> So, I'm speculating that a DNS lookup to something somewhere results in
> these IPs performing the observed theatrics (two UDP DNS queries, one
> TCP SYN scan with payload, and one ICMP ping).

This doesn't sound like nstx ... but it does sound familiar. I've put a call to a friend who I recall mentioning a response like this from one of the .mil sites four-five years ago .. I'll see if he recalls the sequence for the trigger .. may help .. he did demonstrate it, but I wasn't so interested at the time ...

> If it turns out that all mystery come from China, what do you make out
> of that?

.. that you'll need two bytes and a dictionary to read each char from the payload? ;-)

--
Ian Latter
Internet and Networking Security Officer
Macquarie University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
