Security Incidents mailing list archives

Strange traffic...


From: John Oliver <john.oliver () hosting com>
Date: Fri, 11 Jan 2002 13:46:29 -0800

I noticed one of my clients' machines seeing a lot more traffic than
normal.  tcpdump on the firewall got me stuff like:

13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
13:27:20.932530 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
13:27:20.933615 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 488884:490344(1460) ack 1 win 17520 (DF)
13:27:20.933757 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 488884:490344(1460) ack 1 win 17520 (DF)
13:27:20.934845 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P 490344:491804(1460) ack 1 win 17520 (DF)
13:27:20.934983 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: P 490344:491804(1460) ack 1 win 17520 (DF)
13:27:20.936076 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 491804:493264(1460) ack 1 win 17520 (DF)
13:27:20.936214 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 491804:493264(1460) ack 1 win 17520 (DF)
13:27:20.936835 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P 494724:495616(892) ack 1 win 17520 (DF)
13:27:20.936968 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: P 494724:495616(892) ack 1 win 17520 (DF)

And:

13:27:21.224434 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: . 432432:433892(1460) ack 1 win 17520 (DF)
13:27:21.224585 eth1 > gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: . 432432:433892(1460) ack 1 win 17520 (DF)
13:27:21.225191 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P 433892:434784(892) ack 1 win 17520 (DF)
13:27:21.225324 eth1 > gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P 433892:434784(892) ack 1 win 17520 (DF)

I can't find any references to port 2800 or 4059, at least in Google. 
Is there a better source to search for possible intrusion attempts?

nmap for hostx says:

Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on hostx (www.xxx.yyy.zzz):
(The 65512 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp                     
80/tcp     open        http                    
99/tcp     open        metagram                
135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             
443/tcp    open        https                   
808/tcp    open        unknown                 
881/tcp    open        unknown                 
1029/tcp   open        unknown                 
1081/tcp   open        unknown                 
1082/tcp   open        unknown                 
1083/tcp   open        ansoft-lm-1             
1433/tcp   open        ms-sql-s                
1720/tcp   filtered    unknown                 
2080/tcp   open        unknown                 
2429/tcp   open        unknown                 
4080/tcp   open        unknown                 
4899/tcp   open        unknown                 
5631/tcp   open        pcanywheredata          
31333/tcp  open        unknown                 
44442/tcp  open        unknown                 
44443/tcp  open        unknown                 
65301/tcp  open        pcanywhere              

Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds

Hostx is an NT Server 4.0 box, SP6a, running IIS, Cold Fusion, and some
other webhosting-related stuff. I'm not extremely familiar with NT, so
could use some thoughts here.

-- 
John Oliver
System Administrator
hosting.com, an Allegiance Telecom company
mailto:john.oliver () hosting com
(858) 637-3600
http://www.hosting.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
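A triage script for the capture in the post above, added here as an example; it is not part of John Oliver's message or of any SecurityFocus tooling. It embeds the posted tcpdump lines re-joined one packet per line (the archive wrapped them), drops the second copy of every packet that the firewall logs when it forwards it from eth0 to eth1, and summarises each flow: bytes carried, duration, PSH count, gaps in the sequence space, whether the local port is one the posted nmap scan reported open, and, assuming tcpdump printed relative sequence numbers because it saw the handshake, how many payload bytes hostx has sent back (ack minus 1). The hostname hostx as the "local" side, the open-port set copied from the nmap listing, and the reading of a port absent from that listing as probably ephemeral are assumptions made for the example.

```python
"""Triage of a tcpdump 3.x excerpt: parse, dedupe the firewall's forwarded
copies, and summarise each TCP flow (example code, not from the post)."""
import re

# tcpdump 3.x data-segment line, one packet per line:
#   time iface dir src.port > dst.port: flags seqlo:seqhi(len) ack N win W (DF)
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>\S+)\s+(?P<lo>\d+):(?P<hi>\d+)\((?P<len>\d+)\)\s+"
    r"ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)")

# The packet lines from the post, re-joined one per line (same packets, same order).
CAPTURE = """\
13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
13:27:20.932530 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
13:27:20.933615 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 488884:490344(1460) ack 1 win 17520 (DF)
13:27:20.933757 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 488884:490344(1460) ack 1 win 17520 (DF)
13:27:20.934845 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P 490344:491804(1460) ack 1 win 17520 (DF)
13:27:20.934983 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: P 490344:491804(1460) ack 1 win 17520 (DF)
13:27:20.936076 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 491804:493264(1460) ack 1 win 17520 (DF)
13:27:20.936214 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 491804:493264(1460) ack 1 win 17520 (DF)
13:27:20.936835 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P 494724:495616(892) ack 1 win 17520 (DF)
13:27:20.936968 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: P 494724:495616(892) ack 1 win 17520 (DF)
13:27:21.224434 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: . 432432:433892(1460) ack 1 win 17520 (DF)
13:27:21.224585 eth1 > gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: . 432432:433892(1460) ack 1 win 17520 (DF)
13:27:21.225191 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P 433892:434784(892) ack 1 win 17520 (DF)
13:27:21.225324 eth1 > gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P 433892:434784(892) ack 1 win 17520 (DF)
"""

# TCP ports nmap reported "open" on hostx in the post (1720 was filtered, so omitted).
OPEN_PORTS = {21, 80, 99, 135, 139, 443, 808, 881, 1029, 1081, 1082, 1083, 1433,
              2080, 2429, 4080, 4899, 5631, 31333, 44442, 44443, 65301}


def ts_seconds(ts):
    """'HH:MM:SS.uuuuuu' -> seconds since midnight (no day rollover handling)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue  # SYN/FIN/RST-only lines have a different shape; not needed here
        p = m.groupdict()
        for k in ("sport", "dport", "lo", "hi", "len", "ack", "win"):
            p[k] = int(p[k])
        pkts.append(p)
    return pkts


def drop_forwarded_copies(pkts):
    """A routed packet is logged twice on the firewall: arriving ('<') on one
    interface and leaving ('>') on the other. Keep only the first sighting."""
    seen, out = set(), []
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["lo"], p["hi"])
        if key not in seen:
            seen.add(key)
            out.append(p)
    return out


def flow_summary(pkts, local_host, listening):
    flows = {}
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "push": 0, "gaps": [],
                                   "first": ts_seconds(p["ts"]), "last": None,
                                   "next_seq": None, "peer_acked": None})
        f["packets"] += 1
        f["bytes"] += p["len"]
        f["push"] += "P" in p["flags"]
        f["last"] = ts_seconds(p["ts"])
        # A jump in the sequence space means a segment the capture missed,
        # or an out-of-order/retransmitted one; either way worth a look.
        if f["next_seq"] is not None and p["lo"] != f["next_seq"]:
            f["gaps"].append((f["next_seq"], p["lo"]))
        f["next_seq"] = p["hi"]
        f["peer_acked"] = p["ack"]
    for (src, sport, dst, dport), f in flows.items():
        f["duration"] = f["last"] - f["first"]
        f["local_port"] = dport if dst == local_host else sport
        f["local_listening"] = f["local_port"] in listening  # else probably ephemeral
        # Assumes tcpdump's relative numbering (it saw the SYN): the peer's ack
        # minus 1 is the payload byte count the local host has sent on this flow.
        f["bytes_from_local"] = f["peer_acked"] - 1
    return flows


def triage(capture, local_host, listening):
    return flow_summary(drop_forwarded_copies(parse_capture(capture)), local_host, listening)


if __name__ == "__main__":
    for (src, sport, dst, dport), f in triage(CAPTURE, "hostx", OPEN_PORTS).items():
        state = "listening" if f["local_listening"] else "not in nmap listing (ephemeral?)"
        print(f"{src}:{sport} -> {dst}:{dport}  {f['packets']} pkts  {f['bytes']} B "
              f"in {f['duration'] * 1000:.1f} ms  PSH={f['push']}  gaps={f['gaps']}  "
              f"local port {f['local_port']} {state}  bytes from hostx={f['bytes_from_local']}")
```

Run against the posted lines it reports two flows carrying bulk data into hostx on ports 4059 and 2800, neither of which appears in the nmap listing, with ack 1 throughout, which under relative numbering means hostx has sent no payload back on either connection. The 1460-byte hole between 493264 and 494724 in the first flow is a segment the capture did not record (or one that arrived out of order), not something the sender did. The port numbers themselves are the wrong thing to search for: ports on hostx that no scan shows open are almost certainly ephemeral ones the local side picked, so the productive next step is on the box itself, mapping those connections to an owning process (netstat -an on NT 4.0 shows the sockets; a tool such as Foundstone's fport maps them to executables) and finding out what that process is writing.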
