I found that one user is making connections to coin mining related domains. Is there any way to stop this activity, with respect to that user?
2 Answers
It depends on the context of these connections, but things that you could do are:
Identify whether these connections are related to someone just browsing about coin miners (e.g. with the intention to install one) or whether they are made by the actual software/malware (which means that the user has it installed and running). If the user was just browsing the links but didn't install anything, this activity itself is not a threat;
Take a look at the domains' categorization. Does it seem suitable? The names depend on the vendor you use, but if it's something like "Business", "Internet services" or no category, then they are likely permitted even though they maybe shouldn't be. In this case you should inform the vendor about the false category; they will recategorize the domains and next time these connections will be blocked. A local block for particular domains can possibly also be enforced from your company's side if you report this activity;
If it is determined that the user has a miner installed, uninstall it or reinstall the whole host (this really depends on your company's policy on how to act here).
There is a pretty broad spectrum of possible actions in this case, depending on the context, but these things above are the usual.
Sinkhole the domains.
Either at the DNS server level or in the user's hosts file, make it resolve to 127.0.0.1.
Also, be advised: more and more sites (even legit ones, sadly) are running Javascript bitcoin miners at pageload. The big one that's making waves lately is coinhive, and it seems malware authors are also starting to incorporate it.
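The sinkhole approach from this answer as an added Python example (not code from either answer): it writes a managed block into a hosts file without duplicating entries, emits the equivalent dnsmasq `address=` rules, and checks the caveat that a hosts entry only matches the exact name while a DNS-server rule also catches subdomains. The domain names are constructed placeholders, not real indicators.

```python
# Constructed sample domains; real names come from your own proxy/DNS logs.
MINING_DOMAINS = ["miner-pool.example", "coin-cdn.example"]
SINK_IP = "127.0.0.1"
MARK_BEGIN = "# BEGIN mining-sinkhole"
MARK_END = "# END mining-sinkhole"


def _norm(name: str) -> str:
    return name.lower().strip(".")


def sinkhole_hosts(existing: str, domains, sink: str = SINK_IP) -> str:
    """Return hosts-file text with a managed sinkhole block appended.
    Lines outside the block are kept; the block is rebuilt on every run,
    so re-running never duplicates entries."""
    lines = existing.splitlines()
    if MARK_BEGIN in lines and MARK_END in lines:  # drop the previous block
        b, e = lines.index(MARK_BEGIN), lines.index(MARK_END)
        lines = lines[:b] + lines[e + 1:]
    # Names an admin already pinned by hand elsewhere in the file.
    already = set()
    for line in lines:
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            already.update(_norm(p) for p in parts[1:])
    block = [MARK_BEGIN]
    block += [f"{sink} {d}" for d in sorted({_norm(x) for x in domains})
              if d not in already]
    block.append(MARK_END)
    return "\n".join(lines + block) + "\n"


def dnsmasq_lines(domains, sink: str = SINK_IP):
    """Server-level rules: address=/name/ip matches name AND all subdomains."""
    return [f"address=/{d}/{sink}" for d in sorted({_norm(x) for x in domains})]


def is_covered(query: str, domains, server_level: bool) -> bool:
    """Would a lookup of `query` hit the sinkhole? A hosts entry matches
    the exact name only; a DNS-server rule also matches subdomains."""
    q = _norm(query)
    return any(q == _norm(d) or (server_level and q.endswith("." + _norm(d)))
               for d in domains)


if __name__ == "__main__":
    sample = "127.0.0.1 localhost\n10.0.0.5 intranet.example\n"  # constructed
    print(sinkhole_hosts(sample, MINING_DOMAINS), end="")
    print("\n".join(dnsmasq_lines(MINING_DOMAINS)))
```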