From: Paul Gear (paulgearbigfoot.com)
Date: Thu Aug 02 2001 - 09:00:38 CDT

    I've seen quite a few similar probes, but always on 1025. Previously
    I have found information that suggests that this is a Windows NT RPC
    service.

    My log entries look like this:
    Aug 1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17
    65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)

    I've only ever had one such probe before, but yesterday I got around
    20 total, from diverse networks (home.com, kornet.net, hinet.net,
    chinanet.cn.net, etc.).

    However, I can't see any direct correlation with Code Red - I got 56
    probes from Code Red on 20 July, then nothing until today (2 August,
    GMT+1000 timezone) - 24 of them so far. Is someone perhaps trying to
    hide some other probe activity in Code Red's traffic?

    Paul
    http://paulgear.webhop.net

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
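
Added example, not part of the original post: a parser for the ipchains packet-log format quoted above that rejoins mail-wrapped records and tallies denied packets per day by protocol and destination port, so UDP/1025 probe counts can be compared day by day with other denied traffic. The first sample record is the one from the post; the function names and all other sample records (documentation-range addresses, ports 80 and 25) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
# ipchains "Packet log" record; hostname and destination may be masked ("###") as in the post.
RECORD = re.compile(
    rf"^(?P<mon>{MONTH})\s+(?P<day>\d{{1,2}})\s+\d\d:\d\d:\d\d\s+\S+\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[^\s:]+):(?P<dport>\d+)\s"
)

def unwrap(text):
    """Rejoin wrapped records: a line not starting with a month name continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(MONTH + r"\s", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse(text):
    """Yield one dict per well-formed packet-log record; anything else is skipped."""
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m:
            d = m.groupdict()
            yield {**d, "day": int(d["day"]), "proto": int(d["proto"]), "dport": int(d["dport"])}

def daily_profile(text, action="DENY"):
    """Return ('Mon D' -> Counter of (proto, dport)) and ((proto, dport) -> set of sources)."""
    hits, sources = defaultdict(Counter), defaultdict(set)
    for r in parse(text):
        if r["action"] == action:
            key = (r["proto"], r["dport"])
            hits[f'{r["mon"]} {r["day"]}'][key] += 1
            sources[key].add(r["src"])
    return hits, sources

# First record is the one quoted in the post (wrapped as posted); the rest are constructed.
SAMPLE = """\
Aug 1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17
65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
Aug  1 17:02:41 ### kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.10:1201 ###:1025 L=37 S=0x00 I=4021 F=0x0000 T=113 (#66)
Aug  2 03:11:09 ### kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:3412 ###:80 L=48 S=0x00 I=9112 F=0x4000 T=110 SYN (#66)
Aug  2 03:15:50 ### kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:2970 ###:80 L=48 S=0x00 I=771 F=0x4000 T=108 SYN (#66)
Aug  2 04:00:00 ### kernel: Packet log: input ACCEPT ppp0 PROTO=6 203.0.113.9:4000 ###:25 L=48 S=0x00 I=12 F=0x4000 T=60 SYN (#12)
"""
```

Calling `daily_profile(SAMPLE)` returns the per-day counters and the per-port source sets; a day where the set of distinct sources for one port grows sharply is the pattern the post describes for 1025.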