Hello,
I have been dealing with this issue for several days now ever since Microsoft removed XP support from their list of supported products. I have not found anyone else with this issue yet and I am not sure which way I should go here.
First of all, the details of my setup. I have a firewall which is protecting my domain network. This is a closed network with no servers on the other side of the firewall and no DMZ.
It all started last week when I began to see an alert for DNS queries in the firewall logs.
I started analyzing packets and I found it was coming from the inside of my firewall so I enabled logging on my internal DNS servers. I found that the DNS queries were originating from many of my internal workstations. And they were querying our internal DNS server for the location of the following domain: "(6)update(9)microsoft(3)com(0)." Of course our internal DNS server was forwarding this information on to our ISP's DNS server.
I then proceeded to get a hex dump of both outgoing queries and the incoming responses.
The outgoing query had this as a hex dump:
"*.......update.microsoft.*
*com.nsatc.net......!....*"
The incoming responses from the ISP's DNS server were slightly different:
"*.......update.microsoft.*
*com.nsatc.net......!....*
*...o...admin.!.fixme.exa*
*mple.com.SE....*0.....6.*"
Does anyone have any idea what the "fixme" means inside of the hex dump? It looks to be the cause of the alerts as the "example.com" inside of the packet registers as an attack signature. Something is obviously wrong, but I am not sure where to start looking. Should I contact my ISP or do I need to do something to the configuration of automatic updates for the workstations? All searches on the internet for anything even remotely resembling this have turned up empty.
I would really appreciate any help I can get here since it is about to drive me insane.
Thanks
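The dump in the post shows a DNS name in wire format (length-prefixed labels such as (6)update(9)microsoft(3)com(0)) followed by fields that have the shape of an SOA record: two names and five 32-bit counters. A DNS server returns the zone's SOA in the authority section of a negative (NXDOMAIN or NODATA) reply, and the second name in an SOA, the RNAME, is the zone administrator's mailbox encoded as a domain name, so a name like admin.fixme.example.com can appear in a reply without any traffic going to that host. Whether that is what the poster's ISP resolver is doing cannot be confirmed from the dump alone; the parser below is an added example, not code from the original thread, and the packet it decodes is constructed here (the ns1.nsatc.net primary server name, the serial and timer values are made up) to mirror the shape of the dump. Running it against a real capture with a hex-to-bytes conversion would show which section and field the "fixme" name sits in.

```python
"""Minimal DNS wire-format parser (added example, not from the original post).

Decodes header, question and resource records, follows label compression
pointers (RFC 1035 section 4.1.4), and unpacks SOA RDATA so that a name seen
in a hex dump can be attributed to the field it belongs to.
"""
import struct

TYPE_NAMES = {1: "A", 5: "CNAME", 6: "SOA", 28: "AAAA"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels, e.g. (6)update(9)microsoft(3)com(0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers.

    Returns (dotted name, offset just past the name as it appears at the
    original position), so callers can keep walking the record.
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name ends here in the original position
            hops += 1
            if hops > 64:  # guard against a malformed pointer loop
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_rdata(msg: bytes, off: int, rtype: int, rdlen: int):
    """Interpret RDATA for the record types this example cares about."""
    if rtype == 1 and rdlen == 4:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype == 5:
        return decode_name(msg, off)[0]
    if rtype == 6:
        mname, p = decode_name(msg, off)   # primary name server
        rname, p = decode_name(msg, p)     # admin mailbox, encoded as a name
        serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[p:p + 20])
        return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
                "retry": retry, "expire": expire, "minimum": minimum}
    return msg[off:off + rdlen].hex()


def parse_message(msg: bytes) -> dict:
    """Parse a full DNS message into a dict of header fields and sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl,
                            "rdata": parse_rdata(msg, off, rtype, rdlen)})
            off += rdlen
        sections[section] = records
    return {"id": ident, "rcode": flags & 0xF, "questions": questions, **sections}


def rname_to_mailbox(rname: str) -> str:
    """Turn an SOA RNAME (first label = mailbox local part) into user@domain form."""
    first, rest = rname.rstrip(".").split(".", 1)
    return f"{first}@{rest}"


def build_sample_response() -> bytes:
    """Constructed NODATA reply (not a real capture): no answers, SOA in authority."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0)  # QR=1 RD=1 RA=1 rcode=0
    question = encode_name("update.microsoft.com.nsatc.net") + struct.pack("!HH", 1, 1)
    owner = struct.pack("!H", 0xC000 | 33)                     # pointer to "nsatc.net" in the question
    mname = b"\x03ns1" + struct.pack("!H", 0xC000 | 33)        # "ns1" + pointer, assumed server name
    rname = encode_name("admin.fixme.example.com")             # mailbox name as seen in the post's dump
    soa_fields = struct.pack("!IIIII", 2014050101, 3600, 600, 86400, 300)  # made-up counters
    rdata = mname + rname + soa_fields
    authority = owner + struct.pack("!HHIH", 6, 1, 300, len(rdata)) + rdata
    return header + question + authority


if __name__ == "__main__":
    parsed = parse_message(build_sample_response())
    print(parsed["questions"], "rcode", parsed["rcode"], "answers", len(parsed["answer"]))
    for rr in parsed["authority"]:
        print(rr["name"], rr["type"], rr["rdata"])
        if rr["type"] == "SOA":
            print("zone contact:", rname_to_mailbox(rr["rdata"]["rname"]))
```

The parser keeps the "end" offset of a compressed name separate from the pointer target, which is the detail most hand-written DNS decoders get wrong; with it, the SOA owner and MNAME both resolve through the pointer into the question name while the record walk continues at the right place.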