Networks

General discussion

Locked

DNS Spoof/Hijack/Poison

By hbombvi ·
I'm not sure what the proper terminology is in this matter, but this has been driving me nuts.

Here's the situation. In my network, DHCP is assigned by the router. Everyone once in a while (for the past couple weeks_ when my users turn on their computers they pick up the address of another computer in the network as the DNS server. Now it's always the same address and I've tracked down the computer that I believe is causing this problem but I can't find a thing wrong on it. So far I've run two full Malwarebytes scans and a full Symantec Antivirus scan. Nada!

I've checked that computer a few times now. It never fails to get the right DNS servers from the router.

Now here's the really weird part. In the past when this happened the users who got the wrong DNS entry couldn't access the Internet at all until I asked them to repair their network settings after which they get the right DNS entries. But today I've managed to surf the Internet for a full hour before I realized some slowdown and checked my DNS entry. To my surprise, it was the IP of that very machine.

Anyone ever deal with anything like this? I'd appreciate any ideas.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Who do you work for?

by CharlieSpencer In reply to As much as I hate it

I ask just so I don't put in an application there by mistake. :-)

Collapse -

I thought it was obvious

by hbombvi In reply to Who do you work for?

I work for the government. :)

Not the federal mind you. It's local. But I won't say where. LOL!

Collapse -

Possible root kit?

by mjd420nova In reply to DNS Spoof/Hijack/Poison

I've seen this happen on a couple corporate networks and found a root kit that had forced the DNS change to make all the other network nodes to access the internet through the infected unit. Turn off the infected unit, leave it off and then turn on the other units and see if that cures the problem. It should only happen when that unit is on. Then with all the other units off, just turn on the suspect unit after isolating it from the network. Monitor the task manager and see if it reveals the attempt to access the network and the internet. The unit would require a wipe if a root kit identifier/removal tool is unsuccessful.

Collapse -

Uh-oh

by hbombvi In reply to Possible root kit?

I was afraid a wipe would be the only solution. I had the problem once before and that was the only solution I could come up with. I'm certain it's this computer though as I only get calls about it when that computer is on. I'll try to find a good root kit identifier/removal tool I can try.

Collapse -

Tried them

by hbombvi In reply to Here are some

No luck. Even after running several rootkit checks (found nothing) and changing to a static IP it's still doing it.

Collapse -

Possible Bot. attempt?

by matthew.balthrop In reply to DNS Spoof/Hijack/Poison

Either way, once isolated to that node the best response would probably be a wipe and re-image. The problem though is if that was a remote attack it would not be difficult for it to occur on another node on the network. Very strange though.

-alias

Collapse -

I agree

by hbombvi In reply to Possible Bot. attempt?

The last time I had this issue I just wiped the hard drive. Problem solved!

Couldn't do it this time though.

Collapse -

Another theory

by Michael Kassner Contributor In reply to DNS Spoof/Hijack/Poison

I wouldn't focus too hard on the computer that is being broadcast as the DNS server. If you have the workstations set up as DHCP clients they get that information from the DHCP server.

So either the router is offering that address as the DNS server or the computer in question is acting as a DHCP server and replying to DHCP requests faster than the router.

I'd check the lease time being published by the router and see if it the same as that given to the clients. To double check do a ipconfig/release and renew to see if the lease time matches.

There are exploits available for consumer grade routers that will setup rogue DNS servers, but your situation isn't exactly representing the typical exploit. I'd still be suspect of the router or check for other rogue DHCP servers on your network.

This SANS article mentions the process:

http://isc.sans.org/diary.html?storyid=6025

I'd might suggest getting a LiveCD that has a built in scanner as this type of malware is cognizant of most popular malware scanners.

Collapse -

Thanks for the input everyone

by hbombvi In reply to DNS Spoof/Hijack/Poison

I'm going to recommend to his boss that he doesn't plug his computer into our network anymore. I think he'll be more agreeable now that he just found himself hit with the same problem.

Thanks for all the help.

Related Discussions

Related Forums