Tracing where it started

Graphs of our observances are available at:

Here's the earliest port 1434 probe that I find. Local times are EST. Pay
no attention to the port 123 business; I like to include ntp with my dumps
to facilitate correlation:

[root@bunta hpot]# tcpslice 1041153985 1041154648 ../tcpdump.1041060689 | tcpdump -ttttnr - port 1434 or port 123 or port 53
12/29/2002 09:26:25.248240 > v4 server strat 2 poll 10 prec -16 (DF) [tos 0x10]
12/29/2002 09:37:23.203055 > [|domain]

And the dump:

12/29/2002 09:37:23.203055 > [|domain]
                         4500 0021 c8ef 0000 7b11 6d83 d896 9b0b
                         40de 54d9 0035 059a 000d eeab 0200 0000

I ran through packet logs from several networks starting Dec 1. This is
the earliest I can find. As indicated above, there was certainly no prior
DNS request.
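As an added example (my code, not the original poster's), here is a small Python decoder for the hex dump above: it verifies the IP header checksum, pulls out the ports, and shows why tcpdump tagged a packet that is plainly not DNS as [|domain]: the source port is 53, so tcpdump handed it to its DNS printer and found it far too short.

```python
import ipaddress
import struct

# Packet bytes exactly as printed by tcpdump -x in the post above.
DUMP_HEX = """
4500 0021 c8ef 0000 7b11 6d83 d896 9b0b
40de 54d9 0035 059a 000d eeab 0200 0000
"""

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (checksum field
    included). An intact header folds to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_udp_packet(dump_hex: str) -> dict:
    """Decode the IPv4 and UDP headers of a tcpdump -x dump and report
    whether the capture is shorter than the headers claim."""
    raw = bytes.fromhex("".join(dump_hex.split()))
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:]
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "ip_total_len": total_len,
        "ip_header_ok": ip_checksum(raw[:ihl]) == 0,
        "sport": sport,   # 53: this is why tcpdump chose its DNS printer
        "dport": dport,   # 1434: MS SQL Server Resolution Service
        "udp_len": udp_len,
        "payload": payload.hex(),
        # UDP length includes its 8-byte header; a 5-byte payload is far too
        # short for a 12-byte DNS header, hence tcpdump's "[|domain]".
        "payload_missing": (udp_len - 8) - len(payload),
    }

if __name__ == "__main__":
    for key, value in decode_udp_packet(DUMP_HEX).items():
        print(f"{key:16} {value}")
```

The UDP length field claims 5 payload bytes while the printed dump carries only 4, so the decoder reports one byte missing rather than guessing at it.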

Just for poops & snickers, let's have a peek at, shall we?

NetRange: -
NetName: EASYCGI-150-157
NetHandle: NET-216-150-150-0-1
Parent: NET-216-150-128-0-1
NetType: Reassigned
NameServer: NS1.EASY-CGI.COM
NameServer: NS2.EASY-CGI.COM
RegDate: 2002-06-19
Updated: 2002-08-08

[gbakos@lt1 gbakos]$ nc 80
GET / HTTP/1.0

HTTP/1.0 404 Not Found
Server: Microsoft-IIS/5.0
Content-Type: text/html
Content-Length: 111
Age: 440
X-Cache: HIT from
Connection: close

<html><head><title>Site Not Found</title></head>
<body>No web site is configured at this address.</body></html>

Why doesn't this surprise me? Anyone want to run this guy down and apply
the "sucker rod" section of syslogd(8) ?