Security Incidents mailing list archives

scans for port 4000 udp


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Mon, 27 Nov 2000 11:47:39 +1300

Over the past 10 days I have seen 3 scans for udp port 4000.  In each
case the scan had source addresses registered to ISPs in mainland
China.  Two, over the weekend, were from blocks registered by
chinanet.cn.net.

Here is an ASCII dump of data from the start of packets (that were 313
chars long):

< Data-Ascii =
"....x..521531...0.15.2000-11-26.4919.:.........................." />

The ".15." then changed to 33, 54, 75, 87 and back to 15, 24, 51...
7 or 8 packets were sent with each number and the last number (4919)
was incremented each time the middle number changed.  Destination IP
addresses were incremented sequentially.  The same /24 network was
targeted in all scans. (This network is not part of our /16, it belongs
to a private company for whom we host some servers).

Anyone have any idea what they are looking for?

Cheers, Russell.
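
An added example, not part of the original post: a Python check that tests a capture against the payload pattern reported above (counter constant per middle number, up by one on each change, consecutive destinations). The field names, the regular expression and the sample packets (192.0.2.0/24 documentation addresses) are constructed assumptions; what the fields mean is unknown.

```python
import re
from ipaddress import ip_address
from itertools import groupby

# ".<middle>.<date>.<counter>." as it appears in the dump, where "." marks
# a non-printable byte. Field meanings are unknown; names are descriptive only.
FIELDS = re.compile(r"\.(\d+)\.(\d{4}-\d{2}-\d{2})\.(\d+)\.")

def parse_dump(dump):
    """Return (middle, date, counter) from one ASCII dump, or None."""
    m = FIELDS.search(dump)
    if m is None:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3))

def matches_reported_pattern(packets):
    """packets: list of (dst_ip, ascii_dump) in capture order.

    True when the counter is constant while the middle number is constant,
    goes up by one each time the middle number changes, and the distinct
    destination addresses are consecutive.
    """
    parsed = [(ip_address(dst), parse_dump(d)) for dst, d in packets]
    if not parsed or any(f is None for _, f in parsed):
        return False
    # Consecutive packets sharing a middle number form one group.
    groups = [list(g) for _, g in groupby(parsed, key=lambda p: p[1][0])]
    counters = []
    for g in groups:
        seen = {f[2] for _, f in g}
        if len(seen) != 1:          # counter changed inside a group
            return False
        counters.append(seen.pop())
    if any(b - a != 1 for a, b in zip(counters, counters[1:])):
        return False
    # Distinct destinations, in order of first appearance, must be sequential.
    dsts = list(dict.fromkeys(int(ip) for ip, _ in parsed))
    return all(b - a == 1 for a, b in zip(dsts, dsts[1:]))

def sample_packets():
    """Constructed sample: 7 packets per middle number, sequential targets."""
    dump = "....x..521531...0.{}.2000-11-26.{}.:...."
    out = []
    for i, middle in enumerate([15, 33, 54]):
        for j in range(7):
            dst = f"192.0.2.{1 + i * 7 + j}"
            out.append((dst, dump.format(middle, 4919 + i)))
    return out
```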

