Full Disclosure mailing list archives

Re: FW: Question for DNS pros


From: "Ian Latter" <Ian.Latter () mq edu au>
Date: Wed, 04 Aug 2004 12:24:50 +1000



So, I'm speculating that a DNS lookup to something somewhere results in
these IPs performing the observed theatrics (two UDP DNS queries, one
TCP SYN scan with payload, and one ICMP ping).

This doesn't sound like nstx ... but it does sound familiar.  I've put a 
call to a friend who I recall mentioning a response like this from one
of the .mil sites four-five years ago .. I'll see if he recalls the 
sequence for the trigger .. may help .. he did demonstrate it, but I
wasn't so interested at the time ...


If it turns out that all mystery come from China, what do you make out
of that?

.. that you'll need two bytes and a dictionary to read each char from 
the payload? ;-)
 

--
Ian Latter
Internet and Networking Security Officer
Macquarie University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

