IT discussion: Is malware the cause of a DNS server error?

Introducing the new IT Knowledge Exchange Take a look at the brand-new ITKE, which now provides instant access to thousands of questions and answers created by your peers. The revamped design allows you to share real-world information and knowledge in real time. Take a tour of the new ITKE today.

ITKE member kfettig posed the following question:
There are two users in my office who are suddenly unable to access some Internet sites that they have always been able to access before. I am able to navigate to the sites from other machines in the office with no problems. The two users who are having problems are receiving the "page cannot be displayed" message when they attempt to go to some sites; at the bottom of the error page, it states "DNS error or server cannot be found."

They are able to access other Internet sites with no problems. It's not the sites themselves having problems because I am able to get to them from other computers...I've tried adjusting the security settings in the browsers, but it has not made a difference. Nothing has changed on the network or on the machines; no new software or hardware has been installed. There are no viruses resident on either machine. Please help if you can!

ITKE member ghigbee responded:
A quick test to see if [the problem computers] have cached bad DNS entries would be to ping one of the Web sites from a machine that works and compare the resolved address to the address resolved on a machine that didn't work. If the entries don't match, [perform] ipconfig /flushdns [,a command that resets the contents of the DNS client resolver cache,] and try it again to see if that clears up the issue.

You can also check their hosts file, [a computer file that maps host names to IP addresses], to see if something has placed entries in there. There have been some viruses that write entries to your hosts file.

ITKE member astronomer added:
[Ghigbee] had a good idea about checking the hosts file, but I suggest you use nslookup, [a program used to find a host's corresponding IP address], on both working and non-working systems. Are they getting information from the same DNS server? If the systems are the same, they should get identical information. If they do, and there are still differences, I would suspect redirection or similar malware causes.

Start your own security blog Let us host your blog on a network where thousands of IT professionals gather to ask questions, search for answers and collaborate with other IT pros.

kfettig replied:
Thank you, astronomer. I never thought to compare DNS servers, and sure enough, the machines that weren't working were pointing to a different DNS server. I don't believe that anyone changed those settings. Could malware have done it? I can't tell you how appreciative I am...

astronomer wrote back:
Malware could definitely have done it. You would be shocked and disturbed at what is now happening with Javascript. I watched a demo where the presenter uploaded script to an IIS server, downloaded it with an innocent client, (just by clicking on the link), and compromised the client. He installed a keylogger and showed the recent common [Web sites that were visited]. After this, he showed, on his hack server, the username and password used for the e-commerce site. Then he scanned the local net, found the DSL modem, and cracked it using the manufacturer's default admin and password. This is the next big vulnerability area.

Read all of today's featured ITKE tip, and keep the discussion alive.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Application and Platform Security,   Web Security Tools and Best Practices,   Web Server Threats and Countermeasures,   Web Application and Web 2.0 Threats,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Preventing SQL injection attacks: A network admin's perspective Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network access control technology: Over-hyped or underused? Screencast: Smoothwall offers firewall defense in lean times Screencast: Samurai offers pen-testing nirvana Web Server Threats and Countermeasures VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Symantec acquires Mi5 Networks, bolsters Web security Web Application and Web 2.0 Threats Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Kaspersky system analyzes malicious URLs on Twitter for malware Pushdo botnet uses Facebook to spread malicious email attachment Do Facebook URL security concerns justify blocking social networks? Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Massive phishing scheme affects Microsoft Hotmail accounts Phishing websites, rogue antivirus skyrocket in 2009 An enterprise strategy for Web application security threats RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cache cramming  (SearchSecurity.com) content filtering  (SearchSecurity.com) Web filter  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.