We here at the SANS ISC always appreciate all the feedback from our readers concerning
Internet anomalies.  One such anomaly that caught my attention was a reader pointing out
some port scans that happened to target irregular Internet Protocol numbers.

While looking through my own firewall logs for similar activity, I was surprised to see a
large number of log entries involving unsolicited TCP packets that use TCP Port 6000 as
the source port.

The traffic brings back memories of the W32/Dasher worm from 2005 that had a similar
signature in its scanning (propagation) traffic where a constant TCP source port of
6000 was also used... but that was almost 5 years ago!

Has anyone had similar experiences with this type of port scanning traffic?  I welcome
your comments and feedback.

G.N. White
ISC Handler on Duty