Solved

Why Windows Server sent dns query to Russian Network

Posted on 2010-09-09
Last Modified: 2013-11-29
Hi
I have a pfSense firewall with Snort installed, and I see this kind of log:

#   Pri  Proto  Signature                                           Class        Source              ->  Destination        SID            Time
7   2    UDP    ET RBN Known Russian Business Network IP UDP (238)  Misc Attack  192.168.1.67:34358  ->  82.146.55.35:53    1:2406475:193  09/09-12:19:02
8   2    UDP    ET RBN Known Russian Business Network IP UDP (237)  Misc Attack  192.168.1.7:1068    ->  82.146.33.103:53   1:2406473:193  09/09-12:18:52
9   2    UDP    ET RBN Known Russian Business Network IP UDP (238)  Misc Attack  192.168.1.7:1068    ->  82.146.55.35:53    1:2406475:193  09/09-12:18:48
10  2    UDP    ET RBN Known Russian Business Network IP UDP (237)  Misc Attack  192.168.1.67:49339  ->  82.146.33.103:53   1:2406473:193  09/09-12:18:42


Let me give an idea of how my DNS server is set up:

All client computers -> SBS 2003 -> Linux DNS

So SBS 2003 (192.168.1.7) gets all DNS queries from the client computers, then forwards them all to the Linux DNS server (192.168.1.67).

Hence you see 2 logs for each DNS query.

Anyway: looking at the log, it looks like SBS itself is sending those DNS queries to those IPs.

So I installed Wireshark and looked at the UDP packets.
Yes, the server itself is sending those DNS queries.

Now I am surprised: why?

Initially I thought the server could be infected. But then I looked at my different network, same setup, where I had installed a brand new SBS 2008, and I saw the Snort log: it has the same kind of log (which made me think that my server is not infected).
So it looks to me like Windows Server has itself sent some random queries to those IPs...

It seems funny to me, but that's my understanding.

Now can anyone please give me some idea what it could be?
Or how can I get more information on this?

Question by:fosiul01
30 Comments
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33635675
On the Windows DNS, set Forwarders only to your Linux DNS address, and set Interfaces only to the interface connected to the computers' LAN.
 
LVL 29

Author Comment

by:fosiul01
ID: 33635708
On Windows DNS select Forwarders only to your Linux DNS address: which is our current DNS setup.

Set Interfaces only to the interface connected to the computers' LAN: what do you mean by this? Where will I do this?
 
LVL 29

Author Comment

by:fosiul01
ID: 33635731
Ohh, set Interfaces only to the interface connected to the computers' LAN: you mean the Listen on options in the DNS configuration?

It's already selected: Only the following IP address: 192.168.1.7
 
LVL 4

Expert Comment

by:vickzz
ID: 33635738
Maybe some client machine which is pointing to the SBS server for DNS is running some app or shareware (torrents); that can cause this as well.
 
LVL 29

Author Comment

by:fosiul01
ID: 33635792
Maybe some client machine which is pointing to the SBS server for DNS is running some app or shareware (torrents); that can cause this as well. :

Yes, it could be, but then Wireshark would have shown where that DNS query is coming from.

But looking at the log, the server itself is sending those queries.

Have a look at the picture.

snort.GIF
 
LVL 2

Expert Comment

by:ngmarowa
ID: 33635832
Are your root hints disabled on the Windows DNS?
Also, how is your internet set up (proxy server or direct connections)?

I did a reverse lookup of the IP and it's freedownloadcenter.com. Not sure if one of your clients is trying to access this site.
 
LVL 4

Expert Comment

by:vickzz
ID: 33635840
So every time you see requests to this IP only?

193.132.234.7
 
LVL 4

Expert Comment

by:vickzz
ID: 33635857
I am seeing that your machines or someone is trying to download something from freedownloadcenter.com, and generally these sites have their mirrored servers in Russia; that could be the reason for this.
 
LVL 29

Author Comment

by:fosiul01
ID: 33635880
Hi, I have requested to delete the attached picture as it has one of our IPs.

Anyway,

192.168.1.7 is our DNS server for every client, and 192.168.1.67 is the forwarder set on the Windows DNS server (192.168.1.7).

And yes, every time it is going out from 192.168.1.7 (src) to 82.146.33.103 (dest),
but it has to go via 192.162.1.67 as it is the forwarder.

And you can see from the picture, it is going to freedownload.com...!!!

But I don't understand why.
 
LVL 4

Expert Comment

by:vickzz
ID: 33635917
Try running a Wireshark trace to capture HTTP traffic and see if there is any request going to these IPs.
 
LVL 29

Author Comment

by:fosiul01
ID: 33636004
Suppose I do a query from my computer; it will show in Wireshark like this:

192.168.1.84 -> 192.168.1.7
192.168.1.7 -> 192.168.1.67

192.168.1.67 will resolve the query,
then

192.168.1.67 -> 192.168.1.7
192.168.1.7 -> 192.168.1.84

So there would be 4 steps to complete a DNS query.

But if I look at the Wireshark log, I can see only 2 steps:

192.168.1.7 -> 82.146.55.35
192.168.1.67 -> 192.168.1.7

So it can't be from an internal PC...

I don't know... it's making me mad now.
 
LVL 29

Author Comment

by:fosiul01
ID: 33636018
Do you know how to add 2 filters together in Wireshark?

Currently I am using port 53 only:

udp port 53

I need to add port 80 as well.

How will I add 2 capture rules together?
 
LVL 4

Expert Comment

by:vickzz
ID: 33636034
udp.port==53 and tcp.port==80
dns and http

Start > run > wireshark.exe
 
LVL 4

Expert Comment

by:vickzz
ID: 33636037
You should use an OR condition in between.
 
LVL 29

Author Comment

by:fosiul01
ID: 33636089
udp.port==53 and tcp.port==80
dns and http

Start > run > wireshark.exe

None of them work.
 
LVL 4

Expert Comment

by:vickzz
ID: 33636136
My apologies.

dns or http
 
LVL 29

Author Comment

by:fosiul01
ID: 33636161
Nope, that does not work either.

Let me look on Google.
 
LVL 29

Author Comment

by:fosiul01
ID: 33636219
It's:
port 53 or port 80

But is there any other way to find out what is happening?
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33636225
Go to the Windows DNS Server and under Properties activate Debug Logging, and after that analyse the log.
 
LVL 4

Expert Comment

by:vickzz
ID: 33636346
What sniffer do you use, Wireshark, correct?
I am using Wireshark and I can start another instance of Wireshark from Start > Run > wireshark.

Also, I can filter 2 protocols: dns or http.
 
LVL 29

Author Comment

by:fosiul01
ID: 33636735
@sibisteanu

I have attached the full debug log from Windows DNS.

Have a look.

You will see it is always IPs from 192.167.1.7 or 192.168.1.67.



20100909 14:08:07 7CC PACKET  UDP Snd 82.146.55.35    0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.55.35, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0118
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:11 7CC PACKET  UDP Snd 82.146.33.103   0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.33.103, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0118
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 908 PACKET  UDP Rcv 192.168.1.7   2674   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
UDP question info at 0247F010
  Socket = 460
  Remote addr 192.168.1.7, port 28897
  Time Query=1453035, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0024 (36)
  Message:
    XID       0x2674
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 908 PACKET  UDP Snd 192.168.1.67  2120   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
UDP question info at 02462500
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0024 (36)
  Message:
    XID       0x2120
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 904 PACKET  UDP Rcv 192.168.1.67  2120 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)
UDP response info at 00A25A60
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453035, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0060 (96)
  Message:
    XID       0x2120
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   1
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
    Offset = 0x0024, RR count = 0
    Name      "[C00C](14)gamblingplanet(3)org(0)"
      TYPE   SOA  (6)
      CLASS  1
      TTL    180
      DLEN   48
      DATA   
		PrimaryServer: (4)ns10(11)dnsmadeeasy(3)com(0)
		Administrator: (3)dns[C035](11)dnsmadeeasy(3)com(0)
		SerialNo     = 2009010208
		Refresh      = 43200
		Retry        = 3600
		Expire       = 1209600
		MinimumTTL   = 180
    ADDITIONAL SECTION:
      empty

20100909 14:08:14 904 PACKET  UDP Snd 192.168.1.7   2674 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)
UDP response info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 28897
  Time Query=1453035, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0060 (96)
  Message:
    XID       0x2674
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   1
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(14)gamblingplanet(3)org(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
    Offset = 0x0024, RR count = 0
    Name      "[C00C](14)gamblingplanet(3)org(0)"
      TYPE   SOA  (6)
      CLASS  1
      TTL    180
      DLEN   48
      DATA   
		PrimaryServer: (4)ns10(11)dnsmadeeasy(3)com(0)
		Administrator: (3)dns[C035](11)dnsmadeeasy(3)com(0)
		SerialNo     = 2009010208
		Refresh      = 43200
		Retry        = 3600
		Expire       = 1209600
		MinimumTTL   = 180
    ADDITIONAL SECTION:
      empty

20100909 14:08:15 7CC PACKET  UDP Snd 192.168.1.7   2673 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 28893
  Time Query=1453022, Queued=1453032, Expire=1453035
  Buf length = 0x0200 (512)
  Msg length = 0x0029 (41)
  Message:
    XID       0x2673
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:15 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A29FB0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453036, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:15 908 PACKET  UDP Snd 192.168.1.67  192d   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:16 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DE22B0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453036, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:17 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453037, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:19 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453039, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:21 7CC PACKET  UDP Snd 82.146.55.35    192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.55.35, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:23 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DE22B0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453043, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:25 7CC PACKET  UDP Snd 82.146.33.103   192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DF31A0
  Socket = 476
  Remote addr 82.146.33.103, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:27 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453048, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:27 908 PACKET  UDP Snd 192.168.1.67  0930   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 0247F010
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:28 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453048, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:29 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 01DE22B0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453049, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:29 7CC PACKET  UDP Snd 192.168.1.7   508a R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 00A29FB0
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453036, Queued=1453046, Expire=1453049
  Buf length = 0x0200 (512)
  Msg length = 0x0029 (41)
  Message:
    XID       0x508a
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 02462500
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453051, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.67  0118 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 01EB8540
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453052, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0118
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   MX (15)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:33 7CC PACKET  UDP Snd 82.146.33.103   0930   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 0247F010
  Socket = 476
  Remote addr 82.146.33.103, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:35 908 PACKET  UDP Rcv 192.168.1.7   bb8a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 00A25A60
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453055, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:37 7CC PACKET  UDP Snd 82.146.55.35    0930   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
UDP question info at 0247F010
  Socket = 476
  Remote addr 82.146.55.35, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x0000
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:41 7CC PACKET  UDP Snd 192.168.1.7   bb8a R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 020AB110
  Socket = 460
  Remote addr 192.168.1.7, port 15863
  Time Query=1453048, Queued=1453058, Expire=1453061
  Buf length = 0x0200 (512)
  Msg length = 0x0029 (41)
  Message:
    XID       0xbb8a
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:45 904 PACKET  UDP Rcv 192.168.1.67  192d R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 01DECCD0
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453066, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x192d
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

20100909 14:08:45 908 PACKET  UDP Rcv 192.168.1.67  0930 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
UDP response info at 02462500
  Socket = 476
  Remote addr 192.168.1.67, port 53
  Time Query=1453066, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
  Message:
    XID       0x0930
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(19)freedownloadscenter(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

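An added triage script for the Windows DNS debug log posted above (my example, not code from the thread, Microsoft or pfSense). It parses each PACKET record, recovers who asked for each name and which record types were requested, and flags outbound questions sent with RD clear to addresses that are neither the forwarder nor on the LAN, which is the server resolving on its own rather than through its forwarder; on the thread's records that surfaces the MX and A lookups for freedownloadscenter.com going to 82.146.55.35 and 82.146.33.103, asked by 192.168.1.7 itself, while the forwarder answered SERVFAIL. The forwarder address 192.168.1.67 and the 192.168. LAN prefix are assumptions taken from the poster's description; the sample log is a trimmed excerpt of the records on this page.

```python
"""Added example (not from the thread): triage Windows DNS Server debug-log PACKET records."""
import re
from collections import defaultdict

FORWARDERS = {"192.168.1.67"}      # assumed from the thread: the Linux DNS the SBS box forwards to
INTERNAL_PREFIXES = ("192.168.",)  # assumed from the thread: the LAN range

# Record header, e.g.
# 20100909 14:08:07 7CC PACKET  UDP Snd 82.146.55.35    0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
# Letters before the RCODE: A(uthoritative) T(runcated) D(RD set) R(RA set); "R Q" = response.
PACKET_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d\d:\d\d:\d\d) \S+ PACKET\s+(?P<proto>UDP|TCP) "
    r"(?P<dir>Snd|Rcv) (?P<addr>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R)?\s*Q "
    r"\[(?P<hexflags>[0-9a-fA-F]{4})\s+(?P<flags>[ATDR]*)\s+(?P<rcode>\w+)\] "
    r"(?P<name>\S+)$"
)
QTYPE_RE = re.compile(r"QTYPE\s+(?P<qtype>\w+)")  # detail line: "QTYPE   MX (15)"
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")         # "(19)freedownloadscenter(3)com(0)"


def label_to_name(label):
    """Turn the length-prefixed label form into a normal dotted name."""
    return ".".join(part for _, part in LABEL_RE.findall(label) if part)


def parse_records(text):
    """Return one dict per PACKET record; the QTYPE detail line fills 'qtype'."""
    records, current = [], None
    for line in text.splitlines():
        m = PACKET_RE.match(line.rstrip())
        if m:
            current = m.groupdict()
            current["name"] = label_to_name(current["name"])
            current["is_response"] = current.pop("resp") == "R"
            current["rd"] = "D" in current["flags"]
            current["qtype"] = None
            records.append(current)
        elif current is not None:
            q = QTYPE_RE.search(line)
            if q:
                current["qtype"] = q.group("qtype")
    return records


def triage(text, forwarders=FORWARDERS, internal_prefixes=INTERNAL_PREFIXES):
    """Per queried name: who asked, which types, where the server sent it.
    A Snd question with RD clear to an address that is neither a forwarder nor on
    the LAN is the server resolving iteratively on its own, bypassing the forwarder."""
    names = defaultdict(lambda: {"askers": set(), "qtypes": set(), "forwarded_to": set(),
                                 "forwarder_rcodes": set(), "direct_external": set()})
    for r in parse_records(text):
        info = names[r["name"]]
        if r["is_response"]:
            if r["dir"] == "Rcv" and r["addr"] in forwarders:
                info["forwarder_rcodes"].add(r["rcode"])
            continue
        if r["qtype"]:
            info["qtypes"].add(r["qtype"])
        if r["dir"] == "Rcv":
            info["askers"].add(r["addr"])
        elif r["addr"] in forwarders:
            info["forwarded_to"].add(r["addr"])
        elif not r["addr"].startswith(internal_prefixes) and not r["rd"]:
            info["direct_external"].add(r["addr"])
    return dict(names)


def findings(summary):
    """One line per name whose lookups bypassed the forwarder."""
    out = []
    for name, info in sorted(summary.items()):
        if info["direct_external"]:
            out.append(f"{name}: RD=0 queries sent directly to {sorted(info['direct_external'])}; "
                       f"asked by {sorted(info['askers'])}; types {sorted(info['qtypes'])}; "
                       f"forwarder answered {sorted(info['forwarder_rcodes']) or 'nothing'}")
    return out


# Constructed sample: header lines copied from the thread's debug log, each followed by
# only its QTYPE detail line (the other detail lines are not needed here).
SAMPLE_LOG = """\
20100909 14:08:07 7CC PACKET  UDP Snd 82.146.55.35    0118   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   MX (15)
20100909 14:08:14 908 PACKET  UDP Rcv 192.168.1.7   2674   Q [0001   D   NOERROR] (14)gamblingplanet(3)org(0)
      QTYPE   MX (15)
20100909 14:08:14 904 PACKET  UDP Rcv 192.168.1.67  2120 R Q [8081   DR  NOERROR] (14)gamblingplanet(3)org(0)
      QTYPE   MX (15)
20100909 14:08:15 908 PACKET  UDP Rcv 192.168.1.7   508a   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   A (1)
20100909 14:08:15 908 PACKET  UDP Snd 192.168.1.67  192d   Q [0001   D   NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   A (1)
20100909 14:08:21 7CC PACKET  UDP Snd 82.146.55.35    192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   A (1)
20100909 14:08:25 7CC PACKET  UDP Snd 82.146.33.103   192d   Q [0000       NOERROR] (19)freedownloadscenter(3)com(0)
      QTYPE   A (1)
20100909 14:08:31 908 PACKET  UDP Rcv 192.168.1.67  0118 R Q [8281   DR SERVFAIL] (19)freedownloadscenter(3)com(0)
      QTYPE   MX (15)
"""
```

`findings(triage(SAMPLE_LOG))` returns a single line for freedownloadscenter.com; gamblingplanet.org is not reported because its MX lookup was answered by the forwarder.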
 
LVL 4

Expert Comment

by:vickzz
ID: 33636874
Do you have an app which downloads any free S/W from the internet?
 
LVL 29

Author Comment

by:fosiul01
ID: 33636950
There should not be, but if any user installed those, I should be able to see where those requests are coming from, shouldn't I?

It's hard to believe that the server has been compromised.
I don't install anything on the server, nor do I browse.

The funny thing is that freedownload.com is a recursive domain...
 
LVL 29

Author Comment

by:fosiul01
ID: 33637038
Hmmmmm, I know why.

This SBS 2003 server is working as an Exchange server,

and in my mail queue there are 2 sitting in the Queue directory

from freedownloadcentere.com:

Envelope Recipients:
SMTP:MelodylodgeMcclendon@freedownloadscenter.com;

and
Envelope Recipients:
SMTP:MattabidjanVaughn@gamblingplanet.org;

The sender is: postmaster@ourdomain.com

and hence this server is trying to look up the MX record for freedownloadcentre.com.

How did this end up in my Queue directory, sending as postmaster@ourdomain.com?

Any idea??
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33637181
Delete this mail from the queue and look whether you see the IPs again in the DNS log.

"If I read correctly the log you posted, these 2 Russian IPs only send DNS packets to your server – Snd prefix not Rcv – “Snd 82.146.55.35 ”.
I do not see packets sent to these IPs."
 
LVL 29

Author Comment

by:fosiul01
ID: 33637259
Delete this mail from the queue and look whether you see the IPs again in the DNS log. :: I have already deleted it from the mail queue, and I believe I will not see those IPs again.

If I read correctly the log you posted, these 2 Russian IPs only send DNS packets to your server – Snd prefix not Rcv – “Snd 82.146.55.35 ”. ::

Will you be able to explain a little bit about this comment of yours:
2 Russian IPs only send DNS packets to your server – Snd prefix not Rcv – “Snd 82.146.55.35 ”.

Which log are you referring to to support your comment? Just copy and paste the first line of that log.

From my understanding: my server was sending UDP packets to 82.146.55.35, right????

My server should not get any reply from them as my firewall IPS is blocking those IPs.
 
LVL 2

Assisted Solution

by:sibisteanu
sibisteanu earned 250 total points
ID: 33637468
Delete the mail from the queue and watch the DNS log after that.
You have the DNS port open on the server for Exchange Server to function, and I'm sure that these DNS packets are generated by the Exchange server.
 
LVL 4

Accepted Solution

by:vickzz
vickzz earned 250 total points
ID: 33637525
Yes, even spam could be a cause of this log.
 
LVL 29

Author Comment

by:fosiul01
ID: 33637793
It's the spam.

Anyway, thanks for both of your support.

I will create another question about postmaster.
