[Intrusions] Data in a SYN Packet
sekure
sekure at gmail.com
Mon Jun 21 13:35:17 GMT 2004
Has anyone noticed SYN packets to their DNS servers with 00 in the payload?
202.103.67.196:1456 -> a.b.c.d:53 TCP TTL:50 TOS:0x0 ID:1 IpLen:20 DgmLen:64
******S* Seq: 0xBB56ADE4 Ack: 0x3B3F1A76 Win: 0x800 TcpLen: 20
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/21-00:03:45.861218 0:1:42:71:5A:C1 -> 8:0:20:82:53:F3 type:0x800 len:0x4E
202.103.67.196:1462 -> a.b.c.d:53 TCP TTL:50 TOS:0x0 ID:2 IpLen:20 DgmLen:64
******S* Seq: 0x48DEE137 Ack: 0xB79D486 Win: 0x800 TcpLen: 20
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/21-00:03:46.314303 0:1:42:71:5A:C1 -> 8:0:20:82:53:F3 type:0x800 len:0x4E
202.103.67.196:1464 -> a.b.c.d:53 TCP TTL:50 TOS:0x0 ID:3 IpLen:20 DgmLen:64
******S* Seq: 0x9CFB8F01 Ack: 0x525AA02B Win: 0x800 TcpLen: 20
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ........
This is happening every 10-15 minutes from 4 different hosts, all
located in China:
61.135.158.28
61.135.158.29
218.30.23.100
202.103.67.196
Any ideas?
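As an added example (not part of the original post), here is a small Python parser that flags the traits visible in the alerts above: a payload on a SYN-only segment, a non-zero ACK field while the ACK flag is clear, an all-zero payload, and IP IDs counting 1, 2, 3 across packets. The sample datagram is constructed to match the decode (DgmLen 64, TTL 50, Win 0x800); the destination address is a placeholder.

```python
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_syn_with_payload(src, dst, sport, dport, ip_id, seq, ack, payload):
    """Constructed sample only: IPv4 (20 B) + TCP (20 B, SYN flag only) + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0, 50, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    # data offset 5 words, flags byte = SYN only, window 0x800, checksum/urgent left 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, TCP_SYN, 0x800, 0, 0)
    return ip + tcp + payload


def inspect_packet(pkt):
    """Return anomaly labels for one raw IPv4+TCP datagram (empty list if nothing odd)."""
    findings = []
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:                       # not TCP
        return findings
    tcp = pkt[ihl:]
    _, _, _, ack, off_byte, flags, _ = struct.unpack("!HHIIBBH", tcp[:16])
    data_off = (off_byte >> 4) * 4
    payload = pkt[ihl + data_off:total_len]
    syn_only = flags == TCP_SYN
    if syn_only and payload:              # data carried on a bare SYN
        findings.append("data-in-syn:%d" % len(payload))
        if not any(payload):              # every byte 0x00
            findings.append("all-zero-payload")
    if not (flags & TCP_ACK) and ack != 0:
        findings.append("ack-field-set-without-ack-flag")
    return findings


def sequential_ip_ids(pkts):
    """Heuristic: IP IDs rising by exactly 1 per packet (1, 2, 3, ...) suggest a crafted stack."""
    ids = [struct.unpack("!H", p[4:6])[0] for p in pkts]
    return len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    # 192.0.2.1 stands in for the poster's a.b.c.d; source is the address from the alert.
    sample = build_syn_with_payload("202.103.67.196", "192.0.2.1", 1456, 53, 1,
                                    0xBB56ADE4, 0x3B3F1A76, b"\x00" * 24)
    print(inspect_packet(sample))
```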