server 2003 R2 firewall reporting my DC/DNS server spyware activity

    General discussion

  • on my Palo Alto Firewall it is reporting under the threats the following with the ip address of my primary DC in my office:

    Name: Suspicious DNS Query (Trojan.patched:cybeitrapp.info)
    ID: 4000360
    Description: This DNS signature detects a DNS query to the domain cybeitrapp.info. Palo Alto Networks has observed this domain to be associated with malware and malicious activity. If multiple threat signatures from a single host are present, this may indicate that the host is compromised.
    Severity:

    I do not use this server to browse the internet, but I am not sure what my boss does (he doesn't). I have ESET NOD32 running on it doing a scan daily at night, but it is not finding anything. Debating on whether I should install Malwarebytes on my DC temporarily to do a scan and see if it finds anything. Any reason I should not go down this road?

    Monday, August 26, 2013 6:08 PM
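    A point worth checking before scanning the DC itself: a DC that also runs DNS resolves on behalf of every workstation, so a perimeter firewall sees the DC's own address as the source of the upstream lookup, while the DNS server's debug log (dns.log under %SystemRoot%\system32\dns by default, once debug logging is enabled) records both the query received from the client and the one forwarded upstream. The parser below is an added example, not part of the thread; the log lines are constructed in the Server 2003 debug-log layout, and the client and forwarder addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Windows Server 2003 DNS debug log layout:
# date time thread PACKET proto Snd/Rcv ip xid [R] Q [flags] type name.
# 203.0.113.53 stands in for the upstream forwarder (assumption).
SAMPLE_LOG = """\
20130826 17:06:44 0F1C PACKET  UDP Rcv 192.168.1.57    0002   Q [0001   D   NOERROR] A      (10)cybeitrapp(4)info(0)
20130826 17:06:44 0F1C PACKET  UDP Snd 203.0.113.53    4a1b   Q [0001   D   NOERROR] A      (10)cybeitrapp(4)info(0)
20130826 17:06:45 0F1C PACKET  UDP Rcv 203.0.113.53    4a1b   R Q [8081   DR  NOERROR] A      (10)cybeitrapp(4)info(0)
20130826 17:06:45 0F1C PACKET  UDP Snd 192.168.1.57    0002   R Q [8081   DR  NOERROR] A      (10)cybeitrapp(4)info(0)
20130826 17:07:01 0F1C PACKET  UDP Rcv 192.168.1.23    0003   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)
20130826 17:07:30 0F1C PACKET  UDP Rcv 192.168.1.88    0004   Q [0001   D   NOERROR] A      (10)cybeitrapp(4)info(0)
"""

LINE_RE = re.compile(
    r"^\d{8} \d\d:\d\d:\d\d \S+ PACKET\s+(?:UDP|TCP) (?P<dir>Snd|Rcv) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+(?P<resp>R )?Q \[[^\]]*\] "
    r"\S+\s+(?P<name>\(\d+\)\S*)"
)

def decode_name(label_form: str) -> str:
    """Turn the log's '(10)cybeitrapp(4)info(0)' form into 'cybeitrapp.info'."""
    labels = re.findall(r"\((\d+)\)([^()]*)", label_form)
    return ".".join(text for length, text in labels if int(length)).lower()

def attribute_queries(log_text: str, watch_domain: str) -> dict:
    """Count client-originated queries (Rcv, not a response) for watch_domain
    or a subdomain of it, per client IP. Upstream 'Snd' queries, which are
    what the firewall attributes to the DC, are counted under 'forwarded'."""
    watch = watch_domain.lower().rstrip(".")
    clients = defaultdict(int)
    forwarded = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-packet lines
        name = decode_name(m["name"])
        if not (name == watch or name.endswith("." + watch)) or m["resp"]:
            continue  # other domains, and responses, say nothing about who asked
        if m["dir"] == "Rcv":
            clients[m["ip"]] += 1
        else:
            forwarded += 1
    return {"clients": dict(clients), "forwarded": forwarded}

if __name__ == "__main__":
    print(attribute_queries(SAMPLE_LOG, "cybeitrapp.info"))
```

    With the real dns.log, a non-empty "clients" map names the workstations to look at first; an empty map with a non-zero "forwarded" count means the DC itself (or a process on it) issued the lookup.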

All replies

  • Hello,

    please contact Palo Alto for support to be sure about correct setup/installation on a DC.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, August 26, 2013 6:14 PM
  • I will, but I would like to make sure there is nothing on that DC first. Is there any concern/reservation about installing Malwarebytes onto the DC to do a full scan before calling them?
    Monday, August 26, 2013 6:53 PM
  • Is there any concern/reservation about installing malwarebytes onto the DC to do a full scan before calling them?

    AFAIK, there's no problem running malwarebytes anti malware on a DC.

    Before that, I would suggest you install the MS Malicious Software Removal Tool, scan the server, and make sure all the latest Windows updates are installed.

    http://www.microsoft.com/security/pc-security/malware-removal.aspx


    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here, are my own and posted AS IS.

    Tuesday, August 27, 2013 7:01 AM
  • I ran the MS Malicious Software Removal Tool and it found nothing. I ran Malwarebytes and it found these. The four on the top are from a Symantec utility we have sitting in that folder, but then it found this. Not sure where it came from or what it does.

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.08.26.06

    Windows Server 2003 Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: FTLFS2 [administrator]

    8/26/2013 5:06:45 PM
    MBAM-log-2013-08-27 (14-56-15).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 323230
    Time elapsed: 44 minute(s), 47 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 2
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{20D6FE0C-6CD5-4F92-8251-F0948CBB3399} (PUP.Optional.Tarma.A) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.Tarma.A) -> No action taken.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 2
    C:\Documents and Settings\All Users\Application Data\Tarma Installer (PUP.Optional.Tarma.A) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{20D6FE0C-6CD5-4F92-8251-F0948CBB3399} (PUP.Optional.Tarma.A) -> No action taken.

    Files Detected: 8
    C:\Symtemp\ESUGReg.exe (Malware.Gen) -> No action taken.   - Symantec
    C:\Symtemp\ESUGRegClient2.exe (Trojan.Dropper) -> No action taken.   - Symantec
    C:\Symtemp\ESUGRegEx.exe (Trojan.Dropper) -> No action taken.  - Symantec
    C:\Symtemp\ESUGRemote.exe (Trojan.Dropper) -> No action taken.  - Symantec
    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{20D6FE0C-6CD5-4F92-8251-F0948CBB3399}\Setup.dat (PUP.Optional.Tarma.A) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{20D6FE0C-6CD5-4F92-8251-F0948CBB3399}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{20D6FE0C-6CD5-4F92-8251-F0948CBB3399}\Setup.ico (PUP.Optional.Tarma.A) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{20D6FE0C-6CD5-4F92-8251-F0948CBB3399}\_Setup.dll (PUP.Optional.Tarma.A) -> No action taken.

    (end)

    Tuesday, August 27, 2013 7:01 PM
  • Hi,

    Based on your description, I know you have run the Microsoft Malicious Software Removal Tool, but found nothing.

    In addition, you ran Malwarebytes and it found some entries related to Symantec utilities and the Tarma Installer. Since you found the DNS query info from the Palo Alto firewall, as Meinolf mentioned, you'd better contact Palo Alto support. You will get better assistance there.

    Palo Alto support

    https://support.paloaltonetworks.com/

    Hope this helps.

    Best regards,

    Justin Gu

    Wednesday, August 28, 2013 11:56 AM