What's Up With All The Port Scanning Using TCP/6000 As A Source Port?

Published: 2010-01-09. Last Updated: 2010-01-09 23:30:00 UTC
by G. N. White (Version: 1)
16 comment(s)

We here at the SANS ISC always appreciate all the feedback from our readers concerning
Internet anomalies.  One such anomaly that caught my attention was a reader pointing out
some port scans that happened to target irregular Internet Protocol numbers.

While looking through my own firewall logs for similar activity, I was surprised to see a
large number of log entries involving unsolicited TCP packets that use TCP Port 6000 as
the source port.

The traffic brings back memories of the W32/Dasher worm from 2005 that had a similar
signature in its scanning (propagation) traffic where a constant TCP source port of
6000 was also used... but that was almost 5 years ago!

Has anyone had similar experiences with this type of port scanning traffic?  I welcome
your comments and feedback.

G.N. White
ISC Handler on Duty
 

Keywords: port 6000 scanning
16 comment(s)

Comments

Checking my home Linux firewall logs I get:
/var/log# grep SPT=6000 * | wc -l
554

Thats about 10 days traffic on a low volume box... so yes it is a bit odd.

Chester Wisniewski - Sophos

Jan 10th 2010
1 decade ago

What are the destinations and can you put up some pcaps? Might this have anything to do with an attempt to bypass ACLs or firewalls that think the attacker is an XWindows session of some kind? What flags are active? Thanks, curtw

cw

Jan 10th 2010
1 decade ago

My current DMZ log file (started midnight today, 15 hours old) shows LOTS of hits for SRC=6000, and viewing the output at command line also reveals destination IP address sequences indicating a scan of some sort. Over 16K hits.

/logging> cat customer-dmz.log | grep src | grep "/6000" | grep -v /6000[0-9] | wc -l
16182

whois queries on the SOURCE IP indicate originating from China.

Don

Jan 10th 2010
1 decade ago

My current DMZ log file (started midnight today, 15 hours old) shows LOTS of hits for SRC=6000, and viewing the output at command line also reveals destination IP address sequences indicating a scan of some sort. Over 16K hits.

/logging> cat customer-dmz.log | grep src | grep "/6000" | grep -v /6000[0-9] | wc -l
16182

whois queries on the SOURCE IP indicate originating from China.

Don

Jan 10th 2010
1 decade ago

Testing a random sample all are Chinese here as well. Different ISPs, but all Chinese.

Chester Wisniewski - Sophos

Jan 10th 2010
1 decade ago

I wondered about this back in early 2008 when analyzing at honeypot logs. Looking at the destination ports below they appeared to be looking for proxies.

1080
2967
3128
6588
7212
8000

Edge

Jan 10th 2010
1 decade ago

Destination port in my case seems to be:

1433
2967
1521
4899
8080
8082

Don

Jan 10th 2010
1 decade ago

Destination port in my case seems to be:

1433
2967
1521
4899
8080
8082

Don

Jan 10th 2010
1 decade ago

~100 logged here over a 6 day period, but i already have swaths of china blocked. same ports, 1433, 2967, 3128, 8080.

joeblow

Jan 10th 2010
1 decade ago

I have been seeing probing with source port 6000/12000 and target port 1434/1433/3128/445/3389/10000/8080/1521/2967/7212 and many others.I am seeing this drop traffic since a very long time which denied by perimeter firewalls.

hcbhatt

Jan 10th 2010
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives