122.228.198.140 on DNS server

Hello, I'm hoping you can help me with this. I'm a rookie at IT stuff, but I help my company as best that I can. We have Malwarebytes business installed on every computer in our company including our server called WCNCSERVER. This server is also our DNS and DHCP server. I think that when someone tries to access a bad site I get notified that WCNCSERVER had a website blocked. I assume that is because all of the traffic is going through this server.

How can I identify a rogue user or computer? I would assume if it is a company computer that Malwarebytes would have identified the site on the company computer and notified me before it ever made it to the WCNCSERVER. We do not have WiFi so it's not a mobile device.

I have tried Wireshark, but it also shows that the WCNCSERVER is the one trying to access the malicious website.

I've contacted Malwarebytes and they've told me that Malwarebytes is good for blocking the threat, but not for identifying the culprit. The only thing I'm interested in is finding the rogue computer.

Any ideas?

Thank you.

Email:

Alert Time: 5/10/2016 9:59:30 AM
Server Hostname: ENGINEERING-
Server Domain/Workgroup: ENGINEERING
Server IP: 10.10.50.234
Notification Catalog: Client
Description:
Malware threat detected, see details below:

5/10/2016 9:58:36 AM    WCNCSERVER      10.10.50.12     Blocked web site        Type: outgoing, Port: 53936, Process: dns.exe   122.228.198.140

  • Staff

Hi Eric, 

With the IP protection enabled on the server there won't be a way to identify the culprit trying to reach out if all traffic is filtered through that server machine. Any traffic that is deemed malicious will be stopped on the machine that the network traffic originated from.

I did a quick lookup on VirusTotal; the IP is hosted in China, it seems. https://www.virustotal.com/en/ip-address/122.228.198.140/information/

If you really want to find out which host machine is trying to access that ip, you could disable the protection on the server machine, let the host machine touch it, then you will see which machine is the culprit in the client view of the console. But I would highly recommend against it as it sounds like it is a production server. 

I just temporarily disabled Malwarebytes on WCNCSERVER as well as on a client. I went to 122.228.198.140 and Chrome told me it refused to connect. I then tried "ksmobile.net" and that popped up on Wireshark on the server. The destination was 122.228.198.140; however, the source is still the WCNCSERVER IP address.

The site appears to be related to a mobile app software provider. I'm thinking that there was a phone plugged into a computer at my company that installed something that is talking to this IP address. How else can I make the server log where the incoming connection came from?

  • 2 weeks later...
  • Staff

Hi Eric, 

Apologies for the delay, I'm just starting to warm up to frequenting the forums more often. 

There really isn't another way to log where the connection came from as we do not have any forensics in the program as of yet as we are focused more on detection and remediation at this time. 

I'm not sure what would be a better solution for gaining more details on the connection, though you may consider asking our business success team for more possible information.

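The reason Wireshark and the Malwarebytes alert both point at WCNCSERVER is that clients send their DNS queries to the server and the server performs the lookup on their behalf, so every outbound packet carries the server's own address. The one place the originating client survives is the DNS server's own packet log. The following script is an added example, not code from this thread or from Malwarebytes: it parses lines in the text format written by the Windows DNS Server "Log packets for debugging" option (field layout assumed from that feature) and reports which internal hosts asked the server to resolve ksmobile.net. The log lines, hosts and forwarder address are constructed for the example.

```python
import re
from collections import Counter

# Constructed Windows DNS Server debug-log lines ("Log packets for debugging");
# hosts, packet ids, transaction ids and the forwarder 10.10.50.1 are invented.
SAMPLE_LOG = """\
5/10/2016 9:58:35 AM 0B3C PACKET  000000A1F5B3D8A0 UDP Rcv 10.10.50.55     0002   Q [0001   D   NOERROR] A      (8)ksmobile(3)net(0)
5/10/2016 9:58:35 AM 0B3C PACKET  000000A1F5B3E120 UDP Snd 10.10.50.1      7c1d   Q [0001   D   NOERROR] A      (8)ksmobile(3)net(0)
5/10/2016 9:58:36 AM 0B3C PACKET  000000A1F5B3E120 UDP Rcv 10.10.50.1      7c1d R Q [8081   DR  NOERROR] A      (8)ksmobile(3)net(0)
5/10/2016 9:58:36 AM 0B3C PACKET  000000A1F5B3D8A0 UDP Snd 10.10.50.55     0002 R Q [8081   DR  NOERROR] A      (8)ksmobile(3)net(0)
5/10/2016 9:58:40 AM 0B3C PACKET  000000A1F5B3F000 UDP Rcv 10.10.50.23     0a41   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
5/10/2016 9:59:02 AM 0B3C PACKET  000000A1F5B3F1C0 UDP Rcv 10.10.50.55     0003   Q [0001   D   NOERROR] A      (3)api(8)ksmobile(3)net(0)
"""

# One packet per line: timestamp, thread id, PACKET, packet id, proto, Snd/Rcv,
# remote IP, transaction id, optional "R" (response), opcode, [flags], qtype, qname.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) \S+ PACKET\s+\S+ (?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) "
    r"(?P<ip>\S+)\s+(?P<xid>\S+)\s+(?:(?P<resp>R)\s+)?(?P<op>[QNU?])\s+\[[^\]]*\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

def decode_qname(labels):
    """Turn the log's "(8)ksmobile(3)net(0)" label form into "ksmobile.net"."""
    return ".".join(re.findall(r"\(\d+\)([^()]+)", labels)).lower()

def parse_queries(log_text):
    """Yield (timestamp, client_ip, qtype, qname) for queries received from clients.
    Responses (R flag) and the server's own outbound lookups (Snd) are dropped:
    those are the packets that carry only the DNS server's own address."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "Rcv" or m["resp"] or m["op"] != "Q":
            continue
        yield m["ts"], m["ip"], m["qtype"], decode_qname(m["qname"])

def clients_querying(log_text, domain):
    """Map client IP -> number of queries for domain or any name under it."""
    domain = domain.lower().rstrip(".")
    hits = Counter()
    for _ts, ip, _qtype, name in parse_queries(log_text):
        if name == domain or name.endswith("." + domain):
            hits[ip] += 1
    return dict(hits)

if __name__ == "__main__":
    # Which internal hosts asked WCNCSERVER to resolve the name seen in Wireshark?
    for ip, n in sorted(clients_querying(SAMPLE_LOG, "ksmobile.net").items()):
        print(f"{ip} queried ksmobile.net {n} time(s)")
```

Point it at the real dns.log instead of SAMPLE_LOG and the client IP it reports is the machine to inspect, without disabling protection on the server.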