something to show these queries?
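One way to answer the "internal or external?" question above is to turn on the DNS Server debug log (Set-DnsServerDiagnostics on 2012 R2) and tally the source addresses of inbound queries. The script below is an added example, not from the original thread; it assumes the debug log's "UDP Rcv <source ip> <xid> Q" line layout and uses constructed sample lines rather than real traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of a Windows DNS Server debug log.
# Not real traffic: 192.168.1.50 is an internal client, the others are outside.
SAMPLE_LOG = """\
3/25/2019 10:15:32 AM 0B30 PACKET  000000DA1E3B0A10 UDP Rcv 192.168.1.50     0002   Q [0001   D   NOERROR] A      (3)www(7)company(5)local(0)
3/25/2019 10:15:32 AM 0B30 PACKET  000000DA1E3B0A10 UDP Rcv 203.0.113.7      a1f3   Q [0001   D   NOERROR] ANY    (4)isc(3)org(0)
3/25/2019 10:15:33 AM 0B30 PACKET  000000DA1E3B0A10 UDP Rcv 203.0.113.7      a1f4   Q [0001   D   NOERROR] ANY    (4)isc(3)org(0)
3/25/2019 10:15:33 AM 0B30 PACKET  000000DA1E3B0A10 UDP Snd 192.168.1.50     0002   R Q [8081   DR  NOERROR] A      (3)www(7)company(5)local(0)
3/25/2019 10:15:34 AM 0B30 PACKET  000000DA1E3B0A10 UDP Rcv 198.51.100.23    77aa   Q [0001   D   NOERROR] ANY    (4)isc(3)org(0)
"""

# Matches only inbound queries ("Rcv ... Q"); responses the server sends ("Snd") are skipped.
RCV_QUERY = re.compile(r"\b(UDP|TCP) Rcv (\S+)\s+\S+\s+Q\b")

# Address ranges that belong to the company LAN (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def tally_sources(log_text):
    """Return {source_ip: number of inbound queries} from debug-log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RCV_QUERY.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def split_internal_external(counts):
    """Split the tally into LAN sources and everything else (the ones that should not exist)."""
    internal, external = {}, {}
    for ip, n in counts.items():
        (internal if is_internal(ip) else external)[ip] = n
    return internal, external

if __name__ == "__main__":
    internal, external = split_internal_external(tally_sources(SAMPLE_LOG))
    print("internal sources:", internal)
    print("external sources (should be empty for an AD-only DNS server):", external)
```

Run it against the real log file (read its contents into `tally_sources`) and any non-empty external list confirms the server is reachable from the Internet; a single internal address with a huge count points at the host generating the traffic.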

First of all, change the passwords wherever applicable; if possible, then for all. Check the login event log in the firewall for any successful logins from outside. Change passwords for the firewall as well as the servers.
Check whether there are any default, fully authorised built-in admin and active users on the firewall, like the admin and support accounts in Cyberoam. Check whether they still have the default password. Even if you have not left default passwords on those IDs, change them as well.
If you see any successful login on the firewall from outside, check for the same IP in Performance Monitor on each node. That node may still be under the effect of the malware.

It sounds like the malware has not been completely eradicated. If all the computers (virtual and physical) were not all disconnected from the network at the same time, you may have had infections occurring on local machines as they were re-installed.

The DNS issue is puzzling. What connections (ports/services) are you allowing into your network from the Internet? Do you have a DMZ area for servers that accept connections from the Internet, which blocks these machines from contacting your internal PCs and servers?