Jump to content

MBAM Protection Log - what is it telling me


Recommended Posts

Hello - 

 

I am seeing these type of event logged on a server within my infrastructure.  The server is a Windows 2K8 R2 server with DNS running.

 

What I am trying to determine is whether or not the server is compromised OR is this blocked as a result of a desktop using this server for DNS.  The ID (PKEA) looks interesting as well.

 

 

Logged event - 

 

2013/11/06 09:56:14 -0600 SWANKMPXXX PKEA IP-BLOCK 95.211.117.206 (Type: outgoing, Port: 54385, Process: dns.exe)

 

 

 

Link to post
Share on other sites

  • Root Admin

DNS did a lookup on that IP which is not uncommon.

 

Network Ports Used by DNS

 

If you open the Logs tab of the program and find the most recent Protection log then copy all and post it back here that will help to see what's going on.

If the file is too big you can attach it by clicking on the "More reply Options" button on the bottom right.

Link to post
Share on other sites

Hi Ron - thanks for the viewing.  Here is the entire log contents:

 

2013/11/06 09:00:39 -0600 SWANKMPDC5 pkea IP-BLOCK 195.39.196.43 (Type: outgoing, Port: 53780, Process: dns.exe)

2013/11/06 09:00:47 -0600 SWANKMPDC5 pkea IP-BLOCK 195.39.196.43 (Type: outgoing, Port: 55617, Process: dns.exe)
2013/11/06 09:55:50 -0600 SWANKMPDC5 (null) IP-BLOCK 216.55.178.173 (Type: outgoing, Port: 54096, Process: dns.exe)
2013/11/06 09:55:50 -0600 SWANKMPDC5 (null) IP-BLOCK 95.211.117.206 (Type: outgoing, Port: 54096, Process: dns.exe)
2013/11/06 09:55:58 -0600 SWANKMPDC5 (null) IP-BLOCK 216.55.178.173 (Type: outgoing, Port: 54043, Process: dns.exe)
2013/11/06 09:55:58 -0600 SWANKMPDC5 (null) IP-BLOCK 95.211.117.206 (Type: outgoing, Port: 54043, Process: dns.exe)
2013/11/06 09:55:58 -0600 SWANKMPDC5 (null) IP-BLOCK 95.211.117.206 (Type: outgoing, Port: 54847, Process: dns.exe)
2013/11/06 09:55:58 -0600 SWANKMPDC5 (null) IP-BLOCK 216.55.178.173 (Type: outgoing, Port: 54847, Process: dns.exe)
2013/11/06 09:56:06 -0600 SWANKMPDC5 (null) IP-BLOCK 95.211.117.206 (Type: outgoing, Port: 54456, Process: dns.exe)
2013/11/06 09:56:14 -0600 SWANKMPDC5 (null) IP-BLOCK 216.55.178.173 (Type: outgoing, Port: 54456, Process: dns.exe)
2013/11/06 09:56:14 -0600 SWANKMPDC5 (null) IP-BLOCK 95.211.117.206 (Type: outgoing, Port: 54385, Process: dns.exe)
2013/11/06 09:56:14 -0600 SWANKMPDC5 (null) IP-BLOCK 216.55.178.173 (Type: outgoing, Port: 54385, Process: dns.exe)
2013/11/06 11:04:55 -0600 SWANKMPDC5 (null) IP-BLOCK 195.39.196.43 (Type: outgoing, Port: 55193, Process: dns.exe)
2013/11/06 11:42:12 -0600 SWANKMPDC5 (null) IP-BLOCK 75.126.200.234 (Type: outgoing, Port: 53912, Process: dns.exe)
2013/11/06 15:00:29 -0600 SWANKMPDC5 kevind IP-BLOCK 89.108.64.2 (Type: outgoing, Port: 54925, Process: dns.exe)
2013/11/06 15:00:29 -0600 SWANKMPDC5 kevind IP-BLOCK 89.108.64.2 (Type: outgoing, Port: 54242, Process: dns.exe)
2013/11/06 15:00:29 -0600 SWANKMPDC5 kevind IP-BLOCK 89.108.64.2 (Type: outgoing, Port: 56072, Process: dns.exe)
2013/11/06 15:07:42 -0600 SWANKMPDC5 kevind IP-BLOCK 220.90.213.240 (Type: outgoing, Port: 54633, Process: dns.exe)
2013/11/06 15:07:42 -0600 SWANKMPDC5 kevind IP-BLOCK 220.90.213.240 (Type: outgoing, Port: 56075, Process: dns.exe)
2013/11/06 15:07:42 -0600 SWANKMPDC5 kevind IP-BLOCK 220.90.213.240 (Type: outgoing, Port: 54633, Process: dns.exe)
Link to post
Share on other sites

  • Root Admin

Well its not a massive ongoing block.  Is this a Domain Controller or does it host DNS Services for your network?

It might warrant looking at it further in the malware removal forum.

 

IP address: 95.211.117.206
Host name: hosted-by.leaseweb.com
95.211.117.206 is from Netherlands(NL) in region Western Europe

 

IP address: 216.55.178.173
Host name: 216-55-178-173.dedicated.codero.net
216.55.178.173 is from United States(US) in region North America

 

IP address: 195.39.196.43
Host name: ns1.imena.com.ua
195.39.196.43 is from Ukraine(UA) in region Eastern Europe

 

Please start a new topic in this forum:   https://forums.malwarebytes.org/index.php?showforum=7

 

Include a link to this topic as well.

 

Thanks

Link to post
Share on other sites

That is great feedback.  I will open a thread like you have suggested.  This is a DC with DNS services running . Are you saying these events indicate 100% that the machine has been compromised.  Is it possible that a client machine is compromised and that machine is using this DNS server for name resolution?  Thanks Ron

Link to post
Share on other sites

  • Root Admin

No, on the contrary I don't think it is infected.   A DC with DNS has to map the zones for all kinds of sites as that's its job.  So the fact of it reaching out to that site can trigger a block.

 

Having someone assist you though to double check may be prudent but you have to realize that the vast majority of tools and the training of Helpers is all geared towards desktop computers not servers.  So testing a server will sometimes require other tools and when it comes time for a reboot that can be difficult to coordinate for a server.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.