Odd scan

[Tadas Miniotas <tadas () ipv6 lt>]

Hello,

Just some snort logs I found interesting. Time is GMT+2, and the source 
IP comes from Malaysia.

Earliest: 15:43:39 on 7/20/2002
Latest: 16:16:45 on 7/20/2002
     * 584 instances of TCP ******S* scan
Jul 20 15:43:39 202.151.224.13:2029 -> xxx.xxx.32.15:79 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2030 -> xxx.xxx.32.15:161 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2031 -> xxx.xxx.32.15:1524 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2024 -> xxx.xxx.32.13:161 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2025 -> xxx.xxx.32.13:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2035 -> xxx.xxx.32.69:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2036 -> xxx.xxx.32.69:161 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2037 -> xxx.xxx.32.69:1524 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2033 -> xxx.xxx.32.62:161 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
<snip>

What seems odd to me is quite unusual set of ports for a scan. Quite a 
few vulnerabilities have been discovered in SNMP (port 161), an 
ingreslock service (port 1524) is reported to be used as an backdoor 
for several exploits against RPC services, finger is a rarely used 
service these days. So far, so good, but I fail to see what these three 
ports have in common. Has anyone seen something similar? Any insight 
would be greatly appreciated.

Best regards,
--
Tadas Miniotas
LitNET NOC

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com