Solved

Why Windows Server sent dns query to Russian Network

Posted on 2010-09-09
Last Modified: 2013-11-29
Hi,
I have a pfSense firewall with Snort installed, and I see this kind of log:

#   Pri  Proto  Description                                           Class        Src           SPort      Dst            DPort  SID            Time
7   2    UDP    ET RBN Known Russian Business Network IP UDP (238)    Misc Attack  192.168.1.67  34358  ->  82.146.55.35   53     1:2406475:193  09/09-12:19:02
8   2    UDP    ET RBN Known Russian Business Network IP UDP (237)    Misc Attack  192.168.1.7   1068   ->  82.146.33.103  53     1:2406473:193  09/09-12:18:52
9   2    UDP    ET RBN Known Russian Business Network IP UDP (238)    Misc Attack  192.168.1.7   1068   ->  82.146.55.35   53     1:2406475:193  09/09-12:18:48
10  2    UDP    ET RBN Known Russian Business Network IP UDP (237)    Misc Attack  192.168.1.67  49339  ->  82.146.33.103  53     1:2406473:193  09/09-12:18:42


Let me give you an idea of how my DNS server is set up:

All client computers -> SBS 2003 -> Linux DNS

So SBS 2003 (192.168.1.7) gets all DNS queries from the client computers, then forwards them all to the Linux DNS server (192.168.1.67).

Hence you see 2 log entries for each DNS query.


Anyway: looking at the log, it looks like SBS itself is sending those DNS queries to those IPs.

So I installed Wireshark and looked at the UDP packets.
Yes, the server itself is sending those DNS queries...

Now I am surprised: why?

Initially I thought the server could be infected, but then I looked at my other network, with the same setup, where I installed a brand new SBS 2008, and I saw the Snort log there has the same kind of entries (which made me think that my server is not infected).
So it looks to me like
Windows Server itself sends some random queries to those IPs...

It sounds funny to me, but that's my understanding.

Now can anyone please give me some idea what it could be?
Or how can I get more information on this?

Question by:fosiul01
30 Comments
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33635675
On the Windows DNS, set Forwarders only to your Linux DNS address, and set Interfaces only to the interface connected to the computers' LAN.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33635708
"On Windows DNS select Forwarders only to your Linux DNS address": which is our current DNS setup.


"Set Interfaces only to interface connected to computers lan.": What do you mean by this? Where will I do this?

0
 
LVL 29

Author Comment

by:fosiul01
ID: 33635731
Oh, "set Interfaces only to interface connected to computers lan": you mean the Listen On options in the DNS configuration?

It's already selected: Only the following IP addresses: 192.168.1.7
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33635738
Maybe some client machine which is pointing to the SBS server for DNS is running some app or shareware (torrents); that can cause this as well.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33635792
"Maybe some client machine which is pointing to the SBS server for DNS is running some app or shareware (torrents); that can cause this as well.":

Yes, it could be, but then in Wireshark it would have shown where that DNS query is coming from.

But looking at the log, the server itself is sending those queries.

Have a look at the picture.


[attachment: snort.GIF]
0
 
LVL 2

Expert Comment

by:ngmarowa
ID: 33635832
Are your root hints disabled on the Windows DNS?
Also, how is your internet set up (proxy server or direct connections)?

I did a reverse lookup of the IP and it's freedownloadcenter.com. Not sure if one of your clients is trying to access this site.
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33635840
So every time you see requests to this IP only?

193.132.234.7
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33635857
I am seeing your machines or someone trying to download something from freedownloadcenter.com, and generally these sites have their mirrored servers in Russia; that could be the reason for this.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33635880
Hi, I have requested to delete the attached picture as it has one of our IPs.

Anyway,

192.168.1.7 is our DNS server for every client and 192.168.1.67 is the forwarder set on the Windows DNS server (192.168.1.7).

And yes, every time it's going out from 192.168.1.7 (src) to 82.146.33.103 (dest),
but it should go via 192.168.1.67 as that is the forwarder.

And you can see from the picture, it's going to freedownload.com!

But I don't understand why.


0
 
LVL 4

Expert Comment

by:vickzz
ID: 33635917
Try running a Wireshark trace to capture HTTP traffic and see if there is any request going to these IPs.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33636004
Suppose I do a query from my computer; it will show up in Wireshark like this:


192.168.1.84 -> 192.168.1.7
192.168.1.7 -> 192.168.1.67

192.168.1.67 will resolve the query,
then

192.168.1.67 -> 192.168.1.7
192.168.1.7 -> 192.168.1.84

So there would be 4 steps to complete a DNS query.

But if I look at the Wireshark log, I can see only 2 steps:

192.168.1.7 -> 82.146.55.35
192.168.1.67 -> 192.168.1.7

So it can't be from an internal PC...

I don't know... it's making me mad now.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33636018
Do you know how to add 2 filters together in Wireshark?

Currently I am using port 53 only:

udp port 53

I need to add port 80 as well.

How will I add 2 capture rules together?
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33636034
udp.port==53 and tcp.port==80
dns and http

Start > run > wireshark.exe
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33636037
You should use an OR condition in between.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33636089
udp.port==53 and tcp.port==80
dns and http

Start > run > wireshark.exe

None of them work.


0
 
LVL 4

Expert Comment

by:vickzz
ID: 33636136
My apologies.

dns or http
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33636161
Nope, that does not work either.

Let me search Google.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33636219
It's

port 53 or port 80

But is there any other way to find out what is happening?
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33636225
Go to the Windows DNS server and, under Properties, activate Debug Logging; after that, analyse the log.
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33636346
What sniffer do you use, Wireshark, correct?
I am using Wireshark and I can start another instance of Wireshark from Start > Run > wireshark.

Also I can filter 2 protocols: dns or http.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33636735
@sibisteanu

I have attached the full debug log from the Windows DNS.

Have a look,

and you will see the IPs are always from 192.168.1.7 or 192.168.1.67.



20100909 14:08:07 7CC PACKET  UDP Snd 82.146.55.35    0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.55.35, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0118
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:11 7CC PACKET  UDP Snd 82.146.33.103   0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.33.103, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0118
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 908 PACKET  UDP Rcv 192.168.1.7   2674   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
UDP question info at 0247F010
  Socket = 460
  Remote addr 192.168.1.7, port 28897
  Time Query=1453035, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0024 (36)
  Message:
    XID       0x2674
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 908 PACKET  UDP Snd 192.168.1.67  2120   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
UDP question info at 02462500
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0024 (36)
  Message:
    XID       0x2120
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 904 PACKET  UDP Rcv 192.168.1.67  2120 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)
UDP response info at 00A25A60
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453035, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0060 (96)
  Message:
    XID       0x2120
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   1
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
    Offset = 0x0024, RR count = 0
    Name      "[C00C](14)gamblingplanet(3)org(0)"
      TYPE   SOA  (6)
      CLASS  1
      TTL    180
      DLEN   48
      DATA   
		PrimaryServer: (4)ns10(11)dnsmadeeasy(3)com(0)
		Administrator: (3)dns[C035](11)dnsmadeeasy(3)com(0)
		SerialNo     = 2009010208
		Refresh      = 43200
		Retry        = 3600
		Expire       = 1209600
		MinimumTTL   = 180
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 904 PACKET  UDP Snd 192.168.1.7   2674 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)
UDP response info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 28897
  Time Query=1453035, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0060 (96)
  Message:
    XID       0x2674
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   1
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
    Offset = 0x0024, RR count = 0
    Name      "[C00C](14)gamblingplanet(3)org(0)"
      TYPE   SOA  (6)
      CLASS  1
      TTL    180
      DLEN   48
      DATA   
		PrimaryServer: (4)ns10(11)dnsmadeeasy(3)com(0)
		Administrator: (3)dns[C035](11)dnsmadeeasy(3)com(0)
		SerialNo     = 2009010208
		Refresh      = 43200
		Retry        = 3600
		Expire       = 1209600
		MinimumTTL   = 180
    ADDITIONAL SECTION:
      empty

20100909 14:08:15 7CC PACKET  UDP Snd 192.168.1.7   2673 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 28893
  Time Query=1453022, Queued=1453032, Expire=1453035
  Buf length = 0x0200 (512)
  Msg length = 0x0029 (41)
  Message:
    XID       0x2673
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:15 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A29FB0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453036, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:15 908 PACKET  UDP Snd 192.168.1.67  192d   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:16 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DE22B0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453036, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:17 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453037, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:19 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453039, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:21 7CC PACKET  UDP Snd 82.146.55.35    192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.55.35, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:23 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DE22B0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453043, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:25 7CC PACKET  UDP Snd 82.146.33.103   192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.33.103, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:27 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453048, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:27 908 PACKET  UDP Snd 192.168.1.67  0930   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 0247F010
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:28 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453048, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:29 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DE22B0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453049, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:29 7CC PACKET  UDP Snd 192.168.1.7   508a R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 00A29FB0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453036, Queued=1453046, Expire=1453049
  Buf length = 0x0200 (512)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 02462500
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453051, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.67  0118 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 01EB8540
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453052, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0118
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:33 7CC PACKET  UDP Snd 82.146.33.103   0930   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 0247F010
  Socket = 476
  Remote addr 82.146.33.103, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:35 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453055, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:37 7CC PACKET  UDP Snd 82.146.55.35    0930   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 0247F010
  Socket = 476
  Remote addr 82.146.55.35, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:41 7CC PACKET  UDP Snd 192.168.1.7   bb8a R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453048, Queued=1453058, Expire=1453061
  Buf length = 0x0200 (512)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:45 904 PACKET  UDP Rcv 192.168.1.67  192d R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 01DECCD0
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453066, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:45 908 PACKET  UDP Rcv 192.168.1.67  0930 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 02462500
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453066, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty


0
 
LVL 4

Expert Comment

by:vickzz
ID: 33636874
Do you have an app which downloads any free software from the internet?
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33636950
There should not be, but if any user installed those, I should be able to see where those requests are coming from, isn't it?


It's hard to believe that the server has been compromised.
I don't install anything on the server, nor do I browse on it.

The funny thing is that freedownload.com is a recursive domain...

0
 
LVL 29

Author Comment

by:fosiul01
ID: 33637038
Hmmmmm, I know why.


This SBS 2003 server is working as the Exchange server,

and in my mail queue there are 2 messages sitting in the Queue directory

from freedownloadscenter.com:

Envelope Recipients:
SMTP:MelodylodgeMcclendon@freedownloadscenter.com;

and
Envelope Recipients:
SMTP:MattabidjanVaughn@gamblingplanet.org;



The sender is: postmaster@ourdomain.com

and hence this server is trying to look up the MX record for freedownloadscenter.com.


How did this end up in my Queue directory, sent as postmaster@ourdomain.com?

Any idea?

0
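The debug log posted above and the mail-queue finding in this comment can be tied together mechanically. The script below is an added example written for this page, not code from the thread or from Microsoft: it parses the PACKET summary lines of a Windows DNS debug log, decodes the length-prefixed names, picks out the queries the server itself sent to anything other than its forwarder, and matches the queried domains against the recipient addresses found in the Exchange queue. Two things in the format matter for the reading of this thread: Snd and Rcv are from the DNS server's point of view, so "Snd 82.146.55.35" is a packet the server sent to that address; and the flag letters inside the brackets (A authoritative, T truncated, D recursion desired, R recursion available) show that the packets to the two RBN addresses carry no D, i.e. they are iterative lookups the server performed on its own, unlike the D-flagged queries relayed to the forwarder. The sample log is a constructed excerpt of the lines posted above with each packet's detail block trimmed to its QTYPE line; the forwarder address 192.168.1.67 and the two queued recipients are taken from the thread as assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: PACKET summary lines from the Windows DNS debug log posted
# in this thread, each followed only by its QTYPE detail line (the rest of each
# packet's detail block is trimmed to keep the sample short).
SAMPLE_LOG = """\
20100909 14:08:07 7CC PACKET  UDP Snd 82.146.55.35    0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   MX (15)
20100909 14:08:11 7CC PACKET  UDP Snd 82.146.33.103   0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   MX (15)
20100909 14:08:14 908 PACKET  UDP Rcv 192.168.1.7   2674   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
      QTYPE   MX (15)
20100909 14:08:14 908 PACKET  UDP Snd 192.168.1.67  2120   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
      QTYPE   MX (15)
20100909 14:08:14 904 PACKET  UDP Rcv 192.168.1.67  2120 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)
      QTYPE   MX (15)
20100909 14:08:15 7CC PACKET  UDP Snd 192.168.1.7   2673 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
      QTYPE   MX (15)
20100909 14:08:21 7CC PACKET  UDP Snd 82.146.55.35    192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   A (1)
20100909 14:08:25 7CC PACKET  UDP Snd 82.146.33.103   192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   A (1)
"""

# Assumptions taken from the thread: the only configured forwarder, and the two
# recipient addresses found sitting in the Exchange queue.
FORWARDERS = {"192.168.1.67"}
QUEUED_RECIPIENTS = [
    "MelodylodgeMcclendon@freedownloadscenter.com",
    "MattabidjanVaughn@gamblingplanet.org",
]

# Summary line: date time thread PACKET proto Snd|Rcv remote xid [R] opcode [hex flag-letters rcode] name
# The "R" before the opcode marks a response; the flag letters are the debug log's
# own: A authoritative, T truncated, D recursion desired, R recursion available.
SUMMARY_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<thread>[0-9A-Fa-f]+) PACKET\s+"
    r"(?P<proto>UDP|TCP) (?P<direction>Snd|Rcv) (?P<remote>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<response>R)?\s*(?P<opcode>[QNU]) "
    r"\[(?P<rawflags>[0-9A-Fa-f]{4})\s+(?:(?P<flagchars>[ATDR]+)\s+)?(?P<rcode>[A-Z]+)\] "
    r"(?P<name>\S+)\s*$"
)
QTYPE_RE = re.compile(r"^\s*QTYPE\s+(?P<qtype>[A-Z0-9]+)\s+\(\d+\)")
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


@dataclass
class Packet:
    timestamp: str
    direction: str          # "Snd" or "Rcv", from the DNS server's point of view
    remote: str             # the other end of the packet
    xid: str
    is_response: bool
    recursion_desired: bool # False on the iterative lookups the server does itself
    rcode: str
    name: str               # decoded query name
    qtype: str = "?"        # filled in from the QTYPE detail line that follows


def decode_name(wire: str) -> str:
    """'(19)freedownloadscenter(3)com(0)' -> 'freedownloadscenter.com'."""
    return ".".join(label for length, label in LABEL_RE.findall(wire) if int(length) > 0)


def parse_dns_debug_log(text: str) -> list:
    """Turn summary lines (plus the QTYPE line of each detail block) into Packets."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            packets.append(Packet(
                timestamp=f"{m['date']} {m['time']}",
                direction=m["direction"],
                remote=m["remote"],
                xid=m["xid"].lower(),
                is_response=m["response"] is not None,
                recursion_desired="D" in (m["flagchars"] or ""),
                rcode=m["rcode"],
                name=decode_name(m["name"]),
            ))
            continue
        q = QTYPE_RE.match(line)
        if q and packets:
            packets[-1].qtype = q["qtype"]
    return packets


def external_queries(packets, forwarders):
    """Queries the server itself sent to anything other than its forwarders:
    exactly the traffic a perimeter IDS like the Snort above sees leaving it."""
    return [p for p in packets
            if p.direction == "Snd" and not p.is_response and p.remote not in forwarders]


def summarise(packets):
    """Count (remote, qname, qtype) so repeated MX/A lookups for one domain stand out."""
    counts = defaultdict(int)
    for p in packets:
        counts[(p.remote, p.name, p.qtype)] += 1
    return dict(counts)


def explain_by_mail_queue(packets, queued_recipients):
    """Map each looked-up name to queued recipient addresses in that domain. An MX
    lookup for a domain that appears only in the outbound mail queue points at the
    mail server bouncing spam, not at malware on the box."""
    by_domain = defaultdict(list)
    for addr in queued_recipients:
        by_domain[addr.rsplit("@", 1)[-1].lower()].append(addr)
    return {p.name: by_domain[p.name] for p in packets if p.name in by_domain}


if __name__ == "__main__":
    pk = parse_dns_debug_log(SAMPLE_LOG)
    ext = external_queries(pk, FORWARDERS)
    for (remote, name, qtype), n in sorted(summarise(ext).items()):
        print(f"{remote:15} {qtype:3} {name:28} x{n}")
    print("RD set on any external query:", any(p.recursion_desired for p in ext))
    print("explained by mail queue:", explain_by_mail_queue(ext, QUEUED_RECIPIENTS))
```

Run against a full debug log, the useful checks are the same three: which names the server resolves outside its forwarder, whether those packets carry D (if not, the server is iterating on its own, which with a forwarder configured usually means the forwarder answered SERVFAIL or timed out and root hints were used), and whether the names line up with something legitimate on the host such as the mail queue. Only names that fail the last check deserve the "server compromised" hypothesis.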
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33637181
Delete this mail from the queue and look whether you see the IPs again in the DNS log.

"If I read the log you posted correctly, these 2 Russian IPs only send DNS packets to your server – Snd prefix, not Rcv – "Snd 82.146.55.35".
I do not see packets sent to these IPs."
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33637259
"Delete this mail from queue - and look in you see ips again in dns log.":: I have already deleted it from the mail queue, and I believe I will not see those IPs again.


"If read correctly the log you posted this 2 Russian IP only send DNS packets to your server – Snd prefix not Rcv - "Snd 82.146.55.35"."::

Will you be able to explain a little bit about this comment of yours:
"2 Russian IP only send DNS packets to your server – Snd prefix not Rcv - "Snd 82.146.55.35"."

Which log are you referring to to support your comment? Just copy and paste the first line of that log.


From my understanding: my server was sending UDP packets to 82.146.55.35, right?

My server should not get any reply from them as my firewall IPS is blocking those IPs.

0
 
LVL 2

Assisted Solution

by:sibisteanu
sibisteanu earned 1000 total points
ID: 33637468
Delete the mail from the queue and watch the DNS log after that.
You have the DNS port open on the server for Exchange Server to function, and I'm sure that these DNS packets are generated by the Exchange server.
0
 
LVL 4

Accepted Solution

by:vickzz
vickzz earned 1000 total points
ID: 33637525
Yes, even spam could be a cause of this log.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33637793
It's the spam.

Anyway, thanks to both of you for your support.

I will create another question about postmaster.
0
