Could be a part of the bash-exploit botnet that's going around.
(Yes, this could affect home routers as well)
Josh Reynolds, Chief Information Officer
SPITwSPOTS, www.spitwspots.com
On 09/26/2014 09:41 AM, Bill Prince via Af wrote:
> Got a report from someone that had traced a DDoS attack coming from
> one of our subscribers. It claimed the IP was going out on port 1900
> to various and sundry IPs as part of a distributed attack.
> I ran a torch on the IP, and sure enough, a bunch of connections were
> going out on port 1900.
> Talked to the customer, and eliminated all their PCs/phones/etc. one
> by one, at which point it was only their Dlink router connected to the
> net.
> Turning it off stopped the outbound traffic. Just to be sure, we
> re-connected the customer's wired PC, and no traffic.
> So at this point, it appears that there was some sort of malware
> loaded on their Dlink. It's a DIR-655.
> Anyone else seeing this? Seen it? Other comments?