In a Server 2008 AD environment, how do I query the log of every DNS request on the DNS server? Client IP, requested domain name, time.

  • Question

  • In a Server 2008 AD environment, how do I query the log of every DNS request on the DNS server? Client IP, requested domain name, time.

    The environment has a primary and a backup domain controller, and every client is configured with both DC IPs as its DNS servers.

    The goal is to find out which machines (by IP) are being abused by junk software to hammer lookups of random domain names. Our egress IP is now on the CBL blacklist. They say it has nothing to do with port 25; it is about connections to port 80 on their sinkhole server.


    IP Address ********** is listed in the CBL. It appears to be infected with a spam-sending trojan, proxy or some other form of botnet.

    It was last detected at 2014-06-16 01:00 GMT (+/- 30 minutes), approximately 2 hours ago.

    It has been relisted following a previous removal at 2014-06-13 03:43 GMT (2 days, 22 hours, 57 minutes ago).

    This IP address is infected with, or is NATting for a machine infected with, "Gameover Zeus" or "GOZ" - previously it has been referred to as "ZeusV3" or "p2pzeus". GOZ is a version of the ZeuS malware that uses peer-to-peer (P2P) command and control mechanisms.

    SpamHaus/the CBL is assisting the US Department of Justice (DOJ), Federal Bureau of Investigation (FBI), numerous other international law enforcement agencies and many private security organizations around the world in an operation to disrupt and mitigate the GOZ and Cryptolocker botnets. This is not expected, by itself, to destroy these botnets. But it will disrupt them, and give people a chance to eradicate much of these infections. Importantly, the measures taken will only be effective for about 2 weeks. It is fully likely that these botnets will restore themselves to full operation after the two weeks, so at best you have two weeks to mitigate these infections.

    This is the US Department of Justice Announcement and FBI Press Release. A similar alert has been published by the UK National Crime Agency (NCA).

    The most important/up-to-date mitigation information is published by the US CERT.

    ZeuSv3 takes advantage of P2P techniques by communicating with other nodes (=infected computers) on high ports (UDP and TCP).

    How to find an infected computer behind a NAT

    Please read the following section in its entirety.

    NEW! The Gameover Zeus/Tovar project has set up a "lighthouse IP". The lighthouse IP has been set up to help administrators find the Gameover Zeus infection on NAT networks. The theory is simple: every time an infected PC attempts to connect to a Command&Control sinkhole (see below for a partial list), the infected PC will also send a UDP packet to IP address 72.52.116.52 on port 4643 (though we suggest logging all ports). By configuring that address into your firewall, you can log which local IP address is attempting to contact 72.52.116.52, and thereby find and remediate the infection.

    If you are connected to us via a computer you believe may be infected, this link should help confirm your suspicion: Online Gameover Zeus Detector

    REMEMBER Gameover Zeus DOES NOT communicate over port 25 at all. It has nothing to do with email. Do not waste your time fiddling around with port 25 firewall rules.

    To find an infected computer on a NATted LAN you are searching for a local machine that is trying to make connections to a Zeus Command and Control (C&C) server on the Internet. These C&C servers have been taken over by our partners and they are giving us reports about which IPs are trying to talk to them. It is those IP addresses that are infected.

    If you have full logs of your firewall activity at the time this occurred, you can look in the logs for the time/sinkhole IP and destination port information given below.

    If you do not have full logs, you will need to set up a sniffer or firewall rules to catch and log attempts to talk to the C&C.

    NEW Instructions:

    In more difficult situations where you're unsuccessful with the above, you can configure your firewall or sniffer to watch for TCP/IP sessions going from your LAN to the Internet where the destination port number is above 1000. If you see a local IP address making lots of connections to different IPs on the internet on ports > 1000, you have probably identified the infected machine - this is the peer-to-peer communication that your zeus infection is attempting to other zeus infections.

    The technique described in the previous paragraph will work best if your LAN is quiet, or you can disconnect your LAN from the Internet for a short period.

    The report for your IP indicates connections from/to IP address 54.83.43.69 (the sinkhole server address) with a destination port 80, source port (for this detection) of 49219 at exactly 2014-06-16 00:54:45 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.

    See the paragraph below about Sinkhole IP addresses.

    The above report may include some "n/a" - this means that our provider didn't make the information available to us. We are attempting to resolve this issue, but in the meantime we must make the best of the information we have. See the paragraph below about Sinkhole IP addresses.

    When checking your logs remember that the source port changes every time a C&C attempt is made, so unless you have detailed firewall logs for the time the listing occurred, it's not worth looking for the source port.

    One other way to find it: if you have your own DNS server and can configure it to log, you can check the logs for machines that are doing lookups of strange things. Gameover Zeus does lookups of very strange-looking domains, like:

    xbyycitohzwoxghaqubu.ru
    dkvhnzdilfwhzizxczbqfydeus.ru
    zlmfxgwgqdieahvsgtfylrcgufy.com

    As you can see, it is a long string of gibberish, followed by a top level domain. ".ru" is very common, as are .co.uk and .biz or .info. Try scanning for a domain that's unlikely to be used much in your area (particularly .ru), and search for queries of gibberish names like this. The IP issuing the query will be the infected machine[s]. Warning: in larger environments with multiple DNS servers, the IP address _may_ be from one of the other DNS servers.

    Important note on Sinkhole IP addresses

    A number of our data sources are having difficulties telling us the IP address of their sinkholes. Further, it is the nature of these botnets that they will be trying multiple sinkholes in sequence or in series, so if you concentrate on watching traffic for one sinkhole, you may miss the traffic to a different sinkhole. The list below is all of the Gameover Zeus and Cryptolocker sinkholes we know about, and when we last got a detection from them. It is suggested that you check traffic to all of these IP addresses, but, if you can only do one or two at a time, start at the top and work downwards.

    The temptation will be great to simply firewall off these IPs and ignore the problem without getting rid of the infection. This is a bad idea:

    • This list is not complete and there are new sinkholes being created as well, so you will get relisted anyway.
    • By about June 13, the GOZ and Cryptolocker botnets will change to a new set of C&Cs that are controlled by the criminals. You do not want these botnets on your network when that happens.

    Sinkhole IP       Last seen (UTC)             Age (minutes)
    212.71.250.4      Mon Jun 16 00:45:10 2014    82
    54.83.43.69       Mon Jun 16 00:10:45 2014    116
    198.98.103.253    Sun Jun 15 09:30:08 2014    997
    192.42.116.41     Sun Jun 15 07:26:41 2014    1120
    208.64.121.161    Sun Jun 15 04:41:09 2014    1286
    85.159.211.119    Sat Jun 14 19:38:41 2014    1828
    192.42.119.41     Wed Jun 11 17:34:04 2014    6273
    142.0.36.234      Wed Jun  4 22:00:00 2014    16087

    However, any process or host sending/receiving large numbers of UDP or TCP packets on high ports should be looked at closely.

    Zbot/Zeus is a banking trojan, and specializes in stealing personal information (passwords, account information, etc) from interactions with banking sites through the use of "formgrabs". Zeus is also a common vector for downloading and controlling Cutwail (email spambot) and Pushdo (DDoS).

    Further (technical) information about this Trojan type can be obtained here:

    • fbi.gov - Malware Targets Bank Accounts
    • abuse.ch - FBI disrupts GameOver ZeuS and CryptoLocker Botnet
    • cert.pl - ZeuS P2P+DGA variant mapping out and understanding the threat



    June 16, 2014 6:30
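The CBL notice quoted in the question gives three firewall-side ways to find the infected host behind the NAT: any packet to the lighthouse IP 72.52.116.52 (port 4643, though it suggests logging all ports), connections to the listed sinkhole IPs, and one LAN host opening connections to many different Internet IPs on ports above 1000. The PowerShell below is an added example, not code from the thread or from CBL/Spamhaus, that applies all three to a firewall log in the W3C-style layout Windows Firewall with Advanced Security writes to pfirewall.log. Assumptions: the sample lines are constructed; `ConvertFrom-PfirewallLog`, `Test-PrivateIP`, `Find-GozIndicators` and the fan-out threshold are hypothetical names and tuning values. One caveat a reader should keep in mind: a host firewall log only records that host's own traffic, so the DC's pfirewall.log will show its DNS clients but not other machines' sinkhole connections; to cover the whole LAN you need the perimeter device's export (or each client's own log) mapped into the same columns.

```powershell
# Added example, not from the original thread or from CBL/Spamhaus.
# Scans a Windows Firewall (pfirewall.log, W3C-style) export for the Gameover Zeus
# indicators in the CBL notice. Sample data is constructed; names/thresholds are hypothetical.

$LighthouseIP = '72.52.116.52'   # CBL lighthouse; it suggests logging all ports, 4643 is the known one
$SinkholeIPs  = @('212.71.250.4', '54.83.43.69', '198.98.103.253', '192.42.116.41',
                  '208.64.121.161', '85.159.211.119', '192.42.119.41', '142.0.36.234')

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    # Column names are taken from the file's own '#Fields:' header rather than hard-coded
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = @($Matches[1].Trim() -split '\s+'); continue }
        if (-not $fields -or $line -match '^#' -or $line.Trim() -eq '') { continue }
        $cols = @($line.Trim() -split '\s+')
        if ($cols.Count -lt $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        New-Object PSObject -Property $rec
    }
}

function Test-PrivateIP {
    param([string]$IP)
    return ($IP -match '^10\.' -or $IP -match '^192\.168\.' -or $IP -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

function Find-GozIndicators {
    param([string[]]$Lines, [int]$FanOutThreshold = 8)   # threshold is a hypothetical tuning value
    $records  = @(ConvertFrom-PfirewallLog -Lines $Lines)
    # Only LAN -> Internet flows can be C&C, P2P or lighthouse traffic
    $outbound = @($records | Where-Object { (Test-PrivateIP $_.'src-ip') -and -not (Test-PrivateIP $_.'dst-ip') })

    $lighthouse = @($outbound | Where-Object { $_.'dst-ip' -eq $LighthouseIP } | ForEach-Object { $_.'src-ip' } | Sort-Object -Unique)
    $sinkhole   = @($outbound | Where-Object { $SinkholeIPs -contains $_.'dst-ip' } | ForEach-Object { $_.'src-ip' } | Sort-Object -Unique)

    # P2P fan-out: count distinct Internet peers per LAN host on destination ports > 1000 (TCP or UDP)
    $peers = @{}
    foreach ($r in $outbound) {
        if ($r.'dst-port' -notmatch '^\d+$' -or [int]$r.'dst-port' -le 1000) { continue }
        if (-not $peers.ContainsKey($r.'src-ip')) { $peers[$r.'src-ip'] = @{} }
        $peers[$r.'src-ip'][$r.'dst-ip'] = $true
    }
    $fanout = @($peers.Keys | Where-Object { $peers[$_].Count -ge $FanOutThreshold } | Sort-Object)

    New-Object PSObject -Property @{
        LighthouseHosts = $lighthouse
        SinkholeHosts   = $sinkhole
        FanOutHosts     = $fanout
    }
}

# Constructed sample in pfirewall.log layout (not a real capture). 192.168.1.77 plays the infected PC,
# 192.168.1.50 a normal client that happened to touch one sinkhole, 192.168.1.2 the peer DC.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-06-16 00:54:45 ALLOW TCP 192.168.1.77 54.83.43.69 49219 80 0 - 0 0 0 - - - SEND
2014-06-16 00:54:46 ALLOW UDP 192.168.1.77 72.52.116.52 49220 4643 0 - - - - - - - SEND
2014-06-16 00:54:47 ALLOW TCP 192.168.1.77 203.0.113.10 49221 7653 0 - 0 0 0 - - - SEND
2014-06-16 00:54:48 ALLOW UDP 192.168.1.77 198.51.100.23 49222 8921 0 - - - - - - - SEND
2014-06-16 00:54:49 ALLOW TCP 192.168.1.77 203.0.113.77 49223 6120 0 - 0 0 0 - - - SEND
2014-06-16 00:54:50 ALLOW TCP 192.168.1.50 212.71.250.4 49224 80 0 - 0 0 0 - - - SEND
2014-06-16 00:54:51 ALLOW TCP 192.168.1.50 203.0.113.5 49225 443 0 - 0 0 0 - - - SEND
2014-06-16 00:54:52 ALLOW UDP 192.168.1.50 192.168.1.2 49226 53 0 - - - - - - - SEND
'@

# Real use: -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
$result = Find-GozIndicators -Lines ($sampleLog -split "`r?`n") -FanOutThreshold 4
"Hosts that contacted the lighthouse IP : $($result.LighthouseHosts -join ', ')"
"Hosts that contacted a sinkhole        : $($result.SinkholeHosts -join ', ')"
"Hosts with P2P-style high-port fan-out : $($result.FanOutHosts -join ', ')"
```

The fan-out check is the noisiest of the three (any P2P client or a busy browser session can open many high-port connections), which is why the notice recommends running it on a quiet LAN; the lighthouse and sinkhole matches are exact and should be acted on first.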

Answers

All replies

  • You can troubleshoot this directly with the logging feature built into the DNS server on the domain controller, but enabling that log has a considerable impact on system performance, and the log file also becomes very large.

    You could also consider enabling the logging statistics of the domain controller's firewall.


    Folding@Home

    June 16, 2014 11:39
  • Assuming a malicious program really exists, you also have to check whether it only resolves IPs through the client's DNS settings; if it doesn't, neither the DC's DNS log nor the firewall log will catch it.

    Folding@Home

    June 16, 2014 11:43
  • By default the logging feature doesn't collect the requesting client IP or the requested domain. How do I turn that on?
    June 17, 2014 4:55
  • Both the DNS server log and the Windows Advanced Firewall log record the client IP. As for the requested domain, the client has to resolve through the AD-integrated DNS server; if it resolves directly through an external DNS server, the log will not record it. Also, to find the requests possibly made by malware, you need to analyze the log file and find the most frequent client IPs, and likewise the most frequently requested domains.

    Folding@Home

    June 17, 2014 10:40
  • Hello,

    You can enable debug logging on the DNS server.


    Note:

    1. Tick only the options you need.

    2. Enabling debug logging has some impact on system performance.

    Using server debug logging options

    http://technet.microsoft.com/zh-CN/library/cc776361(v%3Dws.10).aspx

    The Fun in DNS Debug Logging - Read the DNS Debug Log

    http://social.technet.microsoft.com/wiki/contents/articles/13640.the-fun-in-dns-debug-logging-read-the-dns-debug-log.aspx

    Thanks.


    Jeremy Wu

    TechNet Community Support

    • Marked as answer by FisherCui June 19, 2014 3:50
    June 19, 2014 1:50
    Moderator
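Once debug logging of incoming queries is on (packets, incoming, UDP and TCP, queries, on the Debug Logging tab the linked article covers), the remaining work is reading the log the way the CBL notice in the question suggests: find the client IPs that look up long gibberish names. The PowerShell below is an added example, not code from this answer, the thread, or Microsoft. It parses the 2008/2008 R2 debug-log packet lines, decodes the label-encoded names (`(3)www(9)microsoft(3)com(0)`), and ranks clients by how many DGA-looking names they asked for. Assumptions: the log lines follow the en-US layout shown in the constructed sample (the date/time prefix is locale-dependent, so the parser anchors on the fixed fields after the thread ID); `Test-GibberishLabel`'s thresholds and the helper names are hypothetical; and the peer-DC exclusion exists because, as the CBL text warns, a query that your other DNS server forwards to you is logged with that server's IP, not the infected PC's.

```powershell
# Added example, not from the original thread or from Microsoft.
# Parses a Windows Server 2008 / 2008 R2 DNS debug log and ranks clients by how many
# DGA-looking names they asked for. Assumptions: en-US log layout as in the constructed
# sample below; the thresholds in Test-GibberishLabel are heuristics you should tune.

function ConvertFrom-DnsDebugLine {
    param([string]$Line)
    # Everything after the locale-dependent timestamp is fixed:
    #   <thread> PACKET <ptr> <UDP|TCP> <Snd|Rcv> <remote ip> <xid> [R] <Q|N|U|?> [<flags>] <qtype> <qname>
    $re = '^(?<ts>.+?)\s+[0-9A-Fa-f]+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+' +
          '(?<xid>[0-9A-Fa-f]{4})\s+(?<resp>R?)\s*(?<op>[QNU?])\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'
    if (-not ($Line -match $re)) { return $null }   # "Details" dumps and blank lines are skipped
    # Names are logged as length-prefixed labels: (3)www(9)microsoft(3)com(0) -> www.microsoft.com
    $name = ($Matches['qname'] -replace '\(\d+\)', '.').Trim('.').ToLower()
    New-Object PSObject -Property @{
        Timestamp  = $Matches['ts']
        Protocol   = $Matches['proto']
        Direction  = $Matches['dir']            # Rcv = packet from the client, Snd = our reply
        ClientIP   = $Matches['ip']
        IsResponse = ($Matches['resp'] -eq 'R')
        QueryType  = $Matches['qtype']
        Name       = $name
    }
}

function Get-RegistrableLabel {
    param([string]$Name)
    # The label left of the public suffix: foo.ru -> foo, foo.co.uk -> foo (crude suffix handling)
    $labels = $Name.Split('.')
    if ($labels.Count -lt 2) { return $Name }
    $idx = $labels.Count - 2
    if ($labels.Count -ge 3 -and $labels[$labels.Count - 1].Length -eq 2 -and
        @('co', 'com', 'org', 'net', 'ac', 'gov') -contains $labels[$idx]) { $idx-- }
    return $labels[$idx]
}

function Test-GibberishLabel {
    param([string]$Label)
    # DGA labels are long, vowel-poor and run consonants together; brand names rarely do all three
    if ($Label.Length -lt 12) { return $false }
    $vowelRatio = ([regex]::Matches($Label, '[aeiou]')).Count / $Label.Length
    $maxRun = 0
    foreach ($m in [regex]::Matches($Label, '[b-df-hj-np-tv-z]+')) {
        if ($m.Length -gt $maxRun) { $maxRun = $m.Length }
    }
    return ($vowelRatio -lt 0.3 -or $maxRun -ge 5)
}

function Find-SuspiciousDnsClients {
    param([string[]]$Lines, [string[]]$ExcludeServers = @())
    $byClient = @{}
    foreach ($line in $Lines) {
        $rec = ConvertFrom-DnsDebugLine -Line $line
        # Keep only questions received from clients; our own replies are Snd/R lines
        if (-not $rec -or $rec.Direction -ne 'Rcv' -or $rec.IsResponse) { continue }
        # Queries forwarded by the other DC carry that DC's IP, not the infected PC's
        if ($ExcludeServers -contains $rec.ClientIP) { continue }
        if (-not (Test-GibberishLabel -Label (Get-RegistrableLabel -Name $rec.Name))) { continue }
        if (-not $byClient.ContainsKey($rec.ClientIP)) { $byClient[$rec.ClientIP] = @{ Hits = 0; Names = @{} } }
        $entry = $byClient[$rec.ClientIP]
        $entry['Hits'] = $entry['Hits'] + 1
        $entry['Names'][$rec.Name] = $true
    }
    $byClient.Keys | ForEach-Object {
        $entry = $byClient[$_]
        New-Object PSObject -Property @{
            ClientIP          = $_
            SuspiciousQueries = $entry['Hits']
            DistinctNames     = $entry['Names'].Count
            SampleNames       = (@($entry['Names'].Keys | Sort-Object | Select-Object -First 3) -join ', ')
        }
    } | Sort-Object SuspiciousQueries -Descending
}

# Constructed sample (not real log data) in the 2008 R2 en-US layout. 192.168.1.77 plays the
# infected PC, 192.168.1.50 a clean client, 192.168.1.2 the peer DC forwarding a query to us.
$sampleLog = @'
6/16/2014 12:54:40 AM 0C5C PACKET  0000000002A4B4E0 UDP Rcv 192.168.1.50    0001   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)
6/16/2014 12:54:40 AM 0C5C PACKET  0000000002A4B4E0 UDP Snd 192.168.1.50    0001 R Q [8081   DR  NOERROR] A      (3)www(9)microsoft(3)com(0)
6/16/2014 12:54:42 AM 0C5C PACKET  0000000002A4B4E0 UDP Rcv 192.168.1.77    0002   Q [0001   D   NOERROR] A      (20)xbyycitohzwoxghaqubu(2)ru(0)
6/16/2014 12:54:43 AM 0C5C PACKET  0000000002A4B4E0 UDP Rcv 192.168.1.77    0003   Q [0001   D   NOERROR] A      (26)dkvhnzdilfwhzizxczbqfydeus(2)ru(0)
6/16/2014 12:54:44 AM 0C5C PACKET  0000000002A4B4E0 UDP Rcv 192.168.1.77    0004   Q [0001   D   NOERROR] A      (27)zlmfxgwgqdieahvsgtfylrcgufy(3)com(0)
6/16/2014 12:54:45 AM 0C5C PACKET  0000000002A4B4E0 UDP Rcv 192.168.1.2     0005   Q [0001   D   NOERROR] A      (27)zlmfxgwgqdieahvsgtfylrcgufy(3)com(0)
6/16/2014 12:54:46 AM 0C5C PACKET  0000000002A4B4E0 UDP Rcv 192.168.1.50    0006   Q [0001   D   NOERROR] A      (12)safebrowsing(6)google(3)com(0)
'@

# Real use: $lines = Get-Content 'C:\Windows\System32\dns\dns.log'  (whatever path you set on the Debug Logging tab)
$lines = $sampleLog -split "`r?`n"
Find-SuspiciousDnsClients -Lines $lines -ExcludeServers @('192.168.1.2') |
    Format-Table ClientIP, SuspiciousQueries, DistinctNames, SampleNames -AutoSize
```

Run it on the DNS server itself or copy the log off first; the debug log grows quickly with queries enabled, so set a maximum file size on the Debug Logging tab and turn logging off again once the offending client is identified. The heuristic deliberately tests only the registrable label, not the whole name, so long but legitimate subdomains (CDN hostnames, update servers) do not trip it.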
  • Brother, did you solve it? I've run into this problem too. These anti-spam organizations are terrifying; I've checked a lot of things. My head is spinning.

    July 9, 2014 5:04
  • I applied for a trial of Barracuda's spam firewall and found it has little to do with the SMTP port 25 mail server. We still get put on the CBL blacklist every night. It says there is traffic to 72.52.116.52 on port 4643 UDP.

    "the infected PC will also send a UDP packet to IP address 72.52.116.52 on port 4643"

    I have no idea what junk program on the internal network is sending the packets. Still investigating.....

    July 15, 2014 5:37
  • A friend of mine bought a relay-type service that seems to handle it: you can still send even when blacklisted. I also checked all the mail records and they're fine, including SPF. I really don't know what policy these damn anti-spam organizations use. Frustrating. I've found lots of people running into this problem.

    July 17, 2014 9:49
  • If it works well please let me know! I still want to find out where the root cause is.
    July 17, 2014 9:50
  • Add me on QQ, there aren't many people on this forum: 1.6.7.2.1.0.8.8.5
    July 21, 2014 2:33