Security Incidents mailing list archives

large number of probes from 210.97.123.3


From: security () WOAF NET (Jonathan)
Date: Sun, 30 Apr 2000 11:52:30 +0100


This morning I'm seeing a large number of SYN probes from 210.97.123.3.
They all seem to be directed at port 109 (pop2). They also run up our IP
range so I think they're searching our subnet for something.....

Apr 30 06:30:55 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.120:109
Apr 30 06:42:40 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.120:109
Apr 30 06:52:35 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.121:109
Apr 30 07:04:20 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.121:109
Apr 30 07:14:16 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.122:109
Apr 30 07:26:01 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.122:109
Apr 30 07:35:56 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.123:109
Apr 30 07:47:41 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.123:109
Apr 30 07:57:37 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.124:109
Apr 30 08:09:22 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.124:109
Apr 30 08:19:18 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.125:109
Apr 30 08:31:02 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.125:109
Apr 30 08:40:58 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.126:109
Apr 30 08:52:43 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.126:109
Apr 30 09:02:39 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.127:109

Does anyone have any idea what they'd be looking for by using SYN scans
against port 109?

210.97.123.3 seems to be a web server... but it's Korean and the only words
I understand on there are 'Web accelerator'.


---
Jonathan Oddy
Senior system administrator
Woaf Tech
Jonathan () woaf net
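
Added example, not part of the original post: a small Python triage script for Snort syslog alerts in the format quoted above. It groups probes by source and flags a source that walks upward through consecutive host addresses on a single destination port. The sample log is constructed with documentation addresses, and the names parse, summarize, min_hosts and year are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's log format (documentation addresses);
# the second entry is wrapped across two lines the way mail clients wrap it.
SAMPLE = """\
Apr 30 06:30:55 dog snort[11541]: SYN FIN Scan: 198.51.100.7:0 -> 192.0.2.120:109
Apr 30 06:42:40 dog snort[11541]: SYN FIN Scan: 198.51.100.7:0 ->
192.0.2.120:109
Apr 30 06:52:35 dog snort[11541]: SYN FIN Scan: 198.51.100.7:0 -> 192.0.2.121:109
Apr 30 07:14:16 dog snort[11541]: SYN FIN Scan: 198.51.100.7:0 -> 192.0.2.122:109
Apr 30 07:20:00 dog snort[11541]: SYN FIN Scan: 203.0.113.9:1042 -> 192.0.2.5:53
"""

# Whitespace around "->" may include a newline; a destination octet may be
# redacted with question marks, as in the post.
ALERT = re.compile(
    r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: SYN FIN Scan:\s+"
    r"([\d.]+):(\d+)\s+->\s+([\d?.]+):(\d+)")

def parse(text, year=2000):
    """Yield (time, src, sport, dst, dport); syslog omits the year, so it is assumed."""
    for ts, src, sport, dst, dport in ALERT.findall(text):
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        yield when, src, int(sport), dst, int(dport)

def summarize(text, min_hosts=3):
    """Per source: probe count, hosts in first-seen order, ports, sweep verdict."""
    by_src = defaultdict(list)
    for ev in parse(text):
        by_src[ev[1]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort()
        hosts = list(dict.fromkeys(e[3] for e in evs))   # de-duplicated, ordered
        last = [int(h.rsplit(".", 1)[1]) for h in hosts]  # final octet only
        ascending = all(b == a + 1 for a, b in zip(last, last[1:]))
        ports = sorted({e[4] for e in evs})
        report[src] = {
            "probes": len(evs),
            "hosts": hosts,
            "dst_ports": ports,
            "src_port_zero": all(e[2] == 0 for e in evs),
            "sweep": len(hosts) >= min_hosts and ascending and len(ports) == 1,
        }
    return report
```
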


