Full Disclosure mailing list archives
Re: FW: Question for DNS pros
From: "Ian Latter" <Ian.Latter () mq edu au>
Date: Wed, 04 Aug 2004 13:37:47 +1000
Glad you guys found it.
Gotta response from my friend, he doesn't recall all of the
detail (4-5years is a bit hard), but remembers that if you used a
certain DNS server ("digger" at the time) that served the
Australian DSTO site, as your default W2K DNS host, he
believed that the act of 2K attempting to register itself in the
foreign DNS was what resulted in a probe of some description
(enough to agitate the buggery out of BlackIce Defender).
Don't ask me why he was using .gov/.mil DNS servers for his
stinky w2k boxen ... I was building ISPs at the time and thought
he was a bit broken.
----- Original Message -----
From: "Ian Latter" <Ian.Latter () mq edu au> To: "Frank Knobbe" <frank () knobbe us> Subject: Re: FW: [Full-disclosure] Question for DNS pros Date: Wed, 04 Aug 2004 12:24:50 +1000So, I'm speculating that a DNS lookup to something somewhere results in these IP's performing the observed theatrics (two UDP DNS queries, one TCP SYN scan with payload, and one ICMP ping).This doesn't sound like nstx ... but it does sound familiar. I've put a call to a friend who I recall mentioning a response like this from one of the .mil sites four-five years ago .. I'll see if he recalls the sequence for the trigger .. may help .. he did demonstrate it, but I wasn't so interested at the time ...If it turns out that all mystery come from China, what do you make out of that?... that you'll need two bytes and a dictionary to read each char from the payload? ;-) -- Ian Latter Internet and Networking Security Officer Macquarie University _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
-- Ian Latter Internet and Networking Security Officer Macquarie University _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: FW: Question for DNS pros, (continued)
- Re: FW: Question for DNS pros Nils Ketelsen (Aug 04)
- Re: FW: Question for DNS pros John Hall (Aug 05)
- Re: FW: Question for DNS pros Mark (Aug 03)
- Re: FW: Question for DNS pros John Hall (Aug 04)
- Re: FW: Question for DNS pros Gary E. Miller (Aug 04)
- Re: FW: Question for DNS pros John Hall (Aug 05)
- Re: FW: Question for DNS pros Gary E. Miller (Aug 05)
- Re: FW: Question for DNS pros Paul Schmehl (Aug 03)