We've been getting frequent occurrences of PRTG Probe.exe sending out DNS lookups for sites Cisco Umbrella flags as malicious. For example it's looked up mail.kb8zgl.net and hourmediagroup.com within the past 24 hours. Both of these requests were blocked by Cisco Umbrella.
Could anyone shed some light on why this could be happening? I don't see how this behavior is tied to any sensor.
Article Comments
Not intentionally. The only sensors I can think of that would be looking up host addresses are the built-in Office 365 sensor, a couple of HTTPS sensors for some cloud service endpoints which we have the A records for, and an HTTPS sensor for our website that is hosted by HubSpot.
Is there a way to see which sensor is making the requests? Like some debug logging?
Sep, 2019 - Permalink
Hello Ryan,
We are not able to find any connection between PRTG and the mentioned sites. So if the sites are not entered in any sensors, then it is unlikely that the lookups come from PRTG.
Does this happen in regular intervals, for example 60 seconds, or 5 minutes? Since if it does come from a sensor it would happen every scanning interval of that sensor.
Sep, 2019 - Permalink
That's the fun part: it does not happen at any regular interval. Do any sensors like NetFlow attempt to resolve DNS names that come across?
Sep, 2019 - Permalink
Hard to say, but if there is no sensor for this page then most likely your probe system got compromised.
I work in a highly restricted environment with audits and so on; PRTG does not use such websites. Also, the mentioned interval is important, because every sensor is polled at its interval (as long as the probe is not overloaded with sensors :) ).
So the next option is that the system got compromised.
Another option is that some other colleague tried to resolve these domains.
Sep, 2019 - Permalink
So I figured out it is definitely related to NetFlow/sFlow sensors. If I pause all my flow sensors the PRTG Probe.exe process stops resolving seemingly random addresses.
I can still see the expected DNS sensor queries but those are using a svchost.exe process. These suspicious queries are coming from the PRTG Probe.exe process itself. I have pcap traces and process monitor logs I can share if you are interested.
I am thinking PRTG attempts to find IP addresses for the URLs it sees in flow logs. Can you confirm this?
If that is correct it indicates there is something rotten in my environment but these queries are a symptom, not the cause.
Sep, 2019 - Permalink
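The post above reaches the useful conclusion: the probe's lookups are a symptom, and the real question is which internal host produced the flow that made the probe resolve the flagged name. The following triage script is an added example written for this thread, not code from the original post or from Paessler; it assumes the probe reverse-resolves flow destinations (a constructed PTR table stands in for that), and the DNS log, flow records and addresses are all constructed sample data using documentation IP ranges.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: DNS queries seen from the probe host, as (process, queried name, verdict).
# The names mirror the two mentioned in the thread; the process names are as reported there.
PROBE_DNS_LOG = [
    ("PRTG Probe.exe", "mail.kb8zgl.net", "blocked"),
    ("svchost.exe", "www.example.com", "allowed"),      # a normal DNS sensor check
    ("PRTG Probe.exe", "hourmediagroup.com", "blocked"),
]

# Constructed PTR answers for flow destinations (assumption: the probe reverse-resolves
# the IPs it sees in flows; these addresses are documentation ranges, not real hosts).
PTR_TABLE = {
    "203.0.113.10": "mail.kb8zgl.net",
    "198.51.100.7": "hourmediagroup.com",
    "192.0.2.25": "www.example.com",
}

# Constructed flow records as exported to the probe: (src, dst, dst_port, bytes).
FLOWS = [
    ("10.0.5.23", "203.0.113.10", 25, 1200),
    ("10.0.5.23", "198.51.100.7", 443, 48000),
    ("10.0.9.4", "192.0.2.25", 443, 900),
    ("10.0.5.23", "192.0.2.25", 443, 300),
]

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space


def flagged_names(dns_log, process="PRTG Probe.exe"):
    """Names the given process queried that the resolver (e.g. Umbrella) blocked."""
    return {name for proc, name, verdict in dns_log if proc == process and verdict == "blocked"}


def suspect_hosts(dns_log, ptr_table, flows):
    """Map each flagged name back to the internal hosts whose flows carried that destination.
    Returns {internal_src: {flagged names it contacted}}; the probe itself is not a suspect."""
    names = flagged_names(dns_log)
    ip_to_name = {ip: n for ip, n in ptr_table.items() if n in names}
    hits = defaultdict(set)
    for src, dst, _port, _bytes in flows:
        if dst in ip_to_name and ip_address(src) in INTERNAL:
            hits[src].add(ip_to_name[dst])
    return dict(hits)


if __name__ == "__main__":
    for host, names in suspect_hosts(PROBE_DNS_LOG, PTR_TABLE, FLOWS).items():
        print(f"{host} talked to {sorted(names)}")
```

With real data, the DNS log comes from the Umbrella/process-monitor export and the flows from the sensor's toplists or the raw exporter; the probe's own address should never appear as a source.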
Can you send us your pcap file at support@paessler.com to further investigate the issue? Please refer to this thread.
Sep, 2019 - Permalink
Hello Ryan,
Thank you for your post.
Do you have any sensors that are set up to look up those sites?
Kind regards,
Sasa Ignjatovic, Tech Support Team
Sep, 2019 - Permalink