
03/30/2007

Comments

White Roses

And before you say it, BD, you're not a system administrator.  We all know you're Apollo avec un chapeau rouge.

simplyRik

Ahhh, the infamous Windows Ghost in the Machine!  I almost think that every icon on a Windows box tries to "call home."  Call me paranoid, but, like you, that is the exact reason I don't use it at home.

White Roses

Paranoia: the gift of Microsoft to the users.  Where's Tron when you need him?

Blood Dragon

First...watch that "sys admin = Vogon" stuff. I don't want to have to spar you (though if we ever did, we should bloody well sell tickets!).
:-)

Second...guess whose computer had EXACTLY THE SAME ISSUE today? (For those of you elsewhere...he's a contractor at the same $CORP for which I am a full-time employee (a sys admin, but not one he'd be dealing with).)
Yeah. Mine.
My not-in-the-regular-active-directory-group, heavily-firewalled, ridiculously-overprotected, rigorously-cleaned, belonging-to-an-insanely-paranoid-sys-admin laptop was doing exactly that. I got a call from The Goon Squad (er, the security guys). My machine was thrashing the DNS server. I checked my firewall (filseclab, at the moment). Yep. It sure was. Now...when it started doing this...I hadn't started any new processes for over an hour. You know me; you KNOW I don't go to questionable sites (at least not with THAT machine - I use my even-more-protected Linux box for that). I had made NO changes to anything in the OS for over a day.
Yet, there it was. Good ol' svchost, trying to query the DNS server to death.
WTF?
I can't turn off DNS. Duh. I can't deny net access to svchost. Duh. I ran the latest Stinger from McAfee. Nothing. I ran Windows Defender (you can get it updated through Windows Update (or Microsoft Update, the newer version, but you have to have Automatic Updates turned on for that), by the way). Nothing. None of my forensics tools show ANYTHING WRONG with my machine.
I wish I had more time to work on my "replace Work-Windows with Fedora and VMware" project. That would stop this sort of thing. Maybe in another week or two.

Anyway, I join you in having Zero Clue regarding our DNS-Hammering Episodes.

White Roses

Alright, alright, "Windows Admin = Vogon."  Better?

This is anecdotal at best, but one of the things which might have stopped the situation is that I replaced Filseclab with Comodo.  If you are of an inquisitive nature, and have the time for such an exercise, switch over to Comodo.  It's not a guarantee of a fix, but that appears to be the major change I made.  Does it make sense that a firewall would be repeatedly pinging the DNS server?  Maybe . . . if it was trying to isolate another machine that was repeatedly hitting it . . . maybe.

Oh, and I know I can update through Windows Update . . . the problem is, my system is locked out of Windows Update.  I kid you not.  When I try to open the page, it says, "You cannot access this website based on network policy," or some such nonsense.  Hence the title.  Point is, $CORP won't allow me to get to the site in question.  Unbelievable.  I wonder how much longer the latest zero-day exploit will be live on my system because of this policy.
