andrew@ledge.co.za wrote:
This question, and also the last one on the same theme (port 199) *could* both be caused by the computer that previously used the same IP address. If the previous user of the IP address had an FTP session (or server) to the named machine, then this may be an attempt to establish a data connection. RPC also dynamically assigns port numbers ...
Agreed, in general good points, but it was rather a coincidence that probes for 27374 _only_ were being logged on numerous destination IPs from numerous source IPs.
If there are a large number of IP addresses involved, then it is possible that the last user of the IP address was running a server (back orifice?:) which was used by a large number of machines. Alternatively, one (or none) of those IP addresses is the machine that is performing a general port scan for something like:
Trinoo_Bcast 27444/udp # Trinoo distributed attack tool Master -> Bcast Daemon communication
Trinoo_Master 27665/tcp # Trinoo distributed attack tool Master server control port
Quake3Server 27960/udp # Quake 3 Arena Server
No - my logs would have recorded them along with those for port 27374. Only port 27374 was probed during these sessions. Some of the probes came from my ISP's IP range, some came from elsewhere. As others have suggested, I'm inclined to think the Windows Subseven Trojan was being searched for. Thanks to you and all others for your replies ...
Cheers - Les Catterall
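The distinction argued over in this thread, many sources each probing only port 27374 versus one host walking a range of ports, can be checked directly against dropped-packet logs. The following is an added example, not part of the original messages; the log format, the addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of dropped-packet records: "src dst proto dport".
# This is not data from the thread.
SAMPLE_LOG = """\
192.0.2.10 203.0.113.5 tcp 27374
192.0.2.11 203.0.113.6 tcp 27374
198.51.100.7 203.0.113.5 tcp 27374
198.51.100.8 203.0.113.9 tcp 27374
198.51.100.99 203.0.113.5 tcp 27374
198.51.100.99 203.0.113.5 tcp 27665
198.51.100.99 203.0.113.5 udp 27444
198.51.100.99 203.0.113.5 udp 27960
"""

def parse(log_text):
    """Yield (src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        src, dst, proto, dport = fields
        yield src, dst, proto, int(dport)

def classify(log_text, scan_threshold=3, sweep_sources=3):
    """Return (scanners, sweeps).

    scanners: sources that touched at least scan_threshold distinct ports
              (the general port scan case).
    sweeps:   ports probed by at least sweep_sources sources that touched
              no other port (the "27374 only" pattern).
    """
    ports_by_src = defaultdict(set)
    for src, _dst, proto, dport in parse(log_text):
        ports_by_src[src].add((proto, dport))
    scanners = {s for s, p in ports_by_src.items() if len(p) >= scan_threshold}
    single_port_srcs = defaultdict(set)
    for src, ports in ports_by_src.items():
        if len(ports) == 1:
            single_port_srcs[next(iter(ports))].add(src)
    sweeps = {port: srcs for port, srcs in single_port_srcs.items()
              if len(srcs) >= sweep_sources}
    return scanners, sweeps

if __name__ == "__main__":
    scanners, sweeps = classify(SAMPLE_LOG)
    print("multi-port scanners:", sorted(scanners))
    for (proto, port), srcs in sorted(sweeps.items()):
        print(f"{port}/{proto}: probed alone by {len(srcs)} sources")
```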