nanog mailing list archives

Re: Malicious DNS request?


From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Thu, 12 May 2005 15:09:00 +0530


On 5/12/05, Joe Shen <joe_hznm () yahoo com sg> wrote:
> By tcpdump, it's found a remote computer keeps asking
> for addresses for records like
> 999d38e693b9e6293b450.0existence.com,
> 60d38e693b9e6293b450.0be6c1xfa.net.
>
> Is that a virus-affected computer?

Sure looks like some kind of massmailer trojan, or an affiliate-program-based
spam-sending software like Atriks.

These two domains you quoted have rather interesting whois records,
particularly 0existence.com ..

  Domain Name.......... 0existence.com
  Creation Date........ 2004-10-23
  Registration Date.... 2004-10-23
  Expiry Date.......... 2009-10-23
  Organisation Name.... William Peter
  Organisation Address. 52 THIRD AVENUE
  Organisation Address.
  Organisation Address. Woonsocket
  Organisation Address. 02895
  Organisation Address. RI
  Organisation Address. UNITED STATES

  Admin Name........... William Peter
  Admin Address........ 52 THIRD AVENUE
  Admin Address........
  Admin Address........ Woonsocket
  Admin Address........ 02895
  Admin Address........ RI
  Admin Address........ UNITED STATES
  Admin Email.......... doi.looklikeafucktardtoyou () 0existence com
  Admin Phone.......... +1.4067672231
  Admin Fax............

  Tech Name............ Existence Corporation
  Tech Address......... 701 First Ave.
  Tech Address.........
  Tech Address......... Sunnyvale
  Tech Address......... 94089
  Tech Address......... CA
  Tech Address......... UNITED STATES
  Tech Email........... doi.looklikeafucktardtoyou () 0existence com
  Tech Phone........... +1.6198813096
  Tech Fax............. +1.6198813010

-- 
Suresh Ramasubramanian (ops.lists () gmail com)
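The pattern Joe saw in tcpdump, a single host repeatedly resolving long hex-looking
labels under a couple of parent domains, is something you can triage mechanically
rather than by eye. The following is an added example, not code from the thread or
from any NANOG participant: it parses tcpdump-style DNS query lines, flags queries
whose leftmost label is a long run of hex characters, and reports which source IPs
are doing it and under which parent domains. The sample lines are constructed for
the example; only the two domain names come from Joe's message, and the IPs,
ports, timestamps and the extra labels are invented. The 16-character hex rule and
the 3-hit threshold are assumptions chosen to fit the names quoted in the thread.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample input: tcpdump-style DNS query lines. Only the two domain
# names are taken from the thread; source IPs, ports, timestamps and the
# remaining labels are invented for this example.
SAMPLE_TCPDUMP = """\
15:09:01.000101 IP 10.1.2.3.3241 > 10.0.0.53.53: 4411+ A? 999d38e693b9e6293b450.0existence.com. (40)
15:09:01.000322 IP 10.1.2.3.3242 > 10.0.0.53.53: 4412+ A? 60d38e693b9e6293b450.0be6c1xfa.net. (38)
15:09:01.010500 IP 10.1.2.3.3243 > 10.0.0.53.53: 4413+ A? 1a2b3c4d5e6f7a8b9c0d1.0existence.com. (41)
15:09:02.000004 IP 10.1.2.9.51100 > 10.0.0.53.53: 21+ A? www.nanog.org. (31)
15:09:02.000900 IP 10.1.2.9.51101 > 10.0.0.53.53: 22+ MX? gmail.com. (27)
15:09:03.100000 IP 10.1.2.3.3244 > 10.0.0.53.53: 4414+ A? c0ffee1234567890abcdef.0be6c1xfa.net. (41)
"""

# One tcpdump DNS query line:
#   "<ts> IP <src>.<sport> > <dst>.53: <id>+ <qtype>? <qname>. (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+?)\.? \(\d+\)$"
)

# Assumed heuristic: a leftmost label of 16+ hex characters looks like a hash
# or random token, which is what the names quoted in the thread have.
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a repeated character, up to 4.0 for uniform hex."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_query(line: str):
    """Return {'ts', 'src', 'qtype', 'qname'} for a query line, else None."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def is_hashlike_label(label: str) -> bool:
    """True when the label is a long run of hex characters."""
    return HEX_LABEL_RE.match(label.lower()) is not None


def find_noisy_clients(lines, min_hits: int = 3):
    """Group queries by source IP; return sources with at least `min_hits`
    lookups whose leftmost label is hash-like, with the parent domains seen."""
    stats = defaultdict(lambda: {"total": 0, "hashlike": 0,
                                 "parents": set(), "entropies": []})
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        st = stats[q["src"]]
        st["total"] += 1
        labels = q["qname"].lower().split(".")
        if is_hashlike_label(labels[0]):
            st["hashlike"] += 1
            st["parents"].add(".".join(labels[1:]))
            st["entropies"].append(shannon_entropy(labels[0]))
    return {src: st for src, st in stats.items() if st["hashlike"] >= min_hits}


if __name__ == "__main__":
    for src, st in find_noisy_clients(SAMPLE_TCPDUMP.splitlines()).items():
        avg = sum(st["entropies"]) / len(st["entropies"])
        print(f"{src}: {st['hashlike']}/{st['total']} hash-like queries, "
              f"parents={sorted(st['parents'])}, mean label entropy={avg:.2f}")
```

Treat a hit as a triage signal, not proof: some legitimate services also put
hashed tokens in the leftmost label (tracking pixels, CDN object names, DNS-based
lookup services), so the parent domains and the whois records, as Suresh did here,
are what you check next. Feed it `tcpdump -n -l port 53` output and the same regex
applies; lines carrying extra flags such as `[1au]` would need the pattern widened.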

