Threat Level: green Handler on Duty: Basil Alawi S.Taher

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

What's Up With All The Port Scanning Using TCP/6000 As A Source Port?

Published: 2010-01-09
Last Updated: 2010-01-09 23:30:00 UTC
by G. N. White (Version: 1)
16 comment(s)

We here at the SANS ISC always appreciate all the feedback from our readers concerning
Internet anomalies.  One such anomaly that caught my attention was a reader pointing out
some port scans that happened to target irregular Internet Protocol numbers.

While looking through my own firewall logs for similar activity, I was surprised to see a
large number of log entries involving unsolicited TCP packets that use TCP Port 6000 as
the source port.

The traffic brings back memories of the W32/Dasher worm from 2005 that had a similar
signature in its scanning (propagation) traffic where a constant TCP source port of
6000 was also used... but that was almost 5 years ago!

Has anyone had similar experiences with this type of port scanning traffic?  I welcome
your comments and feedback.

G.N. White
ISC Handler on Duty

16 comment(s)
Diary Archives