[Intrusions] 3803/udp from broadband boxes?
Michael
blackavar at citizensofgravity.com
Sat Apr 2 20:35:45 GMT 2005
I think it will probably have to go down as an interesting oddity--I'd
ruled out SoniqSync already (no Windows machines on this network), and
the IP these were hitting hasn't had anything running on it except smtp
and ssh in about seven months.

It might be an artifact from a previous IP assignment, but, again, funny
that so many different networks would show up instead of the one guy who
just started up Azureus for the first time in eight months.

I'm leaning towards the boxes doing the probing having been compromised
somehow, but as you said, without actually getting at one it'd be hard
to say for sure.

Anyone out there in security for a broadband provider? I may have some
of your customers in here, let me know if you're curious and I can send
you the IPs that have shown up so far.

My only real concern was that some clown had put the wrong IP address in
his 1337 skript, his botnet thought I was mama, and I was suddenly going
to end up wanted in Norway or something :-) As of right now it's slowed
down, I'm getting one new IP every three hours or so.

Thanks for the input!

On Sat, 2005-04-02 at 12:48 -0600, Earnhart, Benjamin J wrote:
> Do you know for a fact that it's not SoniqSync
> http://www.soniqcast.com/site/FAQ%20Support/Getting_Started_FAQ.htm
>
> That seems the most likely origin to me, though that's based purely on
> port number. Most chatty protocols (game servers and multi-media stuff
> can be really chatty) only broadcast or multicast on the subnet if the
> ISPs have their routers configured correctly, so it does seem odd to
> have packets from several *different* networks coming in.
--
Michael <blackavar at citizensofgravity.com>