Hello, I'm hoping you can help me with this. I'm a rookie at IT stuff, but I help my company as best that I can. We have Malwarebytes business installed on every computer in our company including our server called WCNCSERVER. This server is also our DNS and DHCP server. I think that when someone tries to access a bad site I get notified that WCNCSERVER had a website blocked. I assume that is because all of the traffic is going through this server.
How can I identify a rogue user or computer? I would assume if it is a company computer that Malwarebytes would have identified the site on the company computer and notified me before it ever made it to the WCNCSERVER. We do not have WiFi so it's not a mobile device.
I have tried Wireshark, but it also shows that the WCNCSERVER is the one trying to access the malicious website.
I've contacted Malwarebytes and they've told me that Malwarebytes is good for blocking the threat, but not for identifying the culprit. The only thing I'm interested in is finding the rogue computer.
Any ideas?
Thank you.
Email:
Alert Time: 5/10/2016 9:59:30 AM
Server Hostname: ENGINEERING-
Server Domain/Workgroup: ENGINEERING
Server IP: 10.10.50.234
Notification Catalog: Client
Description:
Malware threat detected, see details below:
5/10/2016 9:58:36 AM WCNCSERVER 10.10.50.12 Blocked web site Type: outgoing, Port: 53936, Process: dns.exe 122.228.198.140
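As an added example, not part of the original post: the alert names dns.exe on WCNCSERVER because the server performs the outbound lookup on a client's behalf, so the client that asked for the name is only visible in the DNS server's own query log (Windows DNS: server Properties > Debug Logging, packet logging for queries). The script below is my own, assumes the debug-log layout shown in the constructed sample lines, and correlates the server's outbound query to the blocked IP with the client IPs that requested the same name; the domain bad.example.com and client addresses are constructed placeholders, only 122.228.198.140 comes from the alert.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Windows DNS debug-log layout (assumed, not from the post):
# date time thread PACKET packet-id proto Snd/Rcv remote-ip xid [R] Q [flags rcode] qtype labelled-name
SAMPLE_LOG = """\
5/10/2016 9:58:35 AM 0B2C PACKET  0000000002A3B7E0 UDP Rcv 10.10.50.57    0002   Q [0001   D   NOERROR] A      (3)bad(7)example(3)com(0)
5/10/2016 9:58:35 AM 0B2C PACKET  0000000002A3B7E0 UDP Rcv 10.10.50.23    0003   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
5/10/2016 9:58:36 AM 0B2C PACKET  0000000002A3B7E0 UDP Snd 122.228.198.140 0004   Q [0000       NOERROR] A      (3)bad(7)example(3)com(0)
5/10/2016 9:58:36 AM 0B2C PACKET  0000000002A3B7E0 UDP Rcv 122.228.198.140 0004 R Q [8081   DR  NOERROR] A      (3)bad(7)example(3)com(0)
5/10/2016 9:58:37 AM 0B2C PACKET  0000000002A3B7E0 UDP Snd 10.10.50.57    0002 R Q [8081   DR  NOERROR] A      (3)bad(7)example(3)com(0)
"""

# Match the packet fields we need: direction, remote IP, response marker, question name.
LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>[0-9a-fA-F.:]+)\s+[0-9A-Fa-f]+\s+"
    r"(?P<resp>R\s+)?Q \[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\(\d+\)\S*)"
)

def decode_name(labelled: str) -> str:
    """Turn the log's '(3)bad(7)example(3)com(0)' label notation into 'bad.example.com'."""
    labels = re.findall(r"\(\d+\)([^()]*)", labelled)
    return ".".join(label for label in labels if label)

def parse(log: str):
    """Yield one record per packet line; lines that are not packet entries are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield dict(direction=m["dir"], ip=m["ip"], is_response=bool(m["resp"]),
                       name=decode_name(m["name"]).lower())

def clients_behind_blocked_ip(log: str, blocked_ip: str) -> dict:
    """Map each name the server sent to blocked_ip onto the internal clients that asked for it."""
    records = list(parse(log))
    # Names the server itself queried at the blocked address (outbound, not a response).
    names = {r["name"] for r in records
             if r["direction"] == "Snd" and r["ip"] == blocked_ip and not r["is_response"]}
    # Inbound queries for those names reveal the originating client IPs.
    result = defaultdict(set)
    for r in records:
        if r["direction"] == "Rcv" and not r["is_response"] and r["name"] in names:
            result[r["name"]].add(r["ip"])
    return {name: sorted(ips) for name, ips in result.items()}

if __name__ == "__main__":
    for name, ips in clients_behind_blocked_ip(SAMPLE_LOG, "122.228.198.140").items():
        print(f"{name}: queried by {', '.join(ips)}")
```

Run it against the real debug log with the IP from the alert; each name listed points at the client that triggered the lookup.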