
SANS ISC InfoSec Forums: Outbound 6000/TCP traffic to multiple Chinese IPs?


Outbound 6000/TCP traffic to multiple Chinese IPs?
I have seen traffic over port 6000/TCP to multiple Chinese IPs. Is this malware communication or application traffic?
SniffingShadow

I'd definitely be concerned about it, especially if the systems the traffic is coming from are Unix/Linux. It could be X11 traffic - someone running an app on your system with the GUI sent back to those IPs in China.

You could probably confirm whether or not it was X11 with a sniffer if you've got tcpdump or snort or wireshark on the systems (or on a system using a span/mirror port on your switch)...
Brent

That's not a Unix/Linux box. It's Windows Vista. Is it a concern?
SniffingShadow

If you don't know what it is, yes, it's a big concern.
Anonymous

6000 is the default port for HTTP traffic for IBM Synology DSMs running more than one instance. It defaults to the following:

5000:http
5001:https

6000:http
6001:https

7000:http
7001:https

8000:http
8001:https

Recently, since October 2013, there has been a lot of exploit development on these boxes; 4-5 have been published. In fact, as I'm writing this, a new remote code execution was published for it.

http://seclists.org/bugtraq/2014/Mar/138

If you search the Metasploit/Rapid7 modules, you'll find there is a scanner for this as well as a full-fledged exploit. You're probably being scanned on ports 5000, 5001, 6000, 6001, etc. just to see if it's a Synology DSM running 4.3. My buddy was running multiple instances of 4.3 and got popped recently.
gRanger

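Brent's post suggests confirming with a sniffer whether the 6000/TCP flows are X11, and gRanger's post points out that the same port range carries HTTP on Synology DSM. The two are easy to tell apart from the first bytes the client sends: an X11 connection setup begins with a byte-order byte ('l' for little-endian or 'B' for big-endian), a pad byte, then the 16-bit protocol major version 11 and minor version 0, while an HTTP request begins with an ASCII request line such as "GET / HTTP/1.1". The script below is an added example for this thread, not code from the ISC post or any of its posters; it classifies captured first-payload bytes and triages outbound flows on the X11 display ports (6000-6063) and the DSM ports listed above. The flow records, the internal network 10.0.0.0/8 and the external addresses in 203.0.113.0/24 (the TEST-NET-3 documentation range) are all constructed for the demonstration.

```python
"""Triage outbound TCP/6000-style flows: X11 display export, DSM-style HTTP, or unknown.

Added example for this thread (not the posters' code). Input is a list of
(src_ip, dst_ip, dst_port, first_client_bytes) tuples, the kind of data you
would pull from a tcpdump/Wireshark capture on the host or a span port.
"""
import ipaddress
import struct

X11_PORTS = range(6000, 6064)                # X display :0 .. :63 -> TCP 6000 .. 6063
DSM_HTTP_PORTS = {5000, 6000, 7000, 8000}    # DSM HTTP ports named in the thread
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def classify_payload(first_bytes: bytes) -> str:
    """Return 'x11', 'http' or 'unknown' for the first client-to-server bytes."""
    # X11 connection setup: byte-order byte, pad, major version (11), minor version (0)
    if len(first_bytes) >= 6 and first_bytes[0] in (0x6C, 0x42):   # 'l' or 'B'
        order = "<" if first_bytes[0] == 0x6C else ">"
        major, minor = struct.unpack(order + "HH", first_bytes[2:6])
        if major == 11 and minor == 0:
            return "x11"
    # HTTP request line (what DSM serves on 5000/6000/7000/8000)
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def is_external(ip: str, internal_nets) -> bool:
    """True when ip falls outside every network in internal_nets."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in internal_nets)


def triage_flows(flows, internal_nets):
    """Return (dst_ip, dst_port, classification, note) for each outbound flow of interest.

    Only flows from an internal source to an external destination on an X11
    display port or a DSM HTTP port are reported; everything else is skipped.
    """
    findings = []
    for src, dst, dport, payload in flows:
        if is_external(src, internal_nets) or not is_external(dst, internal_nets):
            continue                                  # not internal -> external
        if dport not in X11_PORTS and dport not in DSM_HTTP_PORTS:
            continue                                  # port not discussed in the thread
        kind = classify_payload(payload)
        if kind == "x11":
            note = "X11 client exporting a display to an external host; find the process and user"
        elif kind == "http":
            note = "HTTP on a DSM-style port; confirm the remote host is a NAS you actually manage"
        else:
            note = "unrecognised protocol on a port that is normally X11 or DSM HTTP; capture more"
        findings.append((dst, dport, kind, note))
    return findings


# Constructed sample flows (not real capture data); 203.0.113.0/24 is a documentation range.
SAMPLE_FLOWS = [
    ("10.1.2.3", "203.0.113.10", 6000, b"l\x00\x0b\x00\x00\x00\x12\x00\x10\x00"),  # X11, little-endian
    ("10.1.2.3", "203.0.113.11", 6000, b"GET /webman/index.cgi HTTP/1.1\r\n"),      # DSM-style HTTP
    ("10.1.2.3", "203.0.113.12", 6001, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),    # something else
    ("10.1.2.3", "10.1.2.4", 6000, b"B\x00\x00\x0b\x00\x00"),                        # internal, skipped
    ("203.0.113.13", "10.1.2.3", 6000, b"GET / HTTP/1.1\r\n"),                       # inbound, skipped
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    for dst, port, kind, note in triage_flows(SAMPLE_FLOWS, INTERNAL_NETS):
        print(f"{dst}:{port} {kind:8s} {note}")
```

Run it against records you extracted from your own capture; a flow that classifies as x11 is the case Brent describes, and one that classifies as http on 6000 is the DSM case gRanger describes. A TLS ClientHello or anything else lands in unknown, which is the result that most deserves a longer capture.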
