[root@local teste]# tcpdump -i eth1 port 123
tcpdump: listening on eth1
23:38:01.217966 172.16.11.129.1738 > 218.234.22.154.4242: S 2026688793:2026688793(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:01.918971 172.16.11.129.1739 > 66.111.39.21.4242: S 3784490075:3784490075(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:02.797564 172.16.11.129.1742 > 64.246.54.76.4660: S 4227154250:4227154250(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:03.235073 172.16.11.129.1743 > 218.234.22.154.4242: S 3378970714:3378970714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:05.751773 172.16.11.129.1741 > cm162-156.liwest.at.4672: udp 35
23:38:05.751927 172.16.11.129.1737 > p508A7EF9.dip.t-dialin.net.4672: udp 35
23:38:08.813501 172.16.11.129.1742 > 64.246.54.76.4660: S 4227154250:4227154250(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:09.251019 172.16.11.129.1743 > 218.234.22.154.4242: S 3378970714:3378970714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:13.144063 172.16.11.129.1744 > domain.ohporn.com.4661: S 349022057:349022057(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:13.845242 172.16.11.129.1745 > 193.111.199.183.4242: S 3852758782:3852758782(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:15.596237 172.16.11.129.1746 > OL184-185.fibertel.com.ar.4672: udp 35
23:38:15.596363 172.16.11.129.1740 > bzq-82-80-190-250.red.bezeqint.net.29189: udp 35
23:38:16.138810 172.16.11.129.1744 > domain.ohporn.com.4661: S 349022057:349022057(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:16.839785 172.16.11.129.1745 > 193.111.199.183.4242: S 3852758782:3852758782(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:20.849879 172.16.11.129.1747 > 66.79.184.80.4661: S 1537582885:1537582885(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:21.178029 172.16.11.129.1748 > razorback.ed2k.ch.4661: S 450373228:450373228(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:22.147195 172.16.11.129.1744 > domain.ohporn.com.4661: S 349022057:349022057(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:22.848165 172.16.11.129.1745 > 193.111.199.183.4242: S 3852758782:3852758782(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:23.798682 172.16.11.129.1747 > 66.79.184.80.4661: S 1537582885:1537582885(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:24.236186 172.16.11.129.1748 > razorback.ed2k.ch.4661: S 450373228:450373228(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:25.440335 172.16.11.129.1749 > 230.Red-80-59-112.pooles.rima-tde.net.4672: udp 35
23:38:25.440463 172.16.11.129.1750 > 218-168-138-45.HINET-IP.hinet.net.4672: udp 35
These packets were captured by tcpdump on one of my networks; this IP (172.16.11.129) is consuming a link of more or less 200k. This is without any browsing at all. The operating system is Windows 2000.
I believe it is some kind of virus attack, but I have no idea which virus could attack on these ports. I have already searched but found nothing related.
So I ask: does anyone have any idea what this is?
Thank you in advance for your attention.
Thanks
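A way to triage a capture like the one in the post, added here as an example and not part of the original post: it groups destinations by protocol and port and counts SYNs resent with the same sequence number. The `HINTS` table is an assumption taken from the well-known default ports of the eDonkey2000/eMule file-sharing network, not something stated in the post; `summarize`, `LINE` and `SAMPLE` are names chosen for this example.

```python
import re
from collections import defaultdict

# Sample: five lines copied from the capture in the post above.
SAMPLE = """\
23:38:20.849879 172.16.11.129.1747 > 66.79.184.80.4661: S 1537582885:1537582885(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:21.178029 172.16.11.129.1748 > razorback.ed2k.ch.4661: S 450373228:450373228(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:23.798682 172.16.11.129.1747 > 66.79.184.80.4661: S 1537582885:1537582885(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:38:25.440335 172.16.11.129.1749 > 230.Red-80-59-112.pooles.rima-tde.net.4672: udp 35
23:38:25.440463 172.16.11.129.1750 > 218-168-138-45.HINET-IP.hinet.net.4672: udp 35
"""

# Assumption (general knowledge, not stated in the post): default ports of
# the eDonkey2000/eMule file-sharing network.
HINTS = {("tcp", 4661): "eDonkey2000 server", ("udp", 4672): "eMule client"}

# Classic tcpdump text format: time src.sport > dst.dport: rest
LINE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")

def summarize(text):
    """Group destinations by (protocol, port) and count retransmitted SYNs."""
    dests = defaultdict(set)
    seen_syns, retransmits = set(), 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, shell prompt or unrelated line
        src, sport, dst, dport, rest = m.groups()
        syn = re.match(r"S (\d+):", rest)
        if syn:
            proto = "tcp"
            key = (src, sport, dst, dport, syn.group(1))
            if key in seen_syns:
                retransmits += 1  # same sequence number: earlier SYN was not answered
            seen_syns.add(key)
        elif rest.startswith("udp"):
            proto = "udp"
        else:
            continue
        dests[(proto, int(dport))].add(dst)
    return dict(dests), retransmits

if __name__ == "__main__":
    dests, retransmits = summarize(SAMPLE)
    for (proto, port), hosts in sorted(dests.items()):
        hint = HINTS.get((proto, port), "unknown")
        print(f"{proto}/{port}: {len(hosts)} destination(s), hint: {hint}")
    print(f"retransmitted SYNs: {retransmits}")
```

Many distinct destinations on a handful of fixed ports, combined with repeated unanswered SYNs, points to a peer-to-peer client trying a server or peer list rather than to ordinary browsing.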