Showing posts with label tcpdump. Show all posts

Monday, January 11, 2010

What's Up With All The Port Scanning Using TCP/6000 As A Source Port?


Yeah, this is from ISC. I've been noticing this for awhile, but I thought it was just noise. Apparently, others noticed it too. Here's what I have (example snippet):

syslog:Jan 10 14:16:03 none kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:69:08:00 SRC=221.194.45.3 DST=66.160.141.30 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=256 PROTO=TCP SPT=6000 DPT=1521 WINDOW=16384 RES=0x00 SYN URGP=0
syslog:Jan 10 15:44:17 none kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:69:08:00 SRC=218.240.32.166 DST=66.160.141.30 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=6000 DPT=2967 WINDOW=16384 RES=0x00 SYN URGP=0
syslog:Jan 10 16:21:55 none kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:69:08:00 SRC=61.182.168.30 DST=64.62.231.220 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256
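A small parser for these netfilter "BLOCKED:" lines, added here as an example rather than anything from the original post, tallies the SPT=6000 SYN probes by destination port and source address and records the ID/WINDOW pair the post's lines share. The sample input is the two complete log lines quoted above plus one constructed line with an ordinary ephemeral source port, included to show it is not counted.

```python
import re
from collections import Counter

# Sample input: the two complete BLOCKED lines from the post, re-joined onto
# single lines, plus one constructed line (192.0.2.10, source port 51234)
# that should NOT match the port-6000 pattern.
SAMPLE_LOG = """\
Jan 10 14:16:03 none kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:69:08:00 SRC=221.194.45.3 DST=66.160.141.30 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=256 PROTO=TCP SPT=6000 DPT=1521 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 15:44:17 none kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:69:08:00 SRC=218.240.32.166 DST=66.160.141.30 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=6000 DPT=2967 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 16:30:00 none kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:69:08:00 SRC=192.0.2.10 DST=66.160.141.30 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12345 PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens; OUT= has an empty value
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one kernel log line plus the bare TCP
    flag words (SYN, ACK, ...) under 'FLAGS'; None if it is not a kernel line."""
    _, sep, body = line.partition("kernel:")
    if not sep:
        return None
    fields = dict(KV.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields


def is_port6000_syn_probe(fields):
    """The pattern from the post: TCP, source port 6000, SYN only."""
    return (fields.get("PROTO") == "TCP"
            and fields.get("SPT") == "6000"
            and fields["FLAGS"] == {"SYN"})


def summarize(log_text):
    """Tally matching probes by destination port, by source address, and by
    the (ID, WINDOW) pair, which the post's lines always show as (256, 16384)."""
    by_dport, by_src, by_id_win = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if f is None or not is_port6000_syn_probe(f):
            continue
        by_dport[int(f["DPT"])] += 1
        by_src[f["SRC"]] += 1
        by_id_win[(f.get("ID"), f.get("WINDOW"))] += 1
    return {"by_dport": by_dport, "by_src": by_src, "by_id_win": by_id_win}


if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LOG).items():
        print(name, dict(counter))
```

Feeding it a real file is a matter of `summarize(open("/var/log/syslog").read())`; the constant IP ID and window size are what make these probes easy to separate from ordinary traffic that happens to use port 6000.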


Yeah, I've been blocking these. It's pretty easy, as I've a firewall policy that just flat-out blocks anything I don't outright allow...It's pretty hardcore. For those who think that "port 80 will always be open" (yeah, I do run a web-server), Modsecurity covers that port...but I'm deviating from the topic of this post.

No one seems to know what the offending IPs are doing, but most appear to originate from China. I'm running a tcpdump to try to gather data, but so far I don't have much (6 hours of sniffing only shows 4 hits so far).

I'm using the following tcpdump command:


tcpdump -i eth0 -Xvvnne -s 0 src port 6000 -w /tmp/dump_src_port_6000


I'll leave it running for 24 hours then check and see what I have...it might not amount to much, though.

UPDATE:

One thing I noticed right off the bat was the destination ports...they are all affiliated with MS Windows services (ports 135, 139, 1433, 2967, 1521) but also ports such as 8000, 8080 and 7212. Weird. I'll keep the sniff going for a few days (a week's worth of sniffing, maybe).

UPDATE #2:

Decided to kill the tcpdump process to see what's going on and post it here. Will start it up again before I head to bed (I doubt I'm missing much so far):

root@starchild:~# tcpdump -Xvvnes -0 -r /tmp/dump_src_port_6000
reading from file /tmp/dump_src_port_6000, link-type EN10MB (Ethernet)
20:06:55.553601 00:0c:db:fc:8b:69 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 107, id 256, offset 0, flags [none], proto TCP (6), length 40) 221.195.73.68.6000 > 66.160.141.30.8000: S, cksum 0x3a87 (correct), 132448256:132448256(0) win 16384
0x0000: 4500 0028 0100 0000 6b06 580a ddc3 4944 E..(....k.X...ID
0x0010: 42a0 8d1e 1770 1f40 07e5 0000 0000 0000 B....p.@........
0x0020: 5002 4000 3a87 0000 P.@.:...
21:06:16.773790 00:0c:db:fc:8b:69 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 109, id 256, offset 0, flags [none], proto TCP (6), length 40) 121.101.212.38.6000 > 66.160.141.30.1433: S, cksum 0xca79 (correct), 1796538368:1796538368(0) win 16384
0x0000: 4500 0028 0100 0000 6d06 2f86 7965 d426 E..(....m./.ye.&
0x0010: 42a0 8d1e 1770 0599 6b15 0000 0000 0000 B....p..k.......
0x0020: 5002 4000 ca79 0000 P.@..y..
21:36:31.664717 00:0c:db:fc:8b:69 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 110, id 256, offset 0, flags [none], proto TCP (6), length 40) 60.13.26.66.6000 > 64.62.231.220.1433: S, cksum 0xd34d (correct), 19005440:19005440(0) win 16384
0x0000: 4500 0028 0100 0000 6e06 cd66 3c0d 1a42 E..(....n..f<..B
0x0010: 403e e7dc 1770 0599 0122 0000 0000 0000 @>...p..."......
0x0020: 5002 4000 d34d 0000 P.@..M..
22:00:21.259640 00:0c:db:fc:8b:69 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 106, id 256, offset 0, flags [none], proto TCP (6), length 40) 222.45.112.219.6000 > 66.160.141.30.135: S, cksum 0xe3c1 (correct), 1432485888:1432485888(0) win 16384
0x0000: 4500 0028 0100 0000 6a06 3109 de2d 70db E..(....j.1..-p.
0x0010: 42a0 8d1e 1770 0087 5562 0000 0000 0000 B....p..Ub......
0x0020: 5002 4000 e3c1 0000 P.@.....
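To check the decoded header line against the raw bytes, here is an added example (not code from the post) that rebuilds the first packet from its `tcpdump -X` hex-dump lines, unpacks the IPv4 and TCP headers, and recomputes both RFC 1071 checksums. The sample input is the three `0x00..` lines of the first packet above; the only assumption is that the ASCII column never happens to look like a four-hex-digit word, which holds for this capture.

```python
import re
import socket
import struct

# Sample input: the hex-dump lines of the first packet from the post's
# "tcpdump -X ... -r /tmp/dump_src_port_6000" output.
SAMPLE_HEXDUMP = """\
0x0000: 4500 0028 0100 0000 6b06 580a ddc3 4944 E..(....k.X...ID
0x0010: 42a0 8d1e 1770 1f40 07e5 0000 0000 0000 B....p.@........
0x0020: 5002 4000 3a87 0000 P.@.:...
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{4}$")


def hexdump_to_bytes(text):
    """Rebuild raw bytes from 'tcpdump -X' lines ('0xNNNN: hhhh hhhh ... ascii').
    Assumption: the trailing ASCII column is never a 4-hex-digit token, so we
    stop at the first token that is not one."""
    out = bytearray()
    for line in text.splitlines():
        offset, sep, rest = line.partition(":")
        if not sep or not offset.strip().startswith("0x"):
            continue
        for tok in rest.split():
            if not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def rfc1071_checksum(data):
    """Internet checksum: one's complement of the one's-complement sum of
    16-bit big-endian words (odd trailing byte padded with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_tcp(pkt):
    """Decode an IPv4 header plus TCP header and verify both checksums."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, ip_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    ip_hdr = pkt[:ihl]
    # IP checksum is computed with its own field (bytes 10-11) zeroed.
    ip_ok = rfc1071_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == ip_csum

    tcp = pkt[ihl:total_len]
    (sport, dport, seq, _ack, off_flags, window, tcp_csum,
     _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    flags = off_flags & 0x1FF
    # TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length)
    # followed by the segment with its checksum field (bytes 16-17) zeroed.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    tcp_ok = rfc1071_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]) == tcp_csum
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "id": ident, "sport": sport, "dport": dport, "seq": seq,
        "window": window, "syn_only": flags == 0x02,
        "ip_csum": ip_csum, "ip_csum_ok": ip_ok,
        "tcp_csum": tcp_csum, "tcp_csum_ok": tcp_ok,
    }


def decode_sample():
    return decode_ipv4_tcp(hexdump_to_bytes(SAMPLE_HEXDUMP))


if __name__ == "__main__":
    for key, value in decode_sample().items():
        print(f"{key:12} {value}")
```

The decoded values line up with tcpdump's own summary line: 221.195.73.68.6000 to 66.160.141.30.8000, TTL 107, IP ID 256, a lone SYN with window 16384, and both checksums valid (0x580a for IP, 0x3a87 for TCP).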


I'm not seeing much but my FW is definitely not helping things, either (killing the connections, which is why you can only see syn packets). Well, anyone else want to guess what's going on?

Tuesday, March 10, 2009

tcpdump, Dell Mini, and BASE

So, I'm wondering why tcpdump is missing from the default install of my Dell's Ubuntu...doesn't make sense. I was having issues with getting my wifi card associated with my WAP and wanted to see the packets leaving the wireless interface, so I tried to bring up tcpdump, but it wasn't available. I actually had to hook a cat5 cable to the Mini to get this package, just to troubleshoot. I noticed the same thing with Suse about a year ago.

Apparently, tcpdump was created under a permissive free software license, per Wikipedia. I don't know if this is actually GPL or a derivative of GPL. The manpage doesn't mention what license tcpdump falls under and I'm sometimes wary of Wikipedia, as I like to find the facts on my own to validate (or invalidate) internet claims.

I'll research this and post my findings here.

On another note, I found a very cool bag for my Dell Mini, at Dell's website. I'll try to post pics and a link soon (from my Macbook, as the Mini's keyboard slows me down a bit).

Lastly, I somehow broke access to my MySQL database, so now my snort sensors won't report to it. It's been down for about 2 weeks and I don't have the time to fix it. I'm going on vacation for my birthday and hope to have some personal (i.e., QUIET) time to myself to fix this. I'll be visiting my parents for my birthday this weekend and will see about shelling in to fix it remotely.

Monday, March 02, 2009

What I've installed on the Mini so far...

So far, I've installed the following on my Dell Mini:

tcpdump (IMO, this is a mandatory package...should've been installed by default)
xchat
gdesklets (I'm going to remove this because desktop space is at a premium)

That's it, so far. Surprisingly, I find myself not needing much more than what apps are already installed. Then again, I've had the Mini for less than a week. :)

EDIT: also installed 'locate' but the install didn't include the updatedb.conf file...working on that now.