Snort mailing list archives
nmap to port 36688
From: Mike Cojocea <msc39 () georgetown edu>
Date: Mon, 15 Sep 2003 15:15:17 -0400
Hello,
Now and then I see nmap scans to port 36688 to a web server running
*NIX.
Only a web server was "targeted". What puzzles me is that the source
ports are 80, 81 or 83.
Does somebody have an explanation for this scan?
Thanks,
Mike
09/14-06:36:45.129936 [**] [1:628:2] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
61.232.48.66:80 -> my.net:36688
09/14-06:36:45.414710 [**] [1:628:2] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
202.102.145.229:81 -> my.net:36688
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] [1:628:2] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS28]
Event ID: 1672 Event Reference: 1672
09/14/03-10:36:45.414710 202.102.145.229:81 -> my.net:36688
TCP TTL:41 TOS:0x0 ID:7715 IpLen:20 DgmLen:40
***A**** Seq: 0x2C6 Ack: 0x0 Win: 0x578 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
