Random nx name queries, anyone see this before?

ponga2112 at gmail.com ponga2112 at gmail.com
Tue Dec 16 00:34:43 UTC 2008


I'd be very interested in what others find. I do have an update and
correction to my original post:

The format is 9chars.8chars - as an example:
qjnqrtfun.wxsifmgj
Sometimes a colon appears, so the char list seems to be [a-z:]
Also, I was wrong about the FQDN - they do appear in named/bind logs -
so whatever app it is, the suffix search order is being used. My
apologies for the incorrect info the first time.

There are a couple clients that do this - so thanks for the tip AlanC,
I will look for a pattern. Other than that, I'm stumped. Thanks for
any hints provided!!

ponga

On Dec 15, 3:05 pm, Alan Clegg <Alan_Cl... at isc.org> wrote:
> ponga2... at gmail.com wrote:
> > I'm seeing name queries from a couple clients on the network that
> > occur around every two minutes - the queries are evidently random and
> > are looking for A IN records of this form, as an example:
> >
> > ungzbvyf.lzghmccim
> >
> > They always look like this, 8 lowercase chars, dot, then 9 lowercase
> > chars - never an FQDN.
> > I can't find what this might be - has anyone seen this before or have
> > any ideas?
>
> I've seen this and told a couple of people, but nobody has really shown
> interest.
>
> In addition to the regular format that you see, I've also picked up a
> pattern when you start seeing the queries from multiple sources...
>
> I'll be more than happy to start collecting data again if anyone has
> interest.
>
> AlanC
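Added example, not part of the original posts: one way to pull this pattern out of a BIND query log, matching the 8-9 character `[a-z:]` label pair described above (with or without a search-list suffix) and reporting per client how many distinct names were asked for and how far apart. The log layout, the sample lines, the last two random names and the `suspects` helper are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Shape from the thread: two leading labels of 8-9 chars from [a-z:];
# a resolver search-list suffix may follow.
SHAPE = re.compile(r"^([a-z:]{8,9}\.[a-z:]{8,9})(?:\.|$)")
# Assumed BIND 9 query-log layout (constructed; adjust to your logging config).
LINE = re.compile(
    r"^(\S+ \S+) .*?client (?:@\S+ )?([0-9a-fA-F.:]+)#\d+.*?: query: (\S+) IN A\b")

def suspects(lines, min_names=3):
    """Map client -> (distinct random-shaped names, median seconds between
    first sightings). The shape alone also fits ordinary names such as
    exchange.microsoft.com, so several distinct names are required."""
    first_seen = defaultdict(dict)  # client -> {two-label name: first time}
    for line in lines:
        m = LINE.match(line)
        shape = m and SHAPE.match(m.group(3).lower())
        if not shape:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        first_seen[m.group(2)].setdefault(shape.group(1), ts)
    result = {}
    for client, names in first_seen.items():
        if len(names) < min_names:
            continue
        times = sorted(names.values())
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[client] = (len(names), median(gaps) if gaps else None)
    return result

# Constructed sample log; the first two names are the ones quoted in the thread.
SAMPLE = """\
16-Dec-2008 00:00:01.100 queries: info: client 192.0.2.10#1031: query: ungzbvyf.lzghmccim IN A +
16-Dec-2008 00:00:01.150 queries: info: client 192.0.2.10#1032: query: ungzbvyf.lzghmccim.example.com IN A +
16-Dec-2008 00:01:10.000 queries: info: client 192.0.2.20#4410: query: exchange.microsoft.com IN A +
16-Dec-2008 00:02:01.100 queries: info: client 192.0.2.10#1033: query: qjnqrtfun.wxsifmgj IN A +
16-Dec-2008 00:03:10.000 queries: info: client 192.0.2.20#4411: query: www.isc.org IN A +
16-Dec-2008 00:04:02.100 queries: info: client 192.0.2.10#1034: query: hkd:wpqzr.mtbxoyla.example.com IN A +
16-Dec-2008 00:06:01.100 queries: info: client 192.0.2.10#1035: query: tmvqkzwe.rplxdnbyo IN A +
""".splitlines()

if __name__ == "__main__":
    for client, (count, gap) in suspects(SAMPLE).items():
        print(f"{client}: {count} names, median gap {gap:.0f}s")
```

Suffix variants of the same name are counted once, so the interval reflects new names rather than search-list retries.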



