Hello everyone.
I wanted to first ask this question. I assume most of you know about the DNS changer malware that is going around. If not, visit this link. ---> http://www.dcwg.org/
Does anyone have a procedure to check to see if their servers have been affected?
If not, I am currently working on one; I haven't finished it yet. I'm new to Java and struggling along to make a script.
IF True THEN Execute shell command Parameter1 : netsh interface ip show dnsservers
That's where I am at so far. The netsh interface ip show dnsservers command is going to give you what your current DNS address is, but then you need to compare it to the list of IPs that are supplied. After you have it compared to the current list of bad IPs, I was going to have it throw an alert if any were changed and send me an email. Here is the current list of bad IPs that the DNS changer changes them to:
64.28.176.0
64.28.176.0/20
Here's a simple script that should get you going (it only searches for one subnet but you can easily add the rest):
Dim i, x, objWMIService, strComputer, colNicConfigs, objNicConfig, strDNSServer
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colNicConfigs = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
For Each objNicConfig In colNicConfigs
    ' Adapters with no DNS servers configured return Null here
    If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
        For Each strDNSServer In objNicConfig.DNSServerSearchOrder
            ' ************** Search the first subnet 85.255.112.0/20 ************
            ' Host octet runs 0 To 255: .0 and .255 are ordinary addresses inside a /20
            For i = 112 To 127
                For x = 0 To 255
                    If strDNSServer = "85.255." & i & "." & x Then
                        WScript.Echo "Big Problem Here - " & strDNSServer
                    End If
                Next
            Next
            ' **************************************************************************
        Next
    End If
Next
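The check described in the first post (pull the current resolvers, compare them against the bad ranges, alert on a hit) and the subnet loop in the script above, as an added example in Python that is not from this thread or from Kaseya: it parses a constructed sample of the netsh output and tests each resolver for CIDR membership, so each range is one test rather than 16 x 256 string comparisons. The first two ranges are the ones named in this thread; the other four are the remaining ranges from the DCWG list.

```python
import ipaddress
import re

# Known-bad DNSChanger resolver ranges as CIDR blocks. The first two are the
# ones named in the thread; the other four are the rest of the DCWG list.
BAD_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "64.28.176.0/20", "67.210.0.0/20",
    "93.188.160.0/21", "77.67.83.0/24", "213.109.64.0/20",
)]

# Constructed sample of "netsh interface ip show dnsservers" output: the first
# adapter has a static resolver inside 85.255.112.0/20, the second is clean.
SAMPLE_NETSH = """\
Configuration for interface "Local Area Connection"
    Statically Configured DNS Servers:    85.255.113.9
                                          8.8.8.8
    Register with which suffix:           Primary only
Configuration for interface "Wireless Network Connection"
    DNS servers configured through DHCP:  192.168.1.1
    Register with which suffix:           Primary only
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_netsh_dns(text):
    """Return {interface: [resolver, ...]} parsed from the netsh output."""
    servers, current = {}, None
    for line in text.splitlines():
        m = re.match(r'Configuration for interface "(.+)"', line)
        if m:
            current = m.group(1)
            servers[current] = []
        elif current is not None:
            servers[current].extend(IPV4.findall(line))
    return servers

def find_bad_resolvers(servers):
    """Return (interface, resolver, range) for each resolver inside a bad
    range; one CIDR test per address replaces the nested octet loops."""
    hits = []
    for iface, addrs in servers.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            for net in BAD_RANGES:
                if ip in net:
                    hits.append((iface, addr, str(net)))
    return hits

if __name__ == "__main__":
    for iface, addr, net in find_bad_resolvers(parse_netsh_dns(SAMPLE_NETSH)):
        print(f"Big Problem Here - {iface}: {addr} is in {net}")
```

On a real Windows host, replace SAMPLE_NETSH with the captured stdout of `netsh interface ip show dnsservers` (for example via subprocess.run) and raise the alert or send the email whenever find_bad_resolvers returns a non-empty list.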
There is a full example VBS script that seems to work well that I'm using on our systems.
I got it from www.chrisdunn.name/.../162-dnschanger-malware-infection-test-script
You could make a custom view to quickly see if any of your agents have those DNS servers. It's not perfect, but you could use something like this in the "DNS Server 1" field (and second view for "DNS Server 2"):
"213.109.*" OR "64.28.*" OR "67.210.*" OR "77.67.*" OR "85.255.*" OR "93.188.*"
You'll have to look carefully from the Agent Status page and make sure any matches truly fit in those ranges.
Not quite what I was after but I will do that if it comes down to it.
Has anyone had any luck with testing this? I set up a test machine with an agent and set the DNS to:
DNS Servers . . . . . . . . . . . : 85.255.112.0
                                    85.255.127.255
For a View Filter I used
Advanced agent data filter > Define Filter
DNS Server 1: "85.255.*" OR "67.210.*" OR "93.188.*" OR "77.67.*" OR "213.109.*" OR "64.28.*"
I then used Kaseya Live Connect and clicked the "Audit Now" button under the Audit Information section. Maybe I ran the wrong audit, because Kaseya still shows the PC with the "normal DNS" settings instead of the "infected DNS" settings.
I guess I'll let it sit for a bit and see how it goes :D but I thought I'd check to see if anyone else had any luck getting this to work.
SMason,
I thought about this and I'm not sure it would work, as some workstations can have more than 2 DNS addresses. You can only view two in the agent status filters.
True... there are potentially multiple adapters.
From a scripting standpoint, this is a bit of an interesting challenge. Mainly because the IP ranges in question are huge. I'll think about it.
I like it. Goooood.
Perfect thank you very much Jonathan!