> 13:58:36.620000 207.109.151.249.9999 > 207.109.151.1.domain: 1341+ (46)
> (ttl 32, id 14354)
> 13:58:36.620000 207.109.151.249.9999 > jaguar.spectrumpub.com.domain:
> 1341+ (46) (ttl 32, id 14610)
> 13:58:36.620000 207.109.151.249.9999 > 207.109.151.3.domain: 1341+ (46)
That is an application. its issuing DNS queries aimed at the DNS port
of every machine on the class C.
My first guess is that the Lizard installer is trying to find the router
by spamming the entire class C at high speed.
> 13:58:36.640000 207.109.151.249.9999 > 207.109.151.255.domain: 1341+
> (46) (ttl 32, id 13843)
It even sends to the broadcast for the network (totally out of order)
> 13:58:36.640000 207.109.151.249.9999 > 207.109.151.0.domain: 1341+ (46)
And the network address.
> 13:58:36.640000 207.109.151.249.9999 > 207.109.151.1.domain: 1341+ (46)
One second later the app spams the network again
If I got that trace from a customer I'd probably demand a written promise that
they would not be running this software on their ISP connected network again
until fixed.
It could be glibc but I think its a broken app
Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Feb 29 2000 - 21:00:14 EST