Update! Just talked to the client and he found the following code in:
/dev/.cas/
It was named binfo.c
I'm willing to bet that this may have something to do with the thrashing on A as well as on various nameservers around the net.
i doubt it. i, completely coincidentally, heard about binfo five days ago.

binfo.c = Bind Version Checker

'binfo' is a quick little script to pull back the version of named running on a remote nameserver. This is handy for comparing it to a list of known vulnerable versions of named/bind. Previous to this, it took a few commands to extract out the version.

http://www.attrition.org/tools/other/binfo.c

it also tries to determine if the given server supports iquery.

--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org                  * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown)      that goes *ping*!"
andrew@crossbar.com                     * "information is power -- share the wealth."
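Added example, not part of the original thread and not code from binfo.c: a small classifier a nameserver operator could run over captured DNS queries to spot the two probes described above. It assumes the version check is the usual `version.bind` TXT query in the CHAOS class and that the iquery test uses DNS opcode 1; `build_query` and `classify` are hypothetical names, and the sample packets are constructed.

```python
import struct

OPCODE_IQUERY = 1                 # inverse query opcode (RFC 1035)
QTYPE_TXT, QCLASS_CHAOS = 16, 3   # TXT record type, CHAOS class

def build_query(name, qtype, qclass, opcode=0, txid=0x1234):
    """Constructed sample input: a minimal DNS query packet."""
    flags = (opcode << 11) | 0x0100            # QR=0 (query), RD set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)

def classify(packet):
    """Return 'iquery', 'version-probe', 'other' or 'malformed'."""
    if len(packet) < 12:
        return "malformed"
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:                         # QR bit set: a response
        return "other"
    if (flags >> 11) & 0xF == OPCODE_IQUERY:   # assumed iquery support test
        return "iquery"
    if qdcount < 1:
        return "other"
    labels, pos = [], 12
    while True:                                # walk the question name
        if pos >= len(packet):
            return "malformed"
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(packet):    # pointer or truncated label
            return "malformed"
        labels.append(packet[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(packet):
        return "malformed"
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if (qtype, qclass) == (QTYPE_TXT, QCLASS_CHAOS) and labels == ["version", "bind"]:
        return "version-probe"
    return "other"

if __name__ == "__main__":
    for pkt in (build_query("version.bind", QTYPE_TXT, QCLASS_CHAOS),
                build_query("example.com", 1, 1, opcode=OPCODE_IQUERY),
                build_query("example.com", 1, 1)):
        print(classify(pkt))
```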