Network ports explained in detail
By port number, ports fall into 3 categories:
(1) Well-known ports: from 0 to 1023. They are tightly bound to particular services, so traffic on these ports usually indicates the protocol of a specific service. For example, port 80 is in practice HTTP traffic.
(2) Registered ports: from 1024 to 49151. They are loosely bound to services: many services are bound to these ports, but the ports are also used for many other purposes. For example, many systems start handing out dynamic ports at around 1024.
(3) Dynamic and/or private ports: from 49152 to 65535. In theory, services should not be assigned to these ports. In practice, machines usually allocate dynamic ports starting at 1024. There are exceptions: Sun's RPC ports begin at 32768.
0 Usually used to analyze the operating system. This works because on some systems 0 is an invalid port, which produces a different result than connecting to an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.
1 = tcpmux, TCP Port Service Multiplexer
2 = compressnet, Management Utility
3 = compressnet, Compression Process
5 = rje, Remote Job Entry
7 = echo
9 = discard
11 = systat, Active Users
13 = daytime
17 = qotd, Quote of the Day
18 = msp, Message Send Protocol
19 = chargen, Character Generator
20 = ftp-data, File Transfer [Default Data]
21 = ftp, File Transfer [Control]
22 = ssh, SSH Remote Login Protocol
23 = telnet, terminal emulation protocol
24 = any private mail system
25 = smtp, Simple Mail Transfer
27 = nsw-fe, NSW User System FE
29 = msg-icp, MSG ICP
31 = msg-auth, MSG Authentication
33 = dsp, Display Support Protocol
35 = any private printer server
37 = time
38 = rap, Route Access Protocol
39 = rlp, Resource Location Protocol
41 = graphics
42 = nameserver, WINS Host Name Server
43 = nicname, Who Is
44 = mpm-flags, MPM (Message Processing Module) FLAGS Protocol
45 = mpm, Message Processing Module [recv]
46 = mpm-snd, MPM [default send]
47 = ni-ftp, NI FTP
48 = audit, Digital Audit Daemon
49 = tacacs, Login Host Protocol (TACACS)
50 = re-mail-ck, Remote Mail Checking Protocol
51 = la-maint, IMP (Interface Message Processor) Logical Address Maintenance
52 = xns-time, XNS (Xerox Network Services) Time Protocol
53 = domain, Domain Name Server
54 = xns-ch, XNS Clearinghouse
55 = isi-gl, ISI Graphics Language
56 = xns-auth, XNS Authentication
57 = any private terminal access
58 = xns-mail, XNS Mail
59 = any private file service
60 = unassigned
61 = ni-mail, NI MAIL
62 = acas, ACA Services
63 = whois
64 = covia, Communications Integrator (CI)
65 = tacacs-ds, TACACS-Database Service
66 = sql*net, Oracle SQL*NET
67 = bootps, Bootstrap Protocol Server
68 = bootpc, Bootstrap Protocol Client
69 = tftp, Trivial File Transfer
70 = gopher, information retrieval protocol
71 = netrjs-1, Remote Job Service
72 = netrjs-2, Remote Job Service
73 = netrjs-3, Remote Job Service
74 = netrjs-4, Remote Job Service
75 = any private dial out service
76 = deos, Distributed External Object Store
77 = any private RJE service
78 = vettcp
79 = finger, queries a remote host for online users, etc.
80 = http, World Wide Web HTTP
81 = hosts2-ns, HOSTS2 Name Server
82 = xfer, XFER Utility
83 = mit-ml-dev, MIT ML Device
84 = ctf, Common Trace Facility
85 = mit-ml-dev, MIT ML Device
86 = mfcobol, Micro Focus Cobol
87 = any private terminal link
88 = kerberos, Kerberos security authentication system
89 = su-mit-tg, SU/MIT Telnet Gateway
90 = dnsix, DNSIX Security Attribute Token Map
91 = mit-dov, MIT Dover Spooler
92 = npp, Network Printing Protocol
93 = dcp, Device Control Protocol
94 = objcall, Tivoli Object Dispatcher
95 = supdup
96 = dixie, DIXIE Protocol Specification
97 = swift-rvf, Swift Remote Virtual File Protocol
98 = tacnews, TAC News
99 = metagram, Metagram Relay
100 = newacct [unauthorized use]
101 = Nic Host Name Server
102 = ISO-TSAP
103 = Genesis Point-to-Point Trans Net
104 = Acr-Nema Digital Imag. & Comm. 300
105 = Mailbox Name Nameserver
106 = 3COM-TSMUX
107 = Remote Telnet Service
108 = SNA Gateway Access Server
109 = Post Office Protocol - Version 2
110 = Post Office Protocol - Version 3
111 = Sun RPC
112 = MCIDAS Data Transmission Protocol
113 = Authentication Service
114 = Audio News Multicast
115 = Simple File Transfer Protocol
116 = Ansa Rex Notify
117 = UUCP PATH Service
118 = SQL Services (sqlserv)
119 = Network News Transfer Protocol
120 = cfdptkt
121 = Encore Expedited Remote Pro.Call
122 = SMAKYNET
123 = Network Time Protocol
124 = Ansa Rex Trader
125 = LOCUS PC-Interface Net Map Ser
126 = Unisys Unitary Login
127 = LOCUS PC-Interface Conn Server
128 = GSS X License Verification
129 = Password Generator Protocol
130 = Cisco Fnative
131 = Cisco TNATIVE
132 = Cisco Sysmaint
133 = Statistics Service
134 = INGRES-NET Service
135 = Location Service
136 = Profile Naming System
137 = NetBIOS Name Service
138 = NetBIOS DataGram Service
139 = NetBIOS Session Service
140 = EMFIS DATA Service
141 = EMFIS Control Service
142 = britton-lee idm
143 = interim mail access protocol v2
144 = news
145 = uaac protocol (uaac)
146 = iso-ip0 (iso-tp0)
147 = iso-ip
148 = cronus-support
149 = aed 512 emulation service
150 = sql-net
151 = hems
152 = background file transfer program
153 = sgmp
154 = netsc (netsc-prod)
155 = netsc (netsc-dev)
156 = sql service
157 = knet / vm command / message protocol
158 = pcmail server (pcmail-srv)
159 = nss-routing
160 = sgmp-traps
161 = snmp
162 = snmp trap
163 = cmip / tcp manager
164 = cmip / tcp agent
165 = xerox (xns-courier)
166 = sirius systems
167 = namp
168 = rsvd
169 = send
170 = network post
171 = network innovations multiplex
172 = network innovations cl / 1
173 = xyplex (xyplex-mux)
174 = mailq
175 = vmnet
176 = genrad-mux
177 = x display manager control protocol
178 = nextstep window server
179 = border gateway protocol
180 = intergraph (ris)
181 = unified (unify)
182 = unisys audit sitp
183 = observer (ocserver)
185 = remote-kis
186 = kis protocol (kis)
187 = application communication interface
188 = plus five's mumps
189 = queued file transport
190 = gateway access control protocol
191 = prospero directory service
192 = osu network monitoring system
193 = srmp, spider remote monitoring protocol
194 = irc, internet relay chat protocol
195 = dnsix network level module audit
196 = dnsix session mgt module audit redir
197 = directory location service
198 = directory location service monitor
199 = smux
200 = ibm system resource controller
201 = at-rtmp appletalk routing maintenance
202 = at-nbp appletalk name binding
203 = at-3 appletalk unused
204 = appletalk echo
205 = appletalk unused
206 = appletalk zone information
207 = appletalk unused
208 = appletalk unused
209 = trivial authenticated mail protocol
210 = ansi z39.50
211 = texas instruments 914c / g terminal
212 = atexsstranet
213 = ipx
214 = vm pwscs (vmpwscs)
215 = insignia solutions
216 = access technology license server
217 = dbase unix
218 = netix message posting protocol
219 = unisys arps (uarps)
220 = interactive mail access protocol v3
221 = berkeley rlogind with spx auth
222 = berkeley rshd with spx auth
223 = certificate distribution center
224-241 = reserved
242 = unassigned
243 = survey measurement
244 = unassigned
245 = link
246 = display systems protocol
247-255 = reserved
256-343 = unassigned
344 = prospero data access protocol
345 = perf analysis workbench
346 = zebra server (zserv)
347 = fatmen server (fatserv)
348 = cabletron management protocol
349-370 = unassigned
371 = clearcase
372 = unix listserv (ulistserv)
373 = legent corporation
374 = legent corporation
375 = hassle
376 = amiga envoy network inquiry proto
377 = nec corporation
378 = nec corporation
379 = tia / eia / is-99 modem client
380 = tia / eia / is-99 modem server
381 = hp performance data collector
382 = hp performance data managed node
383 = hp performance data alarm manager
384 = a remote network server system
385 = ibm application
386 = asa message router object def.
387 = appletalk update-based routing pro.
388 = unidata ldm version 4
389 = lightweight directory access protocol
390 = uis
391 = synoptics snmp relay port
392 = synoptics port broker port
393 = data interpretation system
394 = embl nucleic data transfer
395 = netscout control protocol
396 = novell netware over ip
397 = multi protocol trans. net.
398 = kryptolan
399 = unassigned
400 = workstation solutions
401 = uninterruptible power supply
402 = genie protocol
403 = decap
404 = nced
405 = ncld
406 = interactive mail support protocol
407 = timbuktu
408 = prospero resource manager sys. man.
409 = prospero resource manager node man
410 = decladebug remote debug protocol
411 = remote mt protocol
412 = trap convention port
413 = smsp
414 = infoseek
415 = bnet
416 = silverplatter
417 = onmux
418 = hyper-g
419 = ariel (ariel1)
420 = smpte
421 = ariel (ariel2)
422 = ariel (ariel3)
423 = ibm operations planning and control start
424 = ibm operations planning and control track
425 = icad (icad-el)
426 = smartsdp
427 = server location
429 = ocs_amu
430 = utmpsd
431 = utmpcd
432 = iasd
433 = nnsp
434 = mobileip-agent
435 = mobilip-mn
436 = dna-cml
437 = comscm
439 = dasp, thomas obermair
440 = sgcp
441 = decvms-sysmgt
442 = cvc_hostd
443 = https
444 = simple network paging protocol
445 = microsoft-ds
446 = ddm-rdb
447 = ddm-rfm (ddm-dfm)
448 = ddm-byte
449 = as server mapper
450 = tserver
512 = exec, remote process execution
513 = login, remote login
514 = cmd, exec with auto auth.
514 = syslog
515 = printer spooler
516 = unassigned
517 = talk
519 = unixtime
520 = extended file name server
521 = unassigned
522 = unassigned
523 = unassigned
524 = unassigned
526 = newdate
530 = rpc courier
531 = chat (conference)
532 = readnews (netnews)
533 = for emergency broadcasts
539 = apertus technologies load determination
540 = uucp
541 = uucp-rlogin
542 = unassigned
543 = klogin
544 = kshell
545 = unassigned
546 = unassigned
547 = unassigned
548 = unassigned
549 = unassigned
550 = new-who
551 = unassigned
552 = unassigned
553 = unassigned
554 = unassigned
555 = dsf
556 = remotefs
557-559 = rmonitor
560 = rmonitord
561 = dmonitor
562 = chcmd
563 = unassigned
564 = plan 9 file service
565 = whoami
566-569 = unassigned
570 = demon (meter)
571 = udemon (meter)
572-599 = unassigned
600 = sun ipc server
607 = nqs
606 = cray unified resource manager
608 = sender-initiated / unsolicited file transfer
609 = npmp-trap
610 = npmp-local
611 = npmp-gui
634 = ginad
666 = doom id software
704 = errlog copy / server daemon
709 = entrustmanager
729 = ibm netview dm / 6000 server / client
730 = ibm netview dm / 6000 send / tcp
731 = ibm netview dm / 6000 receive / tcp
741 = netgw
742 = network based rev. cont. sys.
744 = flexible license manager
747 = fujitsu device control
748 = russell info sci calendar manager
749 = kerberos administration
751 = pump
752 = qrh
754 = send
758 = nlogin
759 = con
760 = ns
762 = quotad
763 = cycleserv
765 = webster
767 = phone (phonebook)
769 = vid
771 = rtip
772 = cycleserv2
774 = acmaint_dbd
775 = acmaint_transd
780 = wpgs
786 = concert
800 = mdbs_daemon
996 = central point software
997 = maitrd
999 = puprouter
1023 = reserved
1024 = reserved
1025 = network blackjack
1030 = bbn iad
1031 = bbn iad
1032 = bbn iad
1067 = installation bootstrap proto. serv.
1068 = installation bootstrap proto. cli.
1080 = socks
1083 = anasoft license manager
1084 = anasoft license manager
1155 = network file access
1222 = sni r & d network
1248 = hermes
1346 = alta analytics license manager
1347 = multi media conferencing
1348 = multi media conferencing
1349 = registration network protocol
1350 = registration network protocol
1351 = digital tool works (mit)
1352 = lotus note (lotusnote)
1353 = relief consulting
1354 = rightbrain software
1355 = intuitive edge
1356 = cuillamartin company
1357 = electronic pegboard
1358 = connlcli
1359 = ftsrv
1360 = mimer
1361 = linx
1362 = timeflies
1363 = network datamover requester
1364 = network datamover server
1365 = network software associates
1366 = novell netware comm service platform
1367 = dcs
1368 = screencast
1369 = globalview to unix shell
1370 = unix shell to globalview
1371 = fujitsu config protocol
1372 = fujitsu config protocol
1373 = chromagrafx
1374 = epi software systems
1375 = bytex
1376 = ibm person to person software
1377 = cichlid license manager
1378 = elan license manager
1379 = integrity solutions
1380 = telesis network license manager
1381 = apple network license manager
1382 = udt_os
1383 = gw hannaway network license manager
1384 = objective solutions license manager
1385 = atex publishing license manager
1386 = checksum license manager
1387 = computer aided design software inc lm
1388 = objective solutions database cache
1389 = document manager
1390 = storage controller
1391 = storage access server
1392 = print manager (iclpv-pm)
1393 = network log server
1394 = network log client
1395 = pc workstation manager software
1396 = dvl active mail
1397 = audio active mail
1398 = video active mail
1399 = cadkey license manager
1400 = cadkey tablet daemon
1401 = goldleaf license manager
1402 = prospero resource manager
1403 = prospero resource manager
1404 = infinite graphics license manager
1405 = ibm remote execution starter
1406 = netlabs license manager
1407 = dbsa license manager
1408 = sophia license manager
1409 = here license manager
1410 = hiq license manager
1411 = audiofile (af)
1412 = innosys
1413 = innosys-acl
1414 = ibm mqseries (ibm-mqseries)
1415 = dbstar
1416 = novell lu6.2 (novell-lu6.2)
1417 = timbuktu service 1 port
1418 = timbuktu service 2 port
1419 = timbuktu service 3 port
1420 = timbuktu service 4 port
1421 = gandalf license manager
1422 = autodesk license manager
1423 = essbase arbor software
1424 = hybrid encryption protocol
1425 = zion software license manager
1426 = satellite-data acquisition system 1
1427 = mloadd monitoring tool
1428 = informatik license manager
1429 = hypercom nms (nms)
1430 = hypercom tpdu (tpdu)
1431 = reverse gosip transport
1432 = blueberry software license manager
1433 = microsoft-sql-server
1434 = microsoft-sql-monitor
1435 = ibm cisc (ibm-cics)
1436 = satellite-data acquisition system 2
1437 = tabula
1438 = eicon security agent / server
1439 = eicon x25 / sna gateway
1440 = eicon service location protocol
1441 = cadis license management
1442 = cadis license management
1443 = integrated engineering software
1444 = marcam license management
1445 = proxima license manager
1446 = optical research associates license manager
1447 = applied parallel research lm
1448 = openconnect license manager
1449 = peport
1450 = tandem distributed workbench facility
1451 = ibm information management
1452 = gte government systems license man
1453 = genie license manager
1454 = interhdl license manager
1455 = esl license manager
1456 = dca
1457 = valisys license manager
1458 = nichols research corp.
1459 = proshare notebook application
1460 = proshare notebook application
1461 = ibm wireless lan
1462 = world license manager
1463 = nucleus
1464 = msl license manager
1465 = pipes platform
1466 = ocean software license manager
1467 = csdmbase
1468 = csdm
1469 = active analysis limited license manager
1470 = universal analytics
1471 = csdmbase
1472 = csdm
1473 = openmath
1474 = telefinder
1475 = taligent license manager
1476 = clvm-cfg
1477 = ms-sna-server
1478 = ms-sna-base
1479 = dberegister
1480 = pacerforum
1481 = airs
1482 = miteksys license manager
1483 = afs license manager
1484 = confluent license manager
1485 = lansource
1486 = nms_topo_serv
1487 = localinfosrvr
1488 = docstor
1489 = dmdocbroker
1490 = insitu-conf
1491 = anynetgateway
1492 = stone-design-1
1493 = netmap_lm
1494 = ica
1495 = cvc
1496 = liberty-lm
1497 = rfx-lm
1498 = watcom-sql
1499 = federico heinz consultora
1500 = vlsi license manager
1501 = satellite-data acquisition system 3
1502 = shiva (shivadiscovery)
1503 = databeam (imtc-mcs)
1504 = evb software engineering license manager
1505 = funk software, inc.
1524 = ingres
1525 = oracle
1525 = prospero directory service non-priv
1526 = prospero data access prot non-priv
1527 = oracle (tlisrv)
1529 = oracle (coauthor)
1600 = issd
1651 = proshare conf audio
1652 = proshare conf video
1653 = proshare conf data
1654 = proshare conf request
1655 = proshare conf notify
1661 = netview-aix-1
1662 = netview-aix-2
1663 = netview-aix-3
1664 = netview-aix-4
1665 = netview-aix-5
1666 = netview-aix-6
1986 = cisco license management
1987 = cisco rsrb priority 1 port
1988 = cisco rsrb priority 2 port
1989 = cisco rsrb priority 3 port
1989 = mhsnet system (mshnet)
1990 = cisco stun priority 1 port
1991 = cisco stun priority 2 port
1992 = cisco stun priority 3 port
1992 = ipsendmsg
1993 = cisco snmp tcp port
1994 = cisco serial tunnel port
1995 = cisco perf port
1996 = cisco remote srb port
1997 = cisco gateway discovery protocol
1998 = cisco x.25 service (xot)
1999 = cisco identification port
2009 = whosockami
2010 = pipe_server
2011 = raid
2012 = raid-ac
2013 = rad-am
2015 = raid-cs
2016 = bootserver
2017 = terminaldb
2018 = rellpack
2019 = about
2019 = xinupageserver
2020 = xinupageserver
2021 = xinuexpansion1
2021 = down
2022 = xinuexpansion2
2023 = xinuexpansion3
2023 = xinuexpansion4
2024 = xinuexpansion4
2025 = xribs
2026 = scrabble
2027 = shadowserver
2028 = submitserver
2039 = device2
2032 = blackboard
2033 = glogger
2034 = scoremgr
2035 = imsldoc
2038 = objectmanager
2040 = lam
2041 = interbase
2042 = isis
2043 = isis-bcast
2044 = primsl
2045 = cdfunc
2047 = dls
2048 = dls-monitor
2065 = data link switch read port number
2067 = data link switch write port number
2201 = advanced training system program
2500 = resource tracking system server
2501 = resource tracking system client
2564 = hp 3000 ns / vt block mode telnet
2784 = world wide web - development
3049 = ccmail
3264 = ccmail, cc:mail / lotus
3333 = dec-notes
3984 = mapper network node manager
3985 = mapper tcp / ip server
3986 = mapper workstation server
3421 = bull apprise portmapper
3900 = unidata udt os
4132 = nuts daemon (nuts_dem)
4133 = nuts bootp server
4343 = unicall
4444 = krb524
4672 = remote file access server
5002 = radio free ethernet
5010 = telepathstart
5011 = telepathattack
5050 = multimedia conference control tool
5145 = rmonitor_secure
5190 = aol, america-online
5300 = ha cluster heartbeat
5301 = hacl-gs, ha cluster general services
5302 = ha cluster configuration
5303 = hacl-probe, ha cluster probing
5305 = hacl-test
6000-6063 = x11 x window system
6111 = sub-process, hp softbench sub-process control
6141 = meta-corp, meta corporation license manager
6142 = aspentec-lm, aspen technology license manager
6143 = watershed-lm, watershed license manager
6144 = statsci1-lm, statsci license manager - 1
6145 = statsci2-lm, statsci license manager - 2
6146 = lonewolf-lm, lone wolf systems license manager
6147 = montage-lm, montage license manager
7000 = afs3-fileserver, file server itself
7001 = afs3-callback, callbacks to cache managers
7002 = afs3-prserver, users & groups database
7003 = afs3-vlserver, volume location database
7004 = afs3-kaserver, afs / kerberos authentication service
7005 = afs3-volser, volume management server
7006 = afs3-errors, error interpretation service
7007 = afs3-bos, basic overseer process
7008 = afs3-update, server-to-server updater
7009 = afs3-rmtsys, remote cache manager service
7010 = ups-online, onlinet uninterruptable power supplies
7100 = x font service
7200 = fodms flip
7626 = glacier
8010 = wingate
8181 = imail
9535 = man
45576 = e professional Generation time proxy port
More specific explanations follow below, as a supplement.
1 TCPMUX: Traffic to this port shows that someone is looking for SGI IRIX machines. IRIX is the main implementer of TCPMUX, and the service is enabled by default on that system. IRIX machines ship with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to delete these accounts, so hackers search the Internet for TCPMUX and then use these accounts.
7 Echo: You will see many of these from people searching for Fraggle amplifiers, sent to x.x.x.0 and x.x.x.255. A common DoS attack is the echo loop: the attacker forges a UDP packet from one machine to another, and the two machines then answer each other's packets as fast as they can. Another thing you will see is TCP connections to this port made by DoubleClick. They use a product called "Resonate Global Dispatch", which connects to this port on DNS servers to determine the nearest route. Harvest/Squid caches send UDP echo from port 3130: "If the cache's source_ping on option is enabled, it bounces a HIT reply off the UDP echo port of the original host." This generates a lot of such packets.
11 SysStat: This is a UNIX service that lists all the processes running on the machine and what started them. This gives an intruder a great deal of information that threatens the machine, such as exposing programs with known weaknesses or accounts. It is similar to the output of the "ps" command on UNIX systems. Again: ICMP has no ports; "ICMP port 11" usually means ICMP type = 11.
19 Chargen: This is a service that only sends characters. The UDP version responds to a received UDP packet with a packet containing garbage characters. On a TCP connection, it sends a stream of garbage characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Because each server tries to respond to the other, the unlimited round-trip traffic between chargen and echo overloads the servers. Similarly, a Fraggle DoS attack broadcasts packets carrying the forged victim IP to this port on the target address, and the victim is overloaded by the responses to this data.
21 FTP: The most common activity here is attackers looking for open "anonymous" FTP servers. These servers have directories that can be both read and written. Hackers or crackers use them as way-points for transferring warez (pirated programs) and pr0n (an intentionally misspelled word).
22 SSH, pcAnywhere: TCP connections to this port may be a search for SSH. This service has many weaknesses: in certain configurations, many versions that use the RSAREF library have a number of vulnerabilities. (Running SSH on another port is recommended.) Note also that the SSH toolkit includes a program called make-ssh-known-hosts, which scans an entire domain for SSH hosts. You will sometimes be scanned unintentionally by someone running it. UDP (rather than TCP) packets with port 5632 on the other end mean a pcAnywhere scan: 5632 (hexadecimal 0x1600) with its bytes swapped is 0x0016 (22).
23 Telnet: Intruders are searching for remote logins to UNIX. In most cases, intruders scan this port to find out which operating system the machine is running. In addition, using other techniques, intruders will find passwords.
25 SMTP: Spammers look for SMTP servers in order to deliver their spam. Spammers' accounts are always being shut down, so they need to dial up and connect to a high-bandwidth e-mail server to pass a simple message to many different addresses. SMTP servers (especially Sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and mail routing is complex (exposure + complexity = weaknesses).
53 DNS: Hackers or crackers may be attempting zone transfers (TCP), DNS spoofing (UDP), or hiding other traffic. Firewalls therefore often filter or log port 53. Note that you will often see port 53 as the UDP source port. Stateless firewalls typically allow this traffic on the assumption that it is a reply to a DNS query. Hackers often use this method to penetrate firewalls.
67 & 68 BOOTP and DHCP (UDP): Firewalls on DSL and cable-modem connections often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. A hacker can often get in by assigning them an address and presenting himself as the local router, and then launch a large number of "man-in-the-middle" attacks. The client broadcasts its configuration request to port 68 (bootps), and the server broadcasts its response to port 67 (bootpc). The response is broadcast because the client does not yet know an IP address it can be sent to.
69 TFTP (UDP): Many servers provide this service together with BOOTP so that boot code can easily be downloaded from the system. However, they are often misconfigured to serve any file from the system, such as password files. They can also be used to write files to the system.
79 Finger: Hackers use it to obtain user information, query the operating system, probe for known buffer overflow errors, and relay finger scans from the machine to other machines.
80 HTTP: The default service port for web sites is 80, using the TCP or UDP protocol.
98 linuxconf: This program provides simple administration of Linux boxen. It offers a web-based service on port 98 through an integrated HTTP server. Many security issues have been found in it: some versions are setuid root, trust the local network, create world-accessible files, and have a buffer overflow in the LANG environment variable. In addition, because it contains an integrated server, many typical HTTP vulnerabilities may be present (buffer overflows, directory traversal, etc.).
109 POP2: Not as well known as POP3, but many servers provide both services (for backward compatibility). On the same server, the vulnerabilities of POP3 also exist in POP2.
110 POP3: Used by clients to access mail on the server side. POP3 services have many recognized weaknesses. There are at least 20 weaknesses involving buffer overflows in the username and password exchange (which means a hacker can get into the system before actually logging in). There are other buffer overflow errors after a successful login.
111 sunrpc, portmap, rpcbind: Sun RPC portmapper/rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services are enabled. Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. Once the intruder finds an enabled RPC service, he turns to the specific port of that service to test for vulnerabilities. Remember to log the daemon, IDS, or sniffer output, so that you can find out which program the intruder accessed and work out what happened.
113 ident, auth: This is a protocol that runs on many machines and is used to identify TCP connections. Used in its standard form, this service can disclose information about many machines (which hackers will exploit). However, many services rely on it, especially FTP, POP, IMAP, SMTP, and IRC. Typically, if many clients access these services through your firewall, you will see many connection requests to this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back an RST when blocking a TCP connection, which stops these slow connections.
119 NNTP (news): The newsgroup transfer protocol, which carries USENET traffic. This port is typically used when you follow a link such as news://comp.security.firewalls/. Connection attempts on this port usually come from people looking for a USENET server. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server allows anyone to post and read, to access restricted newsgroups, to post anonymously, or to send spam.
135 loc-serv, MS RPC end-point mapper: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM services. This is similar in function to UNIX port 111. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When remote clients connect to the machine, they query the end-point mapper to find the location of the service. Likewise, a hacker scanning the machine on this port wants to find out: is Exchange Server running on this machine? What version is it? Besides being used to query services (for example with epdump), this port can also be used for direct attacks. There are some DoS attacks aimed directly at this port.
137 NetBIOS name service, nbtstat (UDP): This is the most common item seen by firewall administrators.
139 NetBIOS File and Print Sharing: Connections coming in on this port are attempts to reach NetBIOS/SMB. This protocol is used for Windows file and printer sharing and for Samba. Sharing your own hard drive over the Internet is probably the most common problem. Large numbers of probes of this port began in 1999 and later became fewer; in 2000 there was a rebound. Some VBS (IE5 VisualBasic Scripting) code began copying itself to this port in an attempt to reproduce.
143 IMAP: As with the security issues of POP3 above, many IMAP servers have buffer overflow vulnerabilities that can be triggered during the login process. Remember: a Linux worm (admw0rm) reproduces through this port, so many scans of this port come from infected users who are unaware of it. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux distributions. This is also a widely spread worm after the Morris worm. This port is also used by IMAP2, but that is not popular. Some reports have found that some attacks on ports 0 through 143 stem from scripts.
161 SNMP (UDP). A port that intruders probe frequently. SNMP allows devices to be managed remotely. All configuration and operating information is stored in a database and is available to SNMP clients. Many administrators misconfigure it and leave it exposed to the Internet. Crackers will try the default passwords "public" and "private" to access the system, and they may try all possible combinations. SNMP packets may also be misdirected to your network. Windows machines often use SNMP for the HP JetDirect remote management software because of misconfiguration. The HP object identifier will receive an SNMP packet. Newer versions of Win98 use SNMP to resolve domain names; you will see these packets broadcast on the subnet (cable modem, DSL), querying sysName and other information.
162 SNMP trap. Probably due to misconfiguration.
177 XDMCP. Many hackers use it to access the X-Windows console; it also needs port 6000 to be open.
513 rwho. These may be broadcasts from UNIX machines on the subnet when you are on a cable modem or DSL. These people are giving hackers very interesting information for getting into their systems.
553 CORBA IIOP (UDP). If you are on a cable modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers can use this information to get into the system.
600 pcserver backdoor. See port 1524. Some kids playing around think they have completely broken the system by modifying the ingreslock and pcserver files. - Alan J. Rosenthal.
635 mountd. Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both ports). Remember that mountd can run on any port (to find out which one, you need to do a portmap query on port 111); Linux simply defaults to port 635, just as NFS usually runs on port 2049.
1024 Many people ask what this port is for. It is the start of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the operating system to assign them the "next free port". Because of this, allocation starts from port 1024. This means that the first program to ask the system for a dynamic port will be assigned port 1024. To verify this, restart the machine, open Telnet, then open a window and run "netstat -a"; you will see that Telnet was assigned port 1024. The more programs make requests, the more dynamic ports are in use, and the port numbers assigned by the operating system gradually increase. Likewise, when you browse web pages and check with "netstat", you will see that each web page needs a new port.
1025, 1026 See 1024
1080 SOCKS. This protocol tunnels through the firewall, allowing many people behind the firewall to access the Internet through a single IP address. In theory it should only allow internal traffic to reach the Internet. However, because of misconfiguration, it can let hacker/cracker attacks from outside the firewall pass through the firewall, or simply respond to a computer located on the Internet, enabling their direct attacks on you. WinGate is a common Windows personal firewall that often has this misconfiguration. You will often see this when joining IRC chat rooms.
1114 SQL. This port is rarely scanned by itself, but it is often part of the sscan script.
1243 SUB-7 Trojans (TCP)
1524 ingreslock backdoor. Many attack scripts install a backdoor shell on this port (especially those aimed at Sendmail and RPC service vulnerabilities on Sun systems, such as statd, ttdbserver, and cmsd). If you have just installed your firewall and see connection attempts on this port, this is probably the reason. You can try telnetting to this port on your own machine to see whether it gives you a shell. The same issue applies to 600/pcserver.
2049 NFS. The NFS program usually runs on this port. Normally you need to query the portmapper to find out which port the service is running on, but in most cases NFS ends up on this port after installation, so hackers/crackers can bypass the portmapper and test this port directly.
3128 Squid. This is the default port of the Squid HTTP proxy server. Attackers scan this port to find a proxy server that lets them access the Internet anonymously. You will also see scans of the ports used by other proxy servers: 8000/8001/8080/8888. Another reason for scans of this port is that a user is entering a chat room. Other users (or the server itself) will also check this port to determine whether the user's machine supports proxying.
5632 pcAnywhere. You will see a lot of scans of this port, depending on where you are. When a user opens pcAnywhere, it automatically scans the local class C network to find possible agents (translator's note: this means agent, not proxy). Hackers/crackers also look for machines that have this service open, so you should check the source address of these scans. Some pcAnywhere scans also contain UDP packets to port 22.
6776 Sub-7 artifact. This port is used to transfer data, separately from the main Sub-7 port. For example, when a controller is controlling another machine over a telephone line and the controlled machine hangs up, you will see this. So when another person dials in with that IP address, they will see continuous connection attempts on this port. (Translator's note: seeing the firewall report connection attempts on this port does not mean that you have been controlled by Sub-7.)
6970 RealAudio. RealAudio clients receive audio data streams from the server on UDP ports 6970-7170. This is set up by the outgoing control connection on TCP port 7070.
13223 PowWow. PowWow is a chat program from Tribal Voice. It allows users to open private chats on this port. The program is very "aggressive" about establishing connections. It will "camp" on this TCP port waiting for a response, which causes connection attempts at heartbeat-like intervals. If you are a dial-up user and "inherit" an IP address from another chat user, this is what happens: it looks as if many different people are probing this port. The protocol uses "OPNG" as the first four bytes of its connection attempt.
17027 Conducent. This is an outgoing connection. It occurs because someone inside the company has installed shareware that includes the Conducent "adbot". The Conducent "adbot" is an advertising service for shareware. One popular program that uses this service is PKware. Some people have tested this: blocking the outgoing connection causes no problems, but blocking the IP addresses themselves causes the adbots to try to connect many times every second: the machine keeps trying to resolve the DNS name ads.conducent.com, that is, the IP addresses 216.33.210.40; 216.33.199.77; 216.33.199.80; 216.33.199.81; 216.33.210.41. (Translator's note: I don't know whether Netants used in Radiate also shows this behavior.)
27374 SUB-7 Trojans (TCP)
30100 NetSphere Trojan (TCP). Scans of this port are usually looking for the NetSphere Trojan.
31337 Back Orifice, "elite". In hacker speak, 31337 reads "elite" /ei'li:t/ (translator's note: French, translated as backbone or essence; that is, 3 = E, 1 = L, 7 = T). Many backdoor programs therefore run on this port. The most famous is Back Orifice. For a while this was the most common scan on the Internet. It is now becoming less and less common as other Trojans grow more popular.
31789 Hack-a-Tack. UDP traffic on this port is usually due to the "Hack-a-Tack" remote access Trojan (RAT, Remote Access Trojan). This Trojan includes a built-in scanner for port 31790, so any connection from port 31789 to port 31790 means that the intrusion has already taken place. (Port 31789 is the control connection; port 31790 is the file transfer connection.)
32770 ~ 32900 RPC services. The RPC services of Sun Solaris are within this range. In detail: early versions of Solaris (2.5.1) placed the portmapper in this range, so even when the low port was blocked by the firewall, hackers/crackers could still reach it. Scans of this range are not looking for the portmapper, but for known RPC services that can be attacked.
33434 ~ 33600 traceroute. If you see UDP packets in this port range (and only in this range), they are probably due to traceroute.
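The entry for port 1024 describes the operating system handing the "next free port" to programs that do not ask for a specific one. The Python script below is an added example, not part of the original list: it opens several client connections to a listener on 127.0.0.1 and returns the source port the OS assigned to each (the function name and the loopback setup are assumptions of the example). Current operating systems usually draw these ports from a range higher than 1024 and not always in sequence.

```python
import socket


def ephemeral_ports(n=5):
    """Open n client connections to a local listener.

    Returns (listener_port, [client source ports]); every port in the
    result was chosen by the OS, not by this program.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0 means "assign me a free port"
    listener.listen(n)
    target = listener.getsockname()
    clients, ports = [], []
    try:
        for _ in range(n):
            # No local port is requested, so the OS picks a dynamic one.
            c = socket.create_connection(target, timeout=2.0)
            clients.append(c)            # keep it open, as a browser would
            ports.append(c.getsockname()[1])
    finally:
        for c in clients:
            c.close()
        listener.close()
    return target[1], ports


if __name__ == "__main__":
    listen_port, ports = ephemeral_ports()
    print("listener on", listen_port)
    for p in ports:
        print("connection used dynamic source port", p)
```

Run "netstat -a" while the connections are open and the same port numbers appear there.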
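The 1524 entry suggests telnetting to that port on your own machine to see whether a shell answers. As an added example (not from the original list), the Python script below makes the same check against 127.0.0.1 for the TCP ports this page associates with backdoors and Trojans. The names WATCHED_PORTS, probe and audit are made up for the example.

```python
import socket

# TCP ports taken from the entries on this page.
WATCHED_PORTS = {
    600: "pcserver backdoor",
    1243: "Sub-7",
    1524: "ingreslock backdoor",
    27374: "Sub-7",
    30100: "NetSphere",
    31337: "'elite' backdoor port",
}


def probe(host, port, timeout=1.0):
    """Return (is_open, banner); banner is what the service sends unprompted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)      # a backdoor shell often prints a prompt
            except OSError:              # timeout or reset: open, but silent
                banner = b""
            return True, banner
    except OSError:                      # refused, filtered or unreachable
        return False, b""


def audit(host="127.0.0.1", ports=WATCHED_PORTS, timeout=1.0):
    """Return [(port, label, banner)] for every watched port that accepts a connection."""
    findings = []
    for port, label in sorted(ports.items()):
        is_open, banner = probe(host, port, timeout)
        if is_open:
            findings.append((port, label, banner))
    return findings


if __name__ == "__main__":
    results = audit()
    for port, label, banner in results:
        print(f"port {port} ({label}) is listening, banner={banner!r}")
    if not results:
        print("none of the watched ports is listening")
```

A listening port is only a lead: find the owning process (for example with "netstat -a") before concluding the machine is compromised.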