28 Mar
2010
28 Mar
'10
8:34 a.m.
On Sun, Mar 28, 2010 at 02:04:39PM +0200, jul wrote:
Hello,
While watching some parked domains, I recently observed one which has a TXT field containing some crypto value, something like a ssh key/RSA 512 or 1024 output (only the crypto part 'cvxvcvcxvcxv=' ).
If the TXT data is a large wodge which changes, and/or there are fluctuating interesting labels within the zone, then it isn't parked but is being used for IP-over-DNS tunneling. Cheers, Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE