Subject: Re: Correct way to block web bots and other unwanted traffic?
To: Henry Nelson <netb@yuba.ne.jp>
From: Chuck Swiger <cswiger@mac.com>
List: netbsd-help
Date: 12/05/2006 14:53:49
On Dec 5, 2006, at 1:48 PM, Henry Nelson wrote:
> I wonder how these guys get the address for the web server in the first
> place.  Within a few days of starting up the server, before I had told
> anyone of the site's name, there were people trying to access it.  In your
> case it's not even on port 80.  Mystery.

No mystery.  Most automated worms use algorithms to scan the network,  
including a mix of local and semi-randomized non-local IP addresses  
to attempt to make connections to.  Every routable IP address on the  
network is likely to receive at least a handful of malicious  
connection attempts per day.

Set up a honeynet which accepts all incoming traffic, and you might  
log several thousand connection attempts per IP per day, as malicious  
software will try over and over again with different URLs and exploit  
attempts if you accept the initial connection request...

-- 
-Chuck
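
Added example, not part of the original message: one way to see the pattern described above in a web server's own access log is to group requests by source address and day, then flag sources that asked for several different URLs and were almost always answered with a 4xx status. The log lines, addresses (RFC 5737 documentation ranges), paths and thresholds below are constructed for illustration, and the common log format is an assumption about the server's configuration.

```python
import re
from collections import defaultdict

# Constructed sample in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2006:03:12:01 +0900] "GET / HTTP/1.1" 200 1043
192.0.2.10 - - [05/Dec/2006:03:12:05 +0900] "GET /about.html HTTP/1.1" 200 2210
198.51.100.7 - - [05/Dec/2006:03:14:09 +0900] "GET /admin/login.php HTTP/1.0" 404 208
198.51.100.7 - - [05/Dec/2006:03:14:10 +0900] "GET /cgi-bin/test.cgi HTTP/1.0" 404 208
198.51.100.7 - - [05/Dec/2006:03:14:11 +0900] "GET /old/setup.php HTTP/1.0" 404 208
198.51.100.7 - - [05/Dec/2006:03:14:12 +0900] "GET /backup.zip HTTP/1.0" 404 208
203.0.113.5 - - [05/Dec/2006:04:01:44 +0900] "GET /favicon.ico HTTP/1.1" 404 208
198.51.100.7 - - [06/Dec/2006:01:00:02 +0900] "GET /admin/login.php HTTP/1.0" 404 208
198.51.100.7 - - [06/Dec/2006:01:00:03 +0900] "GET /backup.zip HTTP/1.0" 404 208
"""

# client IP, day part of the timestamp, request path, and response status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize(log_text):
    """Return per-(ip, day) request count, distinct paths and 4xx count."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or empty request line: skipped here
        s = stats[(m["ip"], m["day"])]
        s["requests"] += 1
        s["paths"].add(m["path"])
        if m["status"].startswith("4"):
            s["errors"] += 1
    return stats

def likely_scanners(stats, min_paths=3, min_error_ratio=0.8):
    """Flag sources that probed many distinct URLs and mostly got 4xx replies."""
    flagged = []
    for (ip, day), s in stats.items():
        ratio = s["errors"] / s["requests"]
        if len(s["paths"]) >= min_paths and ratio >= min_error_ratio:
            flagged.append((ip, day, s["requests"], len(s["paths"])))
    return sorted(flagged)

if __name__ == "__main__":
    for ip, day, count, paths in likely_scanners(summarize(SAMPLE_LOG)):
        print(f"{day} {ip}: {count} requests, {paths} distinct URLs, mostly 4xx")
```

The thresholds are deliberately low to suit the small sample; on a real log they need tuning so that a single missing favicon or a broken link does not flag an ordinary visitor.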