Tracing where it started

Graphs of our observances are available at:
  http://people.ists.dartmouth.edu/~gbakos/sapphire

Here's the earliest port 1434 probe that I find. Localtimes are EST. Pay
no attention to the port 123 business; I like to include ntp with my dumps
to facilitate correlation:

[root@bunta hpot]# tcpslice 1041153985 1041154648 ../tcpdump.1041060689 | tcpdump -ttttnr - port 1434 or port 123 or port 53
12/29/2002 09:26:25.248240 140.162.8.25.123 > 64.222.84.217.123: v4 server strat 2 poll 10 prec -16 (DF) [tos 0x10]
12/29/2002 09:37:23.203055 216.150.155.11.53 > 64.222.84.217.1434: [|domain]

And the dump:

12/29/2002 09:37:23.203055 216.150.155.11.53 > 64.222.84.217.1434: [|domain]
                         4500 0021 c8ef 0000 7b11 6d83 d896 9b0b
                         40de 54d9 0035 059a 000d eeab 0200 0000
                         00

I ran through packet logs from several networks starting Dec 1. This is
the earliest I can find. As indicated above, there was certainly no prior
dns request.

Just for poops & snickers, let's have a peek at 216.150.155.11, shall we?

NetRange: 216.150.150.0 - 216.150.157.255
CIDR: 216.150.150.0/23, 216.150.152.0/22, 216.150.156.0/23
NetName: EASYCGI-150-157
NetHandle: NET-216-150-150-0-1
Parent: NET-216-150-128-0-1
NetType: Reassigned
NameServer: NS1.EASY-CGI.COM
NameServer: NS2.EASY-CGI.COM
Comment:
RegDate: 2002-06-19
Updated: 2002-08-08

[gbakos@lt1 gbakos]$ nc 216.150.155.11 80
GET / HTTP/1.0

HTTP/1.0 404 Not Found
Server: Microsoft-IIS/5.0
Content-Type: text/html
Content-Length: 111
Age: 440
X-Cache: HIT from bunta.alpinista.dyndns.org
Connection: close

<html><head><title>Site Not Found</title></head>
<body>No web site is configured at this address.</body></html>

Why doesn't this surprise me? Anyone want to run this guy down and apply
the "sucker rod" section of syslogd(8)?
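Reading the hex dump above by hand is error-prone. The following is an added example, not part of the original post, that parses the tcpdump hex of the 09:37:23 packet into its IP and UDP fields and verifies the IP header checksum, the UDP checksum (over the pseudo-header) and the length fields, so the reading given in the post (source port 53, destination port 1434, a 5-byte payload) can be checked mechanically.

```python
import struct

# Hex dump copied from the tcpdump output quoted in the post
# (216.150.155.11.53 > 64.222.84.217.1434, 12/29/2002 09:37:23).
PACKET_HEX = """
4500 0021 c8ef 0000 7b11 6d83 d896 9b0b
40de 54d9 0035 059a 000d eeab 0200 0000
00
"""

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4_udp(hexdump: str) -> dict:
    """Parse a tcpdump-style hex dump of one IPv4/UDP datagram."""
    raw = bytes.fromhex("".join(hexdump.split()))
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _hcs = \
        struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("expected an IPv4/UDP datagram")
    src, dst = raw[12:16], raw[16:20]
    sport, dport, udp_len, _ucs = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    udp_segment = raw[ihl:total_len]
    # The UDP checksum covers a pseudo-header (addresses, protocol, UDP
    # length) plus the UDP header and payload; summing over the stored
    # checksum field as well must yield zero when the checksum is valid.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    return {
        "total_length": total_len,
        "df": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "sport": sport,
        "dport": dport,
        "udp_length": udp_len,
        "payload": udp_segment[8:],
        "header_checksum_ok": ones_complement_sum(raw[:ihl]) == 0,
        "udp_checksum_ok": ones_complement_sum(pseudo + udp_segment) == 0,
        "length_consistent": len(raw) == total_len and udp_len == total_len - ihl,
    }
```

Both checksums verify for the dumped packet, so the bytes as printed are intact and the 5-byte payload is what was actually on the wire.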