On Fri, 2008-07-25 at 18:14 -0400, Pete Carah wrote:
I saw much more than this *from the same address* starting two days ago, and from several other blocks belonging to the same university starting last week, to my home router and another server. So far my better connected servers haven't been hit hard. (and no non-auto answer from "security" at that university...)
I saw this earlier in the week, along with queries for a domain name which happens to have been registered by Dan Kaminsky, so I emailed him about it. The addresses in question at Georgia Tech appear to be in use as part of Doxpara's scan for unpatched systems, which he confirmed. For those who are bothered, look out for queries from the same netblock of the form: rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com/A/IN It's probably obvious to one and all what they should be for. And the fact that the queries are denied by correctly configured (ie. non-open) resolvers makes it even less of a panic. The sky isn't falling... yet. Graeme