Re: Random nx name queries, anyone see this before?

2008-12-16 Thread Dave Sparro
Alan Clegg wrote:
 ponga2...@gmail.com wrote:
 I'm seeing name queries from a couple clients on the network that
 occur around every two minutes - the queries are evidently random and
 are looking for A IN records of this form, as an example:

 ungzbvyf.lzghmccim

 They always look like this, 8 lowercase chars, dot, then 9 lowercase
 chars - never an FQDN.
 I can't find what this might be - has anyone seen this before or have
 any ideas?
 
 I've seen this and told a couple of people, but nobody has really shown
 interest.
 
 In addition to the regular format that you see, I've also picked up a
 pattern when you start seeing the queries from multiple sources...
 

I've seen it as well.  The only pattern I've noticed is that the same name
is commonly queried by multiple sources within an about 30-60 second window.
Other than that window, the queries aren't repeated in at least 48 hours.



-- 
Dave

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Random nx name queries, anyone see this before?

2008-12-16 Thread Ian Sampson
Do you get an injected response at the same time not from the relevant
root server? The only way would be to gather a tethereal dump to see if
that is the case?


On 16 Dec 2008, at 14:20, Alan Clegg wrote:


Frank Behrens wrote:

ponga2...@gmail.com ponga2...@gmail.com wrote on 15 Dec 2008 16:34:

I'd be very interested in what others find. I do have an update and
correction to my original post:

The format is 9chars.8chars - as an example:
qjnqrtfun.wxsifmgj
Sometimes a colon appears, so the char list seems to be [a-z:]
Also, I was wrong about the FQDN - they do appear in named/bind logs -
so whatever app it is, the suffix search order is being used. My
apologies for the incorrect info the first time.

I had never seen any suffixes on the ones that I captured in the past
(note that I first noticed this in March of 2008 and I don't see any of
the odd traffic at the moment).

There are a couple clients that do this - so thanks for the tip AlanC,
I will look for a pattern. Other than that, I'm stumped. Thanks for
any hints provided!!

Look for patterns in the source UDP port -- also the timing of the
queries was rather interesting, with some of the queries actually
matching even when the sources of the requests were on different subnets
and on machines that were owned by different organizations.

Is it possible that a botnet tries to connect?
http://www.heise-online.co.uk/security/Botnet-rises-again--/news/112118

I don't want to make a panic, it's an idea only...

I had originally thought the same thing, but I can't see how it would be
used.

The problem with that theory is that the queries would only make it from
the infected machine to the upstream resolver, and then to the root and
an NXDOMAIN response would be elicited.

07-Mar-2008 02:01:31.516 queries: info: client A#1067: query:
4wmn1f4:t.g5u97dc9 IN A +
07-Mar-2008 02:03:11.317 queries: info: client B#42637: query:
9ra4hmm9s.u5j87tb6 IN A +
07-Mar-2008 02:03:23.049 queries: info: client C#1031: query:
gxmikjfn4.v5w70um3 IN A +
07-Mar-2008 02:03:31.558 queries: info: client A#1067: query:
8m2zdm:4c.k3u86uf1 IN A +
07-Mar-2008 02:05:11.501 queries: info: client B#42638: query:
fug8xatrs.w7m65zq4 IN A +
07-Mar-2008 02:05:23.112 queries: info: client C#1031: query:
ek3hfaui:.t2o91ir1 IN A +

AlanC






Re: Random nx name queries, anyone see this before?

2008-12-16 Thread Alan Clegg
Frank Behrens wrote:
 ponga2...@gmail.com ponga2...@gmail.com wrote on 15 Dec 2008 16:34:
 I'd be very interested in what others find. I do have an update and
 correction to my original post:

 The format is 9chars.8chars - as an example:
 qjnqrtfun.wxsifmgj
 Sometimes a colon appears, so the char list seems to be [a-z:]
 Also, I was wrong about the FQDN - they do appear in named/bind logs -
 so whatever app it is, the suffix search order is being used. My
 apologies for the incorrect info the first time.

I had never seen any suffixes on the ones that I captured in the past
(note that I first noticed this in March of 2008 and I don't see any of
the odd traffic at the moment).

 There are a couple clients that do this - so thanks for the tip AlanC,
 I will look for a pattern. Other than that, I'm stumped. Thanks for
 any hints provided!!

Look for patterns in the source UDP port -- also the timing of the
queries was rather interesting, with some of the queries actually
matching even when the sources of the requests were on different subnets
and on machines that were owned by different organizations.

 Is it possible that a botnet tries to connect?
 http://www.heise-online.co.uk/security/Botnet-rises-again--/news/112118
 
 I don't want to make a panic, it's an idea only...

I had originally thought the same thing, but I can't see how it would be
used.

The problem with that theory is that the queries would only make it from
the infected machine to the upstream resolver, and then to the root and
an NXDOMAIN response would be elicited.

07-Mar-2008 02:01:31.516 queries: info: client A#1067: query:
4wmn1f4:t.g5u97dc9 IN A +
07-Mar-2008 02:03:11.317 queries: info: client B#42637: query:
9ra4hmm9s.u5j87tb6 IN A +
07-Mar-2008 02:03:23.049 queries: info: client C#1031: query:
gxmikjfn4.v5w70um3 IN A +
07-Mar-2008 02:03:31.558 queries: info: client A#1067: query:
8m2zdm:4c.k3u86uf1 IN A +
07-Mar-2008 02:05:11.501 queries: info: client B#42638: query:
fug8xatrs.w7m65zq4 IN A +
07-Mar-2008 02:05:23.112 queries: info: client C#1031: query:
ek3hfaui:.t2o91ir1 IN A +

AlanC



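Detection logic for the two patterns the thread describes (each client repeating a query about every two minutes, and the same name showing up from several sources inside a 30-60 second window), as an added example that is not part of any post in the thread. It parses BIND 9 query-log lines of the shape Alan Clegg pasted, with the client addresses replaced by the letters A, B, C as in his message; the lines for clients D, E and F, the name kqzpxtrwe.n4b22hh7, the www.example.com line, and the 120 s / 60 s thresholds are constructed for this example. The name pattern is relaxed to [a-z0-9:] on both labels because the pasted log lines contain digits as well as the colons mentioned in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND 9 query-log line as pasted in the thread (client addresses there were
# replaced by single letters; a real log carries an IP address instead).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<client>\S+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Two labels of 8 or 9 characters drawn from [a-z0-9:], no recognisable suffix.
# This is the shape reported in the thread (9.8 in the corrected post, 8.9 in
# the original), widened to digits because the pasted log lines contain them.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9:]{8,9}\.[a-z0-9:]{8,9}$")

# Constructed sample: the six lines from the thread (joined back onto single
# lines) plus three lines invented for this example (clients D, E, F).
SAMPLE_LOG = """\
07-Mar-2008 02:01:31.516 queries: info: client A#1067: query: 4wmn1f4:t.g5u97dc9 IN A +
07-Mar-2008 02:03:11.317 queries: info: client B#42637: query: 9ra4hmm9s.u5j87tb6 IN A +
07-Mar-2008 02:03:23.049 queries: info: client C#1031: query: gxmikjfn4.v5w70um3 IN A +
07-Mar-2008 02:03:31.558 queries: info: client A#1067: query: 8m2zdm:4c.k3u86uf1 IN A +
07-Mar-2008 02:05:11.501 queries: info: client B#42638: query: fug8xatrs.w7m65zq4 IN A +
07-Mar-2008 02:05:23.112 queries: info: client C#1031: query: ek3hfaui:.t2o91ir1 IN A +
07-Mar-2008 02:06:02.004 queries: info: client D#2210: query: kqzpxtrwe.n4b22hh7 IN A +
07-Mar-2008 02:06:27.880 queries: info: client E#50123: query: kqzpxtrwe.n4b22hh7 IN A +
07-Mar-2008 02:06:40.000 queries: info: client F#3300: query: www.example.com IN A +
""".splitlines()


def parse_log(lines):
    """Turn query-log lines into records; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
            "client": m.group("client"),
            "port": int(m.group("port")),
            "name": m.group("name").rstrip("."),
            "type": m.group("type"),
        })
    return records


def random_name_queries(records):
    """Only the queries whose QNAME has the random two-label shape."""
    return [r for r in records if RANDOM_NAME_RE.match(r["name"])]


def periodic_clients(records, period=120.0, tolerance=5.0):
    """Clients whose successive random-name queries are ~period seconds apart.

    The thread reports roughly two-minute spacing; the tolerance absorbs
    scheduler jitter. Clients with a single query have no interval to judge.
    """
    by_client = defaultdict(list)
    for r in random_name_queries(records):
        by_client[r["client"]].append(r["ts"])
    flagged = []
    for client, stamps in by_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps and all(abs(g - period) <= tolerance for g in gaps):
            flagged.append(client)
    return sorted(flagged)


def shared_names(records, window=60.0):
    """Random names queried by two or more distinct clients within `window` s.

    Mirrors Dave Sparro's observation that identical names arrive from several
    sources inside a 30-60 second window and are then not seen again.
    """
    by_name = defaultdict(list)
    for r in random_name_queries(records):
        by_name[r["name"]].append((r["ts"], r["client"]))
    hits = {}
    for name, events in by_name.items():
        events.sort()
        clients = {c for _, c in events}
        if len(clients) < 2:
            continue
        if (events[-1][0] - events[0][0]).total_seconds() <= window:
            hits[name] = sorted(clients)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("random-name queries:", len(random_name_queries(recs)), "of", len(recs))
    print("clients on a ~120 s cadence:", periodic_clients(recs))
    print("names shared across clients within 60 s:", shared_names(recs))
```

On a real log the `client` field is an IP address, so `periodic_clients` groups by host rather than by letter; the source port (which the thread also suggests watching) is kept in each record so a per-port grouping is a one-line change.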

Re: Random nx name queries, anyone see this before?

2008-12-15 Thread Alan Clegg
ponga2...@gmail.com wrote:
 I'm seeing name queries from a couple clients on the network that
 occur around every two minutes - the queries are evidently random and
 are looking for A IN records of this form, as an example:
 
 ungzbvyf.lzghmccim
 
 They always look like this, 8 lowercase chars, dot, then 9 lowercase
 chars - never an FQDN.
 I can't find what this might be - has anyone seen this before or have
 any ideas?

I've seen this and told a couple of people, but nobody has really shown
interest.

In addition to the regular format that you see, I've also picked up a
pattern when you start seeing the queries from multiple sources...

I'll be more than happy to start collecting data again if anyone has
interest.

AlanC


