Solved

Why Windows Server sent dns query to Russian Network

Posted on 2010-09-09
30
1,883 Views
Last Modified: 2013-11-29
Hi
I have a pfSense firewall with Snort installed,
and I see this kind of log:

7        2        UDP        ET RBN Known Russian Business Network IP UDP (238)         Misc Attack        192.168.1.67        34358        ->        82.146.55.35        53        1:2406475:193        09/09-12:19:02

8       2       UDP       ET RBN Known Russian Business Network IP UDP (237)       Misc Attack       192.168.1.7       1068       ->       82.146.33.103       53       1:2406473:193       09/09-12:18:52

9       2       UDP       ET RBN Known Russian Business Network IP UDP (238)       Misc Attack       192.168.1.7       1068       ->       82.146.55.35       53       1:2406475:193       09/09-12:18:48

10       2       UDP       ET RBN Known Russian Business Network IP UDP (237)       Misc Attack       192.168.1.67       49339       ->       82.146.33.103       53       1:2406473:193       09/09-12:18:42


Let me give an idea of how my DNS server is set up:

All client computers -> SBS 2003 -> Linux DNS

So SBS 2003 (192.168.1.7) gets all DNS queries from the client computers, then forwards them all to the Linux DNS server (192.168.1.67).

Hence you see 2 logs for each DNS query.


Anyway: by looking at the log, it's like SBS itself is sending those DNS queries to those IPs.

So I installed Wireshark and looked at the UDP packets.
Yes, the server itself is sending those DNS queries..

Now I am surprised why?

Initially I thought the server could be infected. But then I looked at my different network, same setting, where I installed a brand new SBS 2008, and I saw the Snort log there has the same kind of entries (which made me think that my server is not infected).
So it looks to me like
Windows Server has itself sent some random queries to those IPs...

It sounds funny to me, but it's my understanding.

Now can anyone please give me some idea what it could be???
Or how can I get more information on this???

Question by:fosiul01
30 Comments
 
LVL 2

Expert Comment

by:sibisteanu
On the Windows DNS, select Forwarders only to your Linux DNS address and set Interfaces only to the interface connected to the computers' LAN.
 
LVL 29

Author Comment

by:fosiul01
On Windows DNS select Forwarders only to your Linux DNS address: which is our current DNS setup.

Set Interfaces only to the interface connected to the computers' LAN: what do you mean by this??? Where will I do this??
 
LVL 29

Author Comment

by:fosiul01
Ohh, set Interfaces only to the interface connected to the computers' LAN: you meant the Listen on options in the DNS configuration??

It's already selected: Only the following IP addresses: 192.168.1.7
 
LVL 4

Expert Comment

by:vickzz
Maybe some client machine which is pointing to the SBS server for DNS is running some app or shareware (torrents); that can cause this as well.
 
LVL 29

Author Comment

by:fosiul01
Maybe some client machine which is pointing to the SBS server for DNS is running some app or shareware (torrents); that can cause this as well. :

Yes, it could be, but then in Wireshark it would have shown where that DNS query is coming from.

But looking at the log, the server itself is sending those queries.

Have a look at the picture.


snort.GIF
 
LVL 2

Expert Comment

by:ngmarowa
Are your root hints disabled on the Windows DNS?
Also, how is your internet set up (proxy server or direct connections)?

I did a reverse lookup of the IP and it's freedownloadcenter.com. Not sure if one of your clients is trying to access this site.
 
LVL 4

Expert Comment

by:vickzz
So every time you see a request to this IP only?

193.132.234.7
 
LVL 4

Expert Comment

by:vickzz
I am seeing that your machines or someone is trying to download something from freedownloadcenter.com, and generally these sites have their mirrored servers in Russia; that could be the reason for this.
 
LVL 29

Author Comment

by:fosiul01
Hi, I have requested to delete the attached picture as it has one of our IPs.

Anyway,

192.168.1.7 is our DNS server for every client, and 192.168.1.67 is the forwarder set on the Windows DNS server (192.168.1.7).

And yes, every time it's going out from 192.168.1.7 (src) to 82.146.33.103 (dest),
but it has to go via 192.162.1.67 as it's the forwarder.

And you can see from the picture, it's going to freedownload.com..!!!

But I don't understand why.
 
LVL 4

Expert Comment

by:vickzz
Try running a Wireshark trace to capture HTTP traffic and see if there is any request going to these IPs.
 
LVL 29

Author Comment

by:fosiul01
Suppose I do a query from my computer; it will show up in Wireshark like this:


192.168.1.84 -> 192.168.1.7
192.168.1.7 -> 192.168.1.67

192.168.1.67 will resolve the query,
then

192.168.1.67 -> 192.168.1.7
192.168.1.7 -> 192.168.1.84

So there would be 4 steps to complete a DNS query.

But if I look at the Wireshark log, I can see only 2 steps:

192.168.1.7 -> 82.146.55.35
192.168.1.67 -> 192.168.1.7

So it can't be from an internal PC....

I don't know... it's making me mad now..
 
LVL 29

Author Comment

by:fosiul01
Do you know how to add 2 filters together in Wireshark??

Currently I am using port 53 only:

udp port 53

I need to add port 80 as well.

How will I add 2 capture rules together??
 
LVL 4

Expert Comment

by:vickzz
udp.port==53 and tcp.port==80
dns and http

Start > run > wireshark.exe
 
LVL 4

Expert Comment

by:vickzz
You should use an OR condition in between.

 
LVL 29

Author Comment

by:fosiul01
udp.port==53 and tcp.port==80
dns and http

Start > run > wireshark.exe

None of them work.
 
LVL 4

Expert Comment

by:vickzz
My apology.

dns or http
 
LVL 29

Author Comment

by:fosiul01
Nope, that does not work either.

Let me look on Google.
 
LVL 29

Author Comment

by:fosiul01
It's:
port 53 or port 80

But is there any other way to find out what is happening?
 
LVL 2

Expert Comment

by:sibisteanu
Go to the Windows DNS server and under Properties activate Debug Logging, and after that analyse the log.
 
LVL 4

Expert Comment

by:vickzz
What sniffer do you use, Wireshark, correct?
I am using Wireshark and I can start another instance of Wireshark from Start > Run > wireshark.

Also I can filter 2 protocols: dns or http.
 
LVL 29

Author Comment

by:fosiul01
@sibisteanu

I have attached the full debug log from Windows DNS.

Have a look,

and you will see always IPs from 192.167.1.7 or 192.168.1.67.



20100909 14:08:07 7CC PACKET  UDP Snd 82.146.55.35    0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 01DF31A0

  Socket = 476

  Remote addr 82.146.55.35, port 53

  Time Query=0, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x0118

    Flags     0x0000

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        0

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   MX (15)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:11 7CC PACKET  UDP Snd 82.146.33.103   0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 01DF31A0

  Socket = 476

  Remote addr 82.146.33.103, port 53

  Time Query=0, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x0118

    Flags     0x0000

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        0

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   MX (15)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:14 908 PACKET  UDP Rcv 192.168.1.7   2674   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)

UDP question info at 0247F010

  Socket = 460

  Remote addr 192.168.1.7, port 28897

  Time Query=1453035, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0024 (36)

  Message:

    XID       0x2674

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(14)gamblingplanet(3)org(0)"

      QTYPE   MX (15)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:14 908 PACKET  UDP Snd 192.168.1.67  2120   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)

UDP question info at 02462500

  Socket = 476

  Remote addr 192.168.1.67, port 53

  Time Query=0, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0024 (36)

  Message:

    XID       0x2120

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(14)gamblingplanet(3)org(0)"

      QTYPE   MX (15)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:14 904 PACKET  UDP Rcv 192.168.1.67  2120 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)

UDP response info at 00A25A60

  Socket = 476

  Remote addr 192.168.1.67, port 53

  Time Query=1453035, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0060 (96)

  Message:

    XID       0x2120

    Flags     0x8180

      QR        1 (RESPONSE)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        1

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   1

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(14)gamblingplanet(3)org(0)"

      QTYPE   MX (15)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

    Offset = 0x0024, RR count = 0

    Name      "[C00C](14)gamblingplanet(3)org(0)"

      TYPE   SOA  (6)

      CLASS  1

      TTL    180

      DLEN   48

      DATA   

		PrimaryServer: (4)ns10(11)dnsmadeeasy(3)com(0)

		Administrator: (3)dns[C035](11)dnsmadeeasy(3)com(0)

		SerialNo     = 2009010208

		Refresh      = 43200

		Retry        = 3600

		Expire       = 1209600

		MinimumTTL   = 180

    ADDITIONAL SECTION:

      empty



20100909 14:08:14 904 PACKET  UDP Snd 192.168.1.7   2674 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)

UDP response info at 00A25A60

  Socket = 460

  Remote addr 192.168.1.7, port 28897

  Time Query=1453035, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0060 (96)

  Message:

    XID       0x2674

    Flags     0x8180

      QR        1 (RESPONSE)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        1

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   1

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(14)gamblingplanet(3)org(0)"

      QTYPE   MX (15)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

    Offset = 0x0024, RR count = 0

    Name      "[C00C](14)gamblingplanet(3)org(0)"

      TYPE   SOA  (6)

      CLASS  1

      TTL    180

      DLEN   48

      DATA   

		PrimaryServer: (4)ns10(11)dnsmadeeasy(3)com(0)

		Administrator: (3)dns[C035](11)dnsmadeeasy(3)com(0)

		SerialNo     = 2009010208

		Refresh      = 43200

		Retry        = 3600

		Expire       = 1209600

		MinimumTTL   = 180

    ADDITIONAL SECTION:

      empty



20100909 14:08:15 7CC PACKET  UDP Snd 192.168.1.7   2673 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)

UDP response info at 020AB110

  Socket = 460

  Remote addr 192.168.1.7, port 28893

  Time Query=1453022, Queued=1453032, Expire=1453035

  Buf length = 0x0200 (512)

  Msg length = 0x0029 (41)

  Message:

    XID       0x2673

    Flags     0x8182

      QR        1 (RESPONSE)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        1

      Z         0

      RCODE     2 (SERVFAIL)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   MX (15)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:15 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 00A29FB0

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453036, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x508a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:15 908 PACKET  UDP Snd 192.168.1.67  192d   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 01DF31A0

  Socket = 476

  Remote addr 192.168.1.67, port 53

  Time Query=0, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x192d

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:16 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 01DE22B0

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453036, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x508a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:17 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 020AB110

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453037, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x508a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:19 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 00A25A60

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453039, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x508a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:21 7CC PACKET  UDP Snd 82.146.55.35    192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 01DF31A0

  Socket = 476

  Remote addr 82.146.55.35, port 53

  Time Query=0, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x192d

    Flags     0x0000

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        0

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:23 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 01DE22B0

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453043, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x508a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:25 7CC PACKET  UDP Snd 82.146.33.103   192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 01DF31A0

  Socket = 476

  Remote addr 82.146.33.103, port 53

  Time Query=0, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x192d

    Flags     0x0000

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        0

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:27 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 020AB110

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453048, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0xbb8a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:27 908 PACKET  UDP Snd 192.168.1.67  0930   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 0247F010

  Socket = 476

  Remote addr 192.168.1.67, port 53

  Time Query=0, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x0930

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:28 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 00A25A60

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453048, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0xbb8a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:29 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 01DE22B0

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453049, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0xbb8a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:29 7CC PACKET  UDP Snd 192.168.1.7   508a R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)

UDP response info at 00A29FB0

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453036, Queued=1453046, Expire=1453049

  Buf length = 0x0200 (512)

  Msg length = 0x0029 (41)

  Message:

    XID       0x508a

    Flags     0x8182

      QR        1 (RESPONSE)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        1

      Z         0

      RCODE     2 (SERVFAIL)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 02462500

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453051, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0xbb8a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.67  0118 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)

UDP response info at 01EB8540

  Socket = 476

  Remote addr 192.168.1.67, port 53

  Time Query=1453052, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x0118

    Flags     0x8182

      QR        1 (RESPONSE)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        1

      Z         0

      RCODE     2 (SERVFAIL)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   MX (15)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:33 7CC PACKET  UDP Snd 82.146.33.103   0930   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 0247F010

  Socket = 476

  Remote addr 82.146.33.103, port 53

  Time Query=0, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x0930

    Flags     0x0000

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        0

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:35 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 00A25A60

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453055, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0xbb8a

    Flags     0x0100

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:37 7CC PACKET  UDP Snd 82.146.55.35    0930   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)

UDP question info at 0247F010

  Socket = 476

  Remote addr 82.146.55.35, port 53

  Time Query=0, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x0930

    Flags     0x0000

      QR        0 (QUESTION)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        0

      RA        0

      Z         0

      RCODE     0 (NOERROR)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:41 7CC PACKET  UDP Snd 192.168.1.7   bb8a R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)

UDP response info at 020AB110

  Socket = 460

  Remote addr 192.168.1.7, port 15863

  Time Query=1453048, Queued=1453058, Expire=1453061

  Buf length = 0x0200 (512)

  Msg length = 0x0029 (41)

  Message:

    XID       0xbb8a

    Flags     0x8182

      QR        1 (RESPONSE)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        1

      Z         0

      RCODE     2 (SERVFAIL)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:45 904 PACKET  UDP Rcv 192.168.1.67  192d R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)

UDP response info at 01DECCD0

  Socket = 476

  Remote addr 192.168.1.67, port 53

  Time Query=1453066, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x192d

    Flags     0x8182

      QR        1 (RESPONSE)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        1

      Z         0

      RCODE     2 (SERVFAIL)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty



20100909 14:08:45 908 PACKET  UDP Rcv 192.168.1.67  0930 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)

UDP response info at 02462500

  Socket = 476

  Remote addr 192.168.1.67, port 53

  Time Query=1453066, Queued=0, Expire=0

  Buf length = 0x0500 (1280)

  Msg length = 0x0029 (41)

  Message:

    XID       0x0930

    Flags     0x8182

      QR        1 (RESPONSE)

      OPCODE    0 (QUERY)

      AA        0

      TC        0

      RD        1

      RA        1

      Z         0

      RCODE     2 (SERVFAIL)

    QCOUNT    1

    ACOUNT    0

    NSCOUNT   0

    ARCOUNT   0

    QUESTION SECTION:

    Offset = 0x000c, RR count = 0

    Name      "(19)freedownloadscenter(3)com(0)"

      QTYPE   A (1)

      QCLASS  1

    ANSWER SECTION:

      empty

    AUTHORITY SECTION:

      empty

    ADDITIONAL SECTION:

      empty

 
LVL 4

Expert Comment

by:vickzz
Do you have an app which downloads any free S/W from the internet?
 
LVL 29

Author Comment

by:fosiul01
There should not be, but if any user installed those, I should be able to see where those requests are coming from, isn't it?
 

It's hard to believe that the server has been compromised.
I don't install anything on the server, nor do I browse.

Funny thing is that free download.com is a recursive domain...

0
 
LVL 29

Author Comment

by:fosiul01
Hmmmm, I know why.


This SBS 2003 server is working as an Exchange server,

and in my mail queue there are 2 sitting in the Queue directory

from freedownloadscenter.com

Envelope Recipients:
SMTP:MelodylodgeMcclendon@freedownloadscenter.com;

and
Envelope Recipients:
SMTP:MattabidjanVaughn@gamblingplanet.org;



the sender is: postmaster@ourdomain.com

and hence this server is trying to look up freedownloadscenter.com for an MX record.


How did this end up in my Queue directory as sent from postmaster@ourdomain.com??

Any idea??

0
 
LVL 2

Expert Comment

by:sibisteanu
Delete this mail from the queue and look if you see the IPs again in the DNS log.

"If I read correctly the log you posted, these 2 Russian IPs only send DNS packets to your server – Snd prefix, not Rcv – “Snd 82.146.55.35”.
I do not see packets sent to these IPs."
0
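Added example, not code from the thread: a small Python parser for the Windows Server 2003 DNS debug-log PACKET lines quoted above. It decodes the `(19)freedownloadscenter(3)com(0)` name notation and separates what the server sent (Snd, a query with no R flag) from what it received (Rcv with the R flag), which is the distinction this comment turns on. FLAGGED_IPS are the addresses from the Snort alerts in the question; apart from the quoted SERVFAIL reply, the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

FLAGGED_IPS = {"82.146.55.35", "82.146.33.103"}  # IPs from the Snort alerts in the question

PACKET_RE = re.compile(  # one Windows 2003 DNS debug-log PACKET line
    r"^(?P<date>\d{8}) (?P<time>\d\d:\d\d:\d\d) (?P<tid>\S+) PACKET\s+"
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})"
    r"\s+(?P<resp>R?)\s+Q \[(?P<flags>[^\]]*)\]\s+(?P<name>\S+)"
)

def decode_name(label_form):
    """'(19)freedownloadscenter(3)com(0)' -> 'freedownloadscenter.com'; (n) is the label length."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", label_form):
        if int(length) != len(label):
            raise ValueError(f"label length mismatch in {label_form!r}")
        if label:
            labels.append(label)
    return ".".join(labels)

def parse_line(line):
    """Fields of a PACKET line as a dict, or None for any other line."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = decode_name(rec["name"])
    rec["rcode"] = rec["flags"].split()[-1]  # e.g. NOERROR, SERVFAIL
    return rec

def summarize(lines):
    """Per remote IP: names this server queried outbound (Snd, no R flag) and
    rcodes it received (Rcv with R). Only a Snd shows the server initiated contact."""
    out = defaultdict(lambda: {"sent": set(), "rcodes": [], "flagged": False})
    for rec in filter(None, map(parse_line, lines)):  # skips non-PACKET lines
        entry = out[rec["ip"]]
        entry["flagged"] = rec["ip"] in FLAGGED_IPS
        if rec["dir"] == "Snd" and not rec["resp"]:
            entry["sent"].add(rec["name"])
        elif rec["dir"] == "Rcv" and rec["resp"]:
            entry["rcodes"].append(rec["rcode"])
    return dict(out)

# Constructed sample (not from the thread): the SERVFAIL reply above plus two made-up outbound queries.
SAMPLE_LOG = [
    "20100909 14:08:45 904 PACKET  UDP Rcv 192.168.1.67  192d R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)",
    "20100909 14:08:44 904 PACKET  UDP Snd 192.168.1.67  192d   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)",
    "20100909 14:08:44 904 PACKET  UDP Snd 82.146.55.35  0a1b   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)",
]
```

Running `summarize` over a real debug log shows, per remote IP, which names the server itself resolved against a flagged address, which is what ties the Snort hits back to the queued mail's recipient domains.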
 
LVL 29

Author Comment

by:fosiul01
Delete this mail from queue - and look in you see ips again in dns log. :: I have already deleted it from the mail queue, and I believe I will not see those IPs again.


If read correctly the log you posted this 2 Russian IP only send DNS packets to your server – Snd prefix not Rcv - “Snd 82.146.55.35 ”. ::

Will you be able to explain to me a little bit about this comment of yours:
2 Russian IP only send DNS packets to your server – Snd prefix not Rcv - “Snd 82.146.55.35 ”.

Which log are you referring to to support your comment? Just copy and paste the first line of that log.


From my understanding: my server was sending UDP packets to 82.146.55.35, right????

My server should not get any reply from them, as my firewall IPS is blocking those IPs.

0
 
LVL 2

Assisted Solution

by:sibisteanu
sibisteanu earned 250 total points
Delete the mail from the queue and watch the DNS log after that.
You have the DNS port open on the server for Exchange Server to function, and I’m sure that these DNS packets are generated by the Exchange server.
0
 
LVL 4

Accepted Solution

by:
vickzz earned 250 total points
Yes, even spam could be a cause of this log.
0
 
LVL 29

Author Comment

by:fosiul01
It's the spam.

Anyway, thanks to both of you for your support.

I will create another question about postmaster.
0
