Could it have anything to do with recursion and the Internet's root servers?
Your client may be passing bad DNS requests to the .com, .net, and .org
root servers.
Just a thought.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 19, 2001 11:04 AM
To: [EMAIL PROTECTED]
Subject: Is this a known Trojan?
I've got an unknown process/program running from a workstation on my
network. The symptom is that it continuously sends requests to the nearest
internal DNS server that causes the DNS server to issue ICMP Packets on
Port 53 destined for Port 53 of 13 servers (always the same 13, randomly
requested) that turn out to be defense installations, research sites and
major educational institutions. My firewall blocks the outbound requests,
but because of the continuous nature of the requests, my logs are getting
filled rapidly. Another quirk is that whatever it is starts at the same
time each hour (xx:45) and runs for about 35 minutes, then stops until the
next xx:45. We're hunting it down now, but have seen this pop up in
different locations from time to time. It also appears to run very well
unattended, as it runs around the clock. Trying to get some of my users to
keep their anti-virus up to date is like trying to get blood from the
proverbial turnip! Any assistance would be greatly appreciated.
Warner Watkins
Information Security Specialist
Coca-Cola Bottling Co. Consolidated
Charlotte NC
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
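
For the hunt described in the original message, an added example (not part of either post): it scans an internal DNS server's query log for clients whose queries recur in the same part of every hour, such as the xx:45 burst lasting about 35 minutes. The log line format, the addresses, and the `min_hours` / `max_window` thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def active_window(minutes):
    """Smallest arc of the 60-minute clock face covering every minute seen.
    Returns (start_minute, length_in_minutes); the arc may wrap past xx:59."""
    occupied = sorted(set(minutes))
    if len(occupied) == 1:
        return occupied[0], 1
    best_gap, start = -1, occupied[0]
    for i, m in enumerate(occupied):
        nxt = occupied[(i + 1) % len(occupied)]
        gap = (nxt - m) % 60          # circular distance to the next busy minute
        if gap > best_gap:            # largest gap = the quiet part of the hour
            best_gap, start = gap, nxt
    return start, 60 - best_gap + 1

def scheduled_clients(lines, min_hours=3, max_window=40):
    """Flag clients whose queries recur in the same part of every hour."""
    minutes, hours, count = defaultdict(list), defaultdict(set), defaultdict(int)
    for line in lines:
        date, time, client, _query = line.split()   # assumed 4-field format
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        ip = client.split("=", 1)[1]
        minutes[ip].append(ts.minute)
        hours[ip].add((ts.date(), ts.hour))
        count[ip] += 1
    flagged = {}
    for ip in minutes:
        start, length = active_window(minutes[ip])
        if len(hours[ip]) >= min_hours and length <= max_window:
            flagged[ip] = (start, length, count[ip])
    return flagged

def constructed_sample():
    """Constructed log lines: one client bursting at xx:45 for 35 minutes,
    one ordinary client querying at scattered minutes."""
    lines = []
    for hour in (10, 11, 12):
        burst = datetime(2001, 4, 19, hour, 45)
        for i in range(35):
            ts = burst + timedelta(minutes=i)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} client=10.0.0.34 query=host{i}.example.invalid")
        for m in (3, 17, 31, 44, 52):
            lines.append(f"2001-04-19 {hour:02d}:{m:02d}:00 client=10.0.0.50 query=www.example.invalid")
    return lines

if __name__ == "__main__":
    for ip, (start, length, n) in scheduled_clients(constructed_sample()).items():
        print(f"{ip}: {n} queries, active from xx:{start:02d} for {length} min each hour")
```

The firewall only sees the DNS server as the source of the blocked packets, so the query log on that server is where the originating workstation shows up.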