Originally Posted by Olly-ellogroup
I am 100% with Steve on his theory of local machine hacking.
I am as well.
nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in dns packets out port 53.
He used this infected workstation system to login to a honeypot and a few hours later that honeypot was hit.
IP's all match the suspect IP's here.
If you have a server affected by this, your workstation has been compromised.