A reader sent us an "odd looking" DNS TXT record. The record was recovered from an old, decommissioned DNS server. Has anybody seen this before? The zone also includes the Google Apps authentication records, so it is possible that this is a similar scheme. According to the reader, the change times on the file are from 2010, but it is not certain that these times are correct. The file was maintained manually, so it is unlikely that a bad IP management script corrupted it. We have seen DNS TXT records used as a covert channel in the past, so it is possible this attempts to try something like this, or that these records were used for reflective DNS attacks. At this point, I really have no idea and was wondering if someone else has seen this.
--- |
Johannes 4511 Posts ISC Handler Oct 21st 2015 |
Oct 21st 2015 6 years ago |
Got packets? Kinda looks like EBCDIC, but would need to see the hex to verify.
|
James 35 Posts |
Oct 21st 2015 6 years ago |
ASCII art?
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@Cc::.:::cc:C@@@@@@@@
@@@@@@@Oc::....:...:::co@@@@@@
@@@@@@c:::........:::::cc@@@@@
@@@@@o:::::::c::::c:....:@@@@@
@@@@O::::oooCoOOoCCOCc...O@@@@
@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@
@@@@@c::CCccoooOoooccoo..O@@@@
@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@
@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@
@@@@@OCooCCCCCoooCCCCoooO@@@@@
@@@OOO@OoooCccoocccCCooO@@@@@@
@@@@OOOOCcooCCCCCCooco@@@@@@@@
@@@@OOOOCocccoooCooccO@@@@@@@@
@@@OOOOOCooocc:c::cooC@@@@@@@@
@@O@OC..cCCoooCoCooooo.C@@@@@@
@@O@c..:ooCCCCoocoCooo:.o@O@@@
c..:....oCCCOCCCOCCoCo...:..cO
.....:...oCCCCCCOOCOo....:.... |
Ondemannen 1 Posts |
Oct 21st 2015 6 years ago |
If you insert newlines in the right places, it becomes quite obvious - see http://pastebin.com/cxee44Q9
|
Habbie 1 Posts |
Oct 21st 2015 6 years ago |
Honestly, looks like ASCII art to me, but I can't make heads or tails of what the oblongs might be...
|
Jack G. 6 Posts |
Oct 21st 2015 6 years ago |
After I broke the strings out into separate lines, it looks like someone did a conversion on their portrait or something to generate different sizes of ASCII art. Brad in big, medium, small, etc. Not the best likeness, and maybe I'm just making it into something it's not, but that's my $0.02.
A sample:
""@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
"@@@@@@@@@@Cc::.:::cc:C@@@@@@@@"
"@@@@@@@Oc::....:...:::co@@@@@@"
"@@@@@@c:::........:::::cc@@@@@"
"@@@@@o:::::::c::::c:....:@@@@@"
"@@@@O::::oooCoOOoCCOCc...O@@@@"
"@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@"
"@@@@@c::CCccoooOoooccoo..O@@@@"
"@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@"
"@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@"
"@@@@@OCooCCCCCoooCCCCoooO@@@@@"
"@@@OOO@OoooCccoocccCCooO@@@@@@"
"@@@@OOOOCcooCCCCCCooco@@@@@@@@"
"@@@@OOOOCocccoooCooccO@@@@@@@@"
"@@@OOOOOCooocc:c::cooC@@@@@@@@"
"@@O@OC..cCCoooCoCooooo.C@@@@@@"
"@@O@c..:ooCCCCoocoCooo:.o@O@@@"
"c..:....oCCCOCCCOCCoCo...:..cO"
".....:...oCCCCCCOOCOo....:....?\ |
Jack G. 6 Posts |
Oct 21st 2015 6 years ago |
I think that it may be an X-Face or similar. Wrap it at 30 characters.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@Cc::.:::cc:C@@@@@@@@
@@@@@@@Oc::....:...:::co@@@@@@
@@@@@@c:::........:::::cc@@@@@
@@@@@o:::::::c::::c:....:@@@@@
@@@@O::::oooCoOOoCCOCc...O@@@@
@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@
@@@@@c::CCccoooOoooccoo..O@@@@
@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@
@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@
@@@@@OCooCCCCCoooCCCCoooO@@@@@
@@@OOO@OoooCccoocccCCooO@@@@@@
@@@@OOOOCcooCCCCCCooco@@@@@@@@
@@@@OOOOCocccoooCooccO@@@@@@@@
@@@OOOOOCooocc:c::cooC@@@@@@@@
@@O@OC..cCCoooCoCooooo.C@@@@@@
@@O@c..:ooCCCCoocoCooo:.o@O@@@
c..:....oCCCOCCCOCCoCo...:..cO
.....:...oCCCCCCOOCOo....:.... |
Royce 4 Posts |
Oct 21st 2015 6 years ago |
It looks like ASCII art to me.
|
Kevin 2 Posts |
Oct 21st 2015 6 years ago |
Haha, you have clearly been living in a code yellow world (https://www.schneier.com/blog/archives/2015/09/living_in_a_cod.html) too long. It's ASCII art! With a few well-placed line feeds and carriage returns, and rendered in a monospace font, it's legible as a silhouette of an avatar.
Clearly at least one other person thought of this, because this pastebin popped up today, also. http://pastebin.com/cxee44Q9 |
Mark 1 Posts |
Oct 21st 2015 6 years ago |
Looks like ASCII art if you line it all up, perhaps just a place holder record?
|
Mark 1 Posts |
Oct 21st 2015 6 years ago |
Okay, I can't see the other comments (system says 8, but there's only 1 showing up); if this is a duplicate of someone else's comment, feel free to delete it.
This just looks like ASCII art. If you copy all the blocks from one of the nodes (billmsbig) and put line breaks between the pairs of quotes, it just looks like an old ASCII art piece (someone's silhouette). Nigel |
Nigel 1 Posts |
Oct 21st 2015 6 years ago |
Looks like ASCII art.
|
Nigel 1 Posts |
Oct 21st 2015 6 years ago |
Looks like low resolution pictures of head shots to me, but I don't have any idea what the format is.
Update: Like Nigel, I could only see the first comment when I posted this. Now I can see all comments. |
JimC 17 Posts |
Oct 21st 2015 6 years ago |
The ISC comment system is reputation based. A lot of the commentators to this diary were new; they hadn't passed the reputation test, so they didn't appear until they were moderated by a Handler.
They have all been moderated now. Rick |
Rick 324 Posts ISC Handler |
Oct 21st 2015 6 years ago |
From everyone's response, I'll totally buy that it's ASCII art. Thing is, why in heaven's name would it be a DNS record on a DNS server?
|
AJ 1 Posts |
Oct 21st 2015 6 years ago |
Could it be graffiti by anonymous?
|
AJ 1 Posts |
Oct 21st 2015 6 years ago |
My guesses would've been
- graffiti (some group's calling card, they just like to leave it everywhere they go)
- message to somebody else (just telling them that hey, I've been here already)
- message to themself (reminding themself that hey, I've been here before)
- sys admin that was bored one day and had nothing else to do |
AJ 12 Posts |
Oct 22nd 2015 6 years ago |
If you put it into fixed-size font, you can see that it's ASCII art of some kinda face: http://imgur.com/RtNWg0P and if you size that down you can see it almost looks like a passport picture: http://imgur.com/LxY4MIK
|
AJ 2 Posts |
Oct 22nd 2015 6 years ago |
Same Guy?
dig +short TXT bradm.com @ns-323.awsdns-40.com | sed $'s/\" \"/\\\n/g'
bradm.com = Brad Mugford
http://imgur.com/QuMGfgl
http://imgur.com/WHYm7PN |
Steve 3 Posts |
Oct 23rd 2015 6 years ago |
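The step several commenters describe, breaking the record's quoted strings onto separate lines, written out as a small triage helper for multi-string TXT records. This is an added example, not part of the original thread; the art rows are copied from the thread, while the encoded-looking string, the function names and the width/alphabet heuristic are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample: the last three rows quoted in this thread, written the
# way a zone file stores one TXT record made of several character-strings.
ART_RDATA = ('"@@O@c..:ooCCCCoocoCooo:.o@O@@@" '
             '"c..:....oCCCOCCCOCCoCo...:..cO" '
             '".....:...oCCCCCCOOCOo....:...."')
# Constructed contrast: a single encoded-looking string (not from the thread).
ENCODED_RDATA = '"dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ=="'

def split_txt_strings(rdata):
    """Split presentation-format TXT RDATA into its character-strings,
    decoding \\X and \\DDD escapes (RFC 1035, section 5.1)."""
    def unescape(m):
        tok = m.group(1)
        return chr(int(tok)) if len(tok) == 3 else tok
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return [re.sub(r'\\(\d{3}|.)', unescape, q) for q in quoted]

def entropy_bits(text):
    """Shannon entropy in bits per character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def triage(rdata, max_alphabet=16):
    """Summarise a TXT record. The art verdict is a heuristic assumed here:
    several equal-width strings drawn from a small alphabet."""
    rows = split_txt_strings(rdata)
    joined = "".join(rows)
    widths = sorted({len(r) for r in rows})
    alphabet = len(set(joined))
    return {
        "strings": len(rows),
        "widths": widths,
        "alphabet": alphabet,
        "entropy": round(entropy_bits(joined), 2) if joined else 0.0,
        "looks_like_art": len(rows) > 1 and len(widths) == 1
                          and alphabet <= max_alphabet,
        "rendered": "\n".join(rows),
    }

if __name__ == "__main__":
    for name, rdata in (("art", ART_RDATA), ("encoded", ENCODED_RDATA)):
        report = triage(rdata)
        print(name, {k: v for k, v in report.items() if k != "rendered"})
        print(report["rendered"])
```

A record that fails the art check is not thereby malicious; the summary only tells an analyst whether the strings deserve decoding attempts or a look in a monospace font.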