What's Up With All The Port Scanning Using TCP/6000 As A Source Port?

Published: 2010-01-09
Last Updated: 2010-01-09 23:30:00 UTC
by G. N. White (Version: 1)

We here at the SANS ISC always appreciate all the feedback from our readers concerning
Internet anomalies.  One such anomaly that caught my attention was a reader pointing out
some port scans that happened to target irregular Internet Protocol numbers.

While looking through my own firewall logs for similar activity, I was surprised to see a
large number of log entries involving unsolicited TCP packets that use TCP Port 6000 as
the source port.

The traffic brings back memories of the W32/Dasher worm from 2005 that had a similar
signature in its scanning (propagation) traffic where a constant TCP source port of
6000 was also used... but that was almost 5 years ago!
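
One way to pull this pattern out of firewall logs, as an added example that is not part of the original diary. It assumes netfilter (iptables LOG) style entries; the sample lines, addresses (documentation ranges), function names and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample entries in netfilter (iptables LOG) format. The log format
# is an assumption; the diary does not say which firewall produced its logs.
SAMPLE_LOG = """\
Jan  9 21:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=104 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 SYN URGP=0
Jan  9 21:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 LEN=40 TTL=104 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 SYN URGP=0
Jan  9 21:02:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 LEN=40 TTL=104 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 SYN URGP=0
Jan  9 21:03:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=57 PROTO=TCP SPT=6000 DPT=51514 WINDOW=5840 ACK SYN URGP=0
Jan  9 21:04:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 SYN URGP=0
Jan  9 21:05:19 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 TTL=101 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse(line):
    """Return the KEY=value fields of one entry plus its bare TCP flag tokens."""
    fields = dict(FIELD.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def fixed_sport_scanners(lines, sport=6000, min_targets=3):
    """Map each source that sent bare SYNs from `sport` to its (dst, dport) targets."""
    targets = defaultdict(set)
    for line in lines:
        f = parse(line)
        if f.get("PROTO") != "TCP" or f.get("SPT") != str(sport):
            continue
        if f["FLAGS"] != {"SYN"}:
            continue  # SYN/ACK from port 6000 is a reply (e.g. an X11 server), not a probe
        if not all(k in f for k in ("SRC", "DST", "DPT")):
            continue  # malformed or truncated entry
        targets[f["SRC"]].add((f["DST"], int(f["DPT"])))
    # A constant source port across several distinct targets is the scan signature.
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for src, hits in fixed_sport_scanners(SAMPLE_LOG.splitlines()).items():
        print(src, "->", hits)
```

Lowering `min_targets` surfaces single probes as well, at the cost of more noise from one-off packets.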

Has anyone had similar experiences with this type of port scanning traffic?  I welcome
your comments and feedback.

G.N. White
ISC Handler on Duty

