FYI, I put the suspect file up at http://www.bblabs.com/dns.exe

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of bmanning@karoshi.com
Sent: Monday, September 08, 2003 2:37 PM
To: Chris Lewis
Cc: nanog@merit.edu
Subject: Re: dns.exe virus?
Christopher J. Wolff wrote:
Chris,
It was really odd. Here is an example of what the two hosts .3 and .4 were up to.
For grins, I ran that through our blacklist tool to see what it coughed up.
Nothing was on our blacklists.
Had rDNS's like *.google.com, *.akamai.com, sprintbbsd, ns2.granitecanyon.com, DNS root servers and a few non-resolving IPs.
DNS resolution loop perchance?
From here, they all show up in the logs attempting dynamic updates of the in-addr.arpa domain. :) Time to suck pkts... although I 'spect they are trying to perform stupid DNS tricks like:

floss.local.in-addr.arpa. A 10.10.10.10

--bill