[80791] in North American Network Operators' Group
Re: Malicious DNS request?
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Thu May 12 05:41:28 2005
Date: Thu, 12 May 2005 15:09:00 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
Reply-To: Suresh Ramasubramanian <ops.lists@gmail.com>
To: Joe Shen <joe_hznm@yahoo.com.sg>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <20050512081135.52153.qmail@web53609.mail.yahoo.com>
Errors-To: owner-nanog@merit.edu
On 5/12/05, Joe Shen <joe_hznm@yahoo.com.sg> wrote:
> By tcpdump, it's found a remote computer keeps asking
> for the address of records like
> 999d38e693b9e6293b450.0existence.com,
> 60d38e693b9e6293b450.0be6c1xfa.net.
>
> is that a virus affected computer?
Sure looks like some kind of mass-mailer trojan, or an affiliate-program
based spam-sending software like Atriks.
These two domains you quoted have rather interesting whois records,
particularly 0existence.com ..
Domain Name.......... 0existence.com
Creation Date........ 2004-10-23
Registration Date.... 2004-10-23
Expiry Date.......... 2009-10-23
Organisation Name.... William Peter
Organisation Address. 52 THIRD AVENUE
Organisation Address.
Organisation Address. Woonsocket
Organisation Address. 02895
Organisation Address. RI
Organisation Address. UNITED STATES
Admin Name........... William Peter
Admin Address........ 52 THIRD AVENUE
Admin Address........
Admin Address........ Woonsocket
Admin Address........ 02895
Admin Address........ RI
Admin Address........ UNITED STATES
Admin Email.......... doi.looklikeafucktardtoyou@0existence.com
Admin Phone.......... +1.4067672231
Admin Fax............
Tech Name............ Existence Corporation
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... doi.looklikeafucktardtoyou@0existence.com
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
-- 
Suresh Ramasubramanian (ops.lists@gmail.com)
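The queries Joe quoted share one shape: a long all-hex leftmost label under a throwaway domain, which is what per-message or per-recipient identifiers look like when spam software phones home over DNS. The following is an added example, not code from either poster, that parses tcpdump's DNS query output and flags hosts issuing such queries. The sample lines are constructed in tcpdump's `A? name. (len)` format (only the two hostnames from the post are real), and the "16 or more hex characters" threshold and the `min_hits` cut-off are assumptions chosen for illustration, not a rule from the thread.

```python
import re

# Constructed sample of tcpdump DNS output (not captured from the original poster's
# network); the first two query names are the ones quoted in the thread.
SAMPLE_TCPDUMP = """\
12:01:03.114522 IP 10.0.0.17.3412 > 10.0.0.1.53: 21843+ A? 999d38e693b9e6293b450.0existence.com. (39)
12:01:03.118901 IP 10.0.0.17.3413 > 10.0.0.1.53: 21844+ A? 60d38e693b9e6293b450.0be6c1xfa.net. (38)
12:01:04.002340 IP 10.0.0.22.51201 > 10.0.0.1.53: 9000+ A? www.example.com. (33)
12:01:04.500000 IP 10.0.0.17.3414 > 10.0.0.1.53: 21845+ MX? yahoo.com.sg. (30)
12:01:05.000001 IP 10.0.0.17.3415 > 10.0.0.1.53: 21846+ A? 7fa1c2d3e4b5a6978899.0existence.com. (39)
"""

# One tcpdump query line: "<ts> IP <src>.<port> > <dst>.53: <id>+ <QTYPE>? <qname>. (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)

# Assumed heuristic: a leftmost label of 16+ hex characters is an encoded identifier,
# not a name a person would type.
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,}$")


def parse_queries(text):
    """Yield (timestamp, src_ip, qtype, qname) for every DNS query line tcpdump printed."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("qtype"), m.group("qname")


def looks_like_tracking_label(qname):
    """True when the leftmost label is a long all-hex string, the shape of the
    per-message identifiers in the queries quoted in the thread."""
    first = qname.split(".")[0].lower()
    return bool(HEX_LABEL_RE.match(first))


def suspicious_sources(text, min_hits=2):
    """Map src_ip -> list of hex-labelled query names for hosts that issued at least
    min_hits of them; one odd lookup is noise, a stream of them is a sending engine."""
    hits = {}
    for _ts, src, _qtype, qname in parse_queries(text):
        if looks_like_tracking_label(qname):
            hits.setdefault(src, []).append(qname)
    return {src: names for src, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for src, names in suspicious_sources(SAMPLE_TCPDUMP).items():
        print(f"{src}: {len(names)} hex-labelled queries, e.g. {names[0]}")
```

Feed it `tcpdump -nn -l port 53` output instead of the constructed sample to run it on a live link; the regex only matches query lines, so responses and non-DNS traffic are ignored. A second signal worth checking, as Suresh did by hand, is the registration data for the parent domains the hex labels hang under.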