Security Incidents mailing list archives

Scans on 1240/tcp?


From: blackavar () citizensofgravity com
Date: Mon, 3 Nov 2003 09:35:25 -0500



Anyone recognise the following...?

08:36:21.267966 130.225.xxx.xxx.40497 > 24.157.xxx.xxx.1240: S
3374685220:3374685220(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
0x0000   4500 0030 7073 4000 2d06 c5aa 82e1 xxxx        E..0ps@.-.....3E
0x0010   189d xxxx 9e31 04d8 c925 9c24 0000 0000        ..H..1...%.$....
0x0020   7002 60f4 022d 0000 0101 0402 0204 05b4        p.`..-..........

My home connection is getting whacked with this basically 24/7 from a limited
set of attack IPs. The scanner sends 7 SYNs to 1240/tcp, all looking like normal
Windows SYN packets, no data. IPID is incrementing normally. Source port and
sequence number are incrementing between each series of connection attempts, so
I think he must be scanning other IPs as well. The router is catching it all, so
it's not a threat, but I am wondering what the heck it is.

I googled the port and found a couple of references to a Windows trojan that I
have never heard of, nor seen in the wild. I only see this scanning on my home
IP. (I don't even HAVE any Windoze boxes here.)

Anyone else seeing and/or recognise this?
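
Added example, not part of the original post: a Python decoder for the three hex rows quoted above, showing where the fields the poster compares between probes (IPID, source port, sequence number, window, TCP options) sit in the packet. The function names are this example's own, and the bytes redacted as "xxxx" are carried through as unknown rather than guessed.

```python
import re

# Hex rows copied from the post; "xxxx" marks bytes the poster redacted.
DUMP = """\
0x0000   4500 0030 7073 4000 2d06 c5aa 82e1 xxxx        E..0ps@.-.....3E
0x0010   189d xxxx 9e31 04d8 c925 9c24 0000 0000        ..H..1...%.$....
0x0020   7002 60f4 022d 0000 0101 0402 0204 05b4        p.`..-..........
"""

def parse_dump(text):
    """Return the packet as a list of ints, with None for each redacted byte."""
    pkt = []
    for line in text.splitlines():
        m = re.match(r"0x[0-9a-f]{4}\s+((?:[0-9a-fx]{4}\s)+)", line)
        if m:
            for word in m.group(1).split():
                pkt += [None if "x" in p else int(p, 16) for p in (word[:2], word[2:])]
    return pkt

def num(pkt, off, n):  # big-endian integer, or None if any byte is redacted
    chunk = pkt[off:off + n]
    return None if None in chunk else int.from_bytes(bytes(chunk), "big")

def addr(pkt, off):  # dotted quad, with "xxx" for redacted octets
    return ".".join("xxx" if b is None else str(b) for b in pkt[off:off + 4])

def tcp_options(raw):
    """Walk the TCP option list, stopping on end-of-list or a malformed length."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:
        if raw[i] == 1:
            opts.append("nop"); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break
        kind, body = raw[i], raw[i + 2:i + raw[i + 1]]
        name = {2: "mss", 4: "sackOK"}.get(kind, "kind%d" % kind)
        opts.append(name + (" %d" % int.from_bytes(bytes(body), "big") if kind == 2 else ""))
        i += raw[i + 1]
    return opts

def decode_syn(pkt):
    t = (pkt[0] & 0x0F) * 4  # TCP header starts after the IP header (IHL words)
    return {
        "src": addr(pkt, 12), "dst": addr(pkt, 16),
        "ipid": num(pkt, 4, 2), "df": bool(pkt[6] & 0x40), "ttl": pkt[8],
        "sport": num(pkt, t, 2), "dport": num(pkt, t + 2, 2), "seq": num(pkt, t + 4, 4),
        "syn_only": pkt[t + 13] == 0x02, "window": num(pkt, t + 14, 2),
        "options": tcp_options(pkt[t + 20:t + (pkt[t + 12] >> 4) * 4]),
    }
```

Calling `decode_syn(parse_dump(DUMP))` returns the fields as a dictionary; running it over each SYN in a series makes the per-probe changes in `ipid`, `sport` and `seq` easy to compare.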

