a-wall wrote:
> I have most of the hacked system on my NFS server and am bringing it
> back up to watch traffic.
> The trojan was sending data to IP address 224.0.0.251 on port 5353.
> I cannot find who owns this IP address and it could be a decoy.



Read RFC 3171. That IP addr is part of the "Local Network
Control Block" of the "IPv4 multicast address".

A properly configured router should not allow a packet with
this destination address outside. Kind of like 192.168.*.*
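
The check described in the reply, as an added example that is not part of the original thread: it sorts the destinations seen in a capture by how far a packet to them can travel, so link-local multicast such as 224.0.0.251 is separated from addresses worth an ownership lookup. The log line format, the sample lines and the names `classify` and `triage` are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# 224.0.0.0/24 is the "Local Network Control Block": link-local multicast
# that routers must not forward (224.0.0.251 is the mDNS group, UDP 5353).
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(dst):
    """Return how far a packet to this IPv4 destination can travel."""
    ip = ipaddress.ip_address(dst)
    if ip in LOCAL_CONTROL:
        return "local-control-multicast"   # stays on the local segment
    if ip in MULTICAST:
        return "multicast"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "other"                         # worth a whois lookup

def triage(lines):
    """Group 'src:port > dst:port proto' lines by destination class."""
    groups = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[1] != ">":
            continue                       # skip malformed lines
        host, _, port = parts[2].rpartition(":")
        try:
            groups[classify(host)].add((host, int(port)))
        except ValueError:                 # bad address or bad port
            groups["unparsed"].add((parts[2], 0))
    return {k: sorted(v) for k, v in groups.items()}

# Constructed sample capture summary (not from the original post).
SAMPLE = [
    "192.168.1.20:5353 > 224.0.0.251:5353 udp",
    "192.168.1.20:49152 > 192.168.1.1:53 udp",
    "192.168.1.20:49200 > 203.0.113.10:443 tcp",
    "garbage line",
]

if __name__ == "__main__":
    for cls, dests in triage(SAMPLE).items():
        print(cls, dests)
```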