- Use Case Reference : SUC003
- Use Case Title : Events from static source port 6000/TCP
- Use Case Detection : Firewall / IDS
- Attacker Class : Opportunists
- Attack Sophistication : Unsophisticated
- Identified tool(s) : Unknown
- Source IP(s) : Random
- Source Countries : Most of China
- Source Port(s) : 6000/TCP
- Destination Port(s) : 135/TCP, 1080/TCP, 1433/TCP, 1521/TCP, 2967/TCP, 3127/TCP, 3128/TCP, 8000/TCP, 8080/TCP, 9090/TCP
Possible(s) correlation(s) :
- Worm Dasher
- worm blog – Worm Dasher
- ISC – What’s Up With All The Port Scanning Using TCP/6000 As A Source Port?
- McAfee – W32/Dasher.worm
- Emerging Threats “Known Compromised Hosts”
- Dshield “Recommended Block List”
Same as many other Honey Net, we detected activities with static source port 6000 in destination of above destination ports.
This 6000/TCP port, is well know for targeting Microsoft-SQL-Server 1433/TCP, but has involve to target Oracle 1521/TCP.
Since a few days, source port 6000/TCP is targeting new destination ports : 8000/TCP, 8080/TCP and 9090/TCP.
Most of time these trends are given by Firewall reporting, but an IDS how is configured to report activities on non used TCP, or UDP, ports, could also trigger alerts. If you use the Emerging Threats “Known Compromised Hosts” and “Recommended Block List“, correlation between Firewall activities and IDS signatures will give you a better overview on the attacker.