[61893] in North American Network Operators' Group


Re: dns.exe virus?

daemon@ATHENA.MIT.EDU (bmanning@karoshi.com)
Mon Sep 8 17:37:29 2003

From: bmanning@karoshi.com
To: clewis@nortelnetworks.com (Chris Lewis)
Date: Mon, 8 Sep 2003 14:36:47 -0700 (PDT)
Cc: nanog@merit.edu
In-Reply-To: <3F5CF4F4.4030108@americasm01.nt.com> from "Chris Lewis" at Sep 08, 2003 05:30:28 PM
Errors-To: owner-nanog-outgoing@merit.edu


> Christopher J. Wolff wrote:
> 
> > Chris,
> > 
> > It was really odd.  Here is an example of what the two hosts .3 and .4
> > were up to.
> 
> For grins, I ran that through our blacklist tool to see what it coughed up.
> 
> Nothing was on our blacklists.
> 
> Had rDNS's like *.google.com, *.akamai.com, sprintbbsd, 
> ns2.granitecanyon.com, DNS root servers and a few non-resolving IPs.
> 
> DNS resolution loop perchance?

	From here, they all show up in the logs attempting
	dynamic updates of the in-addr.arpa domain. :)
	Time to suck pkts...  although I 'spect they are
	trying to perform stupid DNS tricks like:

	floss.local.in-addr.arpa.  A  10.10.10.10

--bill
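
Added example, not part of the original message: one way to flag the traffic described above, DNS dynamic update requests (RFC 2136, opcode 5) whose zone falls under in-addr.arpa, directly from raw DNS payloads. The function names and the sample messages are assumptions constructed for illustration.

```python
import struct

OPCODE_UPDATE = 5  # RFC 2136 dynamic update

def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(opcode, name, rtype, msg_id=0x1234):
    """Build a constructed sample request: one entry in the question/zone section."""
    header = struct.pack("!HHHHHH", msg_id, (opcode & 0xF) << 11, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", rtype, 1)  # class IN

def read_name(msg, off):
    """Read an uncompressed name starting at off; raise ValueError if malformed."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + "."
        if n & 0xC0:
            raise ValueError("compression pointer in first name")
        if off + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + n].decode("ascii", "replace").lower())
        off += n

def reverse_zone_update(msg):
    """Return the zone name if msg is an UPDATE request for a zone at or
    under in-addr.arpa, otherwise None."""
    if len(msg) < 12:
        return None
    _id, flags, zocount = struct.unpack("!HHH", msg[:6])
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    if is_response or opcode != OPCODE_UPDATE or zocount != 1:
        return None
    try:
        zone = read_name(msg, 12)  # zone section follows the 12-byte header
    except ValueError:
        return None
    if zone == "in-addr.arpa." or zone.endswith(".in-addr.arpa."):
        return zone
    return None
```
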
