Malicious-DNS
Sten Carlsen
stenc at s-carlsen.dk
Mon Feb 18 23:50:18 UTC 2019
Or do the combination: set up the fake server and use tcpdump or
Wireshark to capture all access. That should catch all ports and protocols.
On 18-02-2019 21.05, Kevin Darcy wrote:
> Another approach is to define a "fake" vitaminc.pro domain, point it at
> an internal webserver (assuming you have a spare, or can spin one up for
> the purpose), and see what clients are hitting it.
>
> Of course, that assumes the communication is web-based. If it's some
> other protocol(s), you'd need to monitor that protocol, or those
> protocols, on the "decoy" server. One would need to know more about
> the behavior of the malware involved.
>
> Speaking of which, VirusTotal doesn't seem to think there's anything
> suspicious about vitaminc.pro. Haven't checked my other sources of
> Threat Intelligence, but usually there's *something* on VT if a domain
> is being used as a C&C...
>
>
> - Kevin
>
>
> On Mon, Feb 18, 2019 at 9:24 AM Tony Finch <dot at dotat.at> wrote:
>
> MEjaz <mejaz at cyberia.net.sa> wrote:
> >
> > If I enable it, will the system's performance slow down?
>
> Depends on how much load your servers are under and what their capacity
> is.
>
> An alternative to query logs, when you are searching for a known query
> name, is to use tcpdump. It's tedious and fiddly to convert the name to
> DNS wire format and then into a pcap filter expression, so I have a
> little script to do that (quoted below after my .sig). The command you
> want is like:
>
> tcpdump -np udp port 53 and '(' udp[20] == 8 and udp[21] == 118 and udp[22] == 105 and udp[23] == 116 and udp[24] == 97 and udp[25] == 109 and udp[26] == 105 and udp[27] == 110 and udp[28] == 99 and udp[29] == 3 and udp[30] == 112 and udp[31] == 114 and udp[32] == 111 ')'
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at>
> http://dotat.at/
> Southeast Iceland: Northerly 6 to gale 8, veering northeasterly 5
> to 7. Rough
> or very rough. Rain or wintry showers. Good, occasionally poor.
>
>
> #!/usr/bin/perl
>
> use warnings;
> use strict;
>
> use Net::DNS::DomainName;
>
> die "usage: $0 <domain-name>\n"
>     unless @ARGV == 1;
>
> my $text = shift;
>
> # canonical() gives the uncompressed, lowercased wire-format name,
> # i.e. length-prefixed labels ending in the zero-length root label
> my $wire = Net::DNS::DomainName->new($text)->canonical;
>
> my @wire = unpack 'C*', $wire;
>
> # keep the trailing root byte only when the name ends with a dot,
> # so a name without one is matched as a prefix
> pop @wire unless $text =~ m{\.$};
>
> # the QNAME starts at udp[20]: 8-byte UDP header plus 12-byte DNS header
> printf "'(' %s ')'\n",
>     join ' and ',
>     map { sprintf "udp[%d] == %d", 20 + $_, $wire[$_] }
>         0 .. $#wire;
>
> #!/usr/bin/perl
>
> use warnings;
> use strict;
>
> die "usage: tcpdump-qname.pl <dns-label>\n"
>     unless @ARGV == 1;
>
> my $name = shift;
>
> # byte values of a single label, for building a filter term by hand
> my @name = unpack 'C*', $name;
>
> printf "%s\n", join ', ', @name;
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
More information about the bind-users mailing list
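An added example, not part of the thread or of Tony's script: a Python version of the name-to-filter conversion, plus a small evaluator that applies the same `udp[N] == v` byte tests to constructed UDP datagrams so you can see what the filter catches and what it misses. The sample packets are constructed for this demonstration (source port 40000, the search-list suffix corp.example, the mixed-case query); the `queries_only` option and its QR-bit test are an addition that the Perl script does not have.

```python
"""Build, and locally evaluate, a tcpdump filter for one DNS query name."""
import struct
import sys

UDP_HEADER_LEN = 8            # udp[N] in BPF counts from the start of the UDP header
DNS_HEADER_LEN = 12           # fixed DNS header, RFC 1035 section 4.1.1
QNAME_OFFSET = UDP_HEADER_LEN + DNS_HEADER_LEN   # 20: where the first QNAME starts
QR_BYTE_OFFSET = UDP_HEADER_LEN + 2              # 10: high byte of the DNS flags, QR is 0x80


def qname_wire(name: str) -> bytes:
    """Encode `name` as an uncompressed DNS wire-format QNAME.

    Mirrors Net::DNS::DomainName->canonical: labels are lowercased, each is
    preceded by its length, and a zero byte (the root label) ends the name.
    """
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = bytearray()
    for lbl in labels:
        raw = lbl.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {lbl!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def _pattern(name: str) -> bytes:
    # As in the Perl script, drop the root byte unless the name has a trailing
    # dot, so "vitaminc.pro" also matches "vitaminc.pro.corp.example" (what a
    # stub resolver sends when it appends its search list); "vitaminc.pro."
    # matches exactly.
    wire = qname_wire(name)
    return wire if name.endswith(".") else wire[:-1]


def tcpdump_filter(name: str, queries_only: bool = False) -> str:
    """Return a pcap filter expression equivalent to the one in the post."""
    terms = " and ".join(f"udp[{QNAME_OFFSET + i}] == {b}" for i, b in enumerate(_pattern(name)))
    expr = f"udp port 53 and '(' {terms} ')'"
    if queries_only:
        # Responses carry the same question section, so without this the
        # filter also fires on the resolver's answers (QR bit set).
        expr += f" and udp[{QR_BYTE_OFFSET}] & 0x80 == 0"
    return expr


def build_datagram(name: str, response: bool = False) -> bytes:
    """Constructed sample: UDP header plus a minimal DNS A query or response.

    The UDP header is synthetic (port 40000 <-> 53, zero checksum).  The QNAME
    is encoded exactly as typed: real clients do not lowercase it, and some
    randomise its case (0x20 encoding), which the byte-for-byte filter misses.
    """
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    flags = 0x8180 if response else 0x0100
    dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    sport, dport = (53, 40000) if response else (40000, 53)
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(dns), 0) + dns


def filter_matches(name: str, datagram: bytes, queries_only: bool = False) -> bool:
    """Evaluate the same byte tests BPF applies for tcpdump_filter(name)."""
    sport, dport = struct.unpack("!HH", datagram[:4])
    if 53 not in (sport, dport):          # "udp port 53" matches either direction
        return False
    pat = _pattern(name)
    if datagram[QNAME_OFFSET:QNAME_OFFSET + len(pat)] != pat:
        return False
    if queries_only and datagram[QR_BYTE_OFFSET] & 0x80:
        return False
    return True


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vitaminc.pro"
    print(tcpdump_filter(target))
    for qname in ("vitaminc.pro", "vitaminc.pro.corp.example", "www.vitaminc.pro", "VitaminC.pro"):
        hit = filter_matches("vitaminc.pro", build_datagram(qname))
        print(f"{qname:28s} {'matched' if hit else 'missed'}")
```

Run it with a name as the argument and paste the printed expression after `tcpdump -np`. The local evaluation shows the three things to keep in mind with this technique: a mixed-case query (some stubs randomise QNAME case) is not caught, because the filter compares raw bytes against the lowercased canonical form; a subdomain such as www.vitaminc.pro is not caught either, since the filter only tests the first question's bytes from offset 20; and, unless you add the QR-bit test, the resolver's own responses match just as the clients' queries do.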