OT: Anyone seeing these sorts of probes? Port 46993 udp?

Joe jbfixurpc at gmail.com
Fri Mar 12 06:18:23 UTC 2010


Not to distract from the IPV4/IPV6 thread, but just wondering if anyone has
seen this behavior or perhaps can enlighten me to its origin/virus/meaning?

Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
(192.168.1.52)
User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
Data (101 bytes)

0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
0060  79 31 3a 71 65                                    y1:qe


Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
(192.168.1.52)
User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
Data (101 bytes)

0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
0060  79 31 3a 71 65                                    y1:qe

I'm seeing thousands of these per minute at one location, hundreds of unique
IP addresses. Some sort of bot net maybe?


Thanks much

Joe




