by wasipwned 1292 days ago
Yeah. That's definitely the plan, but I want to see if there's anything I can learn from the machine before I even do so.

The IP address was 107.122.31.71.

3 comments

It looks like a consumer IP address (AT&T US); ungood. Either your attacker is unsophisticated and they actually had that IP, or they're bouncing through a pwned machine.

Kill it. Kill it with fire.

Well, I've dug around, there's no hostname associated with it or pointing to it.

There are no obvious connections to any orgs or sites, and no entries in VirusTotal or AbuseIPDB, however there is an open port 179 (looks like BGP??).

It's a carrier-grade NAT IP for ATT's cellular service, the BGP is likely just the ATT router.

Yeah, I'm now realizing that this might be multicast traffic I'm seeing from another device, and I do use AT&T which is making me think this may not actually be malicious.
Out of curiosity, how do you know it's CGNAT? Is it just because all of AT&T's mobile traffic is through CGNAT?