Security Incidents mailing list archives

slow, persistent probes to port tcp 33496 on apparently random addresses


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 1 Feb 2001 12:08:11 +1300

Over the last couple of weeks I have been seeing probes (about 5 a day)
to apparently random addresses in our /16 address space poking at tcp
33496.  The probes appear to be 'normal' tcp connection attempts (with 3
retries) as opposed to some specialist scanning tool.

The traffic patterns look very like all the Windows-based trojans that
poke at 137, 139 and various netbus ports.

I'm curious as to what this particular one is looking for on port 33496.
(I've checked http://www.simovits.com/nyheter9902.html)

If it was UDP then I would have guessed that someone was using
traceroute to map our network, albeit slowly.

I have bitched to gblx.net over a week ago and got an acknowledgement,
but the traffic persists.

Here is a dump of yesterday's traffic:

31 Jan 01 05:02:44    tcp 206.132.245.141.4916   ->   130.216.203.108.33496 3        0         0            0           S_
31 Jan 01 05:49:44    tcp 206.132.245.141.4568   ->     130.216.59.55.33496 3        0         0            0           S_
31 Jan 01 11:07:37    tcp 206.132.245.141.1658   ->   130.216.176.230.33496 3        0         0            0           S_
31 Jan 01 21:11:49    tcp 206.132.245.141.2205   ->     130.216.98.14.33496 3        0         0            0           S_


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
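
The pattern described in the post (one source, one destination port, unanswered connection attempts to scattered hosts spread over many hours) can be picked out of records in this layout mechanically. The following is an added example, not part of the original post: it assumes the last column is a connection state in which `S_` means a SYN that got no reply and that the second count column is packets returned by the destination; the thresholds are hypothetical and the 192.0.2.10 record is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four records from the dump above (state joined onto the record line),
# plus one constructed record (192.0.2.10) standing in for ordinary traffic.
SAMPLE = """\
31 Jan 01 05:02:44    tcp 206.132.245.141.4916   ->   130.216.203.108.33496 3        0         0            0           S_
31 Jan 01 05:49:44    tcp 206.132.245.141.4568   ->     130.216.59.55.33496 3        0         0            0           S_
31 Jan 01 11:07:37    tcp 206.132.245.141.1658   ->   130.216.176.230.33496 3        0         0            0           S_
31 Jan 01 21:11:49    tcp 206.132.245.141.2205   ->     130.216.98.14.33496 3        0         0            0           S_
31 Jan 01 09:15:02    tcp 192.0.2.10.40312       ->      130.216.1.20.80    12       10        900          4800        EST
"""

REC = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+\d+\s+\d+\s+(?P<state>\S+)\s*$"
)

def parse(text):
    for line in text.splitlines():
        m = REC.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d %b %y %H:%M:%S")
            yield d

def slow_probes(records, min_targets=3, min_span_hours=1.0):
    """Report sources whose unanswered attempts to one port hit many hosts over a long span."""
    groups = defaultdict(list)
    for r in records:
        if r["state"] == "S_" and int(r["dpkts"]) == 0:  # assumed: SYN, no reply
            groups[(r["src"], int(r["dport"]))].append(r)
    findings = []
    for (src, dport), recs in sorted(groups.items()):
        targets = {r["dst"] for r in recs}
        times = [r["ts"] for r in recs]
        span = (max(times) - min(times)).total_seconds() / 3600
        if len(targets) >= min_targets and span >= min_span_hours:
            findings.append({"src": src, "dport": dport,
                             "targets": len(targets), "span_hours": round(span, 2)})
    return findings

if __name__ == "__main__":
    for f in slow_probes(parse(SAMPLE)):
        print(f)
```

Grouping on distinct destinations and elapsed time, rather than on attempts per minute, is what lets a scan at roughly five probes a day stand out from rate-based thresholds.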

