Analysis – DNS Logs: Hijacking

ADD Employment Agency states that somebody seems to be stealing usernames and passwords, but they can't determine exactly what is happening. The only unusual thing they can see is that their web server seems to be responding very slowly.

  • How would you determine where the intruder was obtaining their intrusion tools?
  • How would you determine where the intruder may have offloaded the stolen information?

Sample A –

10:54:12.423228 66.121.2.33748 > 171.159.193.173: 21345 [1au] A? www.bankofamerica.com. (42) (DF)
10:54:21.313293 66.121.2.33748 > 216.239.38.66.53: 53735 [1au] A? www.google.com. (43) (DF)
10:54:27.182852 66.121.2.33748 > 149.174.213.7.53: 19315 [1au] A? www.netscape.com. (45) (DF)
10:54:43.252461 66.121.2.33748 > 66.35.250.11.53: 43129 [1au] A? www.linux.com. (42) (DF) 

Sample B –

10:55:01.193847 66.121.2.33748 > 12.115.29.29: 21345 [1au] A? www.bankofamerica.com. (42) (DF) 
10:55:03.834839 66.121.2.33748 > 216.239.38.66.53: 53735 [1au] A? www.google.com. (43) (DF) 
10:55:18.382739 66.121.2.33748 > 149.174.213.7.53: 19315 [1au] A? www.netscape.com. (45) (DF)
10:55:21.726354 66.121.2.33748 > 66.35.250.11.53: 43129 [1au] A? www.linux.com. (42) (DF)
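As an added example (not part of the original exercise), the following Python script parses the Sample A and Sample B tcpdump lines above and applies the checks an analyst would run to spot a hijacked lookup: which destinations receive queries on UDP/53 (the resolvers this host normally uses), which queries went somewhere else or without port 53, which names changed destination between Sample A and Sample B, and which DNS transaction IDs repeat for the same name across the two captures. The set of legitimate resolvers is an assumption derived from Sample A's port-53 traffic; in a real investigation it should come from the client's DNS configuration. The source field is kept exactly as the page prints it, because the IP/port split of `66.121.2.33748` cannot be recovered from the text.

```python
import re
from collections import defaultdict

# Constructed input: the Sample A and Sample B lines from the page, embedded
# verbatim so the script runs offline.
SAMPLE_A = """\
10:54:12.423228 66.121.2.33748 > 171.159.193.173: 21345 [1au] A? www.bankofamerica.com. (42) (DF)
10:54:21.313293 66.121.2.33748 > 216.239.38.66.53: 53735 [1au] A? www.google.com. (43) (DF)
10:54:27.182852 66.121.2.33748 > 149.174.213.7.53: 19315 [1au] A? www.netscape.com. (45) (DF)
10:54:43.252461 66.121.2.33748 > 66.35.250.11.53: 43129 [1au] A? www.linux.com. (42) (DF)
"""
SAMPLE_B = """\
10:55:01.193847 66.121.2.33748 > 12.115.29.29: 21345 [1au] A? www.bankofamerica.com. (42) (DF)
10:55:03.834839 66.121.2.33748 > 216.239.38.66.53: 53735 [1au] A? www.google.com. (43) (DF)
10:55:18.382739 66.121.2.33748 > 149.174.213.7.53: 19315 [1au] A? www.netscape.com. (45) (DF)
10:55:21.726354 66.121.2.33748 > 66.35.250.11.53: 43129 [1au] A? www.linux.com. (45) (DF)
"""

# tcpdump prints the destination as ip.port; the bank lines carry no port,
# so the port group is optional and parses to None. The source is kept raw.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+"
    r"(?P<txid>\d+)\s+(?:\[[^\]]*\]\s+)?"
    r"(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)\s+\((?P<length>\d+)\)"
)


def parse(text):
    """Return one dict per DNS query line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        rec["txid"] = int(rec["txid"])
        records.append(rec)
    return records


def baseline_resolvers(records):
    """Destinations that received queries on UDP/53 (assumed to be the legitimate resolvers)."""
    return {r["dst"] for r in records if r["dport"] == 53}


def find_hijacked(records, resolvers):
    """Queries that did not go to a known resolver on port 53."""
    return [(r["qname"], r["dst"], r["dport"]) for r in records
            if r["dport"] != 53 or r["dst"] not in resolvers]


def destination_changes(records_a, records_b):
    """Names whose query was sent to a different destination in the two samples."""
    def dests(records):
        d = defaultdict(set)
        for r in records:
            d[r["qname"]].add((r["dst"], r["dport"]))
        return d
    a, b = dests(records_a), dests(records_b)
    return {name: (a[name], b[name]) for name in a.keys() & b.keys() if a[name] != b[name]}


def reused_txids(records_a, records_b):
    """(qname, txid) pairs present in both captures. A resolver normally picks a
    fresh random ID per query, so repeats across captures are worth a closer look."""
    ids_a = {(r["qname"], r["txid"]) for r in records_a}
    ids_b = {(r["qname"], r["txid"]) for r in records_b}
    return sorted(ids_a & ids_b)


if __name__ == "__main__":
    a, b = parse(SAMPLE_A), parse(SAMPLE_B)
    resolvers = baseline_resolvers(a)  # assumption: Sample A's port-53 peers are legitimate
    print("known resolvers:", sorted(resolvers))
    for label, recs in (("A", a), ("B", b)):
        for qname, dst, dport in find_hijacked(recs, resolvers):
            print(f"sample {label}: {qname} sent to {dst} port {dport} (not a known resolver on 53)")
    for name, (da, db) in destination_changes(a, b).items():
        print(f"{name}: destination changed {sorted(da, key=str)} -> {sorted(db, key=str)}")
    print("txids repeated across samples:", reused_txids(a, b))
```

Run as-is: the only query flagged in either sample is the one for www.bankofamerica.com., which goes to a host that is not one of the three resolvers and carries no port 53, and it is also the only name whose destination differs between the two captures. That is the line an analyst would pivot on next, by pulling the full packet capture for those two destination addresses and checking what the web server subsequently connected to.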