
Below is a screeny of my Squert GUI showing the Snort events. Notice they all happen at the same exact time. I cannot figure out what the source of it could be. Any ideas?

[screenshot]

Edit: It looks like the domains are owned by DtDNS.

Edit 2: Here's another screeny with more details. It looks like it's UDP protocol and port 53.

[screenshot]

Tim Molter
  • FYI, the second screen shot is too small to see. – Jonathan Jan 12 '15 at 20:10
  • Try going directly to the image: https://i.stack.imgur.com/TNfZ4.png. – Tim Molter Jan 12 '15 at 22:09
  • All these alerts say, in and of themselves, is that DNS queries to those domains occurred. That particular provider provides Dynamic DNS services. Dynamic DNS can be used for malicious purposes, but is also used for other reasons when an IP can't be static. Do you have any other details about this host around this time? I would recommend checking DNS logs, and DHCP logs as well if you aren't sure which host this is. – theterribletrivium Jan 13 '15 at 01:23
  • @theterribletrivium I know what host it is and I tracked down the PCAP file, but I have no idea what process produced the query. The contents of the PCAP file are simply: d4c3 b2a1 0200 0400 0000 0000 0000 0000 ffff 0000 0100 0000. – Tim Molter Jan 13 '15 at 08:47
  • Do you have DNS logs available? You may be able to determine that these entries were looked up for an innocuous reason by viewing what else happened around that time. – theterribletrivium Jan 13 '15 at 21:48

1 Answer


One idea (though it may or may not be correct) is that malware on your system could be trying to reach out to its creator (e.g. to send out information or to allow for your system to be used in a botnet). The * is typically used as a "wild card". For example, the domain www.abc.3d-game.com should be found by the *.3d-game.com query. The domains shown here definitely look suspicious. I would update your antivirus and run a scan of your system to check for any malware. Even a clean virus scan does not entirely rule that idea out.

Edit: For a Mac, you may be able to use Apple's file quarantine system, see the question: Should I get an antivirus for my Mac?

Jonathan
  • Thanks. I don't have a virus scanner on my Mac. Any suggestions? Also, do you think some JavaScript could have run from a web page I had open to do the DNS lookups? I have no idea what produced the UDP query. – Tim Molter Jan 12 '15 at 19:42
  • @TimMolter I edited my question to address Macs as well. – Jonathan Jan 13 '15 at 01:05
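The hex the asker posted in the question comments (d4c3 b2a1 0200 0400 ... 0100 0000) is exactly a 24-byte classic pcap global header: little-endian magic, version 2.4, snaplen 65535, link type 1 (Ethernet), with no packet records after it. A file like that cannot show which query fired the alert, let alone which process sent it. The Python below is an added example and is not part of the original question, answer or Squert/Snort itself. It parses a capture of that format, returns an empty packet list for a header-only file, and, when records are present, pulls the DNS queries on UDP/53 and applies the `*.3d-game.com` style wildcard the answer describes. The capture it builds for testing (hosts 192.168.1.10 and 192.168.1.1, queries for www.abc.3d-game.com and www.example.com) is constructed here; nothing about the asker's real traffic is assumed.

```python
import struct

# The 24 bytes the asker posted, verbatim: a classic pcap global header
# (little-endian magic d4c3b2a1, version 2.4, snaplen 65535, link type 1 =
# Ethernet) followed by no packet records at all.
ASKER_PCAP = bytes.fromhex("d4c3b2a1020004000000000000000000ffff000001000000")


def parse_pcap(data):
    """Return (linktype, [frame, ...]); a header-only file yields an empty list."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (magic %r)" % data[:4])
    _maj, _min, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    frames, off = [], 24
    while off + 16 <= len(data):  # each record: 16-byte header, then incl_len bytes of frame
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, frames


def _read_name(dns, off):
    """Read a DNS label sequence at dns[off]; return (dotted name, offset after it)."""
    labels = []
    while off < len(dns):
        length = dns[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0:  # compression pointer: never legal inside a question name, so stop
            return ".".join(labels), off + 2
        labels.append(dns[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return ".".join(labels), off


def dns_query_names(dns):
    """QNAMEs in the question section of a DNS query (QR bit clear); [] for responses."""
    if len(dns) < 12:
        return []
    _txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000:
        return []
    names, off = [], 12
    for _ in range(qdcount):
        name, off = _read_name(dns, off)
        names.append(name)
        off += 4  # skip QTYPE and QCLASS
    return names


def dns_queries_in_frame(frame):
    """(src_ip, dst_ip, qname) for each DNS query in an Ethernet/IPv4/UDP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return []
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:  # protocol 17 = UDP
        return []
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if 53 not in (sport, dport):
        return []
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return [(src, dst, q) for q in dns_query_names(ip[ihl + 8:])]


def matches_wildcard(qname, pattern):
    """'*.3d-game.com' matches 3d-game.com and every name under it, not 'evil3d-game.com'."""
    qname, pattern = qname.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return qname == pattern[2:] or qname.endswith(pattern[1:])
    return qname == pattern


def suspicious_queries(pcap_bytes, patterns):
    """Every DNS query in an Ethernet capture whose QNAME matches one of the patterns."""
    linktype, frames = parse_pcap(pcap_bytes)
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    return [hit for frame in frames for hit in dns_queries_in_frame(frame)
            if any(matches_wildcard(hit[2], p) for p in patterns)]


# Constructed test input (not from the asker's capture): build a frame carrying
# an A query, and wrap frames in the asker's header to get a capture with records.
def build_dns_query_frame(src_ip, dst_ip, qname, txid=0x1234):
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 51234, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,  # IP checksum left 0
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs + EtherType IPv4


def build_pcap(frames):
    out = bytearray(ASKER_PCAP)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1421000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)
```

`parse_pcap(ASKER_PCAP)` returns `(1, [])`, which is the whole story of the asker's file: the sensor wrote the header and nothing else, so the alert has to be chased from the Snort event fields (source IP, destination port 53, the matched name) and from the host-side resolver and DHCP logs the commenter suggested, not from this pcap. Against a real capture taken on the host with `tcpdump -w`, `suspicious_queries(open(path, "rb").read(), ["*.3d-game.com"])` lists which internal IP asked for which name, which at least narrows the search to one machine and one moment.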