> 13:58:36.620000 18.104.22.168.9999 > 22.214.171.124.domain: 1341+ (46)
> (ttl 32, id 14354)
> 13:58:36.620000 126.96.36.199.9999 > jaguar.spectrumpub.com.domain:
> 1341+ (46) (ttl 32, id 14610)
> 13:58:36.620000 188.8.131.52.9999 > 184.108.40.206.domain: 1341+ (46)
That is an application. It's issuing DNS queries aimed at the DNS port
of every machine on the class C.
My first guess is that the Lizard installer is trying to find the router
by spamming the entire class C at high speed.
> 13:58:36.640000 220.127.116.11.9999 > 18.104.22.168.domain: 1341+
> (46) (ttl 32, id 13843)
It even sends to the broadcast for the network (totally out of order).
> 13:58:36.640000 22.214.171.124.9999 > 126.96.36.199.domain: 1341+ (46)
And the network address.
> 13:58:36.640000 188.8.131.52.9999 > 184.108.40.206.domain: 1341+ (46)
One second later the app spams the network again.
If I got that trace from a customer I'd probably demand a written promise that
they would not be running this software on their ISP connected network again.
It could be glibc but I think it's a broken app.
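
The pattern described in the message above (one source port, one query ID, every address of a class C including the network and broadcast addresses, repeated a second later) can be flagged mechanically from a capture. The following is an added example, not part of the original message: the trace is constructed with documentation addresses, and the function names and the `min_hosts` threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches the tcpdump line shape quoted in the thread:
#   HH:MM:SS.frac src.port > dst.domain: id+ (len) ...
LINE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.domain: (\d+)\+")

def find_dns_sweeps(lines, min_hosts=32):
    """Flag a source that sends DNS queries to many hosts of one /24 in one second."""
    buckets = defaultdict(set)  # (second, source, /24) -> destination addresses
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # only numeric destinations are parsed; resolved names are skipped
        second, src, _sport, dst, _qid = m.groups()
        net = ip_network(dst + "/24", strict=False)
        buckets[(second, src, net)].add(ip_address(dst))
    sweeps = []
    for key in sorted(buckets):
        second, src, net = key
        dsts = buckets[key]
        if len(dsts) >= min_hosts:  # hypothetical threshold, tune per network
            sweeps.append({
                "second": second, "source": src, "network": str(net),
                "hosts": len(dsts),
                "hit_network_addr": net.network_address in dsts,
                "hit_broadcast": net.broadcast_address in dsts,
            })
    return sweeps

def constructed_trace():
    """Constructed sample: one host sweeps 198.51.100.0/24 twice, plus one normal lookup."""
    lines = []
    for second in ("13:58:36", "13:58:37"):
        for host in range(256):
            lines.append(f"{second}.620000 192.0.2.77.9999 > 198.51.100.{host}.domain: "
                         f"1341+ (46) (ttl 32, id {14000 + host})")
    lines.append("13:58:36.700000 192.0.2.10.1053 > 198.51.100.53.domain: "
                 "2210+ (40) (ttl 64, id 501)")
    return lines

if __name__ == "__main__":
    for sweep in find_dns_sweeps(constructed_trace()):
        print(sweep)
```
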
This archive was generated by hypermail 2b29 : Tue Feb 29 2000 - 21:00:14 EST