SUC003 : Events from static source port 6000/TCP

  • Use Case Reference : SUC003
  • Use Case Title : Events from static source port 6000/TCP
  • Use Case Detection : Firewall / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Unknown
  • Source IP(s) : Random
  • Source Countries : Most of China
  • Source Port(s) : 6000/TCP
  • Destination Port(s) : 135/TCP, 1080/TCP, 1433/TCP, 1521/TCP, 2967/TCP, 3127/TCP, 3128/TCP, 8000/TCP, 8080/TCP, 9090/TCP

Possible correlation(s):

  • Dasher worm

Sources:

Like many other honeynets, we detected activity with a static source port of 6000/TCP directed at the destination ports listed above.

Source port 6000/TCP is well known for scans targeting Microsoft SQL Server on 1433/TCP, but it has evolved to also target Oracle on 1521/TCP.

For a few days now, source port 6000/TCP has also been targeting new destination ports: 8000/TCP, 8080/TCP and 9090/TCP.

Most of the time these trends come from firewall reporting, but an IDS configured to report activity on unused TCP or UDP ports could also trigger alerts. If you use the Emerging Threats "Known Compromised Hosts" and "Recommended Block List" signatures, correlating firewall activity with IDS signature hits will give you a better overview of the attacker.
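As an added example (not part of the original post), the following Python script implements the firewall-side detection described above: it flags log lines with source port 6000/TCP and one of the SUC003 destination ports, aggregates hits per source IP, and marks which sources also appear on a block list. The log lines, the iptables-style format, and the block-list entries are constructed for the example and are not real indicators.

```python
# Added example (not from the original post): detect static source port 6000/TCP
# scans toward the SUC003 destination ports in firewall logs and correlate the
# offending source IPs with a "known compromised hosts" style block list.
import re
from collections import defaultdict

SUC003_DST_PORTS = {135, 1080, 1433, 1521, 2967, 3127, 3128, 8000, 8080, 9090}
STATIC_SRC_PORT = 6000

# Constructed iptables-style firewall log lines (TEST-NET addresses only).
SAMPLE_LOG = """\
Jan 10 08:01:12 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=1433
Jan 10 08:01:13 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=1521
Jan 10 08:02:40 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=8080
Jan 10 08:03:01 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP SPT=6000 DPT=8080
Jan 10 08:04:55 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=443
"""

# Constructed stand-in for a block list such as the Emerging Threats ones (hypothetical).
BLOCK_LIST = {"198.51.100.7"}

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

def parse_line(line):
    """Return (src, dst, proto, spt, dpt) from a firewall log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, spt, dpt = m.groups()
    return src, dst, proto, int(spt), int(dpt)

def is_suc003_event(line):
    """True when the line is TCP from source port 6000 to a SUC003 destination port."""
    fields = parse_line(line)
    if fields is None:
        return False
    _, _, proto, spt, dpt = fields
    return proto == "TCP" and spt == STATIC_SRC_PORT and dpt in SUC003_DST_PORTS

def summarize(log_text, block_list):
    """Map each offending source IP to its targeted ports and block-list status."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if is_suc003_event(line):
            src, _, _, _, dpt = parse_line(line)
            hits[src].add(dpt)
    return {ip: {"ports": sorted(ports), "listed": ip in block_list}
            for ip, ports in hits.items()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG, BLOCK_LIST).items():
        print(ip, info)
```

The UDP line with source port 6000 is deliberately ignored, since the use case is TCP-only; a source hitting several SUC003 ports in sequence is the pattern worth escalating.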

Charts (images not reproduced here):

  • 24 hours source port 6000 events
  • 1 week source port 6000 events
  • 1 month source port 6000 events
  • 1 year source port 6000 events
  • Source port 6000 source countries repartition
  • Source port 6000 destination ports repartition