
Need some help in understanding the attack below.

The logs below are extracted from the firewall, and I could see an outbound connection from the LDAP server to 194.169.218.42. But walking through the logs (given below) you can see the DNS hostname martinhot.xyz. This DNS domain has a different IP (93.158.205.211) and is blacklisted by almost all threat feeds. Is this some kind of attack? Why is my LDAP server contacting this domain?

<13>Sep 13 07:29:13 10.30.130.7 13Sep2016 07:29:13 monitor 10.x.x.x product: New Anti Virus; src: LDAp IP; s_port: 54661; dst:
194.169.218.42; service: 53; proto: udp; rule: ;Confidence Level: 5;Destination DNS Hostname: martinhot.xyz;Protection Type: DNS reputation;Protection name: Malware.ytire;Source OS: Windows;Suppressed logs: 4;__policy_id_tag: product=VPN-1 & FireWall-1[db_tag={79357CCC-7962-D34A-B8E9-BED995AEA705};mgmt=SecurityManager.com;date=1473679193;policy_name=Col_fw];action_details:
*** Confidential ***;description: Connection was allowed because background classification mode was set. See sk74120 for more information.;has_accounting: 0;i/f_dir: outbound;i/f_name: eth0;log_id: 2;malware_action: Malicious DNS request;malware_family: Malware;malware_rule_id: {00000040-0096-004E-9D42-F129618FF42F};origin_sic_name: ;protection_id: 0020287A0;received_bytes: 0;scope: 10.25.165.254;sent_bytes: 0;session_id: <57d7e309,00000022,0bfc190a,c0000002>;severity: 3;snid: 7951c679;src_machine_name: *** Confidential ***;src_user_name: *** Confidential ***;user: *** Confidential ***;vendor_list: Check Point ThreatCloud, ;

So my LDAP server is contacting the DNS server which is blacklisted. How safe is this?
Should I be concerned?

MS Guy
  • The first connection is to a DNS server (UDP port 53), presumably to look up the IP for martinhot.xyz. What kind of LDAP server is it and is it running any other services? – Julian Knight Sep 13 '16 at 13:15
  • We belong to the security team. As of now no idea about the services running on the LDAP server. What hits me is why the LDAP server is contacting the blacklisted DNS hostname. Is it related to any services running on the LDAP server? Should I be concerned? – MS Guy Sep 13 '16 at 13:25
  • Actually, I just looked again and the platform is Windows? So what makes you think the LDAP service issued the call? Much more likely that something else running on the system or an admin accessing the OS triggered the DNS lookup. – Julian Knight Sep 13 '16 at 13:28

1 Answer

If the LDAP server is actually an Active Directory Domain Controller, then it will have a bundled DNS server installed. By default, recursive resolution is also enabled.

Many Windows admins also set this DNS server as the default on clients as it is the easiest way for the domain DNS names to be picked up without delegation.

You're probably seeing that DNS server resolving the domain for one of the clients.

While the DNS server can be configured to log each resolution, it is not very efficient. So the best way to find out which clients are involved is to look for connections to the IP that is returned by DNS.

billc.cn
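The triage this answer describes, as an added example that is not part of the original post: parse Check Point-style `key: value;` records, confirm the alert is the resolver's own port-53 lookup (so the `src` is the DNS server, not the client that asked), then search connection logs for internal hosts that reached the IP the name resolves to. The records and the 10.25.165.x client addresses are constructed; 93.158.205.211 is the IP quoted in the question.

```python
from collections import defaultdict

# Constructed sample alert in the "key: value;" style seen in the question
# (values shortened; this is not the poster's actual log line).
DNS_ALERT = (
    "product: New Anti Virus; src: 10.30.130.7; s_port: 54661; dst: 194.169.218.42; "
    "service: 53; proto: udp; Destination DNS Hostname: martinhot.xyz; "
    "Protection Type: DNS reputation; malware_action: Malicious DNS request;"
)

# Constructed connection records: the resolver's lookup plus a few client flows.
# 93.158.205.211 is the address the question says the blacklisted name resolves to.
CONN_LOGS = [
    "src: 10.30.130.7; s_port: 54661; dst: 194.169.218.42; service: 53; proto: udp;",
    "src: 10.25.165.17; s_port: 49822; dst: 93.158.205.211; service: 443; proto: tcp;",
    "src: 10.25.165.17; s_port: 49830; dst: 93.158.205.211; service: 80; proto: tcp;",
    "src: 10.25.165.42; s_port: 51002; dst: 93.158.205.211; service: 443; proto: tcp;",
    "src: 10.25.165.99; s_port: 51100; dst: 8.8.8.8; service: 53; proto: udp;",
]


def parse_record(line):
    """Split a 'key: value; key: value;' record into a dict (keys kept verbatim)."""
    fields = {}
    for part in line.split(";"):
        if ":" in part:
            key, _, value = part.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def is_resolver_lookup(rec):
    """True when the alert is a DNS-reputation hit on a UDP/53 query, i.e. the
    source is the resolver forwarding a lookup, not the host that wanted the name."""
    return (rec.get("Protection Type") == "DNS reputation"
            and rec.get("service") == "53" and rec.get("proto") == "udp")


def clients_reaching(conn_lines, resolved_ip):
    """Map each internal source that connected to resolved_ip to the ports it used.
    This is the pivot the answer recommends instead of per-query DNS logging."""
    hits = defaultdict(set)
    for rec in map(parse_record, conn_lines):
        if rec.get("dst") == resolved_ip:
            hits[rec["src"]].add(rec["service"])
    return dict(hits)


if __name__ == "__main__":
    alert = parse_record(DNS_ALERT)
    print("resolver lookup:", is_resolver_lookup(alert), "for", alert["Destination DNS Hostname"])
    print("clients that reached the resolved IP:", clients_reaching(CONN_LOGS, "93.158.205.211"))
```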