On 10/25/2012 6:23 PM, Jason Lewis wrote: > Does anyone recognize what is going on here? > > I suspect it's malicious, but I can't figure out what the goal is. Is > it just an attempt to hide bad guy infrastructure? > > trexcil.info. IN NS ns3.urqwk.info. > trexcil.info. IN NS ns4.urqwk.info. > trexcil.info. IN NS ns1.rcbiil.info. > trexcil.info. IN NS ns2.rcbiil.info. > trexcil.info. IN CNAME d51.aczdmxkgr1ik.trexcil.info. > trexcil.info. IN CNAME d5a.b1w8xqzktn6h.trexcil.info. > trexcil.info. IN CNAME d5a.c5383kpdz8zo.trexcil.info. > trexcil.info. IN CNAME d5a.c8kn44b8axpm.trexcil.info. > trexcil.info. IN CNAME d5a.cztm14bsw1rn.trexcil.info. > trexcil.info. IN CNAME d5a.df81qezk2khs.trexcil.info. > trexcil.info. IN CNAME dv8.afyb1y7ihhix.trexcil.info. > trexcil.info. IN CNAME dva.beq1iktr59qe.trexcil.info. > trexcil.info. IN CNAME d518.adv3uyrx32g.trexcil.info. > <snip>
this is more likely a protocol-violating load balancer than a bad guy. --paul _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
