Ports can be divided into three categories:

1) Well Known Ports: 0 to 1023. These are tightly bound to particular services; traffic on one of these ports usually indicates the corresponding protocol. For example, port 80 is almost always HTTP.

2) Registered Ports: 1024 to 49151. These are loosely bound to services: many services are registered on these ports, but the same ports are also used for many other purposes. For example, many systems hand out dynamic ports starting at around 1024.

3) Dynamic and/or Private Ports: 49152 to 65535. In theory these ports should not be assigned to services. In practice, machines usually allocate dynamic ports starting from 1024, with exceptions: Sun's RPC ports start at 32768.

This section describes the TCP/UDP port scans commonly seen in firewall logs. Remember: there is no such thing as an ICMP port. If you want to interpret ICMP data, see the other parts of this article.

0: Usually used to fingerprint the operating system. This works because "0" is an invalid port on some systems, which respond differently to it than they would to a normal closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

1 tcpmux: This shows that someone is looking for SGI IRIX machines. IRIX is the main vendor of tcpmux, and it is enabled by default on that system. IRIX machines shipped with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox and 4Dgifts. Many administrators forget to delete these accounts, so hackers search the Internet for tcpmux and then use these accounts.

7 Echo: You will see many people searching for Fraggle amplifiers, sending packets to x.x.x.0 and x.x.x.255. A common DoS attack is the echo loop: the attacker forges a UDP packet from one machine to another, and the two machines then answer each other's packets as fast as they can (see chargen). Another thing seen on this port is TCP connections from DoubleClick. They have a product called Resonate "Global Dispatch" that connects to this port on DNS servers to determine the nearest route. Harvest/Squid caches send UDP echo from port 3130: "If you turn on the cache's source_ping option, it sends a 'hit' reply to the UDP echo port of the original host." This generates many such packets.

11 sysstat: This is a UNIX service that lists all running processes on the machine and who started them. It gives intruders a lot of information and threatens the machine's security, for example by exposing programs with known weaknesses or accounts. It is similar to the output of the "ps" command on UNIX systems. Again, ICMP has no ports; "ICMP port 11" is usually ICMP type 11.

19 chargen: This is a service that only sends characters. The UDP version answers each packet received with a garbage packet; the TCP version sends a stream of garbage after the connection is established, until the connection is closed. Hackers use IP spoofing to launch DoS attacks: forging UDP packets between two chargen servers, or between a chargen and an echo server, causes unlimited round trips as the servers try to answer each other, and overloads both. Likewise, the Fraggle DoS attack broadcasts packets with a forged victim IP to this port; the victim is overloaded answering the replies.
21 FTP: The most common attacker use is to look for open "anonymous" FTP servers. These servers have directories that are both readable and writable. Hackers or crackers use such servers as nodes for transferring warez (pirated programs) and pr0n (deliberately misspelled).

22 SSH / pcAnywhere: A TCP connection to this port may be someone looking for SSH. This service has many weaknesses. If configured in certain modes, many versions using the RSAREF library are vulnerable. (It is recommended to run SSH on another port.) Note also that the SSH toolkit includes a program called make-ssh-known-hosts, which scans all SSH hosts in a domain, so you may sometimes be scanned unintentionally. A UDP (rather than TCP) packet to this port, paired with port 5632 at the other end, means a pcAnywhere scan: 5632 (hex 0x1600) byte-swapped is 0x0016 (22).

23 Telnet: Intruders are searching for remote logins to UNIX. In most cases, intruders scan this port to find out which operating system is running. In addition, using other techniques, intruders will look for passwords.

25 SMTP: Spammers look for SMTP servers to relay their spam. Spammers' accounts are always being shut down, so they need to dial in and connect to a high-bandwidth e-mail server to send simple messages to many different addresses. SMTP servers (especially Sendmail) are one of the most common ways into a system, since they must be fully exposed to the Internet and mail routing is complex (exposed + complex = weakness).

53 DNS: Hackers or crackers may be trying to perform zone transfers (TCP), spoof DNS (UDP), or hide other traffic. Therefore firewalls often filter or log port 53. Note that you will often see port 53 as the UDP source port. Stateless firewalls typically allow this traffic, assuming it is a reply to a DNS query; hackers often use this method to get through a firewall.
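The port 53 entry above describes the difference between a stateless filter (which passes anything with source port 53 as a "DNS reply") and a stateful check. The following added example, not part of the original article, shows that stateful check over a constructed list of packet summaries; the tuple layout and the sample addresses are assumptions made for this example.

```python
from typing import List, Tuple

# Constructed packet summaries (not from the article):
# (direction, protocol, remote address, remote port, local port).
PACKETS = [
    ("out", "UDP", "198.51.100.53", 53, 1031),   # our resolver query
    ("in",  "UDP", "198.51.100.53", 53, 1031),   # matching reply: accepted
    ("in",  "UDP", "203.0.113.7",   53, 139),    # no query pending: sport-53 bypass attempt
    ("in",  "UDP", "203.0.113.7",   53, 5632),   # no query pending, high port
    ("in",  "TCP", "203.0.113.9",  1040, 53),    # inbound TCP/53: zone transfer attempt
]


def audit_dns(packets) -> List[Tuple[int, str]]:
    """Return (packet index, reason) for every packet a stateful check would flag.

    Inbound UDP packets with source port 53 are accepted only when they match a
    pending outbound query, keyed by (server address, our local port). A
    stateless filter would have passed packets 2 and 3 as 'DNS replies'.
    """
    pending = set()
    findings = []
    for i, (direction, proto, rhost, rport, lport) in enumerate(packets):
        if proto == "UDP" and direction == "out" and rport == 53:
            pending.add((rhost, lport))          # remember the query we sent
        elif proto == "UDP" and direction == "in" and rport == 53:
            if (rhost, lport) in pending:
                pending.discard((rhost, lport))  # legitimate reply; consume the query
            else:
                findings.append((i, "unsolicited UDP packet with source port 53"))
        elif proto == "TCP" and direction == "in" and lport == 53:
            findings.append((i, "inbound TCP/53: possible zone transfer attempt"))
    return findings


if __name__ == "__main__":
    for idx, reason in audit_dns(PACKETS):
        print(idx, PACKETS[idx], reason)
```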
67 and 68 BootP/DHCP (UDP): Firewalls behind DSL and cable modems often see many packets sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. A hacker can often get in by assigning them an address and acting as a local router, launching a large number of "man-in-the-middle" attacks. The client broadcasts its request from port 68 (bootpc) to port 67 (bootps), and the server broadcasts its reply back to port 68. The reply is broadcast because the client does not yet have an IP address it could be sent to.

69 TFTP (UDP): Many servers provide this together with BootP to make it easy to download boot code to a system. But they are often misconfigured to serve any file on the system, such as password files. They can also be used to write files to the system.

79 Finger: Hackers use it to obtain user information, query the operating system, probe for known buffer overflow errors, and bounce finger scans off the machine to other machines.

98 linuxconf: This program provides simple administration of Linux boxen. It offers a web-based service on port 98 through an integrated HTTP server. Many security issues have been found in it: some versions are setuid root, trust the local network, create world-accessible files under /tmp, and have a buffer overflow in the LANG environment variable. Also, because it contains an integrated web server, many typical HTTP vulnerabilities may exist (buffer overflows, directory traversal, etc.).

109 POP2: Not as well known as POP3, but many servers provide both (backward compatibility). POP3 vulnerabilities on the same server also exist in POP2.
110 POP3: Used by clients to access mail on the server. POP3 services have many recognized weaknesses. There are at least 20 buffer overflows in the username and password exchange (meaning a hacker can enter the system before even logging in). There are other buffer overflow errors after a successful login.

111 SunRPC portmap / rpcbind: Sun RPC portmapper/rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services are allowed. Common RPC services include rpc.mountd, nfs, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. Once the intruder finds which RPC services are allowed, they turn to the specific port of that service to test for vulnerabilities. Remember to check your daemon logs, IDS, or inline sniffer to find which program the intruder was looking for and what happened.

113 ident / auth: This is a protocol that runs on many machines to identify the user of a TCP connection. Used as standard, it can reveal information about many machines (which hackers exploit). But it is relied on by many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if you have many clients accessing these services through the firewall, you will see connection requests to this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back a TCP reset while blocking a TCP connection, which stops this slowness.

119 NNTP: The Network News Transfer Protocol carries Usenet traffic. This port is usually used when you link to an address such as news.security.firewalls/. A connection to this port is usually someone looking for a Usenet server. Most ISPs restrict access to their news servers to their own customers. An open news server allows anyone to post and read, reach restricted newsgroups, post anonymously, or send spam.
135 oc-serv / MS RPC end-point mapper: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM service. This is similar in function to UNIX port 111. Services that use DCOM and/or RPC register their location with the end-point mapper on your machine. When remote clients connect to the machine, they query the end-point mapper to find the location of the service. Likewise, a hacker scans this port to find out: is Exchange Server running on this machine? Which version? Besides querying services, this port can be used for direct attacks (for example with epdump). There are also some DoS attacks aimed directly at this port.

137 NetBIOS name service / nbtstat (UDP): This is the most common question from firewall administrators; see the later section of this article.

139 NetBIOS file and print sharing: Connections to this port are trying to reach the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and by Samba. Sharing your own hard drive on the Internet is the most common problem. A large number of scans of this port started in 1999, then became less common; in 2000 they rebounded. Some VBS (IE5 VisualBasic scripting) worms started copying themselves to this port and trying to spread through it.

143 IMAP: The same security issues as POP3 above; many IMAP servers have buffer overflow vulnerabilities in the login process. Remember: a Linux worm (ADMw0rm) propagates through this port, so many scans of this port come from uninformed, infected users. These vulnerabilities became popular when Red Hat enabled IMAP by default in their Linux distributions. This was also the most widespread worm since the Morris worm. This port is also used for IMAP2, but that is not popular. Some reports have found that scans of ports 0 through 143 come from scripts.

161 SNMP (UDP): Intruders often probe this port. SNMP allows remote management of devices. All configuration and runtime information is stored in a database and is available through SNMP clients. Many administrators misconfigure it and expose it to the Internet. Crackers will try the default communities "public" and "private" to access the system; they may try all possible combinations. SNMP packets may also be misdirected to your network: Windows machines often use SNMP for the HP JetDirect remote management software, and because of misconfiguration the HP object identifier will receive SNMP packets. New versions of Win98 use SNMP to resolve names; you will see these packets broadcast on the subnet (cable modem, DSL) querying sysName and other information.

162 SNMP trap: May be due to misconfiguration.

177 xdmcp: Many hackers use it to reach X Windows consoles; it also needs port 6000 open.

513 rwho: May be broadcasts from UNIX machines on a subnet using cable modems or DSL. These provide very interesting information for hackers trying to get into the system.

553 CORBA IIOP (UDP): If you are on a cable modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers will use this information to enter the system.

600 pcserver backdoor: See port 1524. Some script kiddies think they have completely compromised a system by modifying the ingreslock and pcserver files. - Alan J. Rosenthal

635 mountd: Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both).
Remember, mountd can run on any port (to find out which one, you must query the portmapper on port 111); it is just that Linux defaults to port 635, just as NFS usually runs on port 2049.

1024: Many people ask what this port does. It is the beginning of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the operating system to assign them the "next free port". Based on this, allocation starts at port 1024. This means the first program that requests a dynamic port will be assigned port 1024. To verify this, restart the machine, open telnet, then open another window and run "netstat -a"; you will see telnet assigned port 1024. The more programs request dynamic ports, the larger the port numbers the operating system assigns. Again, while browsing web pages, use "netstat" to look: each web page requires a new port.
Version 0.4.1, June 20, 2000. http://www.robertgraham.com/pubs/firewall-seen.html. Copyright 1998-2000 by Robert Graham (mailto:firewall-seen1@robertgraham.com). All rights reserved. This document may only be reproduced (whole or in part) for non-commercial purposes. All reproductions must contain this copyright notice and must not be altered, except by permission of the author.

1025: See 1024.

1026: See 1024.

1080 SOCKS: This protocol tunnels through firewalls, allowing many people behind a firewall to access the Internet through one IP address. In theory it should only allow internal traffic out to the Internet. However, due to misconfiguration, it lets hackers/crackers located outside the firewall pass through it, or simply relay through a computer on the Internet to hide their direct attacks on you. WinGate is a common Windows personal firewall that is often misconfigured this way. You will often see this when joining IRC chat rooms.

1114 SQL: The system itself rarely scans this port, but it is often part of the sscan script.

1243 Sub-7 trojan (TCP): See the SubSeven section.

1524 ingreslock backdoor: Many attack scripts install a backdoor shell on this port (especially scripts for Sendmail and for RPC service vulnerabilities on Sun systems, such as statd, ttdbserver and cmsd). If you have just installed your firewall and see connections to this port, it is likely for the above reason. You can try telnetting to this port on your machine to see whether it gives you a shell. This problem is related to 600/pcserver.

2049 NFS: The NFS program usually runs on this port. Normally you need to query the portmapper to find out which port it is running on, but in most cases it ends up on 2049 after installation, so a hacker/cracker can bypass the portmapper and test this port directly.

3128 Squid: This is the default port of the Squid HTTP proxy server.
Attackers scan this port looking for anonymous access to the Internet. You will also see scans for other proxy server ports: 8000/8001/8080/8888. Another reason for scans of this port is users entering chat rooms: other users (or the server itself) also check this port to determine whether the user's machine supports a proxy. Please see Section 5.3.

5632 pcAnywhere: You will see a lot of scans of this port, depending on your location. When a user opens pcAnywhere, it automatically scans the local class C network for possible agents (translator: agent, not proxy). Hackers/crackers also look for machines running this service, so you should check the source address of the scan. Some pcAnywhere scans also contain UDP packets to port 22; see port 22.

6776 Sub-7 artifact: This port is used to transfer data that is not part of the Sub-7 main port. For example, when a controller is driving another machine over a phone line and the controlled machine hangs up, the next person dialing in and receiving that IP address will see continuous connection attempts to this port. (Translator: that is, what the firewall reports are connection attempts; it does not mean you have been taken over by Sub-7.)
6970 RealAudio: RealAudio clients receive audio data streams from the server on UDP ports 6970-7170. This is set up by the control connection on TCP port 7070.

13223 PowWow: PowWow is a chat program from Tribal Voice. It allows users to open private chats on this port. The program is very "aggressive" in establishing connections: it "camps" on this TCP port waiting for a response, which produces a connection attempt at every heartbeat interval. If you are a dial-up user who "inherited" an IP address from a chat user, this is what you see: it looks as if many different people are probing this port. This protocol uses "OPNG" as the first four bytes of its connection attempt.

17027 Conducent: This is an outgoing connection. It is caused by someone inside the company running shareware that bundles the Conducent "Adbot". Conducent "Adbot" is an advertising service for shareware; a popular program using it is PKWARE. Some people have tested it: blocking this outbound connection causes no problems, but blocking the IP address itself causes the Adbot to try to connect several times per second: the machine tries to resolve the DNS name ads.conducent.com, IP addresses 216.33.210.40, 216.33.199.77, 216.33.199.80, 216.33.199.81 and 216.33.210.41. (Translator: I do not know whether NetAnts used to show this behaviour.)

27374 Sub-7 trojan (TCP): See the SubSeven section.

30100 NetSphere trojan (TCP): Scans of this port are usually looking for the NetSphere trojan.

31337 Back Orifice: "Elite" hacker spelling; 31337 reads "elite", /ei'li:t/ (Translator: from French, meaning backbone or essence; that is, 3 = E, 1 = L, 7 = T). So many backdoor programs run on this port. The most famous is Back Orifice. This used to be the most common scan on the Internet; now it is less so, as other trojans become more and more popular.

31789 Hack-a-Tack: UDP traffic on this port is usually due to the "Hack-a-Tack" remote access trojan (RAT, Remote Access Trojan). This trojan includes a built-in port 31790 scanner, so any traffic from port 31789 to port 31790 indicates an existing compromise. (Port 31789 is the control connection; port 31790 is the file transfer connection.)

32770~32900 RPC services: Sun Solaris RPC services live in this range. In detail: early versions of Solaris (2.5.1) place the portmapper in this range, so even if the low port is blocked by a firewall, a hacker/cracker can still reach it. Scans of ports in this range are not looking for the portmapper, just for a known RPC service that can be attacked. UDP communication is used to identify each other. See http://www.circlemud.org/~jelson/software/udpsend.html and http://www.ccd.bnl.gov/nss/tips/inocus/index.html. Ports 1~1024 are reserved, so they are rarely seen as source ports.
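As an added example, not part of the original article, the triage script below applies this section's observations to a handful of constructed firewall log lines: it classifies each destination port into the three ranges defined at the top of the section, attaches the notes the section gives for specific ports (0, tcpmux, pcAnywhere, Sub-7, Back Orifice, Hack-a-Tack, Conducent, the Solaris RPC range), and flags the Fraggle-style broadcast and source-port-53 patterns. The log line format "PROTO src:sport -> dst:dport" and all addresses are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from the article); format is an assumption.
SAMPLE_LOG = """\
TCP 10.9.8.7:4242 -> 192.0.2.10:0
UDP 203.0.113.5:31337 -> 192.0.2.255:7
UDP 198.51.100.3:1100 -> 192.0.2.10:5632
TCP 203.0.113.9:1025 -> 192.0.2.10:27374
UDP 198.51.100.4:31789 -> 192.0.2.10:31790
UDP 203.0.113.9:53 -> 192.0.2.10:1030
TCP 192.0.2.10:1027 -> 216.33.210.40:17027
TCP 203.0.113.12:2100 -> 192.0.2.10:32771
"""

# Per-port notes taken from the entries in this section.
SIGNATURES = {
    0: "OS fingerprinting probe (port 0 is invalid on some systems)",
    1: "tcpmux: looking for SGI IRIX default accounts",
    111: "portmapper: first step of an RPC service scan",
    1080: "SOCKS proxy search (misconfigured proxies relay attacks)",
    1243: "Sub-7 trojan",
    1524: "ingreslock backdoor shell",
    5632: "pcAnywhere scan (0x1600 byte-swapped is 0x0016 = port 22)",
    6776: "Sub-7 artifact (data channel)",
    17027: "Conducent Adbot (outgoing, shareware ad service)",
    27374: "Sub-7 trojan",
    31337: "Back Orifice / 'elite' backdoor port",
    31789: "Hack-a-Tack RAT control channel",
    31790: "Hack-a-Tack RAT file transfer (built-in scanner target)",
}

LINE_RE = re.compile(r"^(TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def port_class(port: int) -> str:
    """Map a port onto the three categories defined at the top of this section."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def annotate(proto: str, sport: int, dst: str, dport: int) -> List[str]:
    notes = [port_class(dport)]
    if dport in SIGNATURES:
        notes.append(SIGNATURES[dport])
    if proto == "UDP" and dport in (7, 19) and dst.endswith((".0", ".255")):
        notes.append("Fraggle amplifier search (broadcast to echo/chargen)")
    if sport == 53 and dport > 1023:  # stateless filters pass this as a 'DNS reply'
        notes.append("source port 53: DNS reply or stateless-firewall bypass")
    if 32770 <= dport <= 32900:
        notes.append("Sun Solaris RPC service range (portmapper bypass)")
    return notes


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Parse each log line and return (line, notes); unparseable lines are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, _src, sport, dst, dport = m.groups()
            out.append((line.strip(), annotate(proto, int(sport), dst, int(dport))))
    return out
```

Run `for line, notes in triage(SAMPLE_LOG): print(line, "->", "; ".join(notes))` to see one annotated line per sample entry.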