Meraki

Community

MX Events: IDS Alerts: INDICATOR COMPROMISE: Suspicious .top dns query

Solved
mcoomber
Getting noticed
‎Sep 21 2021 9:17 AM
‎Sep 21 2021 9:17 AM

MX Events: IDS Alerts: INDICATOR COMPROMISE: Suspicious .top dns query

Hi,

The MX Events constantly gives me the IDS Alerts: INDICATOR COMPROMISE: Suspicious .top dns query event.

Whats worrying is that the source is from my Domain Controller and the destination is to dns.google. 

I've also got an android device which I am yet to identify since it appears with its mac address having the same alert.

 

Added to that, today, I have seen an event from an external IP Address source to a device within my network with a SERVER-WEBAPP: PHPUnit PHP remote code execution attempt and a GPON Router authentication bypass and command injection attempt. 

 

Any help is welcome.

Thanks

Labels:
0 Kudos
1 Accepted Solution
Greenberet
Head in the Cloud
‎Sep 22 2021 5:56 AM
‎Sep 22 2021 5:56 AM

Hey,

 

about the .top dns query: I think it's completely normal, that it comes from your DC.

Is your DC also a DNS Server for your clients?

The request ist probably going from the Client to the DC and the DC doesn't know anything about the .top domain -> it is requesting the information from a public dns query.

From my experience these .top domain requests are coming from android apps which are having ads.

 

Sadly the other 2 attacks are completely normal.

You have a webservice which is available from the world over e.g. port 80. Attackers are trying to breach into your network with different techniques. The MX has detected in this case 2 attempts and has blocked/reported them (depending on your configuration).

Btw to 99% it's not that they want to breach into YOUR network. They are just trying it on public reachable services all over the world and your network was just part of the try.

View solution in original post

3 Replies 3
Greenberet
Head in the Cloud
‎Sep 22 2021 5:56 AM
‎Sep 22 2021 5:56 AM

Hey,

 

about the .top dns query: I think it's completely normal, that it comes from your DC.

Is your DC also a DNS Server for your clients?

The request ist probably going from the Client to the DC and the DC doesn't know anything about the .top domain -> it is requesting the information from a public dns query.

From my experience these .top domain requests are coming from android apps which are having ads.

 

Sadly the other 2 attacks are completely normal.

You have a webservice which is available from the world over e.g. port 80. Attackers are trying to breach into your network with different techniques. The MX has detected in this case 2 attempts and has blocked/reported them (depending on your configuration).

Btw to 99% it's not that they want to breach into YOUR network. They are just trying it on public reachable services all over the world and your network was just part of the try.

In response to Greenberet
mcoomber
Getting noticed
‎Sep 23 2021 3:18 AM
‎Sep 23 2021 3:18 AM

Hi,

Thanks for your response.

Yes, my DC is also a DNS Server for my clients. 

 

Your answer gives me some relief. 

0 Kudos
ravipatel
Conversationalist
a month ago
a month ago

How to protect our inhouse AD server because coming multiple IDS alret in our AD DNS   

Ravi
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.