Malicious DNS request?
Suresh Ramasubramanian
ops.lists at gmail.com
Thu May 12 09:39:00 UTC 2005
On 5/12/05, Joe Shen <joe_hznm at yahoo.com.sg> wrote:
> By tcpdump, it's found that a remote computer keeps asking
> for the address for records like
> 999d38e693b9e6293b450.0existence.com,
> 60d38e693b9e6293b450.0be6c1xfa.net.
>
> Is that a virus-affected computer?

Sure looks like some kind of massmailer trojan, or an affiliate program
based spam sending software like Atriks.

These two domains you quoted have rather interesting whois records,
particularly 0existence.com ..

Domain Name.......... 0existence.com
Creation Date........ 2004-10-23
Registration Date.... 2004-10-23
Expiry Date.......... 2009-10-23
Organisation Name.... William Peter
Organisation Address. 52 THIRD AVENUE
Organisation Address.
Organisation Address. Woonsocket
Organisation Address. 02895
Organisation Address. RI
Organisation Address. UNITED STATES
Admin Name........... William Peter
Admin Address........ 52 THIRD AVENUE
Admin Address........
Admin Address........ Woonsocket
Admin Address........ 02895
Admin Address........ RI
Admin Address........ UNITED STATES
Admin Email.......... doi.looklikeafucktardtoyou at 0existence.com
Admin Phone.......... +1.4067672231
Admin Fax............
Tech Name............ Existence Corporation
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... doi.looklikeafucktardtoyou at 0existence.com
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
--
Suresh Ramasubramanian (ops.lists at gmail.com)