Got a report from someone who had traced a DDoS attack coming from one of our subscribers. It claimed the IP was going out on port 1900 to various and sundry IPs as part of a distributed attack.
I ran a torch on the IP, and sure enough, a bunch of connections were going out on port 1900.
Talked to the customer, and eliminated all their PCs/phones/etc. one by one, at which point it was only their D-Link router connected to the net.
Turning it off stopped the outbound traffic. Just to be sure, we re-connected the customer's wired PC, and no traffic.
So at this point, it appears that there was some sort of malware loaded on their D-Link. It's a DIR-655.
Anyone else seeing this? Seen it? Other comments? -- bp
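As an added example (not from the original post or its author), this is the kind of check an operator could run over exported flow records to spot a subscriber host talking to an unusual number of distinct peers on UDP/1900, the pattern described above. The CSV flow records, field names and the peer threshold are constructed assumptions, not data from the incident.

```python
# Added example: flag sources with many distinct UDP/1900 (SSDP) peers in flow data.
# The records below are constructed sample data in a simplified NetFlow-like CSV:
# src_ip,src_port,dst_ip,dst_port,proto,packets
from collections import defaultdict
import csv, io

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"  # normal LAN discovery destination, not abuse

SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,packets
198.51.100.23,1900,203.0.113.10,51001,udp,120
198.51.100.23,1900,203.0.113.11,51001,udp,118
198.51.100.23,1900,203.0.113.12,51001,udp,121
198.51.100.23,1900,203.0.113.13,51001,udp,119
198.51.100.23,1900,203.0.113.14,51001,udp,117
198.51.100.23,1900,203.0.113.15,51001,udp,122
198.51.100.44,39211,198.51.100.1,53,udp,3
198.51.100.44,1900,239.255.255.250,1900,udp,2
198.51.100.44,40000,203.0.113.99,443,tcp,40
"""

def parse_flows(text):
    """Parse CSV flow records into dicts, converting ports and packet counts to ints."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for k in ("src_port", "dst_port", "packets"):
            r[k] = int(r[k])
    return rows

def ssdp_peer_counts(flows):
    """Per source IP: (distinct remote peers, total packets) over UDP flows touching port 1900."""
    peers, pkts = defaultdict(set), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp" or SSDP_PORT not in (f["src_port"], f["dst_port"]):
            continue
        if f["dst_ip"] == SSDP_MCAST:  # multicast M-SEARCH on the LAN is expected
            continue
        peers[f["src_ip"]].add(f["dst_ip"])
        pkts[f["src_ip"]] += f["packets"]
    return {ip: (len(s), pkts[ip]) for ip, s in peers.items()}

def flag_suspects(flows, min_peers=5):
    """Sources whose distinct-peer count on UDP/1900 reaches the (assumed) threshold."""
    return sorted(ip for ip, (n, _) in ssdp_peer_counts(flows).items() if n >= min_peers)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip in flag_suspects(flows):
        n, p = ssdp_peer_counts(flows)[ip]
        print(f"{ip}: {n} distinct peers, {p} packets on UDP/1900")
```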