What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

PRTG Probe Looking Up Malicious Sites

Votes:

0

We've been getting frequent occurrences of PRTG Probe.exe sending out DNS lookups for sites Cisco Umbrella flags as malicious. For example it's looked up mail.kb8zgl.net and hourmediagroup.com within the past 24 hours. Both of these requests were blocked by Cisco Umbrella.

Could anyone shed some light on why this could be happening? I don't see how this behavior is tied to any sensor.

dns malware security

Created on Sep 23, 2019 3:29:36 PM



7 Replies

Votes:

0

Hello Ryan,

Thank you for your post.

Do you have any sensors that are set up to lookup those sites?

Kind regards,
Sasa Ignjatovic, Tech Support Team

Created on Sep 24, 2019 10:08:20 AM by Sasa Ignjatovic [Paessler Support]

Last change on Sep 24, 2019 10:08:58 AM by Sasa Ignjatovic [Paessler Support]



Votes:

0

Not intentionally. The only sensors I can think of that would be looking up host addresses are the built in Office 365 sensor, a couple HTTPS sensors for some cloud service endpoints which we have the A records for, and a HTTPS sensor for our website that is hosted by hubspot.

Is there a way to see which sensor is making the requests? Like some debug logging?

Created on Sep 24, 2019 12:55:59 PM



Votes:

0

Hello Ryan,

We are not able to find any connection between PRTG and the mentioned sites. So if the sites are not entered in any sensors then it is unlikely that it comes from PRTG.

Does this happen in regular intervals, for example 60 seconds, or 5 minutes? Since if it does come from a sensor it would happen every scanning interval of that sensor.

Created on Sep 24, 2019 1:49:24 PM by Sasa Ignjatovic [Paessler Support]



Votes:

0

That's the fun part, it does not happen at any regular interval. Do any sensors like Netflow attempt to resolve dns names that come across?

Created on Sep 24, 2019 2:14:56 PM



Votes:

0

hard to say but if there is no sensor for this page then most likely your Probe system got compromised.

I work in a highly restricted environment with audits and so on PRTG does not use such websites also the mentioned interval is important because every sensor is polled at its intervall (as long as the probe is not overloaded with sensors :) )

so the next option is that the system got compromised

another option is that some other colleague tried to resolve these domains

Created on Sep 25, 2019 5:59:18 AM



Votes:

0

So I figured out it is definitely related to NetFlow/sFlow sensors. If I pause all my flow sensors the PRTG Probe.exe process stops resolving seemingly random addresses.

I can still see the expected DNS sensor queries but those are using a svchost.exe process. These suspicious queries are coming from the PRTG Probe.exe process itself. I have pcap traces and process monitor logs I can share if you are interested.

Image description

I am thinking PRTG attempts to find IP addresses for the urls it sees in flow logs. Can you confirm this?

If that is correct it indicates there is something rotten in my environment but these queries are a symptom, not the cause.

Created on Sep 25, 2019 1:08:21 PM



Votes:

0

Can you send us your Pcap file at [email protected] to further investigate the issue? Please refer to this thread.

Created on Sep 26, 2019 8:57:30 AM by Sasa Ignjatovic [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.