
SANS ISC: Odd DNS TXT Record. Anybody Seen This Before? - Internet Security | DShield SANS ISC InfoSec Forums


Odd DNS TXT Record. Anybody Seen This Before?

A reader sent us an "odd looking" DNS TXT record. The record was recovered from an old, decommissioned DNS server. Has anybody seen this before? The zone also includes the Google Apps authentication records, so it is possible that this is a similar scheme. According to the reader, the change times on the file are from 2010, but it is not certain that these times are correct. The file was maintained manually, so it is unlikely that a bad IP management script corrupted it.

We have seen DNS TXT records used as a covert channel in the past, so it is possible this attempts to try something like this, or that these records were used for reflective DNS attacks. At this point, I really have no idea and was wondering if someone else has seen this.

 

bradmbig        TXT "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@Cc::.:::cc:C@@@@@@@@" "@@@@@@@Oc::....:...:::co@@@@@@" "@@@@@@c:::........:::::cc@@@@@" "@@@@@o:::::::c::::c:....:@@@@@" "@@@@O::::oooCoOOoCCOCc...O@@@@" "@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@" "@@@@@c::CCccoooOoooccoo..O@@@@" "@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@" "@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@" "@@@@@OCooCCCCCoooCCCCoooO@@@@@" "@@@OOO@OoooCccoocccCCooO@@@@@@" "@@@@OOOOCcooCCCCCCooco@@@@@@@@" "@@@@OOOOCocccoooCooccO@@@@@@@@" "@@@OOOOOCooocc:c::cooC@@@@@@@@" "@@O@OC..cCCoooCoCooooo.C@@@@@@" "@@O@c..:ooCCCCoocoCooo:.o@O@@@" "c..:....oCCCOCCCOCCoCo...:..cO" ".....:...oCCCCCCOOCOo....:...."
bradbig        TXT "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" "@@@@@@@@@@Cc::.:::cc:C@@@@@@@@" "@@@@@@@Oc::....:...:::co@@@@@@" "@@@@@@c:::........:::::cc@@@@@" "@@@@@o:::::::c::::c:....:@@@@@" "@@@@O::::oooCoOOoCCOCc...O@@@@" "@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@" "@@@@@c::CCccoooOoooccoo..O@@@@" "@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@" "@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@" "@@@@@OCooCCCCCoooCCCCoooO@@@@@" "@@@OOO@OoooCccoocccCCooO@@@@@@" "@@@@OOOOCcooCCCCCCooco@@@@@@@@" "@@@@OOOOCocccoooCooccO@@@@@@@@" "@@@OOOOOCooocc:c::cooC@@@@@@@@" "@@O@OC..cCCoooCoCooooo.C@@@@@@" "@@O@c..:ooCCCCoocoCooo:.o@O@@@" "c..:....oCCCOCCCOCCoCo...:..cO" ".....:...oCCCCCCOOCOo....:...."
bradmsmall      TXT "@@@@@@@@@@@@@@@@@" "@@@@@8c:::cc8@@@@" "@@@O::....:::c@@@" "@@@::c:cc:c:..O@@" "@@8:cCCCOOCCC.8@@" "@@8ooCCCCoCCoo8@@" "@@8CoCCoooCCoo@@@" "@@88CoCoooooo@@@@" "@@88Oocooocc8@@@@" "@88c:CCooooo:O@@@" "Oc..cCCCCCCCc.:O8" ".....cCCCOCc....."
bradm      TXT "@@@@@@@@@@@@@@@@@" "@@@@@8c:::cc8@@@@" "@@@O::....:::c@@@" "@@@::c:cc:c:..O@@" "@@8:cCCCOOCCC.8@@" "@@8ooCCCCoCCoo8@@" "@@8CoCCoooCCoo@@@" "@@88CoCoooooo@@@@" "@@88Oocooocc8@@@@" "@88c:CCooooo:O@@@" "Oc..cCCCCCCCc.:O8" ".....cCCCOCc....."

 

---
Johannes B. Ullrich, Ph.D.

Johannes

3655 Posts
ISC Handler
Got packets? Kinda looks like EBCDIC, but would need to see the hex to verify.
James

34 Posts
ASCII art?
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@Cc::.:::cc:C@@@@@@@@
@@@@@@@Oc::....:...:::co@@@@@@
@@@@@@c:::........:::::cc@@@@@
@@@@@o:::::::c::::c:....:@@@@@
@@@@O::::oooCoOOoCCOCc...O@@@@
@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@
@@@@@c::CCccoooOoooccoo..O@@@@
@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@
@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@
@@@@@OCooCCCCCoooCCCCoooO@@@@@
@@@OOO@OoooCccoocccCCooO@@@@@@
@@@@OOOOCcooCCCCCCooco@@@@@@@@
@@@@OOOOCocccoooCooccO@@@@@@@@
@@@OOOOOCooocc:c::cooC@@@@@@@@
@@O@OC..cCCoooCoCooooo.C@@@@@@
@@O@c..:ooCCCCoocoCooo:.o@O@@@
c..:....oCCCOCCCOCCoCo...:..cO
.....:...oCCCCCCOOCOo....:....
Ondemannen

1 Posts
If you insert newlines in the right places, it becomes quite obvious - see http://pastebin.com/cxee44Q9
Habbie

1 Posts
Honestly, looks like ASCII art to me, but I can't make heads or tails of what the oblongs might be...
Jack G.

6 Posts
After I broke the strings out into separate lines, it looks like someone did a conversion on their portrait or something to generate different sizes of ASCII art. Brad in big, medium, small, etc. Not the best likeness, and maybe I'm just making it into something it's not, but that's my $0.02.

A sample:

"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
"@@@@@@@@@@Cc::.:::cc:C@@@@@@@@"
"@@@@@@@Oc::....:...:::co@@@@@@"
"@@@@@@c:::........:::::cc@@@@@"
"@@@@@o:::::::c::::c:....:@@@@@"
"@@@@O::::oooCoOOoCCOCc...O@@@@"
"@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@"
"@@@@@c::CCccoooOoooccoo..O@@@@"
"@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@"
"@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@"
"@@@@@OCooCCCCCoooCCCCoooO@@@@@"
"@@@OOO@OoooCccoocccCCooO@@@@@@"
"@@@@OOOOCcooCCCCCCooco@@@@@@@@"
"@@@@OOOOCocccoooCooccO@@@@@@@@"
"@@@OOOOOCooocc:c::cooC@@@@@@@@"
"@@O@OC..cCCoooCoCooooo.C@@@@@@"
"@@O@c..:ooCCCCoocoCooo:.o@O@@@"
"c..:....oCCCOCCCOCCoCo...:..cO"
".....:...oCCCCCCOOCOo....:...."
Jack G.

6 Posts
I think that it may be an X-Face or similar. Wrap it at 30 characters.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@Cc::.:::cc:C@@@@@@@@
@@@@@@@Oc::....:...:::co@@@@@@
@@@@@@c:::........:::::cc@@@@@
@@@@@o:::::::c::::c:....:@@@@@
@@@@O::::oooCoOOoCCOCc...O@@@@
@@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@
@@@@@c::CCccoooOoooccoo..O@@@@
@@@O@oCoCCCCCCCCoCCOCCoCoO@@@@
@@@O@CCoCCOOCCCOCoCOCCoCCO@@@@
@@@@@OCooCCCCCoooCCCCoooO@@@@@
@@@OOO@OoooCccoocccCCooO@@@@@@
@@@@OOOOCcooCCCCCCooco@@@@@@@@
@@@@OOOOCocccoooCooccO@@@@@@@@
@@@OOOOOCooocc:c::cooC@@@@@@@@
@@O@OC..cCCoooCoCooooo.C@@@@@@
@@O@c..:ooCCCCoocoCooo:.o@O@@@
c..:....oCCCOCCCOCCoCo...:..cO
.....:...oCCCCCCOOCOo....:....
Royce

4 Posts
It looks like ASCII art to me.
Kevin

2 Posts
Haha, you have clearly been living in a code yellow world (https://www.schneier.com/blog/archives/2015/09/living_in_a_cod.html) too long. It's ASCII art! With a few well-placed line feeds and carriage returns, and rendered in a monospace font, it's legible as a silhouette of an avatar.

Clearly at least one other person thought of this, because this pastebin popped up today, also.

http://pastebin.com/cxee44Q9
Mark

1 Posts
Looks like ASCII art if you line it all up, perhaps just a placeholder record?
Mark
1 Posts
Okay, I can't see the other comments (system says 8, but there's only 1 showing up). If this is a duplicate of someone else's comment, feel free to delete it.

This just looks like ASCII art. If you copy all the blocks from one of the nodes (billmsbig) and put line breaks between the pairs of quotes, it just looks like an old ASCII art piece (someone's silhouette).

Nigel

1 Posts
Looks like ASCII art.
Nigel
1 Posts
Looks like low resolution pictures of head shots to me, but I don't have any idea what the format is.

Update: Like Nigel, I could only see the first comment when I posted this. Now I can see all comments.
JimC

17 Posts
The ISC comment system is reputation based. A lot of the commentators to this diary were new; they hadn't passed the reputation test, so they didn't appear until they were moderated by a Handler.

They have all been moderated now.

Rick

293 Posts
ISC Handler
From everyone's response, I'll totally buy that it's ASCII art. Thing is, why in heaven's name would it be a DNS record on a DNS server?
AJ

1 Posts
Could it be graffiti by anonymous?
AJ
1 Posts
My guesses would've been
- graffiti (some group's calling card, they just like to leave it everywhere they go)
- message to somebody else (just telling them that hey, I've been here already)
- message to themself (reminding themself that hey, I've been here before)
- sys admin that was bored one day and had nothing else to do
AJ
12 Posts
If you put it into fixed-size font, you can see that it's ASCII art of some kinda face: http://imgur.com/RtNWg0P and if you size that down you can see it almost looks like a passport picture: http://imgur.com/LxY4MIK
AJ
2 Posts
Same Guy?

dig +short TXT bradm.com @ns-323.awsdns-40.com | sed $'s/\" \"/\\\n/g'

bradm.com = Brad Mugford

http://imgur.com/QuMGfgl

http://imgur.com/WHYm7PN
Steve

3 Posts
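
Added example, not part of the diary or of any comment above: it puts each quoted string of the `bradm` TXT record on its own line, as several commenters suggest, and uses character entropy to weigh the diary's covert-channel question against the ASCII-art reading. The function names, the `x1` contrast record and both thresholds are assumptions made for this sketch.

```python
import base64, hashlib, math, re
from collections import Counter

# The "bradm" record from the diary, as it appeared in the zone file.
BRADM = ('bradm      TXT "@@@@@@@@@@@@@@@@@" "@@@@@8c:::cc8@@@@" '
         '"@@@O::....:::c@@@" "@@@::c:cc:c:..O@@" "@@8:cCCCOOCCC.8@@" '
         '"@@8ooCCCCoCCoo8@@" "@@8CoCCoooCCoo@@@" "@@88CoCoooooo@@@@" '
         '"@@88Oocooocc8@@@@" "@88c:CCooooo:O@@@" "Oc..cCCCCCCCc.:O8" '
         '".....cCCCOCc....."')

# Constructed contrast sample: 96 pseudo-random bytes, base64-encoded and
# split into quoted chunks, standing in for an encoded payload.
_raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))
_b64 = base64.b64encode(_raw).decode()
ENCODED = 'x1 TXT ' + " ".join(f'"{_b64[i:i+32]}"' for i in range(0, len(_b64), 32))

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def txt_strings(line):
    """Split a zone-file TXT line into character-strings (\\DDD escapes not decoded)."""
    rdata = re.split(r'\bTXT\b', line, maxsplit=1)[1]
    return [re.sub(r'\\(.)', r'\1', s) for s in _QUOTED.findall(rdata)]

def entropy(text):
    """Shannon entropy in bits per character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def triage(line, art_max=3.5, encoded_min=4.5):
    """Classify a TXT record; both thresholds are assumptions, not standards."""
    strings = txt_strings(line)
    bits = entropy("".join(strings))
    uniform = len({len(s) for s in strings}) == 1
    if len(strings) >= 3 and uniform and bits < art_max:
        verdict = "text-art"      # fixed-width rows, few distinct symbols
    elif bits > encoded_min:
        verdict = "encoded-data"  # dense alphabet, worth decoding and reviewing
    else:
        verdict = "unclassified"
    return {"rows": len(strings), "bits": round(bits, 2), "verdict": verdict,
            "rendered": "\n".join(strings)}

if __name__ == "__main__":
    for rec in (BRADM, ENCODED):
        result = triage(rec)
        print(result["verdict"], result["rows"], result["bits"])
        print(result["rendered"], end="\n\n")
```

The contrast record also has equal-width strings, so row width alone does not separate the two cases; the small alphabet of the art is what keeps its entropy low.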
