Security Incidents mailing list archives

Odd connection attempts from many addresses


From: John Bland <shrike () cmp liv ac uk>
Date: 19 Jan 2002 18:37:51 -0000



Hi,

I've been seeing, over the past week, a constant
stream of odd connection attempts to two of my
machines. The firewall logs show things like
(where A,B,C,D are addresses in quite separate
address spaces and X is the local machine):

A:1200  X:41000
A:1200  X:41000
A:1200  X:41000
B:1340  X:41001
B:1340  X:41001
B:1340  X:41001
C:2100  X:41002
C:2100  X:41002
C:2100  X:41002
D:1130  X:41003
D:1130  X:41003
D:1130  X:41003
(all TCP)

i.e. we're receiving connection attempts from quite
varied addresses (all types of UK dialup and ADSL,
the odd ac.uk and even some .edu) always to the
same machine from random high ports to a
monotonically increasing destination port.
However, the destination port seems a bit of an
odd one to be trying to connect to.

I 'investigated' some of the connecting machines
and what I can tell from those that were on static
IPs is that they are Windows machines (surprise!)
running a whole gamut of services including
netbios-ns, ldap and irc-serv as well as dns and
http etc etc. And stateless firewalls.

Basically, has anyone seen this sort of thing
before? And if so what form of exploit is it
attempting? It's all bouncing off the firewall atm
and is pretty low traffic so I'm not overly
concerned, just puzzled.

Cheers,
               JB

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
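
The pattern described in the post (different sources, one destination host, destination port rising by one each time) can be picked out of firewall logs mechanically. This is an added example, not part of the original message: the `SRC:SPORT  DST:DPORT` line layout, the function names, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log layout, taken from the post: "SRC:SPORT  DST:DPORT", one attempt per line.
LINE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)$")

# Constructed sample: the post's pattern plus unrelated noise.
SAMPLE = """\
A:1200  X:41000
A:1200  X:41000
B:1340  X:41001
B:1340  X:41001
E:4021  Y:80
C:2100  X:41002
D:1130  X:41003
D:1130  X:41003
not a log line
F:3000  X:22
"""

def parse(text):
    """Yield (src, sport, dst, dport); repeats of one tuple to a host count once."""
    last = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an attempt record
        rec = (m[1], int(m[2]), m[3], int(m[4]))
        if last.get(rec[2]) != rec:
            last[rec[2]] = rec
            yield rec

def rising_port_runs(text, min_sources=3, max_step=1):
    """Per destination host, runs where each new source tries a higher port."""
    runs = defaultdict(list)  # dst -> [[(src, dport), ...], ...]
    for src, _sport, dst, dport in parse(text):
        cur = runs[dst][-1] if runs[dst] else None
        if cur and src != cur[-1][0] and 0 < dport - cur[-1][1] <= max_step:
            cur.append((src, dport))   # different source, next port up
        else:
            runs[dst].append([(src, dport)])
    hits = {}
    for dst, host_runs in runs.items():
        keep = [r for r in host_runs if len({s for s, _ in r}) >= min_sources]
        if keep:
            hits[dst] = keep
    return hits

if __name__ == "__main__":
    print(rising_port_runs(SAMPLE))
```

A single source walking consecutive ports is deliberately not reported, since that is an ordinary port scan rather than the multi-source pattern in the post.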

