Security Incidents mailing list archives

Code red probe followed by udp port 10xx


From: "Thompson, John J" <ThompsonJJ () mail medicine uiowa edu>
Date: Wed, 1 Aug 2001 12:24:23 -0500

--I'm using BlackICE server agent on my IIS5 box--

I've noticed that the ISAPI overflow attempts are being followed by (within a
minute) a UDP port probe to ports 1094, 1028, or 1143 (perhaps dynamically
changing). I've detected 4 of these for 4 scans since 11:30am CST. The UDP
probe is usually a ten count.

Anyone else seen this?

John

Note: I do have IP filtering enabled and blocking all but TCP 21, 80, 137-139.
Same blocks apply on BlackICE.

------------------------------------
John Thompson
Network Administrator
Dept. of Biochemistry
University of Iowa

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
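
An added example, not part of the original post: one way to check firewall or IDS logs for the pattern described above, an ISAPI overflow attempt followed within a minute by a UDP probe to a port in the 10xx-11xx range. The log format, the event names `isapi_overflow` and `udp_probe`, the port range 1024-1199, and the requirement that both events share a source address are assumptions; the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real BlackICE output). Fields:
# date time source_ip proto dest_port packet_count event_name
SAMPLE_LOG = """\
2001-08-01 11:31:02 192.0.2.10 tcp 80 1 isapi_overflow
2001-08-01 11:31:40 192.0.2.10 udp 1094 10 udp_probe
2001-08-01 11:50:15 198.51.100.7 tcp 80 1 isapi_overflow
2001-08-01 11:53:00 198.51.100.7 udp 1028 10 udp_probe
2001-08-01 12:05:09 203.0.113.5 tcp 80 1 isapi_overflow
2001-08-01 12:05:55 203.0.113.5 udp 1143 10 udp_probe
2001-08-01 12:10:00 203.0.113.99 udp 1143 3 udp_probe
"""

def parse(text):
    """Turn each log line into a dict; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, proto, port, count, name = line.split()
        events.append({
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "proto": proto, "port": int(port),
            "count": int(count), "name": name,
        })
    return sorted(events, key=lambda e: e["time"])

def correlate(events, window=timedelta(seconds=60), ports=range(1024, 1200)):
    """Return (src, udp_port, delay_seconds, packet_count) for each UDP probe
    that follows an overflow attempt from the same source within `window`."""
    last_overflow = {}  # source IP -> time of its most recent overflow attempt
    hits = []
    for ev in events:
        if ev["name"] == "isapi_overflow":
            last_overflow[ev["src"]] = ev["time"]
        elif ev["proto"] == "udp" and ev["port"] in ports:
            seen = last_overflow.get(ev["src"])
            if seen is not None and ev["time"] - seen <= window:
                delay = int((ev["time"] - seen).total_seconds())
                hits.append((ev["src"], ev["port"], delay, ev["count"]))
    return hits

if __name__ == "__main__":
    for hit in correlate(parse(SAMPLE_LOG)):
        print("overflow then UDP probe: src=%s port=%d delay=%ds packets=%d" % hit)
```

Sources whose UDP traffic arrives later than the window, or without a preceding overflow attempt, are left out, which keeps unrelated UDP noise from being attributed to the scans.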

