Port function reference table

Posted by xiaoxiao, 2021-03-06

Computer port basics: ports can be divided into three categories:

1) Well Known Ports: from 0 to 1023. They are tightly bound to specific services. Traffic on one of these ports usually clearly indicates the protocol of that service. For example, port 80 is almost always HTTP traffic.

2) Registered Ports: from 1024 to 49151. They are loosely bound to services; that is, many services are bound to these ports, but the ports are also used for many other purposes. For example, many systems allocate dynamic ports starting at around 1024.

3) Dynamic and/or Private Ports: from 49152 to 65535. In theory these ports should not be assigned to any service. In practice, machines usually allocate dynamic ports starting at 1024. There are exceptions: Sun's RPC ports start at 32768.

This section describes the TCP/UDP port scans commonly seen in firewall logs. Remember: there is no such thing as an ICMP port. If you are interested in interpreting ICMP data, refer to the other parts of this article.
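To show how the three categories above and the per-port meanings that follow are applied when reading a firewall log, here is an added Python example (not part of the original FAQ). The log-line format, the sample lines and the service table are assumptions chosen for this demonstration; the port meanings themselves are taken from the entries below, and the byte-swap helper illustrates the 5632/22 pcAnywhere relationship described under port 22.

```python
"""Classify ports and annotate constructed firewall log lines.
Added example, not part of the original FAQ. The log line format,
the sample lines and the service table are assumptions chosen for
this demonstration; the port meanings are taken from the text."""
import re

def port_category(port: int) -> str:
    """Return the category the text defines for a port number."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def byte_swapped(port: int) -> int:
    """Swap the two bytes of a 16-bit port, e.g. 5632 (0x1600) -> 22 (0x0016).
    The text notes that pcAnywhere scans use UDP 5632 and 22 this way."""
    return ((port & 0xFF) << 8) | (port >> 8)

# A subset of the destination-port meanings listed in the text,
# keyed by (protocol, port).
SERVICES = {
    ("tcp", 1): "TCPMUX (probe for IRIX machines with default accounts)",
    ("udp", 7): "echo (search for Fraggle amplifiers)",
    ("tcp", 21): "FTP (search for anonymous servers)",
    ("tcp", 111): "SunRPC portmapper (first step of an RPC service scan)",
    ("udp", 137): "NetBIOS name service (nbtstat)",
    ("tcp", 139): "NetBIOS/SMB file and print sharing",
    ("udp", 161): "SNMP (default community string probing)",
    ("tcp", 1524): "ingreslock backdoor shell",
    ("tcp", 27374): "SubSeven trojan",
    ("tcp", 31337): "Back Orifice",
    ("udp", 31789): "Hack-a-Tack control connection",
    ("udp", 31790): "Hack-a-Tack file transfer connection",
    ("udp", 5632): "pcAnywhere (pairs with UDP 22, byte-swapped)",
}

# Port ranges the text describes: (protocol or "*", low, high, meaning).
RANGES = [
    ("udp", 33434, 33600, "traceroute probe"),
    ("*", 32770, 32900, "Sun Solaris RPC service"),
    ("udp", 27910, 27961, "Quake game traffic"),
]

# Constructed log format: "<proto> <src ip>:<sport> -> <dst ip>:<dport>"
LOG_RE = re.compile(
    r"^(?P<proto>tcp|udp) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

def describe(proto: str, port: int) -> str:
    """Look up a destination port: exact match first, then the ranges."""
    hit = SERVICES.get((proto, port))
    if hit:
        return hit
    for rproto, lo, hi, meaning in RANGES:
        if rproto in ("*", proto) and lo <= port <= hi:
            return meaning
    return "no entry in the table"

def annotate(line: str) -> dict:
    """Parse one log line and attach port categories and meaning."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    proto = m["proto"]
    sport, dport = int(m["sport"]), int(m["dport"])
    return {
        "proto": proto,
        "src": m["src"], "sport": sport, "sport_category": port_category(sport),
        "dst": m["dst"], "dport": dport, "dport_category": port_category(dport),
        "meaning": describe(proto, dport),
    }

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "udp 203.0.113.5:1031 -> 192.0.2.10:137",
    "tcp 203.0.113.5:2048 -> 192.0.2.10:31337",
    "udp 198.51.100.9:40123 -> 192.0.2.10:33500",
    "tcp 203.0.113.7:55000 -> 192.0.2.10:8080",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        a = annotate(line)
        print(f"{line:45} dst {a['dport_category']:15} {a['meaning']}")
```

The table only covers destination ports that appear in the text; a real deployment would extend SERVICES and RANGES from the same list and feed it lines in the firewall's own log format.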

0 Usually used to fingerprint the operating system. This works because on some systems port 0 is an invalid port, which produces a different result than connecting to an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

1 TCPMUX This indicates that someone is looking for SGI IRIX machines. IRIX is the main implementer of TCPMUX, which is enabled by default on that system. IRIX machines ship with several default password-less accounts such as LP, Guest, UUCP, NUUCP, DEMOS, TUTOR, DIAG, EZSETUP, OUTOFBOX, and 4DGIFTS. Many administrators forget to delete these accounts, so hackers search the Internet for TCPMUX and then use these accounts.

7 Echo You will see many people searching for Fraggle amplifiers, sending to x.x.x.0 and x.x.x.255.

A common DoS attack is the echo loop: the attacker forges a UDP packet from one machine to another, and the two machines then respond to each other's packets as fast as they can. (See Chargen.)

Another thing you may see is a TCP connection to this port from DoubleClick. They have a product called "Resonate Global Dispatch" which connects to this port on DNS servers to determine the nearest route.

The Harvest/Squid cache sends UDP echo from port 3130: "If the cache's source_ping option is turned on, it echoes a hit reply to the UDP echo port of the original host." This generates a lot of such packets.

11 sysstat This is a UNIX service that lists all the processes running on the machine and what started them. This gives an intruder a lot of information that endangers the machine, such as exposing programs with known weaknesses or accounts. It is similar to the output of the "ps" command on a UNIX system.

Once again: ICMP has no ports; "ICMP port 11" usually means ICMP type 11.

19 Chargen This is a service that just sends characters. The UDP version responds with a packet of garbage characters whenever it receives a UDP packet. On a TCP connection it sends a stream of garbage characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks: they forge UDP packets between two chargen servers, or between a chargen server and an echo server, and since each server keeps trying to respond, the unlimited round-trip traffic overloads them. Similarly, the Fraggle DoS attack broadcasts packets with a forged victim IP to this port on the target addresses, and the victim is overloaded responding to the data.

21 FTP The most common attacker is looking for anonymous FTP servers. These servers have directories that are both readable and writable. Hackers or crackers use these servers as nodes for transferring warez (pirated programs) and pr0n (intentionally misspelled words).

22 SSH pcAnywhere A TCP connection to this port may be looking for SSH. This service has many weaknesses. If configured in certain modes, many versions have vulnerabilities in the RSAREF library. (It is recommended to run SSH on another port.)

Note also that the SSH toolkit includes a program called make-ssh-known-hosts, which scans an entire domain for SSH hosts. You may sometimes be hit by such unintentional scans.

A UDP (rather than TCP) connection to port 5632 on the other end indicates a pcAnywhere scan. 5632 (hexadecimal 0x1600) byte-swapped is 0x0016 (22).

23 Telnet Intruders are searching for UNIX systems that allow remote login. In most cases, intruders scan this port to find out which operating system is running. In addition, using other techniques, the intruder will look for passwords.

25 SMTP Spammers look for SMTP servers to deliver their spam. The spammer's own accounts are always being shut down, so they need to dial up and connect to a high-bandwidth e-mail server that relays a simple message to many different addresses. SMTP servers (especially Sendmail) are one of the most common ways of breaking into a system, because they must be fully exposed to the Internet and mail routing is complex (exposure + complexity = weakness).

53 DNS Hackers or crackers may be attempting a zone transfer (TCP), spoofing DNS (UDP), or hiding other traffic. Therefore firewalls often filter or log port 53.

Note that you will often see port 53 as a UDP source port. Stateless firewalls typically allow this traffic, assuming it is a reply to a DNS query. Hackers often use this method to penetrate firewalls.
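The state that a stateless filter lacks is a record of which DNS queries actually went out. The following added Python example (not part of the original FAQ) keeps that record and flags inbound UDP packets with source port 53 that answer no query the firewall saw leave. The packet record format and the sample traffic are constructed for this demonstration; matching on the DNS transaction ID, which a real resolver check would also do, is omitted.

```python
"""Detect inbound UDP packets with source port 53 that do not answer a
DNS query the firewall saw going out. Added example, not part of the
original FAQ; the packet record format and the sample traffic below
are constructed for this demonstration."""
from typing import NamedTuple

class Packet(NamedTuple):
    ts: float        # seconds
    direction: str   # "out" = leaving the protected network, "in" = entering it
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def unsolicited_dns_replies(packets, window: float = 5.0):
    """Return inbound UDP packets with source port 53 that have no matching
    outbound query (same client address/port and same server) within
    `window` seconds. A real check would also compare the DNS transaction
    ID; that is omitted here."""
    pending = {}   # (client ip, client port, server ip) -> query timestamp
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "udp":
            continue
        if p.direction == "out" and p.dport == 53:
            # remember the query so its answer can be recognised
            pending[(p.src, p.sport, p.dst)] = p.ts
        elif p.direction == "in" and p.sport == 53:
            key = (p.dst, p.dport, p.src)
            sent = pending.pop(key, None)
            if sent is None or p.ts - sent > window:
                alerts.append(p)   # source port 53, but nothing asked for it
    return alerts

# Constructed traffic (RFC 5737 addresses): one legitimate query/answer
# pair, and one inbound packet that borrows source port 53 to reach the
# NetBIOS port.
SAMPLE = [
    Packet(0.0, "out", "udp", "192.0.2.10", 40001, "198.51.100.53", 53),
    Packet(0.1, "in", "udp", "198.51.100.53", 53, "192.0.2.10", 40001),
    Packet(3.0, "in", "udp", "203.0.113.7", 53, "192.0.2.10", 139),
]

if __name__ == "__main__":
    for p in unsolicited_dns_replies(SAMPLE):
        print(f"{p.ts:5.1f} unsolicited source-port-53 packet "
              f"{p.src} -> {p.dst}:{p.dport}")
```

A stateful firewall does the same bookkeeping in its connection table; the point of the function is that the decision is made on the remembered outbound query, not on the source port alone.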

67 and 68 BootP/DHCP (UDP) Firewalls behind DSL and cable modems often see data sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. A hacker can often get in by assigning them an address and posing as the local router, launching many "man-in-the-middle" attacks. The client is configured to broadcast its request to port 68 (bootps), and the server broadcasts its response to port 67 (bootpc). The response is broadcast because the client does not yet know an IP address it can be sent to.

69 TFTP (UDP) Many servers provide this together with BootP so that systems can download boot code. But they are often misconfigured to serve any file on the system, such as password files. They can also be used to write files to the system.

79 Finger Hackers use it to obtain user information, identify the operating system, probe known buffer overflow errors, and make the machine relay finger scans to other machines.

98 linuxconf This program provides simple administration of Linux boxes. It provides a web-based service on port 98 through an integrated HTTP server. Many security problems have been found in it: some versions are setuid root, trust the local network, create Internet-accessible files, and have a buffer overflow in the LANG environment variable. Also, because it contains an integrated HTTP server, many typical HTTP vulnerabilities may exist (buffer overflows, directory traversal, etc.).

109 POP2 Not as well known as POP3, but many servers provide both services (for backward compatibility). The POP3 vulnerabilities on the same server also exist in POP2.

110 POP3 Used by clients to access mail on the server. POP3 services have many well-known weaknesses. There are at least 20 buffer overflow weaknesses in the username and password exchange (meaning the hacker can enter the system before logging in). There are other buffer overflow errors after a successful login.

111 SunRPC portmap rpcbind Sun RPC portmapper/rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services are allowed. Common RPC services include rpc.mountd, nfs, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. Once the intruder finds an allowed RPC service, they turn to that service's specific port to test for vulnerabilities.

Remember to check the logs of the daemon, IDS, or sniffer for this line; they show which program the intruder was accessing, so you can find out what happened.

113 ident auth This is a protocol run on many machines to identify the users of TCP connections. Using this standard service, a lot of information about a machine can be obtained (which hackers will exploit). But it is used by many services, especially FTP, POP, IMAP, SMTP, and IRC. Usually, if you have many clients accessing these services through the firewall, you will see connection requests to this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back an RST when blocking TCP connections, which stops this slowness.

119 NNTP News Network News Transfer Protocol, carrying USENET traffic. This port is usually used when you follow a link such as news://comp.security.firewalls/. Connections to this port are usually looking for a USENET server. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server allows anyone to post/read, access restricted newsgroups, post anonymously, or send spam.

135 oc-serv MS RPC end-point mapper Microsoft runs the DCE RPC end-point mapper on this port for its DCOM service. It is similar in function to UNIX port 111. Services using DCOM and/or RPC register their location with the end-point mapper on the machine. When remote clients connect to the machine, they query the end-point mapper to find the location of the service. Likewise, hackers scan the machine to find out: is there an Exchange Server on this machine? What version is it?

Besides being used to query services (such as with epdump), this port can also be used for direct attacks. There are some DoS attacks aimed directly at this port.

137 NetBIOS name service nbtstat (UDP) This is the most common thing firewall administrators see; please read the NetBIOS section later in this article carefully.

139 NetBIOS File and Print Sharing Attempts to access NetBIOS/SMB through this port. This protocol is used for Windows file and printer sharing and for Samba. Sharing your own hard drive on the Internet is the most common problem. A large number of scans of this port began in 1999 and later became less frequent; in 2000 there was a rebound. Some VBS (IE5 VisualBasic Scripting) worms started copying themselves to this port, trying to propagate through it.

143 IMAP Like the POP3 security issues above, many IMAP servers have buffer overflow vulnerabilities in the login process. Remember: a Linux worm (ADMw0rm) propagates through this port, so many scans of this port come from uninformed users who are infected. These vulnerabilities became popular when Red Hat enabled IMAP by default in their Linux distributions. It was also the most widespread worm since the Morris worm.

This port is also used by IMAP2, but that is not common.

Some reports have found that scans of ports 0 to 143 stem from a script.

161 SNMP (UDP) Intruders often probe this port. SNMP allows remote management of devices. All configuration and runtime information is stored in a database that is available through SNMP. Many administrators misconfigure it and expose it to the Internet. Crackers will try to access the system with the default passwords "public" and "private". They may test all possible combinations.

SNMP packets may be misdirected to your network. Windows machines often use SNMP for the HP JetDirect remote management software; because of misconfiguration, the HP object identifier will receive SNMP packets. New versions of Win98 use SNMP to resolve domain names; you will see these packets broadcast on the subnet (cable modem, DSL) querying sysName and other information.

162 SNMP trap May be due to misconfiguration.

177 xdmcp Many hackers access the X Window console through it; it also requires port 6000 to be open.

513 rwho May be broadcasts from UNIX machines on the subnet of a cable modem or DSL network. These provide very interesting information for hackers trying to enter the system.

553 CORBA IIOP (UDP) If you are on a cable modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers will use this information to enter the system.

600 pcserver backdoor See port 1524.

Some script kiddies think they have completely broken into a system by modifying the ingreslock and pcserver files. - Alan J. Rosenthal

635 mountd Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both protocols). Remember, mountd can run on any port (to find out which, you need to do a portmap query on port 111); Linux just defaults to port 635, just as NFS usually runs on port 2049.

1024 Many people ask what this port is for. It is the start of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the operating system to assign them the "next free port". This allocation starts at port 1024, which means the first program that requests a dynamic port from the system is assigned port 1024. To verify this, reboot the machine, open Telnet, then open another window and run "netstat -a"; you will see that Telnet was assigned port 1024. The more programs request dynamic ports, the more the operating system assigns, and the port numbers gradually get larger. Likewise, when you browse web pages and look with "netstat", you will see that each web page requires a new port.

Version 0.4.1, June 20, 2000

http://www.robertgraham.com/pubs/firewall-seen.html

Copyright 1998-2000 by Robert Graham (mailto: firewall-seen1@robertgraham.com). All rights reserved. This document may only be reproduced (whole or in part) for non-commercial purposes. All reproductions must contain this copyright notice and must not be altered, except by permission of the author.

1025 See 1024

1026 See 1024

1080 SOCKS

This protocol tunnels through the firewall, allowing many people behind the firewall to access the Internet through a single IP address. In theory it should only allow internal traffic out to the Internet. However, due to misconfiguration, it lets hackers/crackers outside the firewall pass attacks through the firewall, or simply respond to a computer on the Internet, enabling them to attack you directly. WinGate is a common Windows personal firewall that often has this misconfiguration. You will often see this when joining IRC chat rooms.

1114 SQL

Systems themselves rarely scan this port, but it is often part of the SSCAN script.

1243 SubSeven trojan (TCP)

See the Subseven section.

1524 ingreslock backdoor

Many attack scripts install a backdoor shell on this port (especially those targeting Sendmail and RPC services on Sun systems, such as statd, ttdbserver, and cmsd). If you have just installed your firewall and see connections on this port, this is probably the reason. You can try telnetting to this port on your own machine to see whether it gives you a shell. The same applies to 600/pcserver.

2049 NFS

The NFS program usually runs on this port. Normally the portmapper has to be queried to find out which port the service runs on, but in most installations NFS ends up on this port. Hackers/crackers can therefore bypass the portmapper and probe this port directly.

3128 Squid

This is the default port of the Squid HTTP proxy server. Attackers scan this port looking for anonymous access to the Internet. You will also see scans of other proxy server ports: 8000/8001/8080/8888. Another reason for scanning this port is that a user is entering a chat room; other users (or the server itself) also check this port to determine whether the user's machine supports proxying. See Section 5.3.

5632 pcAnywhere

You will see many scans of this port, depending on your location. When a user opens pcAnywhere, it automatically scans the local class C network for possible agents (translator: this refers to an Agent, not a proxy). Hackers/crackers also look for machines with this service open, so you should check the source address of the scan. Some pcAnywhere scans also include a UDP packet to port 22. See dial-up scanning.

6776 SubSeven artifact

This port is used to transfer data from the SubSeven main port. For example, when the controller controls another machine over a phone line, you will see this when the controlled machine hangs up. Therefore, when another person dials in and gets this IP, they will see continuous connection attempts on this port. (Translator: that is, seeing the connection attempts in the firewall report does not mean you have been taken over by SubSeven.)

6970 RealAudio

RealAudio clients receive audio data streams from the server's UDP ports 6970-7170. This is set up by the control connection on TCP port 7070.

13223 PowWow

PowWow is the Tribal Voice chat program. It allows users to open private chats on this port. The program is very "aggressive" about establishing connections: it "camps" on this TCP port waiting for a response, which produces connection attempts at a heartbeat-like interval. If you are a dial-up user who "inherited" an IP address from another chatter, this is why it seems that many different people are testing this port. This protocol uses "OPNG" as the first four bytes of its connection attempts.

17027 Conducent

This is an outbound connection. It occurs because someone inside the company has shareware with Conducent "Adbot" inside. Conducent "Adbot" is an advertising service for shareware. A popular program using this service is PKWARE. Some people have tested this: blocking the outbound connection causes no problems, but blocking the IP address itself will cause Adbot to retry the connection several times per second:

The machine will keep resolving the DNS name ads.conducent.com, i.e. IP addresses 216.33.210.40, 216.33.199.77, 216.33.199.80, 216.33.199.81, and 216.33.210.41. (Translator: I don't know whether NetAnts, which uses Radiate, also shows this behaviour.)

27374 SubSeven trojan (TCP)

See the Subseven section.

30100 NetSphere trojan (TCP)

Scans of this port are usually looking for the NetSphere trojan.

31337 Back Orifice "elite"

In hacker slang 31337 reads "elite" /ei'li:t/ (Translator: from French, meaning backbone or essence; that is, 3 = E, 1 = L, 7 = T). So many backdoor programs run on this port. The most famous is Back Orifice. For a while this was the most common scan on the Internet. Now it is becoming less and less common, and other trojans are increasingly popular.

31789 Hack-a-Tack

UDP traffic on this port is usually due to the "Hack-a-Tack" remote access trojan (RAT). This trojan includes a built-in port 31790 scanner, so any traffic from port 31789 to port 31790 means that an intrusion has already happened. (Port 31789 is the control connection; port 31790 is the file transfer connection.)

32770 ~ 32900 RPC service

Sun Solaris's RPC services are in this range. In detail: early versions of Solaris (2.5.1) placed the portmapper in this range, so even when the low port was blocked by the firewall, hackers/crackers could still reach it. Scanning this range is not done to find the portmapper, but to find known RPC services that can be attacked.

33434 ~ 33600 traceroute

If you see UDP packets within this port range (and only within this range), it may be due to traceroute. See the traceroute section.

41508 Inoculan

Early versions of Inoculan generate a large amount of UDP traffic on the subnet so that the machines can identify each other. See

http://www.circlemud.org/~jelson/software/udpsend.html

http://www.ccd.bnl.gov/nss/tips/inoculan/index.html

(2) What do the following source ports mean?

Ports 1 to 1024 are reserved ports, so they are almost never source ports. There are some exceptions, however, such as connections from NAT machines. See 1.9.

Ports above 1024 are seen often; they are "dynamic ports" assigned to applications that do not care which port they connect from.

Server port        Client port   Service   Description
1-5/tcp            dynamic       FTP       Source ports 1-5 indicate the SSCAN script.
20/tcp             dynamic       FTP       The FTP server's data port.
53                 dynamic       DNS       DNS sends UDP from this port. You may also see TCP connections with this source/destination port.
123                dynamic       S/NTP     Port used by Simple Network Time Protocol (S/NTP) servers. They also send broadcasts to this port.
27910~27961/udp    dynamic       Quake     Quake, or games driven by the Quake engine, run their servers on these ports. UDP packets from or to this port range are therefore usually a game.
61000              dynamic       FTP       Ports 61000 and above may come from a Linux NAT server (IP masquerade).

Knowing these ports gives you a certain understanding of the network.

When reposting, please cite the original URL: https://www.9cbs.com/read-107373.html
