We're looking for any info or packets that target port 51616. After witnessing a spike yesterday on his network and checking that our port data  corroborated his event, Andrew has written in asking what we know.
The most useful snapshot of port activity can be seen in this graph image. I ran the graphs as far back as 2006 and nothing more signifcant was illustrated. The image below highlights yesterdays events as well as a more curious spike back in March. These counts do not seem very significant at first look, but they could clearly be telling us something.
So drop us a comment to share what you know. We're interested to attribute this traffic to something useful.
Update 1: ISC reader Jim suggested that port 51616 is Xsan is Apple Inc.'s storage area network (SAN) or clustered file system for Mac OS X. Xsan enables multiple Mac desktop and Xserve systems to access shared block storage over a Fibre Channel network. With the Xsan file system installed, these computers can read and write to the same storage volume at the same time.(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
On May 16, 2013, US-CERT was notified that both www.federalnewsradio[.]com and www.wtop[.]com had been compromised to redirect Internet Explorer users to an exploit kit. As of May 17, 2013, US-CERT analysis confirms that no malicious code remains on either site.Description
Any systems visiting running vulnerable versions of Adobe Reader or Acrobat or Oracle Java may have been compromised.Impact
The exploit kit, once successful, delivers and executes a known variant of the ZeroAccess Trojan. Additionally, according to open source reporting, the malware also downloads and installs a variant of FakeAV/Kazy malware.
The ZeroAccess Trojan attempts to beacon to one of two hardcoded command-and-control addresses, 194[.]165[.]17[.]3 and 209[.]68[.]32[.]176. The beaconing occurs using an HTTP GET using the Opera/10 user-agent string.
After beaconing, the malware then downloads a custom Microsoft Cabinet file and the malware uses port 16464/udp to connect to the peer-to-peer network. This cabinet file contains several lists of IP addresses, as well as a fake flash installer.Solution
Updated software that addresses the vulnerabilities referenced in this incident has been available for years. It is imperative to apply current security updates to software that is commonly targeted by attackers.
In order to defend against additional vulnerabilities, install the most recent versions of Adobe Reader, Acrobat, and Oracle Java. At the time of publication, Adobe Security Bulletin APSB13-15 documents current security updates for Adobe Reader and Acrobat, and Oracle Java SE Critical Patch Update Advisory - April 2013 documents vulnerabilities addressed by Java 7 Update 21.
Identify Compromised Systems
Monitor activity to the following IP addresses as a potential indicator of compromise where permitted and practical: