Re: Increase seen in port probes since Tuesday afternoon

[Jeff Kell <jeff-kell () utc edu>]

James C Slora Jr wrote:
> BahdKo wrote Thursday, December 30, 2004 04:23
> > Since Tuesday afternoon EST I've seen a dramatic increase in 
> > the number of machines probing my network on ports 2745, 
> > 1025, 3127, 6129, and usually 80. Each probe involves the 
> > machine sending three packets to each port.
>
> Yes from time to time. The port pattern is typical of many botnets, many of
> which will focus multiple drones against a particular IP space for a while. 

I'm seeing 80, 1025, 6129, and 1433 increases in tcp, and 1434, 1026, 
and 1027 udp.  The usual 135/445 are present as always but I haven't 
paid much attention to a 'marked increase' as they long ago drifted into 
the pool of "background noise".

Jeff