I came in to work this morning to find that multiple people had DNS issues resolving names that normally have no problems, and nobody could get into our ERP system. I rebooted the clients, and I rebooted the ERP database server, and I shut down a clone of the ERP database server that I had started to set up, which fixed the issue.
Now I'm going back to diagnosing what happened. I am seeing errors in /var/log/messages like this. If I read this correctly, this is just an attempted break-in by a trojan, not a compromised host on the LAN that is transmitting; can anyone confirm this for me?
Dec 21 08:30:22 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE msiexec.exe command execution over DNS attempt"; flow:to_client,no_stream; byte_test:1,&,0x80,2,bitmask 0x87; content:"|00 10 00 01|"; content:"msiexec /i"; within:20; distance:7; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/gui/file/32b8afb4deb90660514214df426f38a92ba24fbc92a834a8b8bfa55371aeda48; classtype:trojan-activity; sid:53985; rev:1;)" from file /var/lib/suricata/indicator-compromise.rules at line 35
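Added example, not part of the original post: the line above is Suricata reporting that it could not parse a rule while loading /var/lib/suricata/indicator-compromise.rules (ERRCODE SC_ERR_INVALID_SIGNATURE, typically because the rule uses a keyword or option the installed Suricata build does not accept). Suricata quotes the whole signature in that message, so the sid, rev, msg and action can be recovered from it. The script below classifies Suricata log lines into rule-load errors, alert lines and everything else, so the two can be counted separately. Sample input is the posted line plus two constructed lines: one alert in Suricata's fast.log format with a made-up local sid, and one rule-count summary line; neither comes from the poster's system.

```python
import re
from collections import Counter

# Rule-parse error as Suricata writes it to syslog; the whole rule is quoted in the message.
PARSE_ERROR_RE = re.compile(
    r'\[ERRCODE: (?P<errname>\w+)\((?P<errnum>\d+)\)\] - error parsing signature '
    r'"(?P<sig>.*)" from file (?P<rules_file>\S+) at line (?P<rule_line>\d+)'
)
# Alert line: [gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src -> dst
# (fast.log puts "[**]" around the msg; syslog output does not, so it is optional here).
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) (?:\[\*\*\] )?'
    r'\[Classification:[^\]]*\] \[Priority: \d+\] \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)'
)
# Pieces of the quoted signature text.
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')
HEADER_RE = re.compile(r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s')

# Constructed sample input. Line 1 is the line from the post (shortened only by
# keeping the option string intact); lines 2 and 3 are made up for this example.
SAMPLE_LINES = [
    'Dec 21 08:30:22 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing '
    'signature "drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE msiexec.exe '
    'command execution over DNS attempt"; flow:to_client,no_stream; byte_test:1,&,0x80,2,bitmask 0x87; '
    'content:"|00 10 00 01|"; content:"msiexec /i"; within:20; distance:7; classtype:trojan-activity; '
    'sid:53985; rev:1;)" from file /var/lib/suricata/indicator-compromise.rules at line 35',
    # constructed fast.log alert, local sid range, RFC 5737 test address
    '12/21/2020-08:31:05.123456  [**] [1:9000001:1] CONSTRUCTED-EXAMPLE test alert [**] '
    '[Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 203.0.113.5:53 -> 192.168.1.20:51234',
    # constructed rule-count summary line
    'Dec 21 08:30:40 ipfire suricata: 1 rule files processed. 31987 rules successfully loaded, 1 rules failed',
]


def classify(line: str) -> dict:
    """Describe one Suricata log line.

    kind == "rule_parse_error": the rule was rejected at load time; it was never
    evaluated against any traffic. kind == "alert": a loaded rule matched a
    packet or flow. kind == "other": startup notices, stats, and so on.
    """
    m = PARSE_ERROR_RE.search(line)
    if m:
        sig = m.group('sig')
        sid, rev, msg = SID_RE.search(sig), REV_RE.search(sig), MSG_RE.search(sig)
        hdr = HEADER_RE.match(sig)
        return {
            'kind': 'rule_parse_error',
            'errcode': m.group('errname'),
            'errnum': int(m.group('errnum')),
            'rules_file': m.group('rules_file'),
            'rule_line': int(m.group('rule_line')),
            'action': hdr.group('action') if hdr else None,
            'sid': int(sid.group(1)) if sid else None,
            'rev': int(rev.group(1)) if rev else None,
            'msg': msg.group(1) if msg else None,
        }
    m = ALERT_RE.search(line)
    if m:
        return {
            'kind': 'alert',
            'gid': int(m.group('gid')),
            'sid': int(m.group('sid')),
            'rev': int(m.group('rev')),
            'msg': m.group('msg'),
            'proto': m.group('proto'),
            'src': m.group('src'),
            'dst': m.group('dst'),
        }
    return {'kind': 'other'}


def summarize(lines) -> dict:
    """Count line kinds and separate sids that failed to load from sids that fired."""
    counts = Counter()
    failed, fired = set(), set()
    for line in lines:
        info = classify(line)
        counts[info['kind']] += 1
        if info['kind'] == 'rule_parse_error' and info['sid'] is not None:
            failed.add(info['sid'])
        elif info['kind'] == 'alert':
            fired.add(info['sid'])
    return {'counts': dict(counts), 'failed_to_load': failed, 'fired': fired}


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(classify(line))
    print(summarize(SAMPLE_LINES))
```

Running it over a real /var/log/messages (for example `summarize(open('/var/log/messages'))`) gives the set of sids that never loaded and, separately, the sids that actually produced alerts; a sid that appears only in `failed_to_load` has not matched any traffic.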