
Below is the specific traffic monitored at the network perimeter and originating from a user PC on the Vista platform.

My question is not about the effects of the flood, but about the nature of its source. Is this some known infection, or just an application that went out of control? A standard NOD32 scan didn't find anything, as the user told me.

Thank you for any hint.

14:40:10.115876 IP 192.168.7.42.4122 > 67.228.0.181.53: S 2742536765:2742536765(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.115943 IP 192.168.7.42.4124 > 67.228.181.207.53: S 3071079888:3071079888(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116015 IP 192.168.7.42.4126 > 67.228.0.181.53: S 3445199428:3445199428(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116086 IP 192.168.7.42.4128 > 67.228.181.207.53: S 2053198691:2053198691(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116154 IP 192.168.7.42.4130 > 67.228.0.181.53: S 2841660872:2841660872(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116222 IP 192.168.7.42.4132 > 67.228.181.207.53: S 3150822465:3150822465(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116290 IP 192.168.7.42.4134 > 67.228.0.181.53: S 1692515021:1692515021(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116358 IP 192.168.7.42.4136 > 67.228.181.207.53: S 3358275919:3358275919(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116430 IP 192.168.7.42.4138 > 67.228.0.181.53: S 930184999:930184999(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116498 IP 192.168.7.42.4140 > 67.228.181.207.53: S 1504984630:1504984630(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116566 IP 192.168.7.42.4142 > 67.228.0.181.53: S 546074424:546074424(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116634 IP 192.168.7.42.4144 > 67.228.181.207.53: S 4241828590:4241828590(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116702 IP 192.168.7.42.4146 > 67.228.0.181.53: S 668634627:668634627(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.116769 IP 192.168.7.42.4148 > 67.228.181.207.53: S 3768119461:3768119461(0) win 16384 <mss 1460,nop,nop,sackOK>
14:40:10.117360 IP 192.168.7.42.4111 > 67.228.0.181.53:  12676 op8 Resp12*- [2128q][|domain]
14:40:10.117932 IP 192.168.7.42.4112 > 67.228.181.207.53:  44190 op7 NotAuth*|$ [29103q],[|domain]
14:40:10.118726 IP 192.168.7.42.4113 > 67.228.0.181.53:  49196 inv_q [b2&3=0xeea] [64081q] [28317a] [43054n] [23433au] Type63482 (Class 5889)? M-_^OS>M-JM-m^_M-i.[|domain]
14:40:10.119934 IP 192.168.7.42.4114 > 67.228.181.207.53:  48131 updateMA Resp12$ [43850q],[|domain]
14:40:10.121164 IP 192.168.7.42.4115 > 67.228.0.181.53:  46330 updateM% [b2&3=0x665b] [23691a] [998q] [32406n] [11452au][|domain]
14:40:10.121866 IP 192.168.7.42.4116 > 67.228.181.207.53:  34425 op7 YXRRSet* [39927q][|domain]
14:40:10.123107 IP 192.168.7.42.4117 > 67.228.0.181.53:  56536 notify+ [b2&3=0x27e6] [59761a] [23005q] [33341n] [29705au][|domain]
14:40:10.123961 IP 192.168.7.42.4118 > 67.228.181.207.53:  19323 stat% [b2&3=0x14bb] [32491a] [41925q] [2038n] [5857au][|domain]
14:40:10.132499 IP 192.168.7.42.4119 > 67.228.0.181.53:  50432 updateMA+ [b2&3=0x6bc2] [10733a] [9775q] [46984n] [15261au][|domain]
14:40:10.133394 IP 192.168.7.42.4120 > 67.228.181.207.53:  2171 notify Refused$ [26027q][|domain]
14:40:10.134421 IP 192.168.7.42.4121 > 67.228.0.181.53:  25802 updateM NXDomain*-$ [28641q][|domain]
14:40:10.135392 IP 192.168.7.42.4122 > 67.228.181.207.53:  2073 updateMA+ [b2&3=0x6d0b] [43177a] [54332q] [17736n] [43636au][|domain]
14:40:10.136638 IP 192.168.7.42.4123 > 67.228.0.181.53:  15346 updateD+% [b2&3=0x577a] [61686a] [19106q] [15824n] [37833au] Type28590 (Class 64856)? [|domain]
14:40:10.137265 IP 192.168.7.42.4124 > 67.228.181.207.53:  60761 update+ [b2&3=0x2b66] [43293a] [53922q] [23115n] [11349au][|domain]
14:40:10.148122 IP 192.168.7.42.4125 > 67.228.0.181.53:  3418 op3% [b2&3=0x1a92] [51107a] [60368q] [47777n] [56081au][|domain]
  • recommend reformatting data to make it human-parsable;) – Andy Jun 17 '10 at 14:33
  • @radudani: this question will be migrated to our sister site, Server Fault. you will need to register your account here and there with the same OpenID to regain ownership of the question. – quack quixote Jun 17 '10 at 15:52

1 Answer


Both of the DNS servers being hit are at SoftLayer, a fairly well known hosting company.

The first question would be: why would your machine be getting DNS from there? Since the machine is a client machine and not a server, it isn't like you would be running nameservice from that machine, so I would suspect something is redirecting DNS requests for a particular app there. It is somewhat common for zombie botnet processes to use their own DNS servers so that they can redirect their zombies to connect to a command and control network of their choosing. Both IP addresses appear non-responsive, and don't appear to be answering DNS queries, so it is possible it was an exploited machine that was taken down.

The fact that you actually logged successful requests and now that machine isn't responding gives another data point that something isn't quite right.

I'd pull that box off the network and do a scan to see if it finds any malware.

user6738237482
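A defender-side check for the pattern the answer describes, added here as an example (not code from the question or the answer): it parses tcpdump lines in the format shown in the capture above and reports a client's port-53 traffic to any server outside the approved resolver set, counting SYNs, packets tcpdump could not decode as DNS, and distinct source ports. The first three sample lines are copied from the capture in the question; the fourth is a constructed ordinary query, and the approved resolver 192.168.7.1 is an assumption.

```python
import re
from collections import defaultdict

# Sample input: three lines from the capture in the question plus one
# constructed, ordinary lookup to the site resolver for contrast.
SAMPLE_LINES = [
    "14:40:10.115876 IP 192.168.7.42.4122 > 67.228.0.181.53: S 2742536765:2742536765(0) win 16384 <mss 1460,nop,nop,sackOK>",
    "14:40:10.115943 IP 192.168.7.42.4124 > 67.228.181.207.53: S 3071079888:3071079888(0) win 16384 <mss 1460,nop,nop,sackOK>",
    "14:40:10.117360 IP 192.168.7.42.4111 > 67.228.0.181.53:  12676 op8 Resp12*- [2128q][|domain]",
    "14:40:10.200000 IP 192.168.7.42.4200 > 192.168.7.1.53:  1234+ A? example.com. (29)",  # constructed
]

# tcpdump's "time IP src.port > dst.port: rest" line shape
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

def parse_line(line):
    """Return one packet as a dict, or None if the line is not in tcpdump's format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["tcp_syn"] = rec["rest"].startswith("S ")        # TCP SYN with no payload
    rec["malformed"] = "[|domain]" in rec["rest"]        # tcpdump could not decode the DNS payload
    return rec

def find_rogue_dns(lines, approved_resolvers):
    """Per unapproved port-53 destination: packets, SYNs, undecodable DNS, distinct source ports."""
    report = defaultdict(lambda: {"packets": 0, "syns": 0, "malformed": 0, "src_ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53 or rec["dst"] in approved_resolvers:
            continue
        entry = report[rec["dst"]]
        entry["packets"] += 1
        entry["syns"] += rec["tcp_syn"]
        entry["malformed"] += rec["malformed"]
        entry["src_ports"].add(rec["sport"])
    # Collapse the port sets to counts so the result is easy to log or compare.
    return {dst: {**v, "src_ports": len(v["src_ports"])} for dst, v in report.items()}

if __name__ == "__main__":
    for dst, stats in find_rogue_dns(SAMPLE_LINES, {"192.168.7.1"}).items():
        print(f"{dst}: {stats}")
```

Run over a full capture, a large SYN count across many source ports to a single unapproved port-53 address, with undecodable payloads, is the signature worth escalating rather than treating as a misconfigured resolver.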