
receiving random dns queries from behind firewall

globalrevolt

Junior Member
Hello,

I have a firewall setup at home (runs m0n0wall v1.235) and I notice that one of the computers behind the firewall receives random DNS queries every 5 seconds for non-existent domain names ... like etihxdxh.com or dxiitidd.com (usually 8 letters long). I can capture these packets using Wireshark and it appears that these packets are from the router (192.168.1.1:53) to my desktop (192.168.1.198:anything). No other computers behind the same firewall (same subnet) receive these packets. Antivirus software hasn't picked up anything suspicious on this desktop. Any ideas what could be going on?

addendum: Just wanted to add that m0n0wall is set up with DNS forwarding and I have manually entered in Level3 nameservers (4.2.2.x). My ISP is Charter and connecting to their nameservers seems to pass on even more DNS "garbage" to my computer.
 
I believe you are reading the Wireshark data backwards (I looked at your screenshot on the Monowall website). You are seeing a response from your router's DNS Service (192.168.1.1:53) responding to your PC, telling your PC that the DNS name it asked about doesn't exist.
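Added example, not code from the thread: a small Python check over constructed DNS log lines (simplified "time src query rcode" format, times in seconds) that flags a host whose lookups are mostly NXDOMAIN answers for single 8-letter labels at a steady interval, which is the pattern described above. The log format, the extra names and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log: "time src query rcode". The first two names and the
# client 192.168.1.198 come from the thread; the rest are made up for the demo.
SAMPLE_LOG = """\
0.0 192.168.1.198 etihxdxh.com NXDOMAIN
5.0 192.168.1.198 dxiitidd.com NXDOMAIN
10.1 192.168.1.198 qhxtmdpt.com NXDOMAIN
15.0 192.168.1.198 wkrvtbzl.com NXDOMAIN
20.0 192.168.1.198 pmzqdvht.com NXDOMAIN
3.2 192.168.1.50 www.example.com NOERROR
9.7 192.168.1.50 mail.example.net NOERROR
41.0 192.168.1.50 update.example.org NOERROR
"""

def parse(log):
    """Group (time, name, rcode) records by querying client address."""
    events = defaultdict(list)
    for line in log.splitlines():
        t, src, name, rcode = line.split()
        events[src].append((float(t), name.lower(), rcode))
    return events

def looks_random(name):
    """True for a bare 8-letter label under one TLD, like etihxdxh.com."""
    labels = name.rstrip(".").split(".")
    return len(labels) == 2 and re.fullmatch(r"[a-z]{8}", labels[0]) is not None

def score_host(records):
    """NXDOMAIN share, random-looking-name share and timing regularity."""
    records = sorted(records)
    n = len(records)
    nx = sum(1 for _, _, rc in records if rc == "NXDOMAIN") / n
    rnd = sum(1 for _, name, _ in records if looks_random(name)) / n
    gaps = [b[0] - a[0] for a, b in zip(records, records[1:])]
    # A fixed beacon interval (5 s in the thread) gives a tiny spread of gaps.
    regular = len(gaps) >= 3 and statistics.pstdev(gaps) < 0.5
    return {"queries": n, "nxdomain_ratio": nx, "random_ratio": rnd, "regular": regular}

def suspicious_hosts(log, min_queries=4):
    """Return clients whose DNS behaviour matches the beaconing pattern."""
    flagged = {}
    for src, recs in parse(log).items():
        s = score_host(recs)
        if (s["queries"] >= min_queries and s["nxdomain_ratio"] >= 0.8
                and s["random_ratio"] >= 0.8 and s["regular"]):
            flagged[src] = s
    return flagged
```

On the sample above only 192.168.1.198 is flagged; the other client makes too few, irregular, successful lookups.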
 
I guess I wasn't so clear initially, but you're right...it looks as though this particular computer is infected with a worm that is sending out the phony DNS requests. I haven't got the slightest clue what's initiating these requests though..
 
Originally posted by: globalrevolt
I haven't got the slightest clue what's initiating these requests though..
You should be able to use a combination of netstat (built into XP and Vista) and Task Manager to identify the PID (Process ID) of the requesting process and figure out what process is making the requests. If it turns out to be rundll32.exe, you can still determine the actual process with a bit more effort.
 
RM,

I checked to see what it was that's running in the background using 'netstat -ano'
Turns out that four items are 'LISTENING':

port 135 - svchost.exe (network service)
port 445 - System
5729 - services.exe
5734 - services.exe

I've stopped as many services as possible via the MMC, but it appears certain things can't be shut down.
I've tried three different antivirus scanners and antispyware, none of which detect anything unusual.

Any ideas? I'd rather not have to go through the hassle of a reinstall of winxp, etc.
 