> The sources are all Windows boxes listening on TCP
port 1025.

Not surprising at all. MS has documentation that
states that the ports from 1025-1030 are used by RPC.

Have you checked your own machine w/ fport? I've got
ports open in that range on my system right now, but
they're all used by MS processes.

> The ramp up in volume from widely separated source
IPs looks wormy.

How so? The log extract you provided doesn't show any
data...it looks as if the initial SYN packet was
denied. This could easily be a port scanner.

__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]