Security Incidents mailing list archives

very strange scan patterns


From: joe () ITS UNIMELB EDU AU (Joe H)
Date: Mon, 5 Jun 2000 22:48:59 +1000


Hi all
On three separate reports (on the same day) from the admins of host "magpie" we got

Jun  3 14:06:41 magpie telnetd[22385]: refused connect from pc253-177.ourdomain.com

"magpie" again

Jun  3 13:41:43 magpie telnetd[21960]: refused connect from pc253-19.ourdomain.com
Jun  3 13:42:04 magpie telnetd[22001]: refused connect from pc253-19.ourdomain.com
Jun  3 13:44:37 magpie telnetd[22136]: refused connect from pc253-19.ourdomain.com
Jun  3 18:05:42 magpie telnetd[25566]: refused connect from pc253-19.ourdomain.com

"krefti" and "magpie"

Jun  3 13:41:08 krefti telnetd[7672]: refused connect from tin.ourdomain.com
Jun  3 13:33:44 magpie telnetd[21859]: refused connect from tin.ourdomain.com
Jun  3 13:35:17 magpie telnetd[21874]: refused connect from tin.ourdomain.com

So we have remote telnet connections from three of our hosts. I have not ruled out
the possibility that the three ourdomain hosts have been compromised, but it is
unlikely. It looks like a probe (perhaps using nmap with the -sS option to spoof
the source address) - port 23 gets noticed since it's obviously wrappered. Unless
it is some sort of host "bouncing/reflecting" from the real attacker to hosts
"ourdomain" and back to hosts magpie and krefti.
Can anyone explain this apparent activity or know the signature for this attack?
Thanks
Joe
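The correlation a responder would run over the tcp_wrappers refusals quoted in the post, as an added example that is not part of the original message: it parses the "refused connect from" lines, groups them per claimed source, and flags sources that hit more than one wrappered host within a short window. The year (2000) and the 30-minute window are assumptions; the sample is the post's own lines with the mail-client wrapping undone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the refusals quoted in the post, re-joined onto one line each.
SAMPLE_LOG = """\
Jun  3 14:06:41 magpie telnetd[22385]: refused connect from pc253-177.ourdomain.com
Jun  3 13:41:43 magpie telnetd[21960]: refused connect from pc253-19.ourdomain.com
Jun  3 13:42:04 magpie telnetd[22001]: refused connect from pc253-19.ourdomain.com
Jun  3 13:44:37 magpie telnetd[22136]: refused connect from pc253-19.ourdomain.com
Jun  3 18:05:42 magpie telnetd[25566]: refused connect from pc253-19.ourdomain.com
Jun  3 13:41:08 krefti telnetd[7672]: refused connect from tin.ourdomain.com
Jun  3 13:33:44 magpie telnetd[21859]: refused connect from tin.ourdomain.com
Jun  3 13:35:17 magpie telnetd[21874]: refused connect from tin.ourdomain.com
"""

# syslog timestamp, logging host, wrapped daemon[pid], and the source the SYN claimed
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>\w+)\[\d+\]: refused connect from (?P<src>\S+)$")

def parse_refusals(text, year=2000):
    """Return (timestamp, target_host, daemon, claimed_source) per refusal line.
    syslog omits the year, so one is assumed; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["daemon"], m["src"]))
    return events

def correlate(events, window_minutes=30):
    """Per claimed source: distinct targets, total attempts, attempts inside the
    first window, and whether more than one wrappered host was touched."""
    by_src = defaultdict(list)
    for ts, host, daemon, src in events:
        by_src[src].append((ts, host, daemon))
    report = {}
    for src, hits in by_src.items():
        hits.sort()
        targets = sorted({h for _, h, _ in hits})
        first = hits[0][0]
        burst = sum(1 for ts, _, _ in hits
                    if (ts - first).total_seconds() <= window_minutes * 60)
        report[src] = {"targets": targets, "attempts": len(hits),
                       "burst": burst, "multi_target": len(targets) > 1}
    return report

if __name__ == "__main__":
    for src, info in sorted(correlate(parse_refusals(SAMPLE_LOG)).items()):
        print(src, info)
```

A wrapped refusal only records the address the SYN claimed, so the sources this flags (here tin, which reached both krefti and magpie within eight minutes) are the ones to check on the source side for matching outbound connection state before deciding between a compromised host and a spoofed probe.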

