What's Up With All The Port Scanning Using TCP/6000 As A Source Port?

Published: 2010-01-09
Last Updated: 2010-01-09 23:30:00 UTC
by G. N. White (Version: 1)
16 comment(s)

We here at the SANS ISC always appreciate all the feedback from our readers concerning
Internet anomalies.  One such anomaly that caught my attention was a reader pointing out
some port scans that happened to target irregular Internet Protocol numbers.

While looking through my own firewall logs for similar activity, I was surprised to see a
large number of log entries involving unsolicited TCP packets that use TCP Port 6000 as
the source port.

The traffic brings back memories of the W32/Dasher worm from 2005 that had a similar
signature in its scanning (propagation) traffic where a constant TCP source port of
6000 was also used... but that was almost 5 years ago!

Has anyone had similar experiences with this type of port scanning traffic?  I welcome
your comments and feedback.

G.N. White
ISC Handler on Duty
 

16 comment(s)

Comments

Checking my home Linux firewall logs I get:
/var/log# grep SPT=6000 * | wc -l
554

Thats about 10 days traffic on a low volume box... so yes it is a bit odd.
What are the destinations and can you put up some pcaps? Might this have anything to do with an attempt to bypass ACLs or firewalls that think the attacker is an XWindows session of some kind? What flags are active? Thanks, curtw
My current DMZ log file (started midnight today, 15 hours old) shows LOTS of hits for SRC=6000, and viewing the output at command line also reveals destination IP address sequences indicating a scan of some sort. Over 16K hits.

/logging> cat customer-dmz.log | grep src | grep "/6000" | grep -v /6000[0-9] | wc -l
16182

whois queries on the SOURCE IP indicate originating from China.

My current DMZ log file (started midnight today, 15 hours old) shows LOTS of hits for SRC=6000, and viewing the output at command line also reveals destination IP address sequences indicating a scan of some sort. Over 16K hits.

/logging> cat customer-dmz.log | grep src | grep "/6000" | grep -v /6000[0-9] | wc -l
16182

whois queries on the SOURCE IP indicate originating from China.

Testing a random sample all are Chinese here as well. Different ISPs, but all Chinese.
I wondered about this back in early 2008 when analyzing at honeypot logs. Looking at the destination ports below they appeared to be looking for proxies.

1080
2967
3128
6588
7212
8000
Destination port in my case seems to be:

1433
2967
1521
4899
8080
8082
Destination port in my case seems to be:

1433
2967
1521
4899
8080
8082
~100 logged here over a 6 day period, but i already have swaths of china blocked. same ports, 1433, 2967, 3128, 8080.
I have been seeing probing with source port 6000/12000 and target port 1434/1433/3128/445/3389/10000/8080/1521/2967/7212 and many others.I am seeing this drop traffic since a very long time which denied by perimeter firewalls.

Diary Archives