Commonly Probed Ports

Toby Miller has provided GIAC with this list of commonly probed ports from his experience. With contributions from Rob McCauley, Meredith Lynes, Guy Bruneau and David Andrews. Please take a look at this and if you feel there should be additions send them to handler@incidents.org(last updated May 4, 2000) Also thanks goes to www.tlsecurity.net for port listings as well.
Service Port TCP/UDP Explanation
Reserved 0 TCP/UDP N/A
Sscan Signature 0 - 5 TCP N/A
Ttymux 1 TCP an effort to ID SGI Irix systems
echo 7 TCP/UDP UDP Attack
systat 11 TCP system/user information
chargen 19 TCP/UDP potential UDP attack
ftp 20 TCP FTP data port. Can be used in an ftp bounce attack
ftp 21 TCP File Transfer Protocol
Ssh 22 TCP Secure Shell
Ssh 22 TCP PCAnywhere
PCAnywhere v. 8.x 22 UDP N/A
Telnet 23 TCP Remote login.  Poor Authentication
SMTP 25 TCP Simple Mail Tranfer Protocol
DNS 53 TCP Domain Name Service. Used in zone transfers. Used for >512 byte name queries as well
DNS 53 UDP Domain Name Service.  Used for name queries
Finger 79 TCP Can obtain computer information
Linuxconf 98 TCP System administration tool for linux, heavily probed, attack unknown.
POP2 109 TCP Internet Mail
POP3 110 TCP Internet Mail
SunRpc 111 / 32771 TCP Remote Procedure Call. Very Dangerous. Don't run unless necessary
NNTP 119 TCP Internet News
Netbios - Name Service 137 TCP/UDP Microsoft machines use this often
Netbios - Datagram Service 138 TCP/UDP Microsoft machines use this often
Netbios - Session 139 TCP/UDP Microsoft machines use this often
IMAP 143 TCP Internet Message Access Protocol. Don't need it = Don't run it.
SNMP 161 TCP Used for network mapping
Exec 512 TCP Remote process execution authentication performed using passwords and login names.
Login 513 TCP Remote login. Don't need it = Don't run it
Who 513 UDP Shows load averages, and who's logged in. Don't need it = Don't run it
Cmd 514 TCP Similar to Exec
Printer 515 TCP Spooler
NCP 524 TCP N/A
Mount 635 TCP Mount. NFS mount service
Doly Version 1.1 & 1.2 1011 TCP Trojan
Doly Version 1.5 1015 TCP Trojan
Doly Version 1.6 & 1.7 1016 TCP Trojan
Doly Version 1.35 1035 TCP Trojan
Socks 1080 TCP Recently has been gettign a lot of probes
NFS 2000 TCP Network File System
Squid Proxy 3128 TCP www.rusftpsearch.net Was searching and trying to exploit this service
ICQ 4000 UDP Chat programs. Can be dangerous. Don't need it = Don't run it.
PCAnywhere v. 8.x & 9.x 5631 TCP N/A
PCAnywhere v. 8.x & 9.x 5632 UDP N/A
X-Windows 6000 + TCP Common exploit. Don't need it = Don't run it
Gnutella 6346 N/A File server
IRC 6665 - 6669 TCP/UDP Internet Relay Chat. Very dangerous. Don't need it = Don't run it
Wingate sniffers 8080 TCP N/A
Netbus 12345-6, 20034 TCP Remote control program. Considered by many to be a trojan.
Stacheldraht ddos 16660 TCP ddos tool. Client -> Handler
SubSeven 2.1 27374 TCP Trojan
Trinoo ddos 27444 UDP ddos tool. Master -> Daemons
Trinoo ddos 27665 TCP ddos tool. Intruder -> Master
Trinoo ddos 31335 UDP ddos tool. Daemon -> Master
Back Orifice 31337 UDP One of the most common Trojans
Hack 'a' Tack 31789-90 UDP One of the most common Trojans
Unknown 32773 TCP N/A
Traceroute 33434-33523 UDP Common Network utility
Back Orifice 2K 54320 / 54321 UDP One of the most common Trojans
Stacheldraht ddos 65000 TCP ddos tool. Handler -> <- Agents
PCAnywhere v. 8.x 65301 TCP N/A
 

Here is another list of ports with the known trojans or applications that run on these default ports.
Port Trojan or application that runs on this port
21 Blade Runner, Doly Trojan, Fore, Invisible, FTP, WebEx, WinCrash
23 Tiny Telnet Server
25 Antigen, Email Password Sender, Haebu, Coceda, Shtrilitz, Stealth, Terminator, WinPC, WinSpy
25 SMTP
31 Hackers Paradise
80 Executor, WWW
110 POP3
137 Name Service (Netbios over IP) Windows
138 Datagram Service (Netbios over IP) Windows
139 Session Service (Netbios over IP) Windows
456 Hackers Paradise
555 Ini-Killer, Phase Zero, Stealth Spy
666 Satanz Backdoor
777 AIM Spy
1000 Der Spaeher3, Insane Network
1001 Silencer, WebEx, Der Spaeher3, Insane Network
1011 Doly Trojan
1029 InCommand
1050 MiniCommand 1.2
1170 Psyber Stream Server, Voice
1207 SoftWar
1234 Ultors Trojan
1243 Sub 7.2
1245 VooDoo Doll
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor
2000 Der Spaeher3, Insane Network
2001 Trojan Cow, Der Spaeher3, Insane Network
2023 Ripper
2115 Bugs
2140 Deep Throat, The Invasor
2716 The Prayer
2801 Phineas Phucker
3024 WinCrash
3128 Squid Proxy
3129 Masters Paradise
3150 Deep Throat, The Invasor
3700 Portal of Doom
4092 WinCrash
4590 ICQTrojan
5000 Sockets de Troie
5001 Sockets de Troie
5031 NetMetropolitan2
5032 NetMetropolitan2
5321 Firehotcker
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5569 Robo-Hack
5636 PC Crasher
5637 PC Crasher
5742 WinCrash
6000 The Thing
6666 TCPShell.c
6669 Host Control
6670 DeepThroat
6771 DeepThroat
6883 DeltaSource
6969 GateCrasher, Priority
7000 Remote Grab
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7789 ICKiller
8080 Proxy
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi-Killer
9999 The Prayer
10067 Portal of Doom
10167 Portal of Doom
11000 Senna Spy
11050 Host Control
11223 Progenic trojan
12223 Hack´99 KeyLogger
12345 GabanBus, NetBus
12346 GabanBus, NetBus
12361 Whack-a-mole
12362 Whack-a-mole
12701 Eclipse2000
16484 Mosucker
16969 Priority
20001 Millennium
20034 NetBus 2 Pro
20203 Chupacabra
20331 Bla
21544 GirlFriend
21554 Schwindler
22222 Prosiak
23456 Evil FTP, Ugly FTP
26274 Delta
31337 Back Orifice
31338 Back Orifice, DeepBO
31339 NetSpy DK
31666 BOWhack
33333 Prosiak
34324 BigGluck, TinyTelnetServer, TN
37651 YetAnotherTrojan
40412 The Spy
40421 Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
47262 Delta
50505 Sockets de Troie
50766 Fore
53001 Remote Windows Shutdown
57341 NetRaider
61466 Telecommando
65000 Devil

<<

Copyright (c) 2000 - 3000 by Ing. Eduardo Palena - Napolifirewall.com