[dns-operations] Lots of queries for TXT records?
Michael Sinatra
michael at rancid.berkeley.edu
Wed Apr 8 05:41:55 UTC 2009
On 4/7/09 9:56 PM, Rob Thomas wrote:
>> Right now it's parked at Cheapnames.com, but when domain registration data
>> shows "timjunk at mail.ru" as the tech contact, my Russkrainian cyber criminal
>> radar starts red-lining. :-)
>
> Ohhh yeah. :)
>
> The first query we see is on 2009-03-28 23:09:23 UTC. It's a TXT query
> and the result is (pardon the long string):
>
> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
>
> This continues to be the answer until approximately 2009-04-02 15:00:08
> UTC when the answer changes to:
>
> fworld.net
>
> Presently deepholeforyou.info is an alias for fworld.net.
>
> More to come.

There were some hosts on the UCB campus participating. The one common
thing I noticed was that all of them always used port 1024 as the source
port for the query. Anyone else seeing that?
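
Added example, not part of the original post: one way to check a resolver query log for the pattern described above, i.e. clients whose TXT queries all leave from one source port such as 1024. The log layout, the sample lines, the names in them and the function `fixed_port_txt_clients` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a BIND-style query log layout (an assumption;
# adjust LINE_RE to the resolver's real format).
SAMPLE_LOG = """\
08-Apr-2009 05:00:01 client 192.0.2.10#1024: query: suspect.example IN TXT +
08-Apr-2009 05:00:02 client 192.0.2.10#1024: query: suspect.example IN TXT +
08-Apr-2009 05:00:03 client 192.0.2.10#1024: query: suspect.example IN TXT +
08-Apr-2009 05:00:03 client 192.0.2.20#51544: query: suspect.example IN TXT +
08-Apr-2009 05:00:04 client 192.0.2.20#40211: query: suspect.example IN TXT +
08-Apr-2009 05:00:05 client 192.0.2.20#33907: query: suspect.example IN TXT +
08-Apr-2009 05:00:06 client 192.0.2.30#1024: query: www.example IN A +
08-Apr-2009 05:00:07 client 192.0.2.40#1024: query: suspect.example IN TXT +
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def fixed_port_txt_clients(log_text, min_queries=3):
    """Return {client_ip: port} for clients that sent at least min_queries
    TXT queries and used one single source port for all of them."""
    ports = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Only TXT queries count; other query types are ignored entirely.
        if m and m.group("qtype").upper() == "TXT":
            ports[m.group("ip")].append(int(m.group("port")))
    return {
        ip: seen[0]
        for ip, seen in ports.items()
        if len(seen) >= min_queries and len(set(seen)) == 1
    }


if __name__ == "__main__":
    for ip, port in sorted(fixed_port_txt_clients(SAMPLE_LOG).items()):
        print(f"{ip}: all TXT queries came from source port {port}")
```

A fixed source port can also come from a resolver configured with a static query source, so a hit is a lead to investigate rather than a verdict.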