Curious DNS traffic

Posted by Dougga on October 17, 2007, 3:18 pm
I'm seeing strange DNS traffic from one of my windows hosts.
Specifically I have a WinXP client on a Windows domain that is
attempting to communicate to external hosts on port 53.

Here's a single line from my firewall log:
2:08:56         Default DROP         TCP 10.1.10.5:2818 → 193.0.14.129 : 53 [SYN]
len=52 ttl=127         tos=0x00         srcmac=00:09:5b:89:d2:0a
dstmac=00:13:46:e6:13:5e

The target host is a root server in the Netherlands so it appears
that this client is acting as a DNS Server and ignoring the local
server that it understands to be its own server. Using traditional
command line tools, it queries the local DNS server while continuing
to attempt communications externally to the root DNS servers.

Does anyone have hints as to why this would be?
I've tried the usual suspects of network protocol settings (DHCP-
defined servers and explicit definitions of DNS servers).

Thanks


Posted by Will on October 17, 2007, 8:37 pm
Do you see any unusual volumes of outgoing SMTP traffic, or possibly SMTP
originating from inappropriate hosts? If this is a hack, one reason to do
the DNS lookups on a controlled machine might be to guarantee the ability to
do MX record lookups at higher speeds for sending spam from the machine.

If the target host is controlled by the same group, then all bets are off
and you would need to look at the actual traffic. They could run telnet on
port 53 and just be trying to bypass the firewall ruleset over well known
ports.

Anyway, sounds like you have some fun debugging ahead. :)

--
Will
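
An added example, not from either poster, of the check both posts point at: parse firewall log lines in the format quoted above and flag any internal host sending port-53 traffic to something other than the domain's own DNS server. The internal range and the resolver address 10.1.10.2 are assumptions; the sample log lines are constructed (the first mirrors the one in the question).

```python
import re
from ipaddress import ip_address, ip_network

# Matches the log format quoted in the thread:
# time, rule, action, protocol, src:port, an arrow token, dst : port, then whatever follows.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<rule>\S+)\s+(?P<action>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+\S+\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s*:\s*(?P<dport>\d+)"
)

# Assumptions for the example: the client LAN and the domain's DNS server (hypothetical address).
INTERNAL_NET = ip_network("10.1.10.0/24")
APPROVED_RESOLVERS = {ip_address("10.1.10.2")}


def parse_line(line):
    """Parse one firewall log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"time": d["time"], "action": d["action"], "proto": d["proto"],
            "src": ip_address(d["src"]), "sport": int(d["sport"]),
            "dst": ip_address(d["dst"]), "dport": int(d["dport"])}


def rogue_dns_events(lines):
    """Return records where an internal host talks to port 53 on anything but the approved resolvers."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue
        if rec["src"] in INTERNAL_NET and rec["dst"] not in APPROVED_RESOLVERS:
            hits.append(rec)
    return hits


# Constructed sample: the thread's line, a normal query to the local resolver, and unrelated web traffic.
SAMPLE_LOG = [
    "2:08:56 Default DROP TCP 10.1.10.5:2818 -> 193.0.14.129 : 53 [SYN] len=52 ttl=127 tos=0x00",
    "2:09:01 Default ALLOW UDP 10.1.10.5:1034 -> 10.1.10.2 : 53 len=73 ttl=127 tos=0x00",
    "2:09:03 Default ALLOW TCP 10.1.10.5:2819 -> 193.0.14.129 : 80 [SYN] len=52 ttl=127 tos=0x00",
]

if __name__ == "__main__":
    for rec in rogue_dns_events(SAMPLE_LOG):
        print(f"{rec['time']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"{rec['proto']} ({rec['action']})")
```

Run against the full log and count hits per source host: a client that repeatedly hits root servers, as described above, stands out from one that only ever talks to the local resolver.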

