Well I have no idea what the name of the Trojan horse was.
But, our DNS server was down.
And I still had DNS querys over the network.
I thought that was strange. But I thought.. "Oh Well"
So, some time later on some PCs started to show Trojan behavior.
(Minesweeper autostarting etc)
I thought, oh damn.
So I started scanning for problems.
Till I found something with a sniffer.
We did send a DNS Query that did held Critical data..
Our work statsions do run a Virus Scanner.
But I think its not yet logged. I confiscated a PC that did show that weird
behavior and I am looking for the infected files.
If found Ill share it with the net.
Tek Bahadur Limbu wrote:
>
> Hi Robin,
>
> Robin-Vossen wrote:
>> Hello,
>> I wonder is there a way to log all DNS requests that go out of our
>> network
>> with Squid.
>> Since I noticed that we had a Trojan Horse on our Company Network.
>> And well it didnt send it self the data out.
>> It did send DNS Querys to there DNS Server..
>> And a Firewall doesnt detect that.
>> Is there a way to Log the DNS Querys with Squid so I can Monitor that
>> myself?
>
> Are you runing Squid transparently? As Thomas pointed out, Squid does
> not see DNS queries on your network. That's the job of your DNS servers
> and your gateway firewall.
>
> You can only log the DNS queries that your Squid box actually makes to
> your DNS servers.
>
> You can use the following option in your squid.conf:
>
> dns_nameservers IP.OF.YOUR.DNSSERVER
>
> One way is to run a local DNS caching name server on the Squid box
> itself and point your clients machines to this caching name server which
> then forwards the DNS requests to your actual DNS servers.
>
> Probably the better way is to block the unwanted DNS queries on your DNS
> servers or gateway firewall.
>
> Just curious, which Trojan Horse did you detect in your network? When
> you say that your firewall does not detect them, do you mean a firewall
> running on your clients' machines or on your Gateway firewall itself?
>
> Thanking you...
>
>
>>
>> Thanks alot.
>> Cheers,
>> Robin
>
>
> --
>
> With best regards and good wishes,
>
> Yours sincerely,
>
> Tek Bahadur Limbu
>
> System Administrator
>
> (TAG/TDG Group)
> Jwl Systems Department
>
> Worldlink Communications Pvt. Ltd.
>
> Jawalakhel, Nepal
>
> http://www.wlink.com.np
>
> http://teklimbu.wordpress.com
>
>
-- View this message in context: http://www.nabble.com/Squid-to-Log-DNS-Querys-tf4730318.html#a13531298 Sent from the Squid - Users mailing list archive at Nabble.com.Received on Thu Nov 01 2007 - 09:45:18 MDT
This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:01 MST