What’s Up With All The Port Scanning Using TCP/6000 As A Source Port?, (Sat, Jan 9th)
We here at the SANS ISC always appreciate all the feedback from our readers concerning Internet anomalies. One such anomaly that caught my attention was a reader pointing out some port scans that happened to target irregular Internet Protocol numbers. While looking through my own firewall logs for similar activity, I was surprised to see a large number of log entries involving unsolicited TCP packets that use TCP Port 6000 as the source port. The traffic brings back memories of the W32/Dasher worm from 2005 that had a similar signature in its scanning (propagation) traffic where a constant TCP source port of 6000 was also used... but that ...
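One way to pull this pattern out of a firewall log, added here as an example and not code from the diary. It assumes netfilter (iptables LOG) formatted lines; the sample entries use documentation-range addresses and are constructed, and the function name `fixed_sport_syns` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in netfilter (iptables LOG) format. Addresses come from
# the RFC 5737 documentation ranges; these are not real observations.
SAMPLE_LOG = """\
Jan  9 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=105 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  9 10:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=105 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  9 10:01:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=40 TTL=105 PROTO=TCP SPT=6000 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  9 10:02:10 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51514 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  9 10:03:30 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=44 TTL=60 PROTO=TCP SPT=6000 DPT=40211 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan  9 10:04:00 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=48 TTL=110 PROTO=UDP SPT=6000 DPT=53 LEN=28
Jan  9 10:05:45 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.12 LEN=40 TTL=103 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs, value may be empty
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN"}  # flag tokens the LOG target prints bare


def fixed_sport_syns(lines, sport=6000, min_packets=1):
    """Summarise unsolicited TCP SYNs sent from a fixed source port.

    Returns {src_ip: {"packets": n, "dst_ports": [sorted ports]}}.
    """
    hits = defaultdict(lambda: {"packets": 0, "dst_ports": set()})
    for line in lines:
        fields = dict(KV.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("SPT") != str(sport):
            continue
        # Keep bare SYNs only: a SYN-ACK or RST from port 6000 is a reply from
        # a listener on that port (6000 is the X11 port), not a probe.
        if set(line.split()) & TCP_FLAGS != {"SYN"}:
            continue
        src, dpt = fields.get("SRC"), fields.get("DPT", "")
        if not src or not dpt.isdigit():
            continue  # malformed entry
        hits[src]["packets"] += 1
        hits[src]["dst_ports"].add(int(dpt))
    return {src: {"packets": h["packets"], "dst_ports": sorted(h["dst_ports"])}
            for src, h in hits.items() if h["packets"] >= min_packets}


if __name__ == "__main__":
    report = fixed_sport_syns(SAMPLE_LOG.splitlines())
    for src, info in sorted(report.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{src}: {info['packets']} SYNs from port 6000 -> {info['dst_ports']}")
```

Raising `min_packets` separates sources that reuse the same source port across many probes from one-off entries; an ordinary client stack would pick a fresh ephemeral port per connection.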
Comments (1)

ZoneAlarm has been blocking a port 6000 request for the last several days from 222.133.182.194 (China).