SoFunction
Updated on 2025-04-09

Basic knowledge of computer ports

Ports fall into three categories:
1) Well Known Ports: 0 to 1023. These are tightly bound to particular services, so traffic on one of them usually identifies the protocol unambiguously. For example, port 80 is almost always HTTP.
2) Registered Ports: 1024 to 49151. These are loosely bound to services: many services are registered on these ports, but the same ports are also used for many other purposes. For example, many systems hand out dynamic ports starting at about 1024.
3) Dynamic and/or Private Ports: 49152 to 65535. In theory no service should be assigned to these ports. In practice, machines usually allocate dynamic ports starting from 1024, though there are exceptions: Sun's RPC ports start at 32768.
This section describes what the TCP/UDP ports that typically show up in firewall logs mean. Remember: there is no such thing as an ICMP port. If you want to interpret ICMP data, see the other sections of this article.
0 Usually used to fingerprint the operating system. The technique works because on some systems port 0 is an invalid port, so connecting to it produces a different result from connecting to an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit and broadcasts at the Ethernet layer.
1 tcpmux This indicates that someone is looking for SGI Irix machines. Irix is the main implementor of tcpmux, and tcpmux is turned on by default on those systems. Irix machines shipped with several passwordless default accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox and 4Dgifts. Many administrators forget to delete these accounts after installation, so attackers search the Internet for tcpmux and try these accounts.
7 Echo You will see many packets sent to .0 and .255 addresses when people search for Fraggle amplifiers.
A common DoS attack is the echo loop: the attacker forges UDP packets so that they appear to be sent from one machine to another, and the two machines then respond to each other as fast as they can. (See Chargen.)
Another source is the TCP connections DoubleClick makes to this port. A product called "Resonate Global Dispatch" connects to this port on DNS servers to determine the closest route.
Harvest/Squid caches send UDP echo from port 3130: "If the cache's source_ping option is turned on, it responds to a HIT reply with a packet to the UDP echo port of the original host." This generates many such packets.
11 sysstat A UNIX service that lists all running processes on the machine and who started them. This gives intruders a great deal of information that threatens the security of the machine, such as programs that expose known weaknesses or accounts. It is similar to the output of the "ps" command on UNIX systems.
Again: ICMP has no ports; "ICMP port 11" is usually ICMP type 11.
19 chargen A service that does nothing but send characters. The UDP version responds to any received UDP packet with a packet full of junk characters. When a TCP connection is made, it sends a stream of junk characters until the connection is closed. Attackers use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers; pointing chargen at echo likewise overloads both servers as they try to answer an endless round-trip exchange. Similarly, the Fraggle DoS attack broadcasts packets with a forged victim IP to this port on the target network, and the victim is overloaded by the responses.
21 ftp The most common attackers look for open anonymous FTP servers with readable and writable directories. Hackers or crackers use these servers as nodes for distributing warez (pirated programs) and pr0n (a deliberate misspelling used to avoid classification by search engines).
22 ssh A TCP connection from pcAnywhere to this port may be a search for ssh. This service has many weaknesses; many versions using the RSAREF library have vulnerabilities when configured in a particular mode. (It is recommended to run ssh on another port.)
Note also that the ssh toolkit includes a program called make-ssh-known-hosts, which scans a whole domain for ssh hosts. You will occasionally be scanned by accident by people running this program.
A UDP (rather than TCP) connection to port 5632 on the other end means a scan searching for pcAnywhere. 5632 (0x1600 in hexadecimal) with its two bytes swapped is 0x0016 (22 in decimal).
23 Telnet The intruder is searching for remote login to UNIX. In most cases intruders scan this port to find out what operating system the machine is running. Using other techniques, the intruder will also try to find passwords.
25 smtp Attackers (spammers) look for SMTP servers to relay their spam. Their own accounts are routinely closed, so they need to dial up and connect to a high-bandwidth e-mail server to pass one simple message to many addresses. SMTP servers (especially sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and mail routing is complex (exposed + complex = weakness).
53 DNS Hackers or crackers may be attempting zone transfers (TCP), spoofing DNS (UDP), or hiding other traffic in it. Firewalls therefore often filter or log port 53.
Note that you will often see port 53 as the UDP source port. Poorly configured firewalls usually allow this traffic, assuming it is a response to a DNS query. Hackers often use this to get through a firewall.
67 and 68 Bootp and DHCP Bootp/DHCP over UDP: Through DSL and cable-modem firewalls you often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are asking a DHCP server for an address. Attackers can slip in and hand out an address that makes their own machine the local router, and from there launch a large number of man-in-the-middle attacks. The client broadcasts its configuration request to port 67 (bootps) and the server broadcasts the reply to port 68 (bootpc). The reply is broadcast because the client does not yet have an IP address it can be sent to.
69 TFTP (UDP) Many servers provide this service alongside bootp so that systems can download their boot code. But they are often misconfigured to serve any file on the system, such as password files. They can also be used to write files onto the system.
79 finger Hackers use it to obtain user information, identify the operating system, probe known buffer overflow bugs, and relay finger scans through your machine to other machines.
98 linuxconf This program provides simple administration of Linux boxen. It serves a web interface on port 98 through an integrated HTTP server. Many security issues have been found in it: some versions are setuid root, trust the LAN, create Internet-accessible files under /tmp, and have a buffer overflow in handling the LANG environment variable. Furthermore, because it contains an integrated server, many typical HTTP vulnerabilities (buffer overflows, directory traversal, etc.) may exist.
109 POP2 Not as well known as POP3, but many servers provide both at the same time (backward compatibility). POP3 vulnerabilities on the same server also exist in POP2.
110 POP3 Used by clients to access server-side mail. POP3 services have many recognized weaknesses. There are at least 20 buffer overflows in the username and password exchange (meaning an attacker can get into the system before actually logging in). After a successful login there are further buffer overflow bugs.
111 sunrpc portmap rpcbind Sun RPC PortMapper/RPCBIND. Querying the portmapper is the earliest step in scanning a system to see which RPC services are running. Common RPC services include NFS, amd and others. An intruder who finds an exploitable RPC service then moves on to the specific port where that service runs.
Keep your logging daemon, IDS or sniffer running so that you can discover which program the intruder used to gain access and find out what actually happened.
113 Ident auth A protocol run on many machines to identify the user behind a TCP connection. Standard services can pull information from many machines (which hackers exploit). But it is used as a logging aid by many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients reach those services through a firewall, you will see many connection requests to this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls can send back an RST when they block a TCP connection, which avoids the slowdown.
119 NNTP news Network News Transfer Protocol, carrying USENET traffic. This port is used when you follow a link such as news:///. Attempts to connect to this port are usually people looking for USENET servers. Most ISPs restrict access to their news servers to their own customers. An open news server allows anyone to post and read, reach restricted newsgroups, post anonymously, or send spam.
135 oc-serv MS RPC end-point mapper Microsoft runs the DCE RPC end-point mapper on this port for its DCOM services. It is very similar in function to UNIX port 111. Services that use DCOM and/or RPC register their locations with the end-point mapper on the machine; when a remote client connects, it queries the end-point mapper to find where the service is. Hackers likewise scan this port to ask questions such as: Is Exchange Server running on this machine? Which version?
Besides querying for services, this port can also be attacked directly (for example with epdump). There are some DoS attacks that target this port directly.
137 NetBIOS name service nbtstat (UDP) This is the most common thing firewall administrators see. Please read the NetBIOS section at the end of this article carefully.
139 NetBIOS File and Print Sharing Connections arriving on this port are trying to reach the NetBIOS/SMB service. This protocol is used for Windows "File and Printer Sharing" and by SAMBA. Sharing your own hard drive to the Internet is probably the most common problem.
Large numbers of attempts on this port began in 1999 and gradually decreased; there was another surge in 2000. Some VBS (IE5 Visual Basic Scripting) worms began copying themselves through this port in an attempt to propagate.
143 IMAP Same security issues as POP3 above: many IMAP servers have buffer overflows that are triggered during login. Remember that a Linux worm (admw0rm) spread through this port, so many scans of this port come from unwitting infected users. These vulnerabilities became widespread when Red Hat enabled IMAP by default in their Linux releases. This was the first widespread worm since the Morris worm.
This port is also used by IMAP2, which is not popular.
There have been reports that some attacks on ports 0 to 143 come from scripts.
161 SNMP (UDP) A port frequently probed by intruders. SNMP allows remote management of devices. All configuration and operational information is stored in a database and retrieved by SNMP clients. Many administrators misconfigure it and expose it to the Internet. Crackers will try to access the system with the default community strings (passwords) "public" and "private", and may try all possible combinations.
SNMP packets may be directed at your network by mistake. Windows machines often run SNMP because of carelessly configured HP JetDirect remote management software; the HP OBJECT IDENTIFIER will receive the SNMP packet. Newer versions of Win98 use SNMP to resolve domain names, and you will see these packets broadcast (cable modem, DSL) on the subnet querying sysName and other information.
162 SNMP trap May be due to misconfiguration.
177 xdmcp Many hackers gain access to X Windows consoles through it; port 6000 must also be open.
513 rwho Probably broadcasts from UNIX machines on a subnet connected via cable modem or DSL. These give hackers useful information for getting into those systems.
553 CORBA IIOP (UDP) If you are on a cable-modem or DSL VLAN you will see broadcasts to this port. CORBA is an object-oriented RPC (remote procedure call) system. Hackers use this information to get into systems.
600 Pcserver backdoor See port 1524.
Some script kiddies think they have completely broken into a system by modifying the inculcl and pcserver files. -- Alan J. Rosenthal
635 mountd Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP, but TCP-based mountd scans have increased (mountd runs on both at once). Remember, mountd can run on any port (to find out which, you must query the portmapper on port 111), but Linux defaults to port 635, just as NFS usually runs on port 2049.
1024 Many people ask what this port is for. It is the start of the dynamic port range. Many programs don't care which port they use for a network connection, so they ask the operating system for "the next free port". Allocation starts at port 1024, which means that the first program to request a dynamic port after boot gets port 1024. To verify this, reboot the machine, start Telnet, then open a window and run "netstat -a": you will see that Telnet has been assigned port 1024. The more programs request ports, the more dynamic ports are in use, and the ports the operating system hands out get progressively higher. Again, while you browse the web, check with "netstat": each web page needs a new port.
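The experiment above can be repeated from a program instead of with Telnet and netstat. The following is an added example, not part of the original FAQ: it asks the kernel for "the next free port" by binding to port 0, the same request the Telnet client makes, and compares the answers with the range the kernel actually uses. The function names are the example's own. One caveat the paragraph does not mention: modern systems no longer start at 1024 (the Linux default range begins at 32768, and Windows and BSD/macOS use the IANA 49152-65535 range), so the ports you see will be much higher than in the article.

```python
"""Watch the OS hand out dynamic ports by binding to port 0 (added example)."""
import socket

IANA_DYNAMIC_RANGE = (49152, 65535)  # the article's "Dynamic and/or Private" category


def ephemeral_range():
    """Return the (low, high) range this host uses for dynamic ports.

    Linux publishes it under /proc; elsewhere we fall back to the IANA
    dynamic/private range, which current Windows and BSD/macOS also use.
    """
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            low, high = (int(x) for x in f.read().split())
        return low, high
    except OSError:
        return IANA_DYNAMIC_RANGE


def grab_dynamic_ports(count=5):
    """Bind `count` TCP sockets on loopback with port 0; return the ports assigned.

    Every socket stays open until the list is built, so the kernel cannot
    hand the same port out twice within one call.
    """
    socks = []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind(("127.0.0.1", 0))  # port 0 = "give me the next free port"
            socks.append(s)
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()


def all_in_range(ports, rng):
    """True if every port lies inside the inclusive (low, high) range."""
    low, high = rng
    return all(low <= p <= high for p in ports)


if __name__ == "__main__":
    rng = ephemeral_range()
    ports = grab_dynamic_ports()
    print(f"kernel ephemeral range: {rng[0]}-{rng[1]}")
    print("ports handed out:", ports)
    print("all inside that range:", all_in_range(ports, rng))
```

Run it twice in a row and the second set of ports will usually be different, which is why a firewall log never shows the same "client" port for long and why the article treats anything above 1024 as a dynamic port rather than a service.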
Version 0.4.1, June 20, 2000
/pubs/
Copyright 1998-2000 by Robert Graham (mailto:firewall-seen1@.
All rights reserved. This document may only be reproduced (whole or in part) for non-commercial purposes. All reproductions must contain this copyright notice and must not be altered, except by permission of the author.
1025 See 1024
1026 See 1024
1080 SOCKS 
This protocol tunnels traffic through the firewall, letting many people behind the firewall reach the Internet through one IP address. In theory it should only allow internal traffic outward to the Internet. But because of misconfiguration it can let hackers/crackers outside the firewall pass through it, or simply relay connections for computers on the Internet to disguise their direct attacks on you. WinGate is a common Windows personal firewall and is often misconfigured in this way. You will often see this when joining IRC chat rooms.
1114 SQL 
This port is rarely scanned on its own, but it is often part of the sscan script.
1243 Sub-7 Trojan (TCP)
See the SubSeven section.
1524 ingreslock backdoor
Many attack scripts install a backdoor shell on this port (especially those targeting Sendmail and the RPC service vulnerabilities in Sun systems, such as statd, ttdbserver and cmsd). If you have just installed your firewall and see connection attempts on this port, this is the likely reason. You can try telnetting to this port on your own machine to see whether it gives you a shell. The same problem exists with 600/pcserver.
2049 NFS 
NFS programs usually run on this port. Normally you need to query the portmapper to find which port the service runs on, but most of the time NFS ends up here after installation, so hackers/crackers can skip the portmapper and probe this port directly.
3128 squid 
This is the default port of the Squid HTTP proxy. Attackers scan this port looking for a proxy server through which to access the Internet anonymously. You will also see searches for other proxy ports: 8000/8001/8080/8888. Another reason for scanning this port is that a user is entering a chat room; other users (or the server itself) check this port to determine whether the user's machine supports a proxy. See section 5.3.
5632 pcAnywhere
You will see many scans of this port, depending on where you are. When a user starts pcAnywhere, it automatically scans the class C network it is on for possible agents (translator: agent here, not proxy). Hackers/crackers also look for machines running this service, so check the source address of the scan. Some scans searching for pcAnywhere include UDP packets to port 22. See Dial-up Scan.
6776 Sub-7 artifact 
This is a port split off from the Sub-7 main port for transferring data. For example, you will see it when a controller is controlling another machine over a dial-up line and the controlled machine hangs up: whoever dials in next and receives that IP address sees continuous connection attempts to this port. (Translator: when your firewall reports a connection attempt on this port, it does not mean you have been compromised by Sub-7.)
6970 RealAudio 
RealAudio clients receive audio data streams from the server's UDP ports 6970-7170. This is set up by the outbound control connection on TCP port 7070.
13223 PowWow 
PowWow is a chat program from Tribal Voice. It lets users open connections for private chat on this port. The program is very "aggressive" about establishing connections: it "camps" on this TCP port waiting for a response, producing connection attempts at something like a heartbeat interval. If you are a dial-up user and have "inherited" an IP address from another chatter, this is what happens: it looks as if many different people are probing this port. The protocol uses "OPNG" as the first four bytes of its connection attempt.
17027 Conducent 
This is an outbound connection, caused by someone inside the company installing shareware bundled with the Conducent "adbot". The Conducent "adbot" displays advertisements for shareware. One popular program that uses this service is Pkware. Someone tried it: blocking this outbound connection causes no problem, but blocking the IP address itself makes the adbots keep retrying many times per second, producing a flood of connection attempts.

The machine will constantly try to resolve the DNS name - i.e. IP addresses 216.33.210.40; 216.33.199.77; 216.33.199.80; 216.33.199.81; 216.33.210.41. (Translator: I wonder whether the Radiate used by NetAnts behaves the same way.)
27374 Sub-7 Trojan (TCP)
See the SubSeven section.
30100 NetSphere Trojan (TCP)
Scans of this port are usually looking for the NetSphere Trojan.
31337 Back Orifice “elite” 
In hacker slang 31337 reads as "elite" /ei'li:t/ (Translator: from French, meaning the backbone or the best; that is, 3=E, 1=L, 7=T). Many backdoor programs therefore run on this port, the most famous being Back Orifice. For a while it was the most common scan on the Internet. It is now becoming less popular as other Trojan programs gain ground.
31789 Hack-a-tack 
UDP traffic on this port is usually due to the "Hack-a-tack" remote access Trojan (RAT). This Trojan contains a built-in scanner for port 31790, so any connection from port 31789 to port 31790 means such an intrusion has taken place. (Port 31789 is the control connection and port 31790 the file-transfer connection.)
32770~32900 RPC services
Sun Solaris's RPC services live in this range. Specifically, early versions of Solaris (before 2.5.1) placed the portmapper in this range, allowing hackers/crackers to reach it even when the low ports were blocked by the firewall. Scans of this range are looking either for the portmapper or for known RPC services that can be attacked.
33434~33600 traceroute 
If you see UDP packets within this port range (and only within this range), it is probably traceroute. See the traceroute section.
41508 Inoculan 
Early versions of Inoculan generated a large amount of UDP traffic within the subnet so that installations could identify each other. See
/~jelson/software/ 
/nss/tips/inoculan/
(II) What do the following source ports mean?
Ports 1~1024 are reserved, so they are rarely used as source ports. There are exceptions, such as connections from NAT machines. See 1.9.
You often see ports just above 1024: these are the "dynamic ports" the system assigns to applications that do not care which port they use.
Source port        Dest. port  Service  Description
1-5/tcp            dynamic     FTP      Source ports 1-5 indicate the sscan script.
20/tcp             dynamic     FTP      Data port used by an FTP server for file transfers.
53                 dynamic     DNS      DNS servers send UDP responses from this port. You may also see TCP connections with 53 as source or destination port.
123                dynamic     S/NTP    Simple Network Time Protocol (S/NTP) servers run on this port. They also send broadcasts to it.
27910~27961/udp    dynamic     Quake    Quake and Quake-engine games run their servers on these ports, so UDP packets to or from this range are usually game traffic.
61000 and above    dynamic     FTP      Source ports above 61000 may come from a Linux NAT server (IP masquerade).
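The heuristics scattered through this article (port categories, the "no ICMP port" rule, source port 53 slipping through careless firewalls, echo/chargen pairs, the Solaris RPC and traceroute ranges, Trojan control ports, NAT source ports above 61000) can be applied mechanically to a log. The following is an added example written for this page, not Robert Graham's own code: the log format, the sample records and the function names are assumptions made for the example, and the address ranges are documentation addresses constructed for it.

```python
"""Annotate firewall log records with the interpretations this article gives (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample records (not from a real firewall) in an assumed format:
#   <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
# For ICMP the number after the source address is the ICMP *type*: the firewall
# has no port to print, which is the point the article makes twice.
SAMPLE_LOG = """\
TCP 192.0.2.20:1024 -> 198.51.100.10:80
UDP 203.0.113.9:53 -> 198.51.100.10:1025
UDP 203.0.113.9:1031 -> 198.51.100.10:53
TCP 203.0.113.44:4301 -> 198.51.100.10:31337
UDP 203.0.113.7:33000 -> 198.51.100.10:33450
UDP 203.0.113.7:7 -> 198.51.100.10:19
UDP 192.0.2.77:68 -> 255.255.255.255:67
TCP 203.0.113.5:2211 -> 198.51.100.10:32771
UDP 192.0.2.88:137 -> 192.0.2.255:137
ICMP 203.0.113.9:11 -> 198.51.100.10:0
TCP 203.0.113.8:61002 -> 198.51.100.10:21
"""

LINE_RE = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$")

# Destination ports the article discusses (abridged).
KNOWN_PORTS = {
    0: "port-0 probe (OS fingerprinting)", 1: "tcpmux", 7: "echo", 11: "sysstat",
    19: "chargen", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
    67: "bootps (DHCP server)", 68: "bootpc (DHCP client)", 69: "tftp", 79: "finger",
    80: "http", 111: "sunrpc portmap", 135: "MS RPC end-point mapper",
    137: "NetBIOS name service", 139: "NetBIOS session", 161: "snmp", 635: "mountd",
    1080: "socks", 1243: "Sub-7 Trojan", 2049: "nfs", 3128: "squid", 5632: "pcAnywhere",
    6776: "Sub-7 artifact", 27374: "Sub-7 Trojan", 30100: "NetSphere Trojan",
    31337: "Back Orifice", 31789: "Hack-a-tack RAT",
}
BACKDOOR_PORTS = {600, 1243, 1524, 6776, 27374, 30100, 31337, 31789}


def port_class(port: int) -> str:
    """The three categories from the article's introduction."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def service_name(port: int) -> str:
    """Best label for a destination port, using the article's ranges."""
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    if 32770 <= port <= 32900:
        return "Solaris RPC service range"
    if 33434 <= port <= 33600:
        return "traceroute UDP range"
    if 27910 <= port <= 27961:
        return "Quake game server range"
    return port_class(port) + " port"


@dataclass
class Annotation:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    notes: list = field(default_factory=list)


def annotate(line: str) -> Annotation:
    """Parse one record and attach the article's interpretations as notes."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    proto, src, sport = m.group(1).upper(), m.group(2), int(m.group(3))
    dst, dport = m.group(4), int(m.group(5))
    a = Annotation(proto, src, sport, dst, dport, "")
    if proto == "ICMP":  # the "port" column really holds the ICMP type
        a.service = f"ICMP type {sport}"
        a.notes.append(f"ICMP has no ports; the value {sport} is the ICMP type")
        return a
    a.service = service_name(dport)
    if proto == "UDP" and sport == 53 and dport != 53:
        a.notes.append("source port 53: DNS reply, or traffic shaped to pass a firewall that trusts sport 53")
    if proto == "UDP" and {sport, dport} <= {7, 19}:
        a.notes.append("UDP echo/chargen pair: possible spoofed loop, check both hosts")
    if dport in (67, 68) and dst == "255.255.255.255":
        a.notes.append("DHCP broadcast: normal on cable-modem/DSL segments")
    if 32770 <= dport <= 32900:
        a.notes.append("Solaris high-range RPC: portmapper probe bypassing filters on 111")
    if proto == "UDP" and 33434 <= dport <= 33600:
        a.notes.append("traceroute")
    if dport in BACKDOOR_PORTS:
        a.notes.append("backdoor/Trojan control port probe")
    if dport == 137 and dst.endswith(".255"):
        a.notes.append("NetBIOS name-service broadcast")
    if sport >= 61000:
        a.notes.append("source port >= 61000: possibly Linux IP masquerade (NAT)")
    return a


def annotate_log(text: str) -> list:
    """Annotate every non-empty record in a log excerpt."""
    return [annotate(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for a in annotate_log(SAMPLE_LOG):
        print(f"{a.proto:4} {a.src}:{a.sport} -> {a.dst}:{a.dport}  [{a.service}]")
        for n in a.notes:
            print("      -", n)
```

The notes are deliberately hedged ("possible", "or") because, as the article keeps stressing, a port number alone tells you what the traffic probably is, not who sent it or why; the source address, the protocol and the surrounding records decide whether a line is a Quake game, a DNS reply or something to follow up.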