Why is my Windows Server sending DNS queries to a Russian network?

Hi,
I have a pfSense firewall with Snort installed,
and I see this kind of log:

7        2        UDP        ET RBN Known Russian Business Network IP UDP (238)         Misc Attack        192.168.1.67        34358        ->        82.146.55.35        53        1:2406475:193        09/09-12:19:02

8       2       UDP       ET RBN Known Russian Business Network IP UDP (237)       Misc Attack       192.168.1.7       1068       ->       82.146.33.103       53       1:2406473:193       09/09-12:18:52

9       2       UDP       ET RBN Known Russian Business Network IP UDP (238)       Misc Attack       192.168.1.7       1068       ->       82.146.55.35       53       1:2406475:193       09/09-12:18:48

10       2       UDP       ET RBN Known Russian Business Network IP UDP (237)       Misc Attack       192.168.1.67       49339       ->       82.146.33.103       53       1:2406473:193       09/09-12:18:42


Let me give an idea of how my DNS server is set up:

All client computers -> SBS 2003 -> Linux DNS

So SBS 2003 (192.168.1.7) gets all the DNS queries from the client computers, then forwards them all to the Linux DNS server (192.168.1.67).

Hence you see 2 log entries for each DNS query.


Anyway: looking at the log, it looks like SBS itself is sending those DNS queries to those IPs.

So I installed Wireshark and looked at the UDP packets.
Yes, the server itself is sending those DNS queries...

Now I am surprised: why?

Initially I thought the server could be infected. But then I looked at my other network, with the same setup, where I installed a brand new SBS 2008, and I saw that the Snort log there has the same kind of entries (which made me think that my server is not infected).
So it looks to me like
Windows Server itself sends some random queries to those IPs...

It sounds funny to me, but that is my understanding.

Now can anyone please give me some idea what it could be???
Or how can I get more information on this???

fosiul01Asked:
vickzzCommented:
Yes, even spam could be the cause of this log.
0
 
sibisteanuCommented:
On the Windows DNS, select Forwarders only to your Linux DNS address, and set Interfaces only to the interface connected to the computers' LAN.
0
 
fosiul01Author Commented:
On the Windows DNS, select Forwarders only to your Linux DNS address: that is our current DNS setup.

 
Set Interfaces only to the interface connected to the computers' LAN: what do you mean by this??? Where will I do this??

0

 
fosiul01Author Commented:
Ohh, "set Interfaces only to the interface connected to the computers' LAN": you mean the "Listen on" option in the DNS configuration??

It is already selected: "Only the following IP addresses: 192.168.1.7".
0
 
vickzzCommented:
Maybe some client machine which is pointing to the SBS server for DNS is running some app or shareware (torrents); that can cause this as well.
0
 
fosiul01Author Commented:
"Maybe some client machine which is pointing to the SBS server for DNS is running some app or shareware (torrents); that can cause this as well.":

Yes, it could be, but then Wireshark would have shown where that DNS query is coming from.

But looking at the log, the server itself is sending those queries.

Have a look at the picture.


snort.GIF
0
 
ngmarowaCommented:
Are your root hints disabled on the Windows DNS?
Also, how is your internet set up (proxy server or direct connections)?

I did a reverse lookup of the IP and it is freedownloadcenter.com. Not sure if one of your clients is trying to access this site.
0
 
vickzzCommented:
So every time you see requests to this IP only?

193.132.234.7
0
 
vickzzCommented:
I am seeing that your machines, or someone, is trying to download something from freedownloadcenter.com, and generally these sites have their mirrored servers in Russia; that could be the reason for this.
0
 
fosiul01Author Commented:
Hi, I have requested to delete the attached picture as it has one of our IPs.

Anyway,

192.168.1.7 is our DNS server for every client, and 192.168.1.67 is the forwarder set on the Windows DNS server (192.168.1.7).

And yes, every time it is going out from 192.168.1.7 (src) to 82.146.33.103 (dest),
but it would have to go via 192.168.1.67 as it is the forwarder.

And you can see from the picture that it is going to freedownload.com..!!!

But I don't understand why.


0
 
vickzzCommented:
Try running a Wireshark trace to capture HTTP traffic and see if there is any request going to these IPs.
0
 
fosiul01Author Commented:
Suppose I do a query from my computer; it would show up in Wireshark like this:


192.168.1.84 -> 192.168.1.7
192.168.1.7 -> 192.168.1.67

192.168.1.67 will resolve the query,
then

192.168.1.67 -> 192.168.1.7
192.168.1.7 -> 192.168.1.84

So there would be 4 steps to complete the DNS query.

But if I look at the Wireshark log, I can see only 2 steps:

192.168.1.7 -> 82.146.55.35
192.168.1.67 -> 192.168.1.7

So it can't be from an internal PC....

I don't know... it's making me mad now..
0
 
fosiul01Author Commented:
Do you know how to add 2 filters together in Wireshark??

Currently I am using port 53 only:

udp port 53
I need to add port 80 as well.

How will I add 2 capture rules together??
0
 
vickzzCommented:
udp.port==53 and tcp.port==80
dns and http

Start > run > wireshark.exe
0
 
vickzzCommented:
You should use an OR condition in between.
0
 
fosiul01Author Commented:
udp.port==53 and tcp.port==80
dns and http

Start > run > wireshark.exe

None of them work.


0
 
vickzzCommented:
My apologies.

dns or http
0
 
fosiul01Author Commented:
Nope, that does not work either.

Let me check on Google.
0
 
fosiul01Author Commented:
It's:
port 53 or port 80

But is there any other way to find out what is happening..
0
 
sibisteanuCommented:
Go to the Windows DNS Server and under Properties activate Debug Logging, and after that analyse the log.
0
 
vickzzCommented:
What sniffer do you use, Wireshark, correct?
I am using Wireshark and I can start another instance of Wireshark from Start > Run > wireshark.

Also, I can filter 2 protocols: dns or http.
0
 
fosiul01Author Commented:
@sibisteanu

I have attached the full debug log from the Windows DNS.

Have a look,

and you will see the IPs are always from 192.168.1.7 or 192.168.1.67.



20100909 14:08:07 7CC PACKET  UDP Snd 82.146.55.35    0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.55.35, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0118
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:11 7CC PACKET  UDP Snd 82.146.33.103   0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.33.103, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0118
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 908 PACKET  UDP Rcv 192.168.1.7   2674   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
UDP question info at 0247F010
  Socket = 460
  Remote addr 192.168.1.7, port 28897
  Time Query=1453035, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0024 (36)
  Message:
    XID       0x2674
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 908 PACKET  UDP Snd 192.168.1.67  2120   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
UDP question info at 02462500
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0024 (36)
  Message:
    XID       0x2120
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 904 PACKET  UDP Rcv 192.168.1.67  2120 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)
UDP response info at 00A25A60
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453035, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0060 (96)
  Message:
    XID       0x2120
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   1
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
    Offset = 0x0024, RR count = 0
    Name      "[C00C](14)gamblingplanet(3)org(0)"
      TYPE   SOA  (6)
      CLASS  1
      TTL    180
      DLEN   48
      DATA   
		PrimaryServer: (4)ns10(11)dnsmadeeasy(3)com(0)
		Administrator: (3)dns[C035](11)dnsmadeeasy(3)com(0)
		SerialNo     = 2009010208
		Refresh      = 43200
		Retry        = 3600
		Expire       = 1209600
		MinimumTTL   = 180
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 904 PACKET  UDP Snd 192.168.1.7   2674 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)
UDP response info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 28897
  Time Query=1453035, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0060 (96)
  Message:
    XID       0x2674
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   1
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
    Offset = 0x0024, RR count = 0
    Name      "[C00C](14)gamblingplanet(3)org(0)"
      TYPE   SOA  (6)
      CLASS  1
      TTL    180
      DLEN   48
      DATA   
		PrimaryServer: (4)ns10(11)dnsmadeeasy(3)com(0)
		Administrator: (3)dns[C035](11)dnsmadeeasy(3)com(0)
		SerialNo     = 2009010208
		Refresh      = 43200
		Retry        = 3600
		Expire       = 1209600
		MinimumTTL   = 180
    ADDITIONAL SECTION:
      empty

20100909 14:08:15 7CC PACKET  UDP Snd 192.168.1.7   2673 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 28893
  Time Query=1453022, Queued=1453032, Expire=1453035
  Buf length = 0x0200 (512)
  Msg length = 0x0029 (41)
  Message:
    XID       0x2673
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:15 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A29FB0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453036, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:15 908 PACKET  UDP Snd 192.168.1.67  192d   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:16 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DE22B0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453036, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:17 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453037, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:19 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453039, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:21 7CC PACKET  UDP Snd 82.146.55.35    192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.55.35, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:23 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DE22B0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453043, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:25 7CC PACKET  UDP Snd 82.146.33.103   192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.33.103, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:27 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453048, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:27 908 PACKET  UDP Snd 192.168.1.67  0930   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 0247F010
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:28 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453048, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:29 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DE22B0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453049, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:29 7CC PACKET  UDP Snd 192.168.1.7   508a R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 00A29FB0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453036, Queued=1453046, Expire=1453049
  Buf length = 0x0200 (512)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 02462500
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453051, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.67  0118 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 01EB8540
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453052, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0118
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:33 7CC PACKET  UDP Snd 82.146.33.103   0930   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 0247F010
  Socket = 476
  Remote addr 82.146.33.103, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:35 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453055, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:37 7CC PACKET  UDP Snd 82.146.55.35    0930   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 0247F010
  Socket = 476
  Remote addr 82.146.55.35, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:41 7CC PACKET  UDP Snd 192.168.1.7   bb8a R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453048, Queued=1453058, Expire=1453061
  Buf length = 0x0200 (512)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:45 904 PACKET  UDP Rcv 192.168.1.67  192d R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 01DECCD0
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453066, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:45 908 PACKET  UDP Rcv 192.168.1.67  0930 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 02462500
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453066, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty


0
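A small parser for the Windows DNS debug log format posted above, added here as an example and not part of the thread. It assumes the LAN is 192.168.1.0/24 and the only forwarder is 192.168.1.67, as the author states, and works on a constructed, abbreviated sample in which each packet header line is followed only by its QTYPE line. It groups packets by queried name and separates queries the server forwarded from queries it sent directly to outside hosts, which is the pattern Snort flagged.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, abbreviated sample of a Windows DNS debug log, modelled on the
# entries posted in the thread: each packet header line is followed by only the
# QTYPE line of its detail block (the rest of the block is omitted here).
SAMPLE_LOG = """\
20100909 14:08:07 7CC PACKET  UDP Snd 82.146.55.35    0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   MX (15)
20100909 14:08:11 7CC PACKET  UDP Snd 82.146.33.103   0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   MX (15)
20100909 14:08:14 908 PACKET  UDP Rcv 192.168.1.7   2674   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
      QTYPE   MX (15)
20100909 14:08:14 908 PACKET  UDP Snd 192.168.1.67  2120   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
      QTYPE   MX (15)
20100909 14:08:14 904 PACKET  UDP Rcv 192.168.1.67  2120 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)
      QTYPE   MX (15)
20100909 14:08:15 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   A (1)
20100909 14:08:15 908 PACKET  UDP Snd 192.168.1.67  192d   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   A (1)
20100909 14:08:21 7CC PACKET  UDP Snd 82.146.55.35    192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   A (1)
20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.67  0118 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
      QTYPE   MX (15)
"""

# One packet header line: the bracket holds the raw flags, the flag letters
# (D = recursion desired, R = recursion available) and the RCODE.
HEADER = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<thread>\w+) PACKET\s+"
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<remote>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+"
    r"(?P<resp>R )?Q \[(?P<hexflags>[0-9a-fA-F]{4})\s+(?P<letters>[A-Z]*)\s+(?P<rcode>\w+)\] "
    r"(?P<name>\S+)$"
)
QTYPE = re.compile(r"^\s+QTYPE\s+(?P<qtype>\w+)")


@dataclass
class Packet:
    time: str
    direction: str        # "Snd" / "Rcv", from the DNS server's point of view
    remote: str           # the other end of the packet
    xid: str
    is_response: bool
    rd: bool              # recursion desired: "D" present in the flag letters
    rcode: str
    name: str
    qtype: str = "?"      # filled in from the QTYPE line of the detail block


def decode_name(wire: str) -> str:
    """'(19)freedownloadscenter(3)com(0)' -> 'freedownloadscenter.com'"""
    labels = [lab for _, lab in re.findall(r"\((\d+)\)([^()]*)", wire) if lab]
    return ".".join(labels).lower()


def parse_log(text: str) -> list:
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append(Packet(
                time=m["time"], direction=m["dir"], remote=m["remote"],
                xid=m["xid"].lower(), is_response=bool(m["resp"]),
                rd="D" in m["letters"], rcode=m["rcode"],
                name=decode_name(m["name"])))
            continue
        q = QTYPE.match(line)
        if q and packets:
            packets[-1].qtype = q["qtype"]   # belongs to the preceding header
    return packets


def summarize(packets, lan: str, forwarders: set) -> dict:
    """Per queried name: who asked, where the server forwarded it, which
    outside hosts it contacted directly, and the response codes seen."""
    net = ip_network(lan)
    out = defaultdict(lambda: {"asked_by": set(), "forwarded_to": set(),
                               "sent_direct": [], "rcodes": set()})
    for p in packets:
        s = out[p.name]
        if p.is_response:
            s["rcodes"].add(p.rcode)
        elif p.direction == "Rcv":
            s["asked_by"].add(p.remote)          # client that asked the server
        elif p.remote in forwarders:
            s["forwarded_to"].add(p.remote)
        elif ip_address(p.remote) not in net:
            # Query that left the site without going through the forwarder:
            # the server resolving the name itself (RD clear = iterative).
            s["sent_direct"].append((p.remote, p.qtype, p.rd))
    return dict(out)


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG), "192.168.1.0/24", {"192.168.1.67"})
    for name, s in summary.items():
        print(name, "asked by", sorted(s["asked_by"]), "direct:", s["sent_direct"])
```

On the sample, the only name with direct outside queries is freedownloadscenter.com, asked for by 192.168.1.7 itself (the host that also runs Exchange), with recursion not requested on the outbound packets.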
 
vickzzCommented:
Do you have an app which downloads any free software from the internet?
0
 
fosiul01Author Commented:
There should not be, but if any user installed those, I should be able to see where those requests are coming from, shouldn't I??
 

It's hard to believe that the server has been compromised.
I don't install anything on the server, nor do I browse on it..

The funny thing is that freedownload.com is a recursive domain...

0
 
fosiul01Author Commented:
Hmmmmmm, I know why.


This SBS 2003 server is working as an Exchange server,

and in my mail queue there are 2 items sitting in the Queue directory

from freedownloadcentere.com:

Envelope Recipients:
SMTP:MelodylodgeMcclendon@freedownloadscenter.com;

and
Envelope Recipients:
SMTP:MattabidjanVaughn@gamblingplanet.org;



The sender is: postmaster@ourdomain.com

and hence this server is trying to look up the MX record for freedownloadcentre.com.


How did this end up in my Queue directory, sent as postmaster@ourdomain.com??

Any idea??

0
 
sibisteanuCommented:
Delete this mail from the queue, and look whether you see the IPs again in the DNS log.

"If I read the log you posted correctly, these 2 Russian IPs only send DNS packets to your server – Snd prefix, not Rcv – “Snd 82.146.55.35”.
I do not see packets sent to these IPs."
0
 
fosiul01Author Commented:
"Delete this mail from the queue, and look whether you see the IPs again in the DNS log.": I have already deleted it from the mail queue, and I believe I will not see those IPs again.


"If I read the log you posted correctly, these 2 Russian IPs only send DNS packets to your server – Snd prefix, not Rcv – “Snd 82.146.55.35”.":

Will you be able to explain a little bit about this comment of yours:
"2 Russian IPs only send DNS packets to your server – Snd prefix, not Rcv – “Snd 82.146.55.35”."

Which log are you referring to in support of your comment? Just copy and paste the first line of that log..


My understanding is: my server was sending UDP packets to 82.146.55.35, right????

My server should not get any reply from them, as my firewall IPS is blocking those IPs.

0
 
sibisteanuCommented:
Delete the mail from the queue and watch the DNS log after that.
You have the DNS port open on the server for Exchange Server to function, and I am sure that these DNS packets are generated by the Exchange server.
0
 
fosiul01Author Commented:
It's the spam.

Anyway, thanks to both of you for your support.

I will create another question about the postmaster.
0