07-18-2012 12:51 PM
Been seeing lots of detections for this threat, but the attackers are external and are trying to reach our internal DNS servers. We have checked those DNS servers along with going over other traffic and AV consoles looking for bots/trojans. Any ideas why I would be seeing the Torpig phone home DNS request threat from outside attempting to reach internal DNS servers?
07-18-2012 02:47 PM
If outside means Internet then you will most likely see all sorts of shit that's out there.
It seems not uncommon that the noise level on the Internet (various bots and other junk) is 1-3kbit/s per IP address (based on own experience, might vary in your area 😉)
So in your case if some Internet IP addresses try to get to your DNS servers (which happen to have public IPs but security rules will block incoming requests from Internet) then you can use tcpdump through your Internet router to verify the content of these packets and if you believe they are false positives then send it to the appid team?