Security Incidents mailing list archives

odd scan


From: Kevin Holmquist <kevinh () NETRONIN ORG>
Date: Sun, 4 Feb 2001 11:19:28 -0700

Folks,

I detected a scan of one of my systems.  Looks like a typical, automated
scan, but I was curious about some of the ports it hit:

Feb  4 03:20:37 64.218.84.240:3373 -> ***.***.***.145:21 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3374 -> ***.***.***.145:23 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3375 -> ***.***.***.145:25 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3376 -> ***.***.***.145:79 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3377 -> ***.***.***.145:80 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3378 -> ***.***.***.145:81 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3379 -> ***.***.***.145:110 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3380 -> ***.***.***.145:113 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3381 -> ***.***.***.145:139 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3382 -> ***.***.***.145:143 SYN ******S*
Feb  4 03:20:37 64.218.84.240:3383 -> ***.***.***.145:443 SYN ******S*
Feb  4 03:20:38 64.218.84.240:3384 -> ***.***.***.145:8008 SYN ******S*
Feb  4 03:20:39 64.218.84.240:3385 -> ***.***.***.145:8080 SYN ******S*

Any ideas why they would check ports 23, 79, 81? I know 23 is telnet and 79
is finger, but I haven't seen exploits for those lately (other than telnet
being insecure).  Also, why port 81? Any new exploits for these ports?  I've
seen reports of scans for 23 and 81 on sans.org, but no one seemed to know
anything about them.

BTW, this is from snort, using snort.org's full ruleset dated 1/25/2001.
snort didn't recognize the scanner used...

Thanks!

Kevin
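
One way to triage a log like the one quoted above, as an added example that is not part of the original post: it parses the same line format, groups probes by source and target, and reports any source that touches several ports within a few seconds. The sample lines use constructed documentation addresses, and the function names, thresholds and the sequential-source-port heuristic are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the portscan log format quoted in the post
# (documentation addresses, not the poster's data).
SAMPLE = """\
Feb  4 03:20:37 192.0.2.10:3373 -> 198.51.100.145:21 SYN ******S*
Feb  4 03:20:37 192.0.2.10:3374 -> 198.51.100.145:23 SYN ******S*
Feb  4 03:20:37 192.0.2.10:3375 -> 198.51.100.145:25 SYN ******S*
Feb  4 03:20:38 192.0.2.10:3376 -> 198.51.100.145:79 SYN ******S*
Feb  4 03:20:39 192.0.2.10:3377 -> 198.51.100.145:81 SYN ******S*
Feb  4 03:25:02 192.0.2.77:40112 -> 198.51.100.145:80 SYN ******S*
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) (\S+) (\S+)$")

def parse(text, year=2001):
    """Yield (time, src, sport, dst, dport) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a scan record
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def summarize(text, min_ports=4, window=timedelta(seconds=10)):
    """Report (src, dst) pairs that hit >= min_ports ports within window."""
    groups = defaultdict(list)
    for ts, src, sport, dst, dport in parse(text):
        groups[(src, dst)].append((ts, sport, dport))
    findings = []
    for (src, dst), hits in groups.items():
        hits.sort()
        ports = sorted({d for _, _, d in hits})
        span = hits[-1][0] - hits[0][0]
        if len(ports) < min_ports or span > window:
            continue
        sports = [s for _, s, _ in hits]
        # Source ports rising by exactly 1 per probe: heuristic for one
        # process opening sockets back to back on an otherwise idle host.
        sequential = all(b - a == 1 for a, b in zip(sports, sports[1:]))
        findings.append({"src": src, "dst": dst, "ports": ports,
                         "seconds": span.total_seconds(), "sequential_sports": sequential})
    return findings

if __name__ == "__main__":
    for f in summarize(SAMPLE):
        print(f)
```

The resulting port list per source can then be compared against the services actually exposed on the target to decide which probes need follow-up.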

