nslookup returns a false result for a specific domain

use*_*825 2 dns malware windows-server-2012

I just noticed some very strange and worrying results when I tried to nslookup one of my domain names from one of my hosted virtual servers.

The domain [mydomain].info resolves to [mydomain].info.com.au and lists 4 IPs that I don't use.

This only happens on one server, and only for this domain and its subdomains (from the tests I've done).

Things I've tried...

1) "ipconfig /flushdns". No effect.

2) Checked the hosts file. Nothing suspicious.

3) I've checked the registry for entries associated with the DNSChanger virus, but I can't see anything suspicious.

4) Changed the DNS servers on the connected interface. nslookup shows the new DNS server, but the result is the same.

5) Scanned nslookup.exe for viruses, but nothing came up. Also, if I run the query using this executable from another computer, the result is correct.

I don't know whether this means my server has actually been compromised, or whether my hosting provider might be doing something dodgy with outbound DNS lookups.

The server is Windows Server 2012.

Apart from this DNS issue the server is running fine. I haven't observed any other strange behaviour.

If anyone has any suggestions they would be much appreciated. This is a live production server hosting many client websites, so it is stressing me out quite a bit.

As requested, here is the output. Sorry, I don't want to show the actual domain name because it is personally identifiable. But I have verified that the domain records are correct.


PS C:\scripts> nslookup [mydomain].info
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    [mydomain].info.com.au
Addresses:  52.3.124.67
          52.201.189.141
          54.85.85.70
          52.5.111.221

PS C:\scripts>

After more investigation, it looks like it's not just my domain. It happens with any .info domain. I've included the nslookup results with debug turned on...

> somedomain123123.info
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 74, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        somedomain123123.info.hosting24.com.au, type = A, class = IN
    AUTHORITY RECORDS:
    ->  hosting24.com.au
        ttl = 1799 (29 mins 59 secs)
        primary name server = ns1.web24.net.au
        responsible mail addr = dns.web24.net.au
        serial  = 2016060205
        refresh = 7200 (2 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 75, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        somedomain123123.info.hosting24.com.au, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  hosting24.com.au
        ttl = 1799 (29 mins 59 secs)
        primary name server = ns1.web24.net.au
        responsible mail addr = dns.web24.net.au
        serial  = 2016060205
        refresh = 7200 (2 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 76, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 4,  authority records = 0,  additional = 0

    QUESTIONS:
        somedomain123123.info.com.au, type = A, class = IN
    ANSWERS:
    ->  somedomain123123.info.com.au
        internet address = 52.5.111.221
        ttl = 59 (59 secs)
    ->  somedomain123123.info.com.au
        internet address = 52.201.189.141
        ttl = 59 (59 secs)
    ->  somedomain123123.info.com.au
        internet address = 52.3.124.67
        ttl = 59 (59 secs)
    ->  somedomain123123.info.com.au
        internet address = 54.85.85.70
        ttl = 59 (59 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 77, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        somedomain123123.info.com.au, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  info.com.au
        ttl = 899 (14 mins 59 secs)
        primary name server = ns1.info.com.ru
        responsible mail addr = hostmaster.info.com
        serial  = 2016052612
        refresh = 7200 (2 hours)
        retry   = 900 (15 mins)
        expire  = 1209600 (14 days)
        default TTL = 86400 (1 day)

------------
Name:    somedomain123123.info.com.au
Addresses:  52.5.111.221
          52.201.189.141
          52.3.124.67
          54.85.85.70

My hosting provider is web24.com.au, which is presumably where hosting24.com.au comes from.

Voj*_*nal 6

Use:

nslookup
> set debug
> [mydomain].info

to see the details of your DNS query.

You probably have the primary DNS suffix on the server configured as com.au. The problem is probably that [mydomain].info.com.au exists, so that is the result you get.
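A way to confirm the suffix-appending explanation from the answer above, as an added PowerShell example that is not part of the original question or answer. It assumes the DnsClient module cmdlets shipped with Windows Server 2012 (Get-DnsClientGlobalSetting, Get-DnsClient, Resolve-DnsName), and uses mydomain.info as a placeholder for the real domain.

```powershell
# Added example (not from the original post). Replace the placeholder domain.
param([string]$Domain = 'mydomain.info')   # placeholder, not a real target

# 1. Show the suffixes the DNS client may append to an unqualified name.
$g = Get-DnsClientGlobalSetting
Write-Host "Suffix search list : $($g.SuffixSearchList -join ', ')"
Write-Host "Devolution enabled : $($g.UseDevolution) (level $($g.DevolutionLevel))"
Get-DnsClient | Where-Object ConnectionSpecificSuffix | ForEach-Object {
    Write-Host "Interface '$($_.InterfaceAlias)' suffix: $($_.ConnectionSpecificSuffix)"
}

# 2. Resolve the name with and without a trailing dot. The trailing dot marks the
#    name as fully qualified, so no suffix is appended. -DnsOnly skips the hosts
#    file, LLMNR and NetBIOS so the comparison is purely DNS.
function Resolve-Compare([string]$Name, [string]$Server) {
    $bare = Resolve-DnsName -Name $Name    -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $fqdn = Resolve-DnsName -Name "$Name." -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Requested     = $Name
        BareAnswerFor = ($bare | Where-Object IPAddress | Select-Object -First 1).Name
        BareIPs       = (($bare | Where-Object IPAddress).IPAddress | Sort-Object) -join ','
        FqdnIPs       = (($fqdn | Where-Object IPAddress).IPAddress | Sort-Object) -join ','
    }
}

$r = Resolve-Compare -Name $Domain -Server '8.8.8.8'
$r | Format-List

# 3. Interpret the result. If the bare query answered for a longer name that starts
#    with what we asked for, a suffix was appended locally; the trailing-dot query
#    shows what the resolver actually holds for the real name.
if ($r.BareAnswerFor -and $r.BareAnswerFor -ne $Domain -and $r.BareAnswerFor.StartsWith("$Domain.")) {
    Write-Warning "Suffix appended: '$Domain' was resolved as '$($r.BareAnswerFor)'. Check the suffix settings above."
} elseif ($r.BareIPs -ne $r.FqdnIPs) {
    Write-Warning "Bare and fully qualified answers differ for another reason; inspect the resolver path."
} else {
    Write-Host "No suffix appending detected; both forms return: $($r.FqdnIPs)"
}
```

If the trailing-dot query returns the records you expect while the bare query answers for the .com.au name, the cause is the server's DNS suffix configuration rather than a poisoned cache or a tampered resolver.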