Security Incidents mailing list archives
Re: Malformed DNS or something odd (or just me)
From: "Paul Daniel" <paul () pdaniel co uk>
Date: Sat, 13 Nov 2004 09:16:55 -0000
-----Original Message-----
From: Butterworth, Jim [mailto:jim.butterworth () guidancesoftware com]
Sent: 10 November 2004 21:45
To: Paul Daniel
Subject: RE: Malformed DNS or something odd (or just me)

You got the whole TCPDUMP output?

r/Jim

These are 3 separate packets (slightly obscured) using Windump:

10:54:34.211423 mac1 > mac2, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl 112, id 4591, offset 0, flags [none], length: 46) 203.206.52.94.53 > myipadd.53: [udp sum ok] 258 [b2&3=0x7] [16323a] [53638q] [9748n] [257au][|domain]
0x0000: 0080 c8f2 fc7a 00d0 2b75 018c 0800 4500 .....z..+u....E.
0x0010: 002e 11ef 0000 7011 3663 cbce 345e 5225 ......p.6c..4^R%
0x0020: b01b 0035 0035 001a 9e7a 0102 0007 d186 ...5.5...z......
0x0030: 3fc3 2614 0101 449d ab62 3500 ?.&...D..b5.

11:03:31.411671 mac1 > mac2, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl 117, id 6509, offset 0, flags [none], length: 46) 4.138.224.106.53 > myipadd.53: [udp sum ok] 258 [b2&3=0x7] [16323a] [53638q] [9748n] [257au][|domain]
0x0000: 0080 c8f2 fc7a 00d0 2b75 018c 0800 4500 .....z..+u....E.
0x0010: 002e 196d 0000 7511 451d 048a e06a 5225 ...m..u.E....jR%
0x0020: b01b 0035 0035 001a c85e 0102 0007 d186 ...5.5...^......
0x0030: 3fc3 2614 0101 40c9 a08a 3500 ?.&...@...5.

11:13:29.914292 mac1 > mac2, ethertype IPv4 (0x0800), length 510: IP (tos 0x0, ttl 111, id 273, offset 0, flags [none], length: 496) 202.231.176.70.38 > myipadd.53: 258 [b2&3=0x7] [16323a] [53638q] [9748n] [332au][|domain]
0x0000: 0080 c8f2 fc7a 00d0 2b75 018c 0800 4500 .....z..+u....E.
0x0010: 01f0 0111 0000 6f11 cb7d cae7 b046 5225 ......o..}...FR%
0x0020: b01b 0026 0035 01dc 58a0 0102 0007 d186 ...&.5..X.......
0x0030: 3fc3 2614 014c 184a aac0 3500 5037 483a ?.&..L.J..5.P7H:
0x0040: 3500 4253 bd66 3500 401a 4452 3500 c829 5.BS.f5.@.DR5..)
0x0050: 33e2 3500 c27e 6e82 3500 4416 5aee 3500 3.5..~n.5.D.Z.5.

Regards
Paul Daniel

P.S. Over 24 hours after I sent this it had not appeared in the list, so this is a resend. Apologies if it ends up appearing twice.
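Added example, not part of the original post: decoding the DNS header from the first and third hex dumps shows where the bracketed Windump values come from and why the payload cannot be a well-formed DNS message. The function name `dns_header` and the minimum-size check are assumptions of this example.

```python
import struct

# Frames copied from the Windump hex in the post; the third is cut at the snaplen.
PKT1 = bytes.fromhex(
    "0080 c8f2 fc7a 00d0 2b75 018c 0800 4500 002e 11ef 0000 7011 3663 cbce 345e 5225"
    "b01b 0035 0035 001a 9e7a 0102 0007 d186 3fc3 2614 0101 449d ab62 3500")
PKT3 = bytes.fromhex(
    "0080 c8f2 fc7a 00d0 2b75 018c 0800 4500 01f0 0111 0000 6f11 cb7d cae7 b046 5225"
    "b01b 0026 0035 01dc 58a0 0102 0007 d186 3fc3 2614 014c 184a aac0 3500 5037 483a"
    "3500 4253 bd66 3500 401a 4452 3500 c829 33e2 3500 c27e 6e82 3500 4416 5aee 3500")

def dns_header(frame):
    """Walk Ethernet/IPv4/UDP and return the DNS header fields plus a sanity verdict."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    dns = udp + 8
    if len(frame) < dns + 12:
        raise ValueError("capture too short for a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", frame[dns:dns + 12])
    # Use the UDP length, not len(frame): the capture may be truncated.
    body = ulen - 8 - 12
    # Lower bound on the body the counts imply:
    #   question        = root name (1) + type/class (4)
    #   resource record = root name (1) + type/class/ttl/rdlength (10)
    needed = qd * 5 + (an + ns + ar) * 11
    return {"sport": sport, "dport": dport, "id": ident, "flags": flags,
            "qd": qd, "an": an, "ns": ns, "ar": ar,
            "body": body, "needed": needed, "plausible": needed <= body}

if __name__ == "__main__":
    for name, pkt in (("packet 1", PKT1), ("packet 3", PKT3)):
        h = dns_header(pkt)
        print(f"{name}: {h['sport']}->{h['dport']} id={h['id']} flags={h['flags']:#06x} "
              f"q={h['qd']} a={h['an']} n={h['ns']} au={h['ar']} "
              f"body={h['body']}B needs>={h['needed']}B plausible={h['plausible']}")
```

The decoded counts match the `[16323a] [53638q] [9748n] [257au]` and `[332au]` fields in the Windump lines, and in both frames the counts imply far more data than the UDP length allows.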