[TriLUG] I'm being scanned? What are they trying to do?

Sinner from the Prairy sinner at maduixa.net
Sun Oct 14 23:27:38 EDT 2001


Hi there,

You know, security, log checking... all this stuff. After all, I was tricked 
into giving the security talk <*grin*>

So, I was reviewing the logs today (some people mow the grass, others have a 
brunch, then a few compile 2.4.12+patch... I review logs).

And this is what I found:

Oct  5 22:05:33 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=62.73.5.136 
DST=65.80.201.58 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63121 PROTO=TCP SPT=22 
DPT=22 WINDOW=40 RES=0x00 SYN URGP=0

Oct  7 00:25:23 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=134.226.1.29 
DST=65.80.201.58 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=3795 PROTO=TCP SPT=22 
DPT=22 WINDOW=11227 RES=0x00 SYN URGP=0

Several more occurrences from different addresses on 10/7, 10/10, 10/11, 
10/12, and then still some more:

Oct 13 15:41:57 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=211.169.82.130 
DST=65.80.203.36 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=17668 DF PROTO=TCP 
SPT=4768 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0

Oct 13 20:28:14 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=200.207.209.210 
DST=65.80.203.36 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=49474 DF PROTO=TCP 
SPT=4504 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0

Oct 14 17:14:26 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=192.118.7.166 
DST=65.80.205.204 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18863 DF PROTO=TCP 
SPT=35915 DPT=21 WINDOW=4422 RES=0x00 SYN URGP=0

Oct 14 22:33:38 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=211.185.195.1 
DST=65.80.202.72 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=57516 DF PROTO=TCP 
SPT=3282 DPT=21 WINDOW=32120 RES=0x00 SYN URGP=0
(this one, several times)

Through http://samspade.org, nmap, queso on origin IPs I discovered some 
Linux 2.1.x (211.185.195.1), a Novell Server (12.40.93.133)... mixed OSs.

So, what's going on? 

How can I learn by myself what they are trying to do?

Thank you in advance,



Salut,
Sinner
--
http://www.geocities.com/sinner_prairy/
Running on Mandrake 8.1 - Kernel  2.4.8-26mdk
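A small parser for the netfilter LOG lines quoted in the post, added here as an example (it is not code from the original message), that groups unsolicited SYNs by destination port and flags the fixed SPT=22/DPT=22 pattern; it assumes the lines are iptables LOG output in exactly the format shown above.

```python
import re
from collections import defaultdict

# Sample input: the netfilter LOG lines quoted in the post above, one per line.
SAMPLE_LOG = """\
Oct  5 22:05:33 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=62.73.5.136 DST=65.80.201.58 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63121 PROTO=TCP SPT=22 DPT=22 WINDOW=40 RES=0x00 SYN URGP=0
Oct  7 00:25:23 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=134.226.1.29 DST=65.80.201.58 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=3795 PROTO=TCP SPT=22 DPT=22 WINDOW=11227 RES=0x00 SYN URGP=0
Oct 13 15:41:57 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=211.169.82.130 DST=65.80.203.36 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=17668 DF PROTO=TCP SPT=4768 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
Oct 13 20:28:14 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=200.207.209.210 DST=65.80.203.36 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=49474 DF PROTO=TCP SPT=4504 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
Oct 14 17:14:26 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=192.118.7.166 DST=65.80.205.204 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18863 DF PROTO=TCP SPT=35915 DPT=21 WINDOW=4422 RES=0x00 SYN URGP=0
Oct 14 22:33:38 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=211.185.195.1 DST=65.80.202.72 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=57516 DF PROTO=TCP SPT=3282 DPT=21 WINDOW=32120 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens (VALUE may be empty, e.g. OUT=)

def parse_line(line):
    """Turn one netfilter LOG line into a dict of KEY=VALUE fields plus the bare flag tokens."""
    if "kernel:" not in line or "SRC=" not in line:
        return None  # not a netfilter LOG line
    rec = dict(FIELD_RE.findall(line))
    # Tokens without '=' such as SYN, ACK, DF are flags set on the packet.
    rec["FLAGS"] = {t for t in line.split() if t.isupper() and "=" not in t}
    rec["TS"] = line[:15]  # syslog timestamp prefix
    return rec

def summarize(text):
    """Group unsolicited TCP SYNs by destination port: who is probing which service."""
    by_port = defaultdict(lambda: {"sources": set(), "count": 0, "spt_eq_dpt": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP" or "SYN" not in rec["FLAGS"]:
            continue
        if "ACK" in rec["FLAGS"]:
            continue  # SYN/ACK is a reply to our own traffic, not a new probe
        info = by_port[int(rec["DPT"])]
        info["count"] += 1
        info["sources"].add(rec["SRC"])
        if rec["SPT"] == rec["DPT"]:
            info["spt_eq_dpt"] += 1  # fixed source port: a scanner, not a normal client
    return dict(by_port)

def report(text):
    """Human-readable summary, most-probed destination port first."""
    lines = []
    for dpt, info in sorted(summarize(text).items(), key=lambda kv: -kv[1]["count"]):
        note = " (SPT==DPT, typical of a scanning tool)" if info["spt_eq_dpt"] else ""
        lines.append(f"port {dpt}: {info['count']} SYNs from {len(info['sources'])} sources{note}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feeding the whole of /var/log/messages through `summarize()` gives the per-port view that answers "what are they looking for": here the targets are sshd (22), portmap (111) and ftp (21).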