Server is sending out dns requests to suspicious sites

Server is sending out DNS requests to some suspicious sites but I am unable to find the process generating the requests.
Methods to find out the offending process were not successful.
E.g. - Tried checking the tcpdump output.
By the time I check the port number from the output with the netstat or lsof command, I can't see any process using the port.
Any other ideas?

Responses

Hi Gladson,

I am not aware of any specific single tool to do it without using a heavy setup like auditd.

At the first impression, nethogs + iftop + lsof did not seem to help you a lot.

Is your server running as active DNS server?

Maybe this can get you started:

watch -n1 netstat -puntea |grep :53

This person had a similar problem to yours. He came up with a simple solution:

Based on the fact that the sending process would be waiting for a DNS response to come, on the same port it sent the request from:

a) Find out the source port of the outgoing DNS request, with iptables -j LOG

b) Use lsof -i UDP: to find out which process is waiting for response on that port.

As the response arrives within milliseconds, he configured the kernel Traffic Controller to delay outgoing packets directed to a specific ip/port (using the tc module netem). This allows one to control the time window in which to query the system about which PID is waiting for the DNS response, on the source UDP port obtained in step a).

https://github.com/mvitale1989/ptrap

Regards,

Dusan Baljevic (amateur radio VK2COT)
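Here is an added shell example of the correlation step in the procedure above (it is not from the thread and not ptrap's own code): it extracts the source port of each outbound UDP/53 packet from iptables LOG lines and looks that port up in `ss -upan` output to find the owning PID. The LOG lines and the `ss` output embedded below are constructed samples; the log prefix "DNSOUT" and the iptables rule in the comments are assumptions for the example. A port whose socket has already closed (the problem described in the question) is reported with "-", which is the case the netem delay is there to avoid.

```shell
#!/bin/sh
# Added example: map outbound DNS source ports (from iptables LOG lines) to PIDs.
# Assumed LOG rule producing the lines below (example, adjust prefix to taste):
#   iptables -I OUTPUT -p udp --dport 53 -j LOG --log-prefix "DNSOUT "
# The outgoing request should be delayed with tc netem (see the ptrap link in
# the thread) so the sending socket is still open when `ss -upan` runs.

# Constructed sample of kernel LOG lines as they would appear in dmesg/journal.
SAMPLE_LOG='kernel: DNSOUT IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=UDP SPT=41234 DPT=53 LEN=40
kernel: DNSOUT IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=UDP SPT=53511 DPT=53 LEN=40
kernel: OTHER IN= OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=55000 DPT=443
kernel: DNSOUT IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12348 DF PROTO=UDP SPT=39000 DPT=53 LEN=40'

# Constructed sample of `ss -upan` output (UDP, all sockets, numeric, with process).
# Note: port 39000 has no socket any more, i.e. the reply already arrived.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:41234       0.0.0.0:*         users:(("curl",pid=4321,fd=5))
ESTAB  0      0      10.0.0.5:53511      10.0.0.2:53       users:(("suspicious",pid=6666,fd=3))'

# dns_source_ports: LOG lines on stdin -> one source port per UDP packet to port 53.
dns_source_ports() {
    awk '/PROTO=UDP/ {
        spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SPT=/) spt = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dpt == "53" && spt != "") print spt
    }'
}

# pid_for_udp_port PORT: ss output on stdin -> PID owning the local UDP port (empty if none).
pid_for_udp_port() {
    awk -v port="$1" '
        $1 == "UNCONN" || $1 == "ESTAB" {
            n = split($4, a, ":")            # Local Address:Port; last field is the port (IPv6 safe)
            if (a[n] == port && match($0, /pid=[0-9]+/))
                print substr($0, RSTART + 4, RLENGTH - 4)
        }'
}

# correlate_dns_ports SS_TEXT: LOG lines on stdin -> "port pid" per request ("-" if socket gone).
correlate_dns_ports() {
    ss_text="$1"
    dns_source_ports | while read -r spt; do
        pid=$(printf '%s\n' "$ss_text" | pid_for_udp_port "$spt")
        printf '%s %s\n' "$spt" "${pid:--}"
    done
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | correlate_dns_ports "$SAMPLE_SS"
# On a live box, with the LOG rule and netem delay in place:
#   journalctl -k --since '-1min' | correlate_dns_ports "$(ss -upan)"
```

The demonstration prints `41234 4321`, `53511 6666` and `39000 -`; the last line is exactly the race the question describes, a socket that was already gone by the time the socket table was read.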

Systemtap can be used to find which process sent udp packets to dns using the example systemtap script who_sent_it.stp, though you may want to extend it to output additional information. This script hooks into netfilter, though you could modify it to hook into udp.sendmsg.

Another systemtap script, nssdns-watch-question places hooks into a library that is used for obtaining dns information. Of course malicious code could avoid calling library code.
