What's Up With All The Port Scanning Using TCP/6000 As A Source Port?
We here at the SANS ISC always appreciate all the feedback from our readers concerning
Internet anomalies. One such anomaly that caught my attention was a reader pointing out
some port scans that happened to target irregular Internet Protocol numbers.
While looking through my own firewall logs for similar activity, I was surprised to see a
large number of log entries involving unsolicited TCP packets that use TCP Port 6000 as
the source port.
The traffic brings back memories of the W32/Dasher worm from 2005 that had a similar
signature in its scanning (propagation) traffic where a constant TCP source port of
6000 was also used... but that was almost 5 years ago!
Has anyone had similar experiences with this type of port scanning traffic? I welcome
your comments and feedback.
G.N. White
ISC Handler on Duty
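One way to run the firewall-log check described above so that it matches source port 6000 exactly and counts only bare SYN packets, as an added example that is not part of the original diary. It assumes netfilter (iptables) LOG-format lines; the sample lines, addresses and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in netfilter LOG format; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 SYN URGP=0
Jan 10 03:12:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=6000 DPT=2967 WINDOW=16384 SYN URGP=0
Jan 10 03:12:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 SYN URGP=0
Jan 10 03:13:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=60001 DPT=80 WINDOW=5840 SYN URGP=0
Jan 10 03:14:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=76 PROTO=UDP SPT=6000 DPT=53
Jan 10 03:14:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.5 LEN=44 PROTO=TCP SPT=6000 DPT=51514 WINDOW=5840 ACK SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN"}


def summarize(lines, sport="6000"):
    """Tally bare-SYN TCP packets whose source port is exactly `sport`."""
    by_src, by_dpt = Counter(), Counter()
    for line in lines:
        # LOG lines are KEY=value tokens plus bare flag words such as SYN.
        fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
        flags = set(line.split()) & TCP_FLAGS
        # Exact comparison: a substring match on SPT=6000 also hits SPT=60001.
        if fields.get("PROTO") != "TCP" or fields.get("SPT") != sport:
            continue
        # Keep connection attempts only; "ACK SYN" is a reply from a
        # service listening on port 6000, not a scan probe.
        if flags != {"SYN"} or "SRC" not in fields or "DPT" not in fields:
            continue
        by_src[fields["SRC"]] += 1
        by_dpt[fields["DPT"]] += 1
    return by_src, by_dpt


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("substring matches:", sum("SPT=6000" in l for l in lines))
    by_src, by_dpt = summarize(lines)
    print("exact bare-SYN matches:", sum(by_src.values()))
    for src, n in by_src.most_common():
        print(f"  source {src}: {n}")
    for dpt, n in by_dpt.most_common():
        print(f"  destination port {dpt}: {n}")
```

The per-source and per-destination-port tallies show whether the hits come from a few hosts sweeping a fixed set of service ports, which a bare line count cannot.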
Comments
/var/log# grep SPT=6000 * | wc -l
554
That's about 10 days' traffic on a low volume box... so yes it is a bit odd.
Chester Wisniewski - Sophos
Jan 10th 2010
1 decade ago
cw
Jan 10th 2010
1 decade ago
/logging> cat customer-dmz.log | grep src | grep "/6000" | grep -v /6000[0-9] | wc -l
16182
whois queries on the SOURCE IP indicate originating from China.
Don
Jan 10th 2010
1 decade ago
Chester Wisniewski - Sophos
Jan 10th 2010
1 decade ago
1080
2967
3128
6588
7212
8000
Edge
Jan 10th 2010
1 decade ago
1433
2967
1521
4899
8080
8082
Don
Jan 10th 2010
1 decade ago
joeblow
Jan 10th 2010
1 decade ago
hcbhatt
Jan 10th 2010
1 decade ago