Re: Code red probe followed by udp port 10x

From: Paul Gear (paulgearat_private)
Date: Thu Aug 02 2001 - 07:00:38 PDT


    I've seen quite a few similar probes, but always on 1025.  Previously
    I have found information that suggests that this is a Windows NT RPC
    service.
    
    My log entries look like this:
    Aug  1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17
    65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
    
    I've only ever had one such probe before, but yesterday I got around
    20 total, from diverse networks (home.com, kornet.net, hinet.net,
    chinanet.cn.net, etc.).
    
    However, I can't see any direct correlation with Code Red - I got 56
    probes from Code Red on 20 July, then nothing until today (2 August,
    GMT+1000 timezone) - 24 of them so far.  Is someone perhaps trying to
    hide some other probe activity in Code Red's traffic?
    
    Paul
    http://paulgear.webhop.net
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
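The question the post raises (do the UDP/1025 hits come from the same hosts as the Code Red probes?) is the kind of thing that is quickest to answer by parsing the firewall log rather than eyeballing it. The following is an added example, written for this archive page and not code from the poster or from the list; it assumes the ipchains "Packet log" line layout shown in the post (PROTO, src:sport, dst:dport, L, S, I, F, T, optional SYN flag, rule number in parentheses). The first sample line is the one quoted in the post; the remaining lines are constructed, using the 192.0.2.0/24 documentation range and the same `###` redaction for the local host, so they are not real observations.

```python
import re
from collections import Counter

UDP, TCP = 17, 6

# Layout of an ipchains "Packet log" entry as quoted in the post (assumed):
# <syslog date> <host> kernel: Packet log: <chain> <verdict> <iface>
#   PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<id> F=<frag>
#   T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: Packet log: (?P<chain>\w+) (?P<verdict>\w+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: (?P<flags>SYN))?(?: \(#(?P<rule>\d+)\))?\s*$"
)

# Constructed sample log. Line 1 is the entry quoted in the post; the rest
# are made up (192.0.2.0/24 is a documentation range, not real traffic).
LOG_LINES = """\
Aug  1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17 65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
Aug  1 16:25:40 ### kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.10:1084 ###:1025 L=37 S=0x00 I=4102 F=0x0000 T=112 (#66)
Aug  1 16:26:02 ### kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:3301 ###:80 L=48 S=0x00 I=4110 F=0x4000 T=112 SYN (#12)
Aug  1 16:31:55 ### kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.77:1040 ###:1025 L=37 S=0x00 I=8801 F=0x0000 T=120 (#66)
Aug  1 16:40:17 ### kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.99:2145 ###:80 L=48 S=0x00 I=27 F=0x4000 T=105 SYN (#12)
Aug  1 16:41:03 ### kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.10:1085 ###:1025 L=37 S=0x00 I=4150 F=0x0000 T=112 (#66)
Aug  1 16:42:00 ### kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.55:1029 ###:137 L=78 S=0x00 I=512 F=0x0000 T=64 (#70)
this line is not a packet log entry and is skipped
"""


def parse_line(line):
    """Parse one ipchains log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse every line of a log, silently dropping lines that are not packet entries."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def probes_to_port(records, proto, dport):
    """Count denied packets to one protocol/port, keyed by source address."""
    return Counter(
        r["src"] for r in records
        if r["verdict"] == "DENY" and r["proto"] == proto and r["dport"] == dport
    )


def correlate(records):
    """Return (udp1025 counts by source, sources that also hit TCP/80).

    Code Red spreads over TCP/80, so a source that appears in both sets is
    the only kind of direct overlap this log can show.
    """
    udp1025 = probes_to_port(records, UDP, 1025)
    http = probes_to_port(records, TCP, 80)
    overlap = sorted(set(udp1025) & set(http))
    return udp1025, overlap


def report(text):
    """Summarise a log: how many UDP/1025 probes, from how many hosts, and the overlap."""
    records = parse_log(text)
    udp1025, overlap = correlate(records)
    return {
        "parsed": len(records),
        "udp_1025_probes": sum(udp1025.values()),
        "distinct_sources": len(udp1025),
        "also_hit_tcp_80": overlap,
    }


if __name__ == "__main__":
    for key, value in report(LOG_LINES).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 4 UDP/1025 probes from 3 distinct sources, of which only 192.0.2.10 also knocked on TCP/80; run it against a real `/var/log/messages` by reading the file into `report()` instead of `LOG_LINES`. An empty overlap on a day with many port-80 hits would support the poster's reading that the two kinds of traffic are unrelated; a large overlap would not prove a link on its own, since a host can be infected by Code Red and separately scanned from, but it is the first check worth making.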
    



    This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 13:48:31 PDT