| 0 |
|
Commonly used to help determine the operating
system (OS fingerprinting). This works because on
some systems port 0 is "invalid" and generates a
different response when you connect to it than a
normal closed port does. One typical scan uses a
destination IP address of 0.0.0.0 and sets the ACK
bit, with a broadcast destination at the Ethernet
layer.
|
| 1 |
tcpmux |
Indicates someone searching for SGI Irix machines.
SGI is the only major vendor that has implemented
tcpmux, and it is enabled by default on Irix
machines. Irix machines ship with several default
passwordless accounts, such as lp, guest, uucp,
nuucp, demos, tutor, diag, EZsetup, OutOfBox,
and 4Dgifts. Many administrators forget to close
these accounts after installation. Therefore,
hackers scan the Internet looking first for
tcpmux, then for these accounts. [CA-95.15]
|
| 7 |
Echo |
You will see lots of these from people looking for
"fraggle" amplifiers, sent to addresses of the form
x.x.x.0 and x.x.x.255 (subnet broadcast addresses).
A common DoS attack is an echo-loop, where the
attacker forges a single UDP packet so that it
appears to come from the echo port of one machine
and sends it to the echo port of another; both
machines then bounce the packet back and forth
as fast as they can (see also chargen). [CA-96.01]
Another common thing seen is TCP connections to this
port by DoubleClick. They use a product called
"Resonate Global Dispatch" that connects to
this port on DNS servers in order to locate
the closest one.
Harvest/squid caches will send UDP echoes from
port 3130. To quote the Squid documentation: "If the
cache is configured with source_ping on, it also
bounces a HIT reply off the original host's
UDP echo port." It can generate a lot of these
packets.
|
| 11 |
sysstat |
This is a UNIX service that lists all the running
processes on a machine and who started them.
This gives an intruder a huge amount of information
that might be used to compromise the machine,
such as revealing programs with known vulnerabilities
or valid user account names. It is similar to the
output of the UNIX "ps" command.
ICMP doesn't have ports; if you see something
that says "ICMP port 11", it probably means
ICMP type 11 (Time Exceeded, the message that
traceroute relies on).
|
| 19 |
chargen |
This is a service that simply spits out characters.
The UDP version responds with a packet of garbage
characters whenever any UDP packet is received.
On a TCP connection, it spits out a stream of
garbage characters until the connection is closed.
Hackers can take advantage of IP spoofing for
denial of service attacks: forging UDP packets
between two chargen servers, or between a chargen
and an echo server, overloads links as the two
servers attempt to bounce the traffic back and
forth forever. Likewise, the "fraggle" DoS attack
broadcasts a packet destined to this port with a
forged victim source address, and the victim gets
overloaded with all the responses. [CA-96.01]
|
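The echo/chargen loop and the fraggle amplifier described in the two rows above, as an added example (not code from the original FAQ): a small simulation with no real sockets, where hosts, addresses and the 72-byte chargen reply size are constructed for illustration. It also shows why one mitigation several vendors shipped after CA-96.01, refusing to answer a datagram whose source port is itself a reflecting service, kills the loop at the first packet; disabling the services entirely is the other option.

```python
"""Simulation of the UDP echo/chargen loop and the fraggle amplifier.

Added example, not code from the original FAQ. Hosts, addresses and packet
sizes are constructed for illustration and no real sockets are opened.
A datagram is a tuple (src, sport, dst, dport, size).
"""
from collections import deque

ECHO, CHARGEN = 7, 19
REFLECTORS = {ECHO, CHARGEN}
CHARGEN_REPLY_SIZE = 72      # constructed: one chargen line of output


def daemon_reply(pkt, hardened=False):
    """What an echo or chargen daemon sends back for one datagram.

    Unpatched daemons answer anything. A hardened daemon refuses to answer
    datagrams whose *source* port is itself a reflecting service, so two
    reflectors can never be tricked into talking to each other.
    Returns the reply datagram, or None if nothing is sent.
    """
    src, sport, dst, dport, size = pkt
    if dport not in REFLECTORS:
        return None
    if hardened and sport in REFLECTORS:
        return None
    if dport == ECHO:
        return (dst, ECHO, src, sport, size)          # echo: same size back
    return (dst, CHARGEN, src, sport, CHARGEN_REPLY_SIZE)


def run_loop(forged, max_packets, hardened=False):
    """Deliver datagrams between the two hosts until the exchange dies out
    or max_packets have been sent. Returns the number of packets sent."""
    queue = deque([forged])
    sent = 0
    while queue and sent < max_packets:
        pkt = queue.popleft()
        sent += 1
        reply = daemon_reply(pkt, hardened)
        if reply is not None:
            queue.append(reply)
    return sent


def fraggle_bytes_to_victim(victim, subnet_hosts, dport, request_size=40):
    """Bytes the victim receives when one spoofed request (source address =
    victim) is sent to the subnet broadcast and every host in subnet_hosts
    runs the service on dport. Returns (bytes_received, amplification)."""
    total = 0
    for host in subnet_hosts:
        reply = daemon_reply((victim, 1025, host, dport, request_size))
        if reply is not None:
            total += reply[4]
    return total, total / request_size


if __name__ == "__main__":
    # One forged datagram: "from" host A's echo port, "to" host B's chargen port.
    forged = ("10.0.0.1", ECHO, "10.0.0.2", CHARGEN, 40)
    print("unpatched loop packets:", run_loop(forged, 1000))        # 1000 (never ends)
    print("hardened loop packets: ", run_loop(forged, 1000, True))  # 1
    hosts = [f"192.0.2.{i}" for i in range(1, 51)]                  # constructed /24
    print("fraggle via chargen:", fraggle_bytes_to_victim("198.51.100.7", hosts, CHARGEN))
```

The unpatched case never terminates on its own (the cap of 1000 is the only thing that stops it), which is exactly the "as fast as they can" behaviour of the advisory; the hardened daemon drops the forged packet because its source port is 7, and nothing further happens. With 50 chargen hosts on the broadcast subnet, one 40-byte spoofed request becomes 3600 bytes at the victim, a 90x amplification.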
| 21 |
FTP |
The most common attack you will see is hackers/crackers
looking for "open anonymous" FTP servers. These
are servers with directories that can be both written
to and read from by anonymous users. Hackers/crackers
use these machines as way-points for transferring warez
(pirated programs) and pr0n (intentionally misspelled
word to avoid search engines classifying this
document).
|
| 22 |
ssh
pcAnywhere |
TCP connections to this port might indicate a search
for ssh, which has had a few exploitable flaws. Many
versions built with the RSAREF library can be
exploited if they are configured in a certain
fashion. (Suggestion: run ssh on some other port.
This hides it from port-22 sweeps but does not fix
the flaw, so upgrade as well.)
Also note that the ssh package comes with a program
called make-ssh-known-hosts that scans a domain for
ssh hosts. You will sometimes be scanned by innocent
people running this utility.
UDP (rather than TCP) packets directed at this port,
together with packets to port 5632, indicate a scan
for pcAnywhere. The number 5632 is 0x1600 in hex,
which byte-swapped is 0x0016, i.e. 22 decimal.
|
| 23 |
Telnet |
The intruder is looking for a remote login to UNIX.
Most of the time intruders scan for this port
simply to find out more about what operating
system is being used (the login banner usually
reveals it). In addition, if the intruder finds
passwords using some other technique, they will
try the passwords here.
|
| 25 |
SMTP |
Spammers are looking for SMTP servers that allow
them to "relay" spam. Since spammers keep getting
their accounts shut down, they use dial-ups to
connect to high-bandwidth e-mail servers and then
send a single message to the relay with multiple
recipient addresses; the relay then forwards it to
all the victims. SMTP servers (esp. sendmail) are
one of the favorite ways to break into systems
because they must be exposed to the Internet as a
whole and e-mail routing is complex (complexity
+ exposure = vulnerability).
|
| 53 |
DNS |
DNS. Hackers/crackers may be attempting to do zone
transfers (TCP), to spoof DNS (UDP), or even to
hide other traffic inside it, since port 53 is
frequently neither filtered nor logged by firewalls.
An important thing to note is that you will
frequently see port 53 used as the source UDP
port. Stateless (packet-filter) firewalls frequently
allow any such traffic on the assumption that it is
a response to a DNS query, even when no query was
ever sent. Hackers are increasingly exploiting this
to pierce firewalls: a packet sent from source port
53 to any port on an inside machine passes the
filter. A stateful firewall only admits the reply
that matches an outbound query it has already seen.
|
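The source-port-53 hole from the row above, as an added example (not code from the original FAQ): a stateless inbound rule set beside a minimal stateful filter, run over constructed packets. The protected network 10.1.0.0/24, its name server 10.1.0.53, the outside resolver 192.0.2.53 and the attacker 198.51.100.9 are all assumptions for the illustration.

```python
"""Stateless vs. stateful handling of packets with UDP source port 53.

Added example, not code from the original FAQ. The network, rule set and
packets below are constructed: 10.1.0.0/24 is the protected network,
10.1.0.53 its DNS server, and 198.51.100.9 the attacker.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

INSIDE = "10.1.0."           # constructed internal prefix
DNS_SERVER = "10.1.0.53"     # constructed


def stateless_allows(pkt):
    """A 1990s packet-filter rule set for inbound packets: it can only look
    at the header, so 'source port 53' is taken as proof of a DNS reply."""
    if pkt.proto == "udp" and pkt.sport == 53:
        return True                          # the hole described above
    if pkt.proto == "udp" and pkt.dport == 53 and pkt.dst == DNS_SERVER:
        return True                          # queries to our name server
    return False


class StatefulFilter:
    """Remembers outbound queries and admits only their matching replies."""

    def __init__(self):
        self.pending = set()

    def outbound(self, pkt):
        if pkt.proto == "udp" and pkt.dport == 53 and pkt.src.startswith(INSIDE):
            # remember the 4-tuple the reply must carry, reversed
            self.pending.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_allows(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.pending:
            self.pending.discard(key)        # one reply per query
            return True
        return pkt.proto == "udp" and pkt.dport == 53 and pkt.dst == DNS_SERVER


def compare(outbound, inbound):
    """Return [(packet, stateless verdict, stateful verdict), ...]."""
    sf = StatefulFilter()
    for pkt in outbound:
        sf.outbound(pkt)
    return [(pkt, stateless_allows(pkt), sf.inbound_allows(pkt)) for pkt in inbound]


# constructed traffic
QUERY = Packet("udp", "10.1.0.20", 4321, "192.0.2.53", 53)      # inside host asks a resolver
REPLY = Packet("udp", "192.0.2.53", 53, "10.1.0.20", 4321)      # the legitimate answer
PROBE = Packet("udp", "198.51.100.9", 53, "10.1.0.20", 137)     # NetBIOS probe from port 53
REPLAY = Packet("udp", "192.0.2.53", 53, "10.1.0.20", 4321)     # the same answer, again

if __name__ == "__main__":
    for pkt, sl, st in compare([QUERY], [REPLY, PROBE, REPLAY]):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport:<5} "
              f"stateless={sl!s:5} stateful={st}")
```

The stateless filter passes the NetBIOS probe purely because it was sent from port 53; the stateful filter rejects it because no inside host asked 198.51.100.9 anything, and also rejects a second copy of a reply once the first has consumed the pending entry. (A spoofed reply that arrives inside the window with the right 4-tuple would still pass the stateful filter; that is the DNS spoofing problem, which is separate from the firewall-piercing trick described here.)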
| 67 and 68 |
bootp
DHCP |
Bootp/DHCP over UDP. Firewalls hooked to DSL
and cable-modem lines see a ton of these sent
to the broadcast address 255.255.255.255.
These machines are asking for an address
assignment from a DHCP server. You could probably
hack into them by answering with such an assignment
and specifying yourself as the local router (or
DNS server), then executing a wide range of
man-in-the-middle attacks. The client sends its
request from port 68 (bootpc) as a broadcast to
port 67 (bootps). The server sends the response
from port 67 back to port 68, usually also as a
broadcast, because the client doesn't yet have an
IP address that the response can be sent to.
|
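What a rogue DHCP server actually controls, as an added example (not code from the original FAQ): a builder and parser for a minimal DHCP OFFER (RFC 2131 fixed header, magic cookie, TLV options), plus a check of the kind a rogue-server detector performs, comparing the offered router (option 3), DNS server (option 6) and server identifier (option 54) against the addresses that are supposed to be there. The 192.0.2.0/24 subnet, the gateway 192.0.2.1, the DHCP/DNS server 192.0.2.2 and the attacker 192.0.2.66 are constructed; the OFFER bytes are built in-process, so nothing touches the network.

```python
"""Decode a DHCP OFFER and check whose router it is handing out.

Added example, not code from the original FAQ. The OFFER bytes are built
by build_offer() so the example runs offline; the gateway, server and
attacker addresses are assumptions for a hypothetical 192.0.2.0/24 subnet.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
DHCPOFFER = 2
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255


def build_offer(yiaddr, router, dns, server_id, xid=0x3903F326):
    """Minimal BOOTP/DHCP OFFER: 236-byte fixed header, cookie, options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0,            # op, htype=ethernet, hlen, hops
        xid, 0, 0x8000,                # xid, secs, flags (broadcast bit set)
        b"\0" * 4,                     # ciaddr
        socket.inet_aton(yiaddr),      # yiaddr: the address being offered
        b"\0" * 4, b"\0" * 4,          # siaddr, giaddr
        b"\x00\x11\x22\x33\x44\x55" + b"\0" * 10,   # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,       # sname, file
    )
    options = b"".join([
        bytes([OPT_MSG_TYPE, 1, DHCPOFFER]),
        bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id),
        bytes([OPT_SUBNET, 4]) + socket.inet_aton("255.255.255.0"),
        bytes([OPT_ROUTER, 4]) + socket.inet_aton(router),
        bytes([OPT_DNS, 4]) + socket.inet_aton(dns),
        bytes([OPT_END]),
    ])
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(data):
    """Return op, xid, yiaddr and a {code: raw bytes} option map."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:                  # pad option has no length byte
            i += 1
            continue
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": socket.inet_ntoa(data[16:20]),
            "options": options}


def check_offer(data, trusted_servers, trusted_routers, trusted_dns):
    """List what is wrong with an OFFER; an empty list means it looks genuine.
    Only the first address of multi-valued options 3 and 6 is inspected."""
    msg = parse_dhcp(data)
    opts = msg["options"]
    if msg["op"] != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return ["not a DHCP OFFER"]
    findings = []
    server = socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    router = socket.inet_ntoa(opts[OPT_ROUTER][:4]) if OPT_ROUTER in opts else None
    dns = socket.inet_ntoa(opts[OPT_DNS][:4]) if OPT_DNS in opts else None
    if server not in trusted_servers:
        findings.append(f"offer from unknown DHCP server {server}")
    if router not in trusted_routers:
        findings.append(f"router {router} is not the real gateway")
    if dns not in trusted_dns:
        findings.append(f"DNS server {dns} is not the real resolver")
    return findings


def sample_offers():
    """(legitimate offer, rogue offer) for the constructed subnet."""
    legit = build_offer("192.0.2.100", "192.0.2.1", "192.0.2.2", "192.0.2.2")
    rogue = build_offer("192.0.2.100", "192.0.2.66", "192.0.2.66", "192.0.2.66")
    return legit, rogue


if __name__ == "__main__":
    for label, offer in zip(("legit", "rogue"), sample_offers()):
        print(label, check_offer(offer, {"192.0.2.2"}, {"192.0.2.1"}, {"192.0.2.2"}))
```

The rogue OFFER is byte-for-byte a valid DHCP message; the only thing that distinguishes it is that the router and DNS it names are the attacker's own address, which is why a detector has to know what the legitimate values are rather than validate the packet format.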
| 69 |
TFTP |
(over UDP). Many servers support this protocol in
conjunction with BOOTP in order to download boot
code to the system. However, they are frequently
misconfigured to serve any file on the system,
such as password files, since TFTP has no
authentication at all. They can also be used to
write files to the system.
|
| 79 |
finger |
Hackers
are trying to:
|
| 98 |
linuxconf |
The utility "linuxconf" provides easy administration
of Linux boxen. It includes a web-enabled interface
at port 98 through an integrated HTTP server. It has
had a number of security issues: some versions are
setuid root, trust the local network, create
world-accessible files in /tmp, and have a buffer
overflow in the handling of the LANG environment
variable. Also, because it contains an integrated
web server, it may be vulnerable to many of the
typical HTTP exploits (buffer overruns, directory
traversal using ../.., etc.).
|
| 109 |
POP2 |
POP2
is not nearly as popular as POP3 (see below),
but many servers support both (for backwards
compatibility). Many of the holes that can be
exploited on POP3 can also be exploited via
the POP2 port on the same server.
|
| 110 |
POP3 |
POP3
is used by clients accessing e-mail on their
servers. POP3 services have many well-known
vulnerabilities. At least 20 implementations
are vulnerable to a buffer overflow in the username
or password exchange (meaning that hackers can
break in at this stage before really logging
in). There are other buffer overflows that can
be executed after successfully logging in.
|
| 111 |
sunrpc
portmap
rpcbind |
Sun RPC PortMapper/RPCBIND. Access to portmapper
is the first step in scanning a system looking
for all the RPC services enabled, such as rpc.mountd,
NFS, rpc.statd, rpc.cmsd, rpc.ttdbserverd, amd, etc.
If the intruder finds the appropriate service
enabled, s/he will then run an exploit against
the port where the service is running.
Note that by putting a logging daemon, IDS, or
sniffer on the wire, you can see which RPC program
numbers the intruder asks the portmapper for, and
so figure out exactly what is going on.
|
| 113 |
identd
auth |
This is a protocol that runs on many machines and
identifies the user (account name) owning the local
end of a TCP connection. In standard usage this
reveals a LOT of information about a machine that
hackers can exploit. However, it is used by a lot
of servers for logging, especially FTP, POP, IMAP,
SMTP, and IRC servers: when your client connects to
them, the server connects back to port 113 on your
machine to ask who you are. In general, if you have
any clients accessing these services through a
firewall, you will see incoming connection attempts
on this port. Note that if your firewall silently
drops this port, clients will perceive slow
connections to e-mail servers on the other side of
the firewall, because the server waits for its
ident lookup to time out before proceeding. Many
firewalls support sending back a RST on the TCP
connection as part of the blocking procedure
(reject rather than drop), which tells the server
immediately that no ident is available and stops
these slow connections.
|
| 119 |
NNTP
news |
Network
News Transfer Protocol, carries USENET traffic.
This is the port used when you have a URL like
news://comp.security.firewalls/.
Attempts on this port are usually by people
hunting for open USENET servers. Most ISPs restrict
access to their news servers to only their customers.
Open news servers allow posting and reading
from anybody, and are used to access newsgroups
blocked by someone's ISP, to post anonymously,
or to post spam.
Update: @Home has started scanning their
subscribers to see if they are running USENET
servers. They are doing this in order to find
these servers and close them before spammers
can take advantage of them.
|
| 135 |
loc-serv
MS RPC end-point mapper |
Microsoft runs its DCE RPC end-point mapper for
its DCOM services at this port.
This
has much the same functionality as port
111 for UNIX systems. Services that use
DCOM and/or RPC register their location with
the end-point mapper on the machine. When
clients remotely connect to the machine, they
query the end-point mapper to find out where
the service is. Likewise, hackers can scan
the machine on this port in order to find
out such things as "is Exchange Server running
on this machine, and which version?".
This
port is often hit in order to scan for services
(for example, using the "epdump" utility),
but this port may also be attacked directly.
Currently, there are a few denial-of-service
attacks that can be directed at this port.
|
| 137 |
NetBIOS
name service
nbtstat |
(UDP) This is
the most common item seen by firewall administrators
and is perfectly normal. Please read the NetBIOS
section below for more details.
|
| 139 |
NetBIOS
File and Print Sharing |
Incoming connections to this port are trying
to reach NetBIOS/SMB, the protocols used for
Windows "File and Print Sharing" as well as
SAMBA. People sharing their hard disks on this
port are probably the most common vulnerability
on the Internet.
Attempts
on this port were common at the beginning
of 1999, but tapered off near the end. Now
at the start of year 2000, attempts on this
port have picked up again. Several VBS (IE5
VisualBasic Scripting) worms have appeared
that attempt to copy themselves on this port.
Therefore, it may be worms attempting to propagate
on this port.
|
| 143 |
IMAP4 |
Same
security idea as POP3 above, numerous IMAP servers
have buffer overflows that allow compromise
during the login. Note that for awhile, there
was a Linux worm (admw0rm) that would spread
by compromising port 143, so a lot of scans
on this port are actually from innocent people
who have already been compromised. IMAP exploits
became popular when RedHat enabled the service
by default on its distributions. In fact, this
may have been the first widely scanned for exploit
since the Morris Worm.
This
port is also used for IMAP2, but that version
wasn't very popular.
Several
people have noted attacks from port 0 to port
143, which appears to be from some attack
script.
|
| 161 |
SNMP |
(UDP) A very common port that intruders probe for.
SNMP allows for remote management of devices.
All the configuration and performance information
is stored in a database (the MIB) that can be
retrieved or set via SNMP. Many managers mistakenly
leave this available on the Internet. Crackers will
first attempt to use the default community strings
"public" (read) and "private" (read/write) to access
the system; they may then attempt to "crack" the
community string by trying many candidates, which
is easy because SNMPv1/v2c send it in cleartext
and nothing limits the rate of guesses.
SNMP packets may be mistakenly directed at your
network. Windows machines running HP JetDirect
remote management software use SNMP, and
misconfigured machines are frequent; HP OBJECT
IDENTIFIERs will be seen in the packets. Newer
versions of Win98 will use SNMP for name resolution;
you will see packets broadcast on local subnets
(cable modem, DSL) looking up sysName and
other info.
|
| 162 |
SNMP
trap |
Probably a misconfiguration.
|
| 177 |
xdmcp |
Numerous hacks may allow access to an X-Window
console; it needs port 6000 open as well in
order to really succeed.
|
| 513 |
rwho |
Probably from UNIX machines on your DSL/cable-modem
segment broadcasting who is logged into their
servers. These people are kindly giving you
really interesting information that you can
use to hack into their systems.
|
| 535 |
CORBA
IIOP |
(UDP)
If you are on a cable-modem or DSL VLAN, then
you may see broadcasts to this port. CORBA is
an object-oriented remote procedure call (RPC)
system. It is highly likely that when you see
these broadcasts, you can use the information
to hack back into the systems generating these
broadcasts.
|
| 600 |
pcserver
backdoor |
See
port
1524 for more info.
Some
script kiddies feel they're contributing substantially
to the exploit programs by making a minor
change from ingreslock to pcserver
in constant text... -- Alan J. Rosenthal.
|
| 635 |
mountd |
Linux mountd bug. This is a popular bug that people
are scanning for. Most scans on this port are
UDP-based, but they are increasingly TCP-based
(mountd listens on both simultaneously).
Note that mountd can run at any port (which is why
a portmap lookup at port 111 is normally needed
first); it is just that Linux defaulted to port
635, in much the same way that NFS itself
universally runs at port 2049.
|
| 1024 |
----- |
Many people ask what this port is used for. The
answer is that this is the first port number in
the dynamic (ephemeral) range of ports. Many
applications don't care what port they use for a
network connection, so they ask the operating system
to assign the "next freely available port". In
point of fact, they ask for port 0, but are assigned
one starting with port 1024. This means the first
application on your system that requests a dynamic
port will be assigned port 1024. You can test this
fact by booting your computer, then in one window
opening a Telnet session, and in another window
running "netstat -a". You will see that the Telnet
application has been assigned port 1024 for its end
of the connection. As more applications request more
and more dynamic ports, the operating system assigns
increasingly higher port numbers. Again, you can
watch this effect with 'netstat' as you browse the
Internet with your web browser, as each web page
requires a new connection.
(Note that this describes the systems of the time.
Later operating systems start their ephemeral range
much higher, typically at 32768 or 49152, and many
choose ports randomly rather than sequentially,
precisely so that an outsider cannot predict the
next one.)
|
| 1025 |
----- |
See
port
1024.
|
| 1026 |
----- |
See
port
1024.
|
| 1027 |
----- |
See
port
1024.
|
| 1080 |
SOCKS |
This protocol tunnels traffic through firewalls,
allowing many people behind the firewall access
to the Internet through a single IP address.
In theory, it should only tunnel inside traffic
out towards the Internet. However, it is frequently
misconfigured and allows hackers/crackers to
tunnel their attacks inwards, or simply bounce
through the system to other Internet machines,
masking their attacks as if they were coming
from you. WinGate, a popular Windows proxy and
connection-sharing package, is frequently
misconfigured this way. Scans for this port are
often seen when joining IRC chatrooms, as IRC
servers check whether new clients are open proxies.
|
| 1114 |
SQL |
This
is rarely probed by itself, but is almost always
seen as part of the sscan
script.
|
| 1243 |
Sub-7 |
Trojan
Horse (TCP). See the section on SubSeven
for more details.
|
| 1524 |
ingreslock
backdoor |
Many attack scripts install a backdoor shell at this
port (especially those against Sun systems via
holes in sendmail and RPC services like statd,
ttdbserverd, and cmsd). If you've just installed
your firewall and are seeing connection attempts
on this port, this may be the cause: someone is
checking whether a backdoor planted earlier is
still there. Try telnetting to the targeted machine
on this port to see if it indeed comes up with a
shell; if it does, treat the machine as already
compromised. Connections to port 600/pcserver have
the same meaning. [IN-99-04]
|
| 2049 |
NFS |
The
NFS program usually runs at this port. Normally,
access to portmapper
is needed to find which port this service runs
on, but since most installations run NFS on
this port, hackers/crackers can bypass portmapper
and try this port directly.
|
| 3128 |
squid |
This is the default port for the "squid" HTTP proxy.
An attacker scanning for this port is likely
searching for a proxy server they can use to
surf the Internet anonymously. You may see scans
for other proxies at the same time, such as
at port 8000/8001/8080/8888. Another cause of
scans at this port, for a similar reason, is
when users enter chatrooms. Other users (or
the servers themselves) will attempt to check
this port to see if the user's machine supports
proxying. See section 5.3 for more info.
|
| 5632 |
pcAnywhere |
You
may see lots of these, depending on the sort
of segment you are on. When a user opens pcAnywhere,
it scans the local Class C range looking for
potential agents. Hackers/crackers also scan
looking for open machines, so look at the source
address to see which it is. Some scans for pcAnywhere
frequently also include a UDP packet to port
22. See dialup
probes for more info.
|
| 6776 |
Sub7
artifact |
This port is used separately from the SubSeven
main port to transfer data. One example where
you might see this is when a master is controlling
a slave on a dialup line and the slave machine
hangs up. When someone else then dials in and
receives that IP address, they will see a
continuous stream of connection attempts at this
port. See dialup probes for more info.
|
| 6970 |
RealAudio |
Clients
receive incoming audio streams from servers
on UDP ports in the range 6970-7170. This is
setup by the outgoing control connection on
TCP port 7070.
|
| 13223 |
PowWow |
The
"PowWow" chat program from Tribal Voice. It
allows users to open up private chat connections
with each other on this port. The program is
very aggressive at trying to establish the connection
and will "camp" on the TCP port waiting for
a response. This causes a connection attempt
at regular intervals like a heartbeat. This
can be seen by dial-up users who inherit IP
addresses from somebody who was chatting with
other people: it will appear as if many different
people are probing that port. The protocol uses
the letters "OPNG" as the first four bytes of
its connection attempt.
|
| 17027 |
Conducent |
Outbound: This is seen on outbound connections.
It is caused by users inside the corporation
who have installed shareware programs using
the Conducent "adbot" wrapper. This wrapper
shows advertisements to users of the shareware.
A popular shareware program that uses this is
PKware.
Bill Royds mentions that in his experience,
you can block this outbound connection with
no problem, but if you block the IP addresses
themselves, then the adbots can overload the
link trying to reach the servers by continually
connecting many times per second.
The
machines will attempt to resolve the DNS name
"ads.conducent.com", which resolves to the
IP addresses:
216.33.210.40
216.33.199.77
216.33.199.80
216.33.199.81
216.33.210.41
These addresses are hosted by Exodus.
|
| 27374 |
Sub-7 |
Trojan
Horse (TCP). See the section on SubSeven
for more details.
|
| 30100 |
NetSphere |
Trojan
Horse (TCP). This is a commonly seen scan
looking for systems compromised by this trojan.
|
| 31337 |
Back
Orifice
"elite" |
This number means "elite" in hacker/cracker spelling
(3=E, 1=L, 7=T). Lots of hacker/cracker backdoors
run at this port, but the most important is
Back Orifice. At one time, this was by far the
most popular scan on the Internet. These days,
its popularity is waning and other remote access
trojans are becoming popular.
|
| 31789 |
Hack-a-tack |
UDP traffic on this port is currently being seen
due to the "Hack-a-tack" RAT (Remote Access
Trojan). This trojan includes a built-in scanner
that scans from port 31790, so any packets FROM
source port 31790 TO destination port 31789
indicate a possible intrusion, or at least a scan
by an already infected machine. (Port 31789 is the
control connection; port 31790 is the file transfer
connection.)
|
| 32770 ~ 32900 |
RPC
services |
Sun
Solaris puts most of its RPC services in this
range. In particular, older versions of Solaris
(pre-2.5.1) put a portmapper
in this range, allowing hackers access to this
even when low ports are blocked by a firewall.
Probes in this range might either be for this
portmapper, or for known RPC
services that can be exploited.
|
| 33434 - 33600 |
traceroute |
If you see a series of UDP packets within this
port range (and only within this range), then
it is probably indicative of traceroute. See
traceroute for more info.
|
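Telling a traceroute from a scan that merely lands in the same range, as an added example (not code from the original FAQ). Classic UDP traceroute sends three probes per hop, starting at destination port 33434 and incrementing the port by one for every probe; probes that expire upstream never reach you, so your firewall sees a run of consecutive ports that starts somewhere above 33434 rather than at the base port. The log-line format "UDP src:sport -> dst:dport" and all addresses are constructed for the example and are not any particular firewall's format.

```python
"""Distinguish a UDP traceroute from a port scan in the 33434-33600 range.

Added example, not code from the original FAQ. The log lines are
constructed in an assumed format "UDP src:sport -> dst:dport".
"""
import re
from collections import defaultdict

TRACEROUTE_BASE, TRACEROUTE_TOP = 33434, 33600
MIN_PROBES = 3                       # one hop's worth of probes
LOG_RE = re.compile(r"UDP (\S+):(\d+) -> (\S+):(\d+)")


def parse(lines):
    """Extract (src, dst, dport) from log lines; lines that don't match are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.append((m.group(1), m.group(3), int(m.group(4))))
    return out


def classify(packets):
    """Label each (src, dst) flow 'traceroute', 'scan' or 'other'.

    traceroute: every port in range AND ports strictly consecutive in
                arrival order AND at least one full hop of probes.
    scan:       ports in the range but not in traceroute order.
    other:      anything touching ports outside the range.
    """
    flows = defaultdict(list)
    for src, dst, dport in packets:
        flows[(src, dst)].append(dport)
    verdicts = {}
    for key, ports in flows.items():
        in_range = all(TRACEROUTE_BASE <= p <= TRACEROUTE_TOP for p in ports)
        consecutive = ports == list(range(ports[0], ports[0] + len(ports)))
        if in_range and consecutive and len(ports) >= MIN_PROBES:
            verdicts[key] = "traceroute"
        elif in_range:
            verdicts[key] = "scan"
        else:
            verdicts[key] = "other"
    return verdicts


SAMPLE_LOG = [                                   # constructed
    "UDP 203.0.113.5:40123 -> 192.0.2.10:33461",  # hop 10, probe 1 (earlier ones expired upstream)
    "UDP 203.0.113.5:40123 -> 192.0.2.10:33462",
    "UDP 203.0.113.5:40123 -> 192.0.2.10:33463",
    "UDP 198.51.100.9:1025 -> 192.0.2.10:137",    # unrelated NetBIOS probe
    "UDP 203.0.113.5:40123 -> 192.0.2.10:33464",  # hop 11
    "UDP 203.0.113.5:40123 -> 192.0.2.10:33465",
    "UDP 203.0.113.5:40123 -> 192.0.2.10:33466",
    "UDP 198.51.100.77:2000 -> 192.0.2.10:33434", # scanner poking the famous ports
    "UDP 198.51.100.77:2000 -> 192.0.2.10:33500",
    "UDP 198.51.100.77:2000 -> 192.0.2.10:33600",
    "TCP 198.51.100.77:2001 -> 192.0.2.10:22",    # not UDP: ignored by parse()
]


def classify_sample():
    return classify(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for (src, dst), verdict in classify_sample().items():
        print(f"{src} -> {dst}: {verdict}")
```

This is a heuristic on ports alone: a deliberate sequential scan of exactly 33434-33600 would also come out as "traceroute". If your firewall logs the IP TTL, a real traceroute arrives with TTL rising one hop at a time and draws ICMP port-unreachable replies from the target, which a scan does not.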
| 41508 |
Inoculan |
Inoculan on UDP. Older versions of Inoculan apparently
generate huge quantities of UDP traffic directed
at subnets in order to discover each other.
More info can be found at http://www.circlemud.org/~jelson/software/udpsend.html
and http://www.ccd.bnl.gov/nss/tips/inoculan/index.html.
Thanks to Jerry Leslie, NeoNET < leslie at
clio dot rice dot edu> |