Tutek
New Contributor

Fortianalyzer shows DC as compromised host

Hi,

I have an internal domain DNS server on a domain controller; FortiAnalyzer shows this host as compromised with multiple attempts to websites like:

zmarsa.com Malware CnC Spyware and Malware infected-domain
com.tr Malware CnC Not Rated infected-domain
techcdn.com Malware CnC Spyware and Malware infected-domain
and others.
First of all, all my servers have blocked internet access, and second, when I check Cached Lookups on my domain controller DNS I can't find any of these domains from the FortiAnalyzer logs.
Could anyone explain to me how I could troubleshoot these attempts and their source?
Mohit_S
Moderator

Hello Tutek,

Do you also log to a Syslog server? Hopefully you will find some information in there.

Also, can you check whether all the logs are being forwarded from the firewall to the FortiAnalyzer? Can you check on the firewall whether you can find anything in the firewall's own logs?

Let us know if that helps.

Mohit - Fortinet Community Team
Debbie_FTNT
Staff

Hey Tutek,

If you check the compromised host details on FortiAnalyzer, by right-clicking you should be able to get to the underlying logs FortiAnalyzer received, which made it reach the compromised verdict.

I would suggest checking traffic and/or security logs with the source IP of your domain controller to figure out if there is in fact any traffic going to the internet from your DCs. If there is such traffic, the logs should tell you what policy allows that traffic; you can lock down the access, and then figure out if your domain controllers are actually compromised or not.

Hope this helps!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
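Both replies come down to the same triage: pull the firewall's traffic and security logs for the domain controller's source IP (from FortiAnalyzer, a syslog server, or the FortiGate itself) and see which policy, if any, lets it reach the internet. The script below is an added example, not code from this thread or from Fortinet, that does that triage over forwarded key=value logs in Python: it parses FortiGate-style records, lists accepted egress from watched server IPs grouped by policy ID, and separately pulls every record whose hostname matches one of the flagged domains. The sample log lines are constructed; the field names (srcip, dstip, policyid, action, hostname) follow the common FortiGate convention as an assumption, and the watched IP and internal ranges are placeholders to replace with the site's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed FortiGate-style key=value log lines (sample data, not real logs).
# Field names follow the usual FortiGate convention; every value is invented.
SAMPLE_LOGS = """\
date=2023-05-10 time=10:01:02 devname="fw1" type="traffic" subtype="forward" srcip=10.0.0.10 srcport=51234 dstip=203.0.113.5 dstport=443 policyid=7 action="accept" service="HTTPS" hostname="zmarsa.com"
date=2023-05-10 time=10:01:03 devname="fw1" type="traffic" subtype="forward" srcip=10.0.0.10 srcport=53412 dstip=198.51.100.2 dstport=53 policyid=7 action="accept" service="DNS"
date=2023-05-10 time=10:01:04 devname="fw1" type="traffic" subtype="forward" srcip=10.0.0.55 srcport=40001 dstip=203.0.113.9 dstport=80 policyid=12 action="accept" service="HTTP" hostname="example.org"
date=2023-05-10 time=10:01:05 devname="fw1" type="traffic" subtype="forward" srcip=10.0.0.10 srcport=51300 dstip=203.0.113.7 dstport=443 policyid=0 action="deny" service="HTTPS" hostname="techcdn.com"
date=2023-05-10 time=10:01:06 devname="fw1" type="utm" subtype="webfilter" srcip=10.0.0.10 dstip=203.0.113.5 policyid=7 action="blocked" hostname="zmarsa.com" catdesc="Malicious Websites"
date=2023-05-10 time=10:01:07 devname="fw1" type="traffic" subtype="forward" srcip=10.0.0.10 srcport=49152 dstip=10.0.0.1 dstport=389 policyid=3 action="accept" service="LDAP"
"""

# Placeholder DC address; the domains are the ones FortiAnalyzer flagged in the thread.
WATCHED_SERVERS = {"10.0.0.10"}
FLAGGED_DOMAINS = {"zmarsa.com", "com.tr", "techcdn.com"}

# RFC 1918 ranges as a placeholder; adjust to the site's own internal address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# key=value pairs; a double-quoted value may contain spaces
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        # exactly one of the two value groups matched; the other is ''
        fields[key] = bare if bare else quoted
    return fields


def parse_logs(text):
    """Parse newline-separated log lines, skipping blank ones."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    """True if the address falls inside one of the internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def accepted_egress(records, watched):
    """Accepted forward traffic from watched servers to non-internal destinations,
    grouped by (srcip, policyid) so the permitting policy stands out."""
    hits = defaultdict(list)
    for rec in records:
        if rec.get("type") != "traffic" or rec.get("action") != "accept":
            continue
        src, dst = rec.get("srcip"), rec.get("dstip")
        if src not in watched or not dst or is_internal(dst):
            continue
        hits[(src, rec.get("policyid", "?"))].append(rec)
    return dict(hits)


def indicator_hits(records, domains):
    """Every record, of any log type, whose hostname is one of the flagged domains."""
    wanted = {d.lower() for d in domains}
    return [rec for rec in records if rec.get("hostname", "").lower() in wanted]


def triage(text, watched=WATCHED_SERVERS, domains=FLAGGED_DOMAINS):
    """Run both checks and return a compact summary to act on."""
    records = parse_logs(text)
    egress = accepted_egress(records, watched)
    return {
        "policies_permitting_egress": sorted({pid for (_, pid) in egress}),
        "egress_sessions": sum(len(v) for v in egress.values()),
        "indicator_records": len(indicator_hits(records, domains)),
    }


if __name__ == "__main__":
    # Any policy ID listed under policies_permitting_egress is one to review and tighten.
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Feed it the exported text of the FortiAnalyzer log view or the syslog file in place of SAMPLE_LOGS. A non-empty policies_permitting_egress list answers the first question in the thread (is there really internet-bound traffic from the DC, and which rule allows it); indicator_records shows how many of the flagged-domain records are denies or web-filter blocks rather than successful sessions, which is the distinction that decides whether the host itself needs an incident response look.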