Very Computer

Can anyone figure out why someone would want to do this for MONTHS:  (Over
half a year now!)

tcpdump shows:

13:39:15.227310 0:e0:29:47:25:6b Broadcast ip 60: 5.0.0.4.2301 >
255.255.255.255.2301: udp 12
13:39:53.199088 0:e0:29:47:25:6b Broadcast ip 60: 24.19.207.26.2301 >
255.255.255.255.2301: udp 12
13:40:15.204580 0:e0:29:47:25:6b Broadcast ip 60: 5.0.0.4.2301 >
255.255.255.255.2301: udp 12
13:40:19.161950 0:e0:29:47:25:6b Broadcast arp 60: arp who-has 24.19.207.1
tell 24.19.207.26
13:40:53.218519 0:e0:29:47:25:6b Broadcast ip 60: 24.19.207.26.2301 >
255.255.255.255.2301: udp 12
13:41:15.229264 0:e0:29:47:25:6b Broadcast ip 60: 5.0.0.4.2301 >
255.255.255.255.2301: udp 12
13:41:53.241442 0:e0:29:47:25:6b Broadcast ip 60: 24.19.207.26.2301 >
255.255.255.255.2301: udp 12

Notice that there are two IP addresses and only 1 MAC address.  Further an
NSLOOKUP of 24.19.207.26 reveals nothing.  Im pretty sure that its part of

64 bytes from 24.19.207.26: icmp_seq=1 ttl=127 time=1363.1 ms
64 bytes from 24.19.207.26: icmp_seq=2 ttl=127 time=1173.3 ms
64 bytes from 24.19.207.26: icmp_seq=3 ttl=127 time=1293.9 ms
64 bytes from 24.19.207.26: icmp_seq=4 ttl=127 time=1030.8 ms
64 bytes from 24.19.207.26: icmp_seq=5 ttl=127 time=1150.6 ms
64 bytes from 24.19.207.26: icmp_seq=6 ttl=127 time=964.6 ms

But look at those times!  Not what I would expect from a PC on my subnet.
(Which would be the only way a broadcast could show up.)

Traceroute gives:
traceroute to 24.19.207.26 (24.19.207.26), 30 hops max, 38 byte packets
 1  r1-fe1-0-100bt.olmpi1.wa.home.net (24.1.26.1)  24.416 ms  18.972 ms
22.063 ms
2 24.19.207.26 (24.19.207.26)  2302.833 ms  1203.157 ms  1532.508 ms

Any ideas?

What interface of yours was this on? Fear greatly, for 5.0.0.0/8 is a class
A network reserved by IANA; if you see stuff coming or going from/to it,
worry.

Quote:> 13:39:53.199088 0:e0:29:47:25:6b Broadcast ip 60: 24.19.207.26.2301 >
> 255.255.255.255.2301: udp 12

UDP broadcasts? What are you running that would do that sort of thing? In
particular, what that would want to do it at 15 and 53s past the minute?

Quote:> 64 bytes from 24.19.207.26: icmp_seq=1 ttl=127 time=1363.1 ms
> 64 bytes from 24.19.207.26: icmp_seq=2 ttl=127 time=1173.3 ms

> But look at those times!  Not what I would expect from a PC on my subnet.
> (Which would be the only way a broadcast could show up.)

Er... no, broadcasts would show up if your router is fscked. Routers

who knows?

If those things with IP# 5.0.0.4 were coming from inside your network,

to get their act together.

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/

I did a whois on 5.0.0.4 and got an email server at emecube.com
Doug Holtz