
SANS ISC: What's Up With All The Port Scanning Using TCP/6000 As A Source Port? - Internet Security | DShield SANS ISC InfoSec Forums


What's Up With All The Port Scanning Using TCP/6000 As A Source Port?

We here at the SANS ISC always appreciate all the feedback from our readers concerning
Internet anomalies. One such anomaly that caught my attention was a reader pointing out
some port scans that happened to target irregular Internet Protocol numbers.

While looking through my own firewall logs for similar activity, I was surprised to see a
large number of log entries involving unsolicited TCP packets that use TCP Port 6000 as
the source port.

The traffic brings back memories of the W32/Dasher worm from 2005 that had a similar
signature in its scanning (propagation) traffic where a constant TCP source port of
6000 was also used... but that was almost 5 years ago!

Has anyone had similar experiences with this type of port scanning traffic? I welcome
your comments and feedback.

G.N. White
ISC Handler on Duty
 

G. N.

23 Posts
Checking my home Linux firewall logs I get:
/var/log# grep SPT=6000 * | wc -l
554

That's about 10 days of traffic on a low volume box... so yes, it is a bit odd.
Chester

3 Posts
What are the destinations and can you put up some pcaps? Might this have anything to do with an attempt to bypass ACLs or firewalls that think the attacker is an XWindows session of some kind? What flags are active? Thanks, curtw
Chester
4 Posts
My current DMZ log file (started midnight today, 15 hours old) shows LOTS of hits for SRC=6000, and viewing the output at command line also reveals destination IP address sequences indicating a scan of some sort. Over 16K hits.

/logging> cat customer-dmz.log | grep src | grep "/6000" | grep -v /6000[0-9] | wc -l
16182

whois queries on the SOURCE IP indicate originating from China.

Chester
5 Posts
Testing a random sample all are Chinese here as well. Different ISPs, but all Chinese.
Chester

3 Posts
I wondered about this back in early 2008 when analyzing honeypot logs. Looking at the destination ports below, they appeared to be looking for proxies.

1080
2967
3128
6588
7212
8000
Chester
15 Posts
Destination port in my case seems to be:

1433
2967
1521
4899
8080
8082
Chester
5 Posts
~100 logged here over a 6 day period, but I already have swaths of China blocked. Same ports: 1433, 2967, 3128, 8080.
Anonymous
I have been seeing probing with source port 6000/12000 and target port 1434/1433/3128/445/3389/10000/8080/1521/2967/7212 and many others. I have been seeing this dropped traffic for a very long time; it is denied by the perimeter firewalls.
hcbhatt

14 Posts
Multiple scanners seem to use the same source port, on top of them one for MS-SQL and one for proxies:

# zgrep 'SPT=6000 ' /var/log/messages* |egrep -o 'DPT=[^ ]+' |awk -F= '{print $2}' |sort -n |uniq -c |sort -nr |awk '{system("grep \"\t"$2"/\" /etc/services"); print $1,$2,"\n---"}'
ms-sql-s 1433/tcp # Microsoft SQL Server
ms-sql-s 1433/udp
186 1433
---
78 2967
---
http-alt 8080/tcp webcache # WWW caching service
http-alt 8080/udp # WWW caching service
45 8080
---
radmin-port 4899/tcp # RAdmin Port
radmin-port 4899/udp
34 4899
---
13 3389
---
8 3128
---
5 9415
---
5 8000
---
socks 1080/tcp # socks proxy server
socks 1080/udp
4 1080
---
mysql 3306/tcp
mysql 3306/udp
3 3306
---
kerberos 88/tcp kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos 88/udp kerberos5 krb5 kerberos-sec # Kerberos v5
1 88
---
1 15253
---
tillo

7 Posts
I asked that very question last April on the mailing list but my mail was rejected by the admin without reason. Talk about shooting your own foot.
tillo
16 Posts
I have also seen a very large uptick in scanning from a source port of 6000, and dst. port of 2967 on my gateways.
Matt F.

1 Posts
Had a slew of scans 12/29-31, and in recent days. Like everyone else, target ports on my firewall are 1433, 3306, 2967, and 8080. Many of the scanning IPs originate (of course) in China.
Val

10 Posts
All these scans from port 6000 are pretty boring if your ports are closed, but if they're open, you can see something interesting:

22:43:34.599950 IP 60.173.11.xxx.6000 > 87.123.xxx.xxx.1080: S 485883904:485883904(0) win 16384
22:43:34.600043 IP 87.123.xxx.xxx.1080 > 60.173.11.xxx.6000: S 124211016:124211016(0) ack 485883905 win 5
22:43:34.599951 IP 60.173.11.xxx.6000 > 87.123.xxx.xxx.1025: S 651689984:651689984(0) win 16384
22:43:34.600205 IP 87.123.xxx.xxx.1025 > 60.173.11.xxx.6000: S 127802748:127802748(0) ack 651689985 win 5
22:43:34.970557 IP 60.173.11.xxx.6000 > 87.123.xxx.xxx.1080: R 485883905:485883905(0) win 0
22:43:34.970640 IP 60.173.11.xxx.6000 > 87.123.xxx.xxx.1025: R 651689985:651689985(0) win 0

22:43:52.301700 IP 60.173.11.xxx.2527 > 87.123.xxx.xxx.1025: S 2027460173:2027460173(0) win 65535 <mss 1460,nop,nop,sackOK>
22:43:52.301802 IP 87.123.xxx.xxx.1025 > 60.173.11.xxx.2527: S 397071762:397071762(0) ack 2027460174 win 5
22:43:52.317636 IP 60.173.11.xxx.2529 > 87.123.xxx.xxx.1025: S 4254698349:4254698349(0) win 65535 <mss 1460,nop,nop,sackOK>
22:43:52.317691 IP 87.123.xxx.xxx.1025 > 60.173.11.xxx.2529: S 402854145:402854145(0) ack 4254698350 win 5
22:43:52.349114 IP 60.173.11.xxx.2531 > 87.123.xxx.xxx.1080: S 2263490663:2263490663(0) win 65535 <mss 1460,nop,nop,sackOK>
22:43:52.349160 IP 87.123.xxx.xxx.1080 > 60.173.11.xxx.2531: S 397604341:397604341(0) ack 2263490664 win 5
22:43:52.402033 IP 60.173.11.xxx.2533 > 87.123.xxx.xxx.1080: S 1484036034:1484036034(0) win 65535 <mss 1460,nop,nop,sackOK>
22:43:52.402098 IP 87.123.xxx.xxx.1080 > 60.173.11.xxx.2533: S 395167577:395167577(0) ack 1484036035 win 5
22:43:52.673113 IP 60.173.11.xxx.2527 > 87.123.xxx.xxx.1025: . ack 1 win 65535
22:43:52.673211 IP 87.123.xxx.xxx.1025 > 60.173.11.xxx.2527: . ack 1 win 0
22:43:52.673233 IP 60.173.11.xxx.2527 > 87.123.xxx.xxx.1025: . 1:6(5) ack 1 win 65535
22:43:52.673246 IP 87.123.xxx.xxx.1025 > 60.173.11.xxx.2527: . ack 1 win 0
22:43:52.735780 IP 60.173.11.xxx.2529 > 87.123.xxx.xxx.1025: . ack 1 win 65535
22:43:52.735934 IP 87.123.xxx.xxx.1025 > 60.173.11.xxx.2529: . ack 1 win 0
22:43:52.735953 IP 60.173.11.xxx.2529 > 87.123.xxx.xxx.1025: P 1:4(3) ack 1 win 65535
22:43:52.736109 IP 87.123.xxx.xxx.1025 > 60.173.11.xxx.2529: . ack 1 win 0
22:43:52.736318 IP 60.173.11.xxx.2531 > 87.123.xxx.xxx.1080: . ack 1 win 65535
22:43:52.736334 IP 87.123.xxx.xxx.1080 > 60.173.11.xxx.2531: . ack 1 win 0
22:43:52.736320 IP 60.173.11.xxx.2531 > 87.123.xxx.xxx.1080: . 1:6(5) ack 1 win 65535
22:43:52.736431 IP 87.123.xxx.xxx.1080 > 60.173.11.xxx.2531: . ack 1 win 0
22:43:52.760179 IP 60.173.11.xxx.2533 > 87.123.xxx.xxx.1080: . ack 1 win 65535
22:43:52.761412 IP 60.173.11.xxx.2533 > 87.123.xxx.xxx.1080: P 1:4(3) ack 1 win 65535
22:43:55.713889 IP 60.173.11.xxx.2533 > 87.123.xxx.xxx.1080: P 1:4(3) ack 1 win 65535
22:43:55.713933 IP 87.123.xxx.xxx.1080 > 60.173.11.xxx.2533: . ack 1 win 0

First this particular attacker (an hourly visitor) sends SYNs to ports 1025 and 1080. As soon as my tarpit responds with SYN/ACK, the connection is reset. Shortly after, the same host establishes two connections to each port, this time from ports <5000, and sends some data. One connection to each port sends a 3 byte payload (0x05 01 02), and the other 5 bytes or more (0x04 01 00 50 3c). As my Linux iptables tarpit only advertises a rwin of 5, I can't capture more. As I don't speak SOCKS, I have no idea what those bytes are supposed to do. I can provide captured packets to anyone interested.

To me this looks like some port scanner using port 6000 because it's outside of the 1025-5000 port range used on Windows hosts. The IP ID is always the same for each attacking host. The TCP sequence number is the same for any src IP/dst port combination. For some reason, the TTL of the initial probes always seems to be 8 less than the TTL of the actual connections. Those connections always have a source port of <5000.
To summarize, I highly suspect this to be a port scanner using raw sockets on a Windows host.

I highly recommend running a tarpit on all popular ports. It lets you gather some nice data and keeps the scanners busy.
catweax

6 Posts
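The two payloads quoted in the comment above are the opening bytes of standard SOCKS handshakes (0x05 01 02 is a SOCKS5 method-selection greeting offering username/password authentication per RFC 1928; 0x04 01 00 50 ... is the start of a SOCKS4 CONNECT request to port 80), which matches the proxy-hunting seen on ports 1080, 3128 and 8080 elsewhere in this thread. The decoder below is an added example, not code from the ISC diary or any commenter; the payload bytes are constructed from the hex values quoted in the comment, and it handles the truncation a 5-byte tarpit window imposes.

```python
# Added example (not from the ISC diary or any commenter): decode the first
# bytes a client sends on a suspected open-proxy port as SOCKS4 / SOCKS5.
import struct

SOCKS5_METHODS = {0x00: "no authentication", 0x01: "GSSAPI",
                  0x02: "username/password", 0xFF: "no acceptable methods"}
SOCKS4_COMMANDS = {0x01: "CONNECT", 0x02: "BIND"}


def decode_socks_probe(data: bytes) -> dict:
    """Classify a captured client payload as a SOCKS4 request, a SOCKS5
    greeting, or unknown.  Works on truncated captures: fields that did not
    make it into the capture are reported as missing and 'truncated' is set."""
    if not data:
        return {"kind": "unknown", "reason": "empty payload"}
    ver = data[0]
    if ver == 0x05:
        # RFC 1928 greeting: VER(1) NMETHODS(1) METHODS(NMETHODS)
        nmethods = data[1] if len(data) > 1 else 0
        methods = list(data[2:2 + nmethods])
        return {"kind": "socks5-greeting",
                "methods": [SOCKS5_METHODS.get(m, f"0x{m:02x}") for m in methods],
                "truncated": len(data) < 2 + nmethods}
    if ver == 0x04 and len(data) >= 2:
        # SOCKS4 request: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL
        result = {"kind": "socks4-request",
                  "command": SOCKS4_COMMANDS.get(data[1], f"0x{data[1]:02x}")}
        if len(data) >= 4:
            result["dst_port"] = struct.unpack("!H", data[2:4])[0]
        # Whatever part of the 4-byte destination IP survived the capture;
        # octets that were cut off are shown as '?'.
        ip_bytes = data[4:8]
        octets = [str(b) for b in ip_bytes] + ["?"] * (4 - len(ip_bytes))
        result["dst_ip"] = ".".join(octets)
        result["truncated"] = len(data) < 9  # fixed header plus USERID NUL
        return result
    return {"kind": "unknown", "reason": f"first byte 0x{ver:02x}"}


# Payloads constructed from the hex values quoted in the comment above.
PAYLOAD_3_BYTES = bytes.fromhex("050102")
PAYLOAD_5_BYTES = bytes.fromhex("040100503c")

if __name__ == "__main__":
    for payload in (PAYLOAD_3_BYTES, PAYLOAD_5_BYTES):
        print(payload.hex(), "->", decode_socks_probe(payload))
```

Seen from the defender's side, a decoder like this run over tarpit or honeypot captures tells you which proxy protocol a scanner expects on each port, which is the data that makes the "proxy hunting" interpretation in this thread testable.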
