Does anybody know of anything (malware, hackware, other?) that would cause a machine to put out traffic with the first octet of the destination address (re)set to ZERO?
The traffic I saw was all headed for port 443, and wasn't decipherable. The variation in packet size looked like a real conversation, although return packets (if any) weren't passing my sniffer. The destination addresses, sans the bogus first octet, looked like the addresses of a couple of real internal servers (the source address was internal) -- which, however, do not have HTTPS service active. [This traffic correlated with various intermittent disruptions of our network, which stopped when the source machine dropped off the network. It later reappeared -- and so did a brief disruption -- long enough for me to pinpoint and ban it.]

David Gillett
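A small detection helper for the symptom described in the post, added here as an example and not part of the original message: it reads flow records (source, destination, port, bytes) and flags any destination that falls in 0.0.0.0/8, the reserved "this network" range, which should never appear as a unicast destination on a live segment. The sample records and their addresses are constructed for illustration; the field layout is an assumption, so adapt `parse_flows` to whatever your sniffer or flow exporter actually emits.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the original post).
# Fields: src,dst,dport,bytes
SAMPLE_FLOWS = """\
10.1.5.23,0.1.5.40,443,517
10.1.5.23,0.1.5.41,443,1460
10.1.5.23,10.1.5.40,22,96
10.1.7.9,10.1.5.41,443,1200
10.1.5.23,0.1.5.40,443,312
"""

# 0.0.0.0/8 is reserved as "this network" (RFC 6890); a destination in it
# is either a forged/corrupted header or a broken stack, never a real host.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")


def parse_flows(text):
    """Parse comma-separated flow lines into dicts; skips blank lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, dport, nbytes = line.split(",")
        flows.append({
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def find_zero_octet_flows(flows):
    """Return flows whose destination has a zero first octet (0.0.0.0/8)."""
    return [f for f in flows if ipaddress.ip_address(f["dst"]) in THIS_NETWORK]


def sources_by_count(flagged):
    """Count flagged flows per source host so the offending machine stands out."""
    return Counter(f["src"] for f in flagged)


if __name__ == "__main__":
    flagged = find_zero_octet_flows(parse_flows(SAMPLE_FLOWS))
    for f in flagged:
        print(f"{f['src']} -> {f['dst']}:{f['dport']} ({f['bytes']} bytes) "
              f"destination in {THIS_NETWORK}")
    print("suspect sources:", sources_by_count(flagged).most_common())
```

Running the block on the constructed records flags the three flows to 0.1.5.x and attributes all of them to 10.1.5.23; on real data the per-source count is what lets you pinpoint the host to isolate, exactly as the poster did by hand.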
