Detailed port list
TCP 1 = TCP Port Service Multiplexer
TCP 2 = Death
TCP 5 = Remote Job Entry, yoyo
TCP 7 = Echo
TCP 11 = Skun
TCP 12 = Bomber
TCP 16 = Skun
TCP 17 = Skun
TCP 18 = messaging protocol, skun
TCP 19 = Skun
TCP 20 = FTP Data, Amanda
TCP 21 = Document Transport, Back Construction, Blade Runner, Doly Trojan, Fore, FTP Trojan, Invisible FTP, Larva, WebEx, WinCrash
TCP 22 = Remote Login Protocol
TCP 23 = Remote Login (Telnet), T11Y Telnet Server (= TTS)
TCP 25 = Electronics email (SMTP), Ajan, Antigen, email Password Sender, Happy 99, Kuang2, ProMail trojan, Shtrilitz, Stealth, Tapiras, Terminator, WinPC, WinSpy, Haebu Coceda
TCP 27 = Assasin
TCP 28 = Amanda
TCP 29 = MSG ICP
TCP 30 = Agent 40421
TCP 31 = Agent 31, Hackers Paradise, Masters Paradise, Agent 40421
TCP 37 = Time, ADM worm
TCP 39 = SubSARI
TCP 41 = deepThroat, Foreplay
TCP 42 = host Name Server
TCP 43 = WHOIS
TCP 44 = Arctic
TCP 48 = DRAT
TCP 49 = login protocol
TCP 50 = DRAT
TCP 51 = Fuck Lamers Backdoor
TCP 52 = MuSka52, Skun
TCP 53 = DNS, Bonk (DOS Exploit)
TCP 54 = MuSka52
TCP 58 = DMSetup
TCP 59 = DMSetup
TCP 66 = AL-Bareki
TCP 69 = W32.Evala.Worm, BackGate Kit, Nimda, Pasana, Storm, Storm Worm, Theef
TCP 70 = Gopher Service, ADM WORM
TCP 79 = User Query (Finger), Firehotcker, ADM worm
TCP 80 = hypertext server (Http), Executor, RingZero
TCP 81 = Chubo
TCP 99 = Hidden Port
TCP 108 = SNA gateway access servers
TCP 109 = Pop2
TCP 110 = E-mail (Pop3), ProMail
TCP 113 = Kazimas, Auther Idnet
TCP 115 = Trivial file transfer protocol
TCP 118 = SQL Services, Infector 1.4.2
TCP 119 = Newsgroup (Nntp), Happy 99
TCP 121 = JammerKiller, Bo jammerkillah
TCP 129 = Password Generator Protocol
TCP 123 = Net Controller
TCP 133 = Infector 1.x
TCP 135 = Netbios Remote procedure call
TCP 137 = NetBIOS Name (DOS Attacks)
TCP 138 = NetBIOS DataGram
TCP 139 = NetBIOS Session (DOS Attacks)
TCP 143 = IMAP
TCP 146 = FC Infector, Infector
TCP 150 = Netbios Session Service
TCP 156 = SQL Server
TCP 161 = SNMP
TCP 162 = SNMP-Trap
TCP 170 = A-TROJAN
TCP 179 = Border Gateway Protocol (BGP)
TCP 190 = Gateway Access Control Protocol (GACP)
TCP 194 = Irc
TCP 197 = directory positioning service (DLS)
TCP 256 = Nirvana
TCP 315 = The Invasor
TCP 389 = Lightweight directory Access Protocol (LDAP)
TCP 396 = Novell Netware over IP
TCP 420 = Breach
TCP 421 = TCP Wrappers
TCP 443 = security service
TCP 444 = Simple Network Paging Protocol (SNPP)
TCP 445 = Microsoft-DS
TCP 456 = Hackers paradise, FuseSpark
TCP 458 = Apple QuickTime
TCP 531 = Rasmin
TCP 546 = DHCP Client
TCP 547 = DHCP Server
TCP 555 = Ini-Killer, Phase Zero, Stealth Spy
TCP 569 = MSN
TCP 605 = SecretService
TCP 606 = Noknok8
TCP 661 = Noknok8
TCP 666 = Attack FTP, Satanz Backdoor, Back Construction, Dark Connection Inside 1.2
TCP 667 = Noknok7.2
TCP 668 = Noknok6
TCP 692 = GayOL
TCP 777 = AIM Spy
TCP 808 = RemoteControl, WinHole
TCP 815 = Everyone Darling
TCP 901 = Backdoor.Devil
TCP 911 = DARK Shadow
TCP 999 = Deepthroat
TCP 1000 = der spaeher
TCP 1001 = Silencer, WebEx, Der Spaeher
TCP 1003 = Backdoor
TCP 1010 = Doly
TCP 1011 = Doly
TCP 1012 = Doly
TCP 1015 = Doly
TCP 1020 = Vampire
TCP 1024 = NetSpy.698 (YAI)
TCP 1025 = NetSpy.698
TCP 1033 = Netspy
TCP 1042 = Bla
TCP 1045 = Rasmin
TCP 1047 = GateCrasher
TCP 1050 = MiniCommand
TCP 1080 = Wingate, Worm.BugBear.B
TCP 1090 = Xtreme, VDOLive
TCP 1095 = Rat
TCP 1097 = Rat
TCP 1098 = Rat
TCP 1099 = Rat
TCP 1111 = Backdoor.AIMVision
TCP 1170 = Psyber Stream Server, Streaming Audio trojan, Voice
TCP 1200 = NoBackO
TCP 1201 = NoBackO
TCP 1207 = Softwar
TCP 1212 = Nirvana, Visul Killer
TCP 1234 = Ultors
TCP 1243 = BackDoor-G, SubSeven, SubSeven Apocalypse
TCP 1245 = VooDoo Doll
TCP 1269 = Mavericks Matrix
TCP 1313 = Nirvana
TCP 1349 = BioNet
TCP 1441 = Remote Storm
TCP 1492 = FTP99CMP (BackOriffice.FTP)
TCP 1509 = Psyber Streaming Server
TCP 1600 = Shivka-Burka
TCP 1703 = Exloiter 1.1
TCP 1807 = SpySender
TCP 1966 = Fake FTP 2000
TCP 1976 = Custom port
TCP 1981 = Shockrave
TCP 1999 = BackDoor, TransScout
TCP 2000 = Der Spaeher, INsane Network
TCP 2001 = Transmisson scout
TCP 2002 = Transmisson scout
TCP 2003 = Transmisson scout
TCP 2004 = Transmisson scout
TCP 2005 = Transmisson scout
TCP 2023 = Ripper, Pass Ripper, Hack City Ripper Pro
TCP 2115 = Bugs
TCP 2121 = Nirvana
TCP 2140 = Deep Throat, The Invasor
TCP 2155 = Nirvana
TCP 2208 = RuX
TCP 2255 = Illusion Mailer
TCP 2283 = HVL Rat5
TCP 2300 = PC Explorer
TCP 2311 = Studio54
TCP 2565 = Striker
TCP 2583 = WinCrash
TCP 2600 = Digital RootBeer
TCP 2716 = Prayer trojan
TCP 2801 = Phineas Phucker
TCP 2989 = Rat
TCP 3024 = WinCrash trojan
TCP 3128 = RingZero
TCP 3129 = Masters Paradise
TCP 3150 = Deep Throat, The Invasor
TCP 3210 = SchoolBus
TCP 3456 = Terror
TCP 3459 = Eclipse 2000
TCP 3700 = Portal of Doom
TCP 3791 = Eclypse
TCP 3801 = Eclypse
TCP 4000 = Tencent QQ client
TCP 4092 = WinCrash
TCP 4242 = VHM
TCP 4321 = BoBo
TCP 4444 = Prosiak, Swift remote
TCP 4500 = W32.HLLW.Tufas
TCP 4567 = File Nail
TCP 4590 = ICQTrojan
TCP 4950 = ICQTrojan
TCP 5000 = WindowsXP server, Blazer 5, Bubbel, Back Door Setup, Sockets de Troie
TCP 5001 = Back Door Setup, Sockets de Troie
TCP 5011 = One of the Last Trojans (OOTLT)
TCP 5031 = Firehotcker, Metropolitan, NetMetro
TCP 5032 = Metropolitan
TCP 5190 = ICQ Query
TCP 5321 = Firehotcker
TCP 5333 = Backage Trojan Box 3
TCP 5343 = WCrat
TCP 5400 = Blade Runner, BackConstruction1.2
TCP 5401 = Blade Runner, Back Construction
TCP 5402 = Blade Runner, Back Construction
TCP 5471 = WinCrash
TCP 5521 = Illusion Mailer
TCP 5550 = Xtcp, INsane Network
TCP 5555 = ServeMe
TCP 5556 = BO Facil
TCP 5557 = BO Facil
TCP 5569 = Robo-Hack
TCP 5598 = BackDoor 2.03
TCP 5631 = PCAnyWhere data
TCP 5637 = PC Crasher
TCP 5638 = PC Crasher
TCP 5698 = BackDoor
TCP 5714 = Wincrash3
TCP 5741 = WinCrash3
TCP 5742 = WinCrash
TCP 5881 = Y3K RAT
TCP 5882 = Y3K RAT
TCP 5888 = Y3K RAT
TCP 5889 = Y3K RAT
TCP 5900 = WinVnc, ECCOM VGA broadcast server
TCP 6000 = Backdoor.AB
TCP 6006 = Noknok8
TCP 6272 = SecretService
TCP 6267 = wide outside the girls
TCP 6400 = Backdoor.AB, The Thing
TCP 6500 = Devil 1.03
TCP 6661 = Teman
TCP 6666 = TCPshell.c
TCP 6667 = NT Remote Control, China News video receiving port
TCP 6668 = Chinese news broadcast video server
TCP 6669 = Vampyre
TCP 6670 = DeepThroat
TCP 6711 = SubSeven
TCP 6712 = SubSeven1.x
TCP 6713 = SubSeven
TCP 6723 = Mstream
TCP 6767 = NT Remote Control
TCP 6771 = DeepThroat
TCP 6776 = Backdoor-G, Subseven, 2000 CRACKS
TCP 6789 = Doly Trojan
TCP 6838 = mstream
TCP 6883 = DELTASOURCE
TCP 6912 = Shit Heep
TCP 6939 = Indoctrination
TCP 6969 = GateCrasher, Priority, IRC 3
TCP 6970 = GateCrasher
TCP 7000 = Remote Grab, NetMonitor, SubSeven1.x
TCP 7001 = Freak88
TCP 7201 = NetMonitor
TCP 7215 = BackDoor-G, SubSeven
TCP 7001 = Freak88, Freak2k
TCP 7300 = NetMonitor
TCP 7301 = NetMonitor
TCP 7306 = NetMonitor
TCP 7307 = NetMonitor, ProcSpy
TCP 7308 = NetMonitor, X Spy
TCP 7323 = Sygate server
TCP 7424 = Host Control
TCP 7597 = Qaz
TCP 7609 = Snid X2
TCP 7626 = ice
TCP 7777 = The Thing
TCP 7789 = Back Door Setup, ICQKiller
TCP 7983 = Mstream
TCP 8000 = XDMA, Tencent OICQ server-side
TCP 8010 = Logfile
TCP 8080 = WWW proxy, Ring Zero, Chubo
TCP 8520 = W32.Socay.Worm
TCP 8787 = BackOfrice 2000
TCP 8897 = Hack Office, Armageddon
TCP 8989 = Recon
TCP 9000 = Netministrator
TCP 9325 = Mstream
TCP 9400 = InCommand
TCP 9401 = InCommand
TCP 9402 = InCommand
TCP 9872 = Portal of Doom
TCP 9873 = Portal of Doom
TCP 9874 = Portal of Doom
TCP 9875 = Portal of Doom
TCP 9876 = Cyber Attacker
TCP 9878 = TransScout
TCP 9989 = Ini-Killer
TCP 9999 = Prayer Trojan
TCP 10067 = Portal of Doom
TCP 10084 = Syphillis
TCP 10085 = Syphillis
TCP 10086 = Syphillis
TCP 10101 = BrainSpy
TCP 10167 = Portal Of Doom
TCP 10168 = Worm.Supnot.78858.c
TCP 10520 = Acid Shivers
TCP 10607 = Coma trojan
TCP 10666 = Ambush
TCP 11000 = Senna Spy
TCP 11050 = Host Control
TCP 11051 = Host Control
TCP 11223 = Progenic, Hack '99KeyLogger
TCP 11831 = TROJ_LATINUS.SVR
TCP 12076 = Gjamer, MSH.104b
TCP 12223 = Hack'99 KeyLogger
TCP 12345 = GabanBus, NetBus, Pie Bill Gates, X-bill
TCP 12346 = GabanBus, NetBus, X-bill
TCP 12349 = BioNet
TCP 12361 = Whack-A-Mole
TCP 12362 = Whack-A-Mole
TCP 12378 = W32/Gibe@MM
TCP 12456 = NetBus
TCP 12623 = DUN Control
TCP 12624 = Buttman
TCP 12631 = WhackJob, WhackJob.NB1.7
TCP 12701 = Eclipse2000
TCP 12754 = Mstream
TCP 13000 = Senna Spy
TCP 13010 = Hacker Brazil
TCP 13013 = Psychward
TCP 13700 = Kuang2 The Virus
TCP 14456 = Solero
TCP 14500 = PC Invader
TCP 14501 = PC Invader
TCP 14502 = PC Invader
TCP 14503 = PC Invader
TCP 15000 = NetDaemon 1.0
TCP 15092 = Host Control
TCP 15104 = Mstream
TCP 16484 = Mosucker
TCP 16660 = Stacheldraht (DDoS)
TCP 16772 = ICQ Revenge
TCP 16969 = Priority
TCP 17166 = Mosaic
TCP 17300 = Kuang2 The Virus
TCP 17490 = CrazyNet
TCP 17500 = CrazyNet
TCP 17569 = Infector 1.4.x 1.6.x
TCP 17777 = Nephron
TCP 18753 = Shaft (DDoS)
TCP 19864 = ICQ Revenge
TCP 20000 = Millennium II (GrilFriend)
TCP 20001 = Millennium II (GrilFriend)
TCP 20002 = AcidkoR
TCP 20034 = NetBus 2 Pro
TCP 20203 = Logged, Chupacabra
TCP 20331 = Bla
TCP 20432 = Shaft (DDoS)
TCP 21544 = Schwindler 1.82, GirlFriend
TCP 21554 = Schwindler 1.82, GirlFriend, Exloiter 1.0.1.2
TCP 22222 = Prosiak, RuX Uploader 2.0
TCP 22784 = Backdoor.Intruzzo
TCP 23432 = Asylum 0.1.3
TCP 23456 = Evil FTP, Ugly FTP, WhackJob
TCP 23476 = Donald Dick
TCP 23477 = Donald Dick
TCP 23777 = INet Spy
TCP 26274 = Delta
TCP 26681 = Spy Voice
TCP 27374 = Sub Seven 2.0, Backdoor.Baste
TCP 27444 = Tribal Flood Network, Trinoo
TCP 27665 = Tribal Flood Network, Trinoo
TCP 29431 = Hack Attack
TCP 29432 = Hack Attack
TCP 29104 = Host Control
TCP 29559 = TROJ_LATINUS.SVR
TCP 29891 = The Unexplained
TCP 30001 = Terr0r32
TCP 30003 = Death, Lamers Death
TCP 30029 = AOL trojan
TCP 30100 = NetSphere 1.27a, NetSphere 1.31
TCP 30101 = NetSphere 1.31, NetSphere 1.27a
TCP 30102 = NetSphere 1.27a, NetSphere 1.31
TCP 30103 = NetSphere 1.31
TCP NetSphere Final
TCP 30303 = Sockets de Troie
TCP 30947 = Intruse
TCP 30999 = Kuang2
TCP 21335 = Tribal Flood Network, Trinoo
TCP 31336 = Bo Whack
TCP 31337 = Baron Night, BO client, BO2, Bo Facil, BackFire, Back Orifice, DeepBO, Freak2k, NetSpy
TCP 31338 = NetSpy, Back Orifice, DeepBO
TCP 31339 = NetSpy DK
TCP 31554 = Schwindler
TCP 31666 = BOWhack
TCP 31778 = Hack Attack
TCP 31785 = Hack Attack
TCP 31787 = Hack Attack
TCP 31789 = Hack Attack
TCP 31791 = Hack Attack
TCP 31792 = Hack Attack
TCP 32100 = PeanutBrittle
TCP 32418 = Acid Battery
TCP 33333 = Prosiak, Blakharaz 1.0
TCP 33577 = Son Of Psychward
TCP 33777 = Son Of Psychward
TCP 33911 = Spirit 2001a
TCP 34324 = BigGluck, TN, Tiny Telnet Server
TCP 34555 = Trin00 (Windows) (DDoS)
TCP 35555 = Trin00 (Windows) (DDoS)
TCP 36794 = Worm.Bugbear-A
TCP 37651 = YAT
TCP 40412 = The Spy
TCP 40421 = Agent 40421, Masters Paradise.96
TCP 40422 = Masters Paradise
TCP 40423 = Masters Paradise.97
TCP 40425 = Masters Paradise
TCP 40426 = Masters Paradise 3.x
TCP 41666 = Remote Boot
TCP 43210 = Schoolbus 1.6 / 2.0
TCP 44444 = Delta Source
TCP 47252 = Prosiak
TCP 47262 = Delta
TCP 47878 = BirdSpy2
TCP 49301 = Online Keylogger
TCP 50505 = Sockets de Troie
TCP 50766 = Fore, Schwindler
TCP 51966 = CafeIni
TCP 53001 = Remote Windows Shutdown
TCP 53217 = Acid Battery 2000
TCP 54283 = Back Door-G, Sub7
TCP 54320 = Back Orifice 2000, Sheep
TCP 54321 = School Bus .69-1.11, Sheep, BO2K
TCP 57341 = NetRaider
TCP 58008 = BackDoor.Tron
TCP 58009 = BackDoor.Tron
TCP 58339 = ButtFunnel
TCP 59211 = BackDoor.DuckToy
TCP 60000 = Deep throat
TCP 60068 = xzip 6000068
TCP 60411 = Connection
TCP 60606 = TROJ_BCKDOR.G2.A
TCP 61466 = Telecommando
TCP 61603 = Bunker-kill
TCP 63485 = Bunker-kill
TCP 65000 = Devil, DDoS
TCP 65432 = Th3tr41t0r, The Traitor
TCP 65530 = TROJ_WINMITE.10
TCP 65535 = RC, Adore Worm / Linux
TCP 69123 = ShitHeep
TCP 88798 = Armageddon, Hack Office

UDP 1 = Sockets des Troie
UDP 9 = Chargen
UDP 19 = Chargen
UDP 69 = Pasana, Tftpd32
UDP 80 = Penrox
UDP 135 = Netbios Remote procedure call
UDP 137 = Netbios name (DoS attacks)
UDP 138 = Netbios datagram
UDP 139 = Netbios session (DoS attacks)
UDP 146 = Infector
UDP 1025 = MAVERICK's Matrix 1.2 - 2.0
UDP 1026 = Remote Explorer 2000
UDP 1027 = Trojan.Huigezi.e
UDP 1028 = KiLo, SubSARI
UDP 1029 = SubSARI
UDP 1031 = Xot
UDP 1032 = Akosch4
UDP 1104 = RexxRave
UDP 1111 = Daodan
UDP 1116 = Lurker
UDP 1122 = Last 2000, Singularity
UDP 1183 = Cyn, SweetHeart
UDP 1200 = NoBackO
UDP 1201 = NoBackO
UDP 1342 = BLA trojan
UDP 1344 = Ptakks
UDP 1349 = BO dll
UDP 1561 = MuSka52
UDP 1772 = NetControle
UDP 1978 = Slapper
UDP 1985 = Black Diver
UDP 2000 = A-trojan, Fear, Force, GOTHIC Intruder, Last 2000, Real 2000
UDP 2001 = Scalper
UDP 2002 = Slapper
UDP 2130 = Mini BackLash
UDP 2140 = Deep Throat, Foreplay, The Invasor
UDP 2222 = SweetHeart, Way
UDP 2339 = Voice Spy
UDP 2702 = Black Diver
UDP 2989 = RAT
UDP 3150 = Deep Throat
UDP 3215 = XHX
UDP 3333 = Daodan
UDP 3801 = Eclypse
UDP 3996 = Remote Anything
UDP 4128 = RedShad
UDP 4156 = Slapper
UDP 5419 = DarkSky
UDP 5503 = Remote Shell Trojan
UDP 5555 = Daodan
UDP 5882 = Y3K RAT
UDP 5888 = Y3K RAT
UDP 6112 = Battle.net Game
UDP 6666 = KiLo
UDP 6667 = KiLo
UDP 6766 = KiLo
UDP 6767 = KiLo, UandMe
UDP 6838 = Mstream Agent-handler
UDP 7028 = unknown Trojan
UDP 7424 = host control
UDP 7788 = singularity
UDP 7983 = MStream handler-agent
UDP 8012 = Ptakks
UDP 8090 = Aphex's Remote Packet Sniffer
UDP 8127 = 9_119, Chonker
UDP 8488 = KiLo
UDP 8489 = KiLo
UDP 8787 = BackOrifice 2000
UDP 8879 = BackOrifice 2000
UDP 9325 = MStream Agent-handler
UDP 10000 = XHX
UDP 10067 = Portal of Doom
UDP 10084 = Syphillis
UDP 10100 = Slapper
UDP 10167 = Portal of Doom
UDP 10498 = Mstream
UDP 10666 = Ambush
UDP 11225 = Cyn
UDP 12321 = Protoss
UDP 12345 = BlueIce 2000
UDP 12378 = W32/Gibe@MM
UDP 12623 = ButtMan, DUN Control
UDP 15210 = UDP remote shell backdoor server
UDP 15486 = KiLo
UDP 16514 = KiLo
UDP 16515 = KiLo
UDP 18753 = Shaft handler to Agent
UDP 20433 = Shaft
UDP 21554 = GirlFriend
UDP 22784 = Backdoor.Intruzzo
UDP 23476 = Donald Dick
UDP 25123 = MOTD
UDP 26274 = Delta Source
UDP 26374 = Sub-7 2.1
UDP 26444 = Trin00 / TFN2K
UDP 26573 = Sub-7 2.1
UDP 27184 = Alvgus trojan 2000
UDP 27444 = Trinoo
UDP 29589 = KiLo
UDP 29891 = The Unexplained
UDP 30103 = NetSphere
UDP 31320 = Little Witch
UDP 31335 = Trin00 DoS Attack
UDP 31337 = Baron Night, BO client, BO2, Bo Facil, BackFire, Back Orifice, DeepBO
UDP 31338 = Back Orifice, NetSpy DK, DeepBO
UDP 31339 = Little Witch
UDP 31340 = Little Witch
UDP 31416 = Lithium
UDP 31787 = Hack aTack
UDP 31789 = Hack aTack
UDP 31790 = Hack aTack
UDP 31791 = Hack aTack
UDP 33390 = unknown Trojan
UDP 34555 = Trinoo
UDP 35555 = Trinoo
UDP 43720 = KiLo
UDP 44014 = Iani
UDP 44767 = School Bus
UDP 46666 = Taskman
UDP 47262 = Delta Source
UDP 47785 = KiLo
UDP 49301 = OnLine keyLogger
UDP 49683 = Fenster
UDP 49698 = KiLo
UDP 52901 = Omega
UDP 54320 = Back Orifice
UDP 54321 = Back Orifice 2000
UDP 54341 = NetRaider Trojan
UDP 61746 = KiLo
UDP 61747 = KiLo
UDP 61748 = KiLo
UDP 65432 = The Traitor

Port: 0
Service: Reserved
Description: Usually used to fingerprint the operating system. The method works because "0" is an invalid port on some systems, which give a different result when you try to connect to it than they give for an ordinary closed port. A typical scan uses an IP address of 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

Port: 1
Service: TCPMUX
Description: This shows that someone is looking for SGI IRIX machines. IRIX is the primary provider of TCPMUX, and the service is enabled by default on that system. IRIX machines ship with several default passwordless accounts such as IP, Guest UUCP, NUUCP, DEMOS, TUTOR, DIAG, OUTOFBOX, etc. Many administrators forget to delete these accounts after installation, so attackers search the Internet for TCPMUX and use these accounts.

Port: 7
Service: Echo
Description: You will see traffic sent to X.x.x.0 and X.x.x.255 from people searching for Fraggle amplifiers.

Port: 19
Service: Character Generator
Description: This is a service that only sends characters. The UDP version responds to each UDP packet it receives with a packet of junk characters. The TCP version sends a stream of junk characters from the time the connection is made until it is closed. Attackers use IP spoofing to launch DoS attacks, forging UDP packets between two chargen servers. Likewise, a Fraggle DoS attack broadcasts packets carrying the victim's forged IP address to this port on the target address, and the victim is overloaded by the responses.

Port: 21
Service: FTP
Description: The port opened by FTP servers, used for uploads and downloads. Attackers most commonly use it to look for FTP servers that allow anonymous access. These servers have readable and writable directories. The Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash and Blade Runner open this port.

Port: 22
Service: SSH
Description: TCP connections to this port made by PCAnywhere may be looking for SSH. This service has many weaknesses: when configured in a specific mode, many versions that use the RSAREF library have a lot of vulnerabilities.

Port: 23
Service: Telnet
Description: Remote login. The intruder is searching for remote-login Unix services. In most cases this port is scanned to identify the operating system the machine is running. Using other techniques, the intruder will also find passwords. The Trojan Tiny Telnet Server opens this port.

Port: 25
Service: SMTP
Description: The port opened by SMTP servers, used to send email. Intruders look for SMTP servers to relay their spam. Their own accounts get closed, so they need to connect to a high-bandwidth email server to pass simple messages to different addresses. The Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC and WinSpy open this port.

Port: 31
Service: MSG Authentication
Description: The Trojans Master Paradise and Hackers Paradise open this port.

Port: 42
Service: WINS Replication
Description: WINS replication.

Port: 53
Service: Domain Name Server (DNS)
Description: The port opened by DNS servers. The intruder may be attempting a zone transfer (TCP), DNS spoofing (UDP), or hiding other communications. Firewalls therefore often filter or log this port.

Port: 67
Service: Bootstrap Protocol Server
Description: Firewalls on DSL and cable-modem connections often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from a DHCP server. Attackers often step in, assign them an address, and pose as the local router to launch a large number of man-in-the-middle attacks. The client broadcasts its request to port 68, and the server broadcasts its response to port 67. The response is broadcast because the client does not yet know an IP address it can be reached at.

Port: 69
Service: Trivial File Transfer
Description: Many servers provide this service together with BOOTP so that boot code can easily be downloaded from the system. Because of misconfiguration, however, it often lets an intruder steal any file from the system. It can also be used to write files to the system.

Port: 79
Service: Finger Server
Description: Intruders use it to obtain user information, query the operating system, probe for known buffer overflow errors, and respond to finger scans from their own machine to other machines.

Port: 80
Service: HTTP
Description: Used for web browsing. The Trojan Executor opens this port.

Port: 99
Service: Metagram Relay
Description: The backdoor program NCX99 opens this port.

Port: 102
Service: Message Transfer Agent (MTA) - X.400 over TCP/IP
Description: Message transfer agent.

Port: 109
Service: Post Office Protocol - Version 3
Description: POP3 servers open this port to receive mail; clients use it to access the server-side mail service. POP3 services have many recognized weaknesses. There are at least 20 weaknesses involving buffer overflows in the username and password exchange, which means an intruder can get into the system before actually logging in. There are other buffer overflow errors after a successful login.

Port: 110
Service: Sun's RPC services, all ports
Description: Common RPC services include RPC.Mountd, NFS, RPC.Statd, RPC.CSMD, RPC.TTYBD, AMD and others.

Port: 113
Service: Authentication Service
Description: This is a protocol that runs on many computers to identify the user of a TCP connection. Using this standard service, one can obtain information about many computers. But it is also used by many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients access these services through a firewall, you will see many connection requests to this port. Remember that if this port is blocked, clients will experience slow connections to email servers on the other side of the firewall. Many firewalls send back an RST while blocking the TCP connection, which stops the slow connection.

Port: 119
Service: Network News Transfer Protocol
Description: The newsgroup transfer protocol, which carries USENET traffic. Connections to this port are usually people looking for a USENET server. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server allows anyone to post and read posts, access restricted newsgroup servers, post anonymously, or send spam.

Port: 135
Service: Location Service
Description: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM service. This is similar to the function of port 111 on UNIX. Services that use DCOM and RPC register their location with the end-point mapper on the computer. When remote clients connect to the computer, they query the end-point mapper to find the location of the service. An attacker scans this port to find out whether the computer is running Exchange Server, and which version. Some DoS attacks also target this port directly.

Port: 137, 138, 139
Service: NetBIOS Name Service
Description: 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. Port 139: connections coming in through this port are trying to reach the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and for Samba. WINS registration also uses it.

Port: 143
Service: Interim Mail Access Protocol v2
Description: As with the security problems of POP3, many IMAP servers have buffer overflow vulnerabilities. Remember: a Linux worm (ADMV0RM) spreads through this port, so many scans of this port come from unwitting users who have already been infected. These vulnerabilities became very popular when Red Hat enabled IMAP by default in its Linux releases. This port is also used for IMAP2, but that is not popular.

Port: 161
Service: SNMP
Description: SNMP allows devices to be managed remotely. All configuration and operating information is stored in a database that is available through SNMP. Many administrators misconfigure it and leave it exposed to the Internet. Crackers will try to access the system using the default passwords public and private. They may try all possible combinations. SNMP packets may be mistakenly directed at the user's network.

Port: 177
Service: X Display Manager Control Protocol
Description: Many intruders use it to access the X-Windows console; it also needs port 6000 to be open.

Port: 389
Service: LDAP, ILS
Description: The Lightweight Directory Access Protocol and the NetMeeting Internet Locator Server share this port.

Port: 443
Service: HTTPS
Description: The web browsing port; another form of HTTP that provides encryption and is transmitted over a secure port.

Port: 456
Service: [NULL]
Description: The Trojan Hackers Paradise opens this port.

Port: 513
Service: Login, Remote Login
Description: This comes from Unix computers that are logged into the subnet using a cable modem or DSL. They give intruders information for getting into their systems.

Port: 544
Service: [NULL]
Description: Kerberos kshell.

Port: 548
Service: Macintosh, File Services
Description: Macintosh file service.

Port: 553
Service: CORBA IIOP (UDP)
Description: Users of cable modem, DSL or VLAN will see broadcasts on this port. CORBA is an object-oriented RPC system. Intruders can use this information to get into the system.

Port: 555
Service: DSF
Description: The Trojans Phase 1.0, Stealth Spy and INIKILLER open this port.

Port: 568
Service: Membership DPA
Description: Membership DPA.

Port: 569
Service: Membership MSN
Description: Membership MSN.

Port: 635
Service: mountd
Description: The Linux mountd bug. This is a popular bug to scan for. Most scans of this port are UDP-based, but TCP-based mountd scans are increasing (mountd runs on both ports at the same time). Remember that mountd can run on any port (to find out which, do a portmap query on port 111); Linux simply defaults to port 635, just as NFS usually runs on port 2049.

Port: 636
Service: LDAP
Description: SSL (Secure Sockets Layer).

Port: 666
Service: Doom Id Software
Description: The Trojans Attack FTP and Satanz Backdoor open this port.

Port: 993
Service: IMAP
Description: SSL (Secure Sockets Layer).

Port: 1001, 1011
Service: [NULL]
Description: The Trojans Silencer and WebEx open port 1001. The Trojan Doly Trojan opens port 1011.

Port: 1024
Service: Reserved
Description: This is where the dynamic ports begin. Many programs do not care which port they use to connect to the network; they ask the system to assign them the next free port. Allocation therefore starts at port 1024, which means the first program to make a request is assigned port 1024. You can restart the machine, open Telnet, then open another window and run netstat -a to see that Telnet has been assigned port 1024. SQL sessions also use this port and port 5000.

Port: 1025, 1033
Service: 1025: Network Blackjack; 1033: [NULL]
Description: The Trojan Netspy opens these 2 ports.

Port: 1080
Service: SOCKS
Description: This protocol tunnels through the firewall, allowing people behind the firewall to access the Internet through a single IP address. In theory it should only allow internal traffic to go out to the Internet. However, due to misconfiguration, it can let attacks from outside the firewall pass through it. This mistake often occurs with WinGate, and it is often seen when joining IRC chat rooms.

Port: 1170
Service: [NULL]
Description: The Trojans Streaming Audio Trojan, Psyber Stream Server and Voice open this port.

Port: 1234, 1243, 6711, 6776
Service: [NULL]
Description: The Trojans SubSeven 2.0 and Ultors Trojan open ports 1234 and 6776. The Trojans SubSeven 1.0 / 1.9 open ports 1243, 6711 and 6776.

Port: 1245
Service: [NULL]
Description: The Trojan VODOO opens this port.

Port: 1433
Service: SQL
Description: The port opened by Microsoft's SQL service.

Port: 1492
Service: stone-design-1
Description: The Trojan FTP99CMP opens this port.

Port: 1500
Service: RPC client fixed port session queries
Description: RPC client fixed-port session queries.

Port: 1503
Service: NetMeeting T.120
Description: NetMeeting T.120.

Port: 1524
Service: ingress
Description: Many attack scripts install a backdoor shell on this port, especially scripts that target Sendmail and RPC service vulnerabilities on Sun systems. If you have just installed a firewall and see connection attempts on this port, the above is likely to be the reason. You can try Telnet to this port on the user's computer to see whether it gives you a shell. Connections to 600 / pcserver have the same issue.

Port: 1600
Service: issd
Description: The Trojan Shivka-Burka opens this port.

Port: 1720
Service: NetMeeting
Description: NetMeeting H.233 call setup.

Port: 1731
Service: NetMeeting Audio Call Control
Description: NetMeeting audio call control.

Port: 1807
Service: [NULL]
Description: The Trojan SpySender opens this port.

Port: 1981
Service: [NULL]
Description: The Trojan ShockRave opens this port.

Port: 1999
Service: Cisco identification port
Description: The Trojan BackDoor opens this port.

Port: 2000
Service: [NULL]
Description: The Trojans GirlFriend 1.3 and Millenium 1.0 open this port.

Port: 2001
Service: [NULL]
Description: The Trojans Millenium 1.0 and Trojan Cow open this port.

Port: 2023
Service: xinuexpansion 4
Description: The Trojan Pass Ripper opens this port.

Port: 2049
Service: NFS
Description: NFS usually runs on this port. You usually need to query the portmapper to find out which port the service is running on.

Port: 2115
Service: [NULL]
Description: The Trojan Bugg opens this port.

Port: 2140, 3150
Service: [NULL]
Description: The Trojan Deep Throat 1.0 / 3.0 opens this port.

Port: 2500
Service: RPC client using a fixed port session replication
Description: RPC client using fixed-port session replication.

Port: 2583
Service: [NULL]
Description: The Trojan WinCrash 2.0 opens this port.

Port: 2801
Service: [NULL]
Description: The Trojan Phineas Phucker opens this port.

Port: 3024, 4092
Service: [NULL]
Description: The Trojan WinCrash opens this port.

Port: 3128
Service: Squid
Description: This is the default port of the Squid HTTP proxy server. Attackers scan this port to search for a proxy server through which they can access the Internet anonymously. You will also see searches for other proxy servers on ports 8000, 8001, 8080 and 8888. Another reason for scans of this port is that a user is entering a chat room: other users check this port to determine whether the user's machine supports proxying.

Port: 3129
Service: [NULL]
Description: The Trojan Master Paradise opens this port.

Port: 3150
Service: [NULL]
Description: The Trojan The Invasor opens this port.

Port: 3210, 4321
Service: [NULL]
Description: The Trojan Schoolbus opens this port.

Port: 3333
Service: dec-notes
Description: The Trojan Prosiak opens this port.

Port: 3389
Service: Super Terminal
Description: The Windows 2000 terminal opens this port.

Port: 3700
Service: [NULL]
Description: The Trojan Portal of Doom opens this port.

Port: 3996, 4060
Service: [NULL]
Description: The Trojan RemoteAnything opens this port.

Port: 4000
Service: QQ client
Description: The Tencent QQ client opens this port.

Port: 4092
Service: [NULL]
Description: The Trojan WinCrash opens this port.

Port: 4590
Service: [NULL]
Description: The Trojan ICQTrojan opens this port.

Port: 5000, 5001, 5321, 50505
Service: [NULL]
Description: The Trojan Blazer5 opens port 5000. The Trojan Sockets de Troie opens ports 5000, 5001, 5321 and 50505.

Port: 5400, 5401, 5402
Service: [NULL]
Description: The Trojan Blade Runner opens this port.

Port: 5550
Service: [NULL]
Description: The Trojan XTCP opens this port.

Port: 5569
Service: [NULL]
Description: The Trojan Robo-Hack opens this port.

Port: 5632
Service: PCAnywhere
Description: Whether you see many scans of this port depends on where the user is located. When a user opens PCAnywhere, it automatically scans the local class C network to find possible agents (here "agent" means an agent, not a proxy). Intruders also look for computers that have this service open, so you should check the source address of such scans. Some PCAnywhere scans also contain UDP packets to port 22.

Port: 5742
Service: [NULL]
Description: The Trojan WinCrash1.03 opens this port.

Port: 6267
Service: [NULL]
Description: The Trojan Guangxiang girl opens this port.

Port: 6400
Service: [NULL]
Description: The Trojan The Thing opens this port.

Port: 6670, 6671
Service: [NULL]
Description: The Trojan Deep Throat opens port 6670. Deep Throat 3.0 opens port 6671.

Port: 6883
Service: [NULL]
Description: The Trojan DeltaSource opens this port.

Port: 6969
Service: [NULL]
Description: The Trojans GateCrasher and Priority open this port.

Port: 6970
Service: RealAudio
Description: RealAudio clients receive audio data streams from the server on UDP ports 6970-7170. This is set up by the outgoing control connection on TCP port 7070.

Port: 7000
Service: [NULL]
Description: The Trojan Remote Grab opens this port.

Port: 7300, 7301, 7306, 7307, 7308
Service: [NULL]
Description: The Trojan NetMonitor opens this port. In addition, NetSpy 1.0 also opens port 7306.

Port: 7323
Service: [NULL]
Description: Sygate server side.

Port: 7626
Service: [NULL]
Description: The Trojan giscier opens this port.

Port: 7789
Service: [NULL]
Description: The Trojan Ickiller opens this port.

Port: 8000
Service: OICQ
Description: The Tencent QQ server opens this port.

Port: 8010
Service: Wingate
Description: The Wingate agent opens this port.

Port: 8080
Service: Proxy port
Description: WWW proxies open this port.

Port: 9400, 9401, 9402
Service: [NULL]
Description: The Trojan InCommand 1.0 opens this port.

Port: 9872, 9873, 9874, 9875, 10067, 10167
Service: [NULL]
Description: The Trojan Portal of Doom opens this port.

Port: 9989
Service: [NULL]
Description: The Trojan Ini-Killer opens this port.

Port: 11000
Service: [NULL]
Description: The Trojan SennaSpy opens this port.

Port: 11223
Service: [NULL]
Description: The Trojan Progenic Trojan opens this port.

Port: 12076, 61466
Service: [NULL]
Description: The Trojan Telecommando opens this port.

Port: 12223
Service: [NULL]
Description: The Trojan Hack'99 Keylogger opens this port.

Port: 12345, 12346
Service: [NULL]
Description: The Trojans NetBus 1.60 / 1.70 and GabanBus open this port.

Port: 12361
Service: [NULL]
Description: The Trojan Whack-a-Mole opens this port.

Port: 13223
Service: PowWow
Description: PowWow is Tribal Voice's chat program. It allows users to open private chats on this port. The program is very aggressive about establishing connections: it camps on this TCP port, producing connection requests at heartbeat-like intervals. If a dial-up user inherits an IP address from another chat user, many different people will be seen probing this port. The protocol uses opng as the first 4 bytes of its connection request.

Port: 16969
Service: [NULL]
Description: The Trojan Priority opens this port.

Port: 17027
Service: Conducent
Description: This is an outgoing connection. It occurs because someone inside the company has installed shareware that includes the Conducent "adbot". The Conducent "adbot" is an advertising service for shareware. A popular program that uses this service is PKWare.

Port: 19191
Service: [NULL]
Description: The Trojan blue flame opens this port.

Port: 20000, 20001
Service: [NULL]
Description: The Trojan Millennium opens this port.

Port: 20034
Service: [NULL]
Description: The Trojan NetBus Pro opens this port.

Port: 21554 Services: [NULL] Description: Trojan Girlfriend opens this port. Port: 22222 Services: [NULL] Description: Trojan Prosiak opens this port. Port: 23456 Service: [NULL] Description: Trojan Evil FTP, UGLY FTP opens this port. Port: 26274,47262 Service: [NULL] Description: Trojan Delta opens this port. Port: 27374 Services: [NULL] Description: Trojan Subseven 2.1 opens this port. Port: 30100 Service: [NULL] Description: Trojan NetSphere opens this port. Port: 30303 Services: [NULL] Description: Trojan Socket23 opens this port. Port: 30999 Services: [NULL] Description: Trojan Kuang opens this port. Port: 31337, 31338 Services: [NULL] Description: Trojan Bo (Back Orific) opens this port. In addition, the Trojan Deepbo is also open 31338 port. Port: 31339 Service: [NULL] Description: Trojan Netspy DK opens this port. Port: 31666 Service: [NULL] Description: Trojan Bowhack opens this port. Port: 33333 Services: [NULL] Description: Trojan Prosiak opens this port. Port: 34324 Service: [NULL] Description: Trojan Tiny Telnet Server, Biggluck, TN open this port. Port: 40412 Services: [NULL] Description: Trojan the spy opens this port. Port: 40421, 40422, 40423, 40426, Service: [NULL] Description: Trojan Masters Paradise opens this port. Port: 43210,54321 Services: [NULL] Description: Trojan Schoolbus 1.0 / 2.0 open this port. Port: 44445 Services: [NULL] Description: Trojan HAPPYPIG opens this port. Port: 50766 Service: [NULL] Description: Trojan Fore open this port. Port: 53001 Services: [NULL] Description: Trojan Remote Windows Shutdown opens this port. Port: 65000 Service: [NULL] Description: Trojan Devil 1.03 opens this port. Port: 88 Description: Kerberos KRB5. In addition, TCP 88 port is also this purpose. 
Port: 137 Description: SQL NAMED PIPES Encryption over Other Protocols Name Lookup (SQL Name Links on Other Protocol Names) and SQL RPC Encryption over Other Protocols Name Lookup (other protocol name lookup SQL RPC encryption technology) and WINS NetBt Name Service (WINS NetBT Name Service) and WINS Proxy are used in this port.
Port: 161 Description: Simple Network Management Protocol (SMTP) (Simple Network Management Protocol) Port: 162 Description: SNMP Trap (SNMP Trap) Port: 445 Description: Common Internet File System (CIFS) (Public Internet File System) Port: 464 Description: Kerberos Kpasswd (V5). In addition, TCP's 464 port is also this purpose.
Because some application software occupies certain ports, some entries in this file are commented out (the comment marker is //).

TCP 5 = Remote Job Entry, yoyo
TCP 7 = Echo
TCP 63 = WHOIS
TCP 64 = Communications Integrator
TCP 65 = TACACS-Database Service
TCP 67 = Bootstrap Protocol Server
TCP 68 = Bootstrap Protocol Client
TCP 88 = Kerberos krb5 service broker
TCP 142 = NetTaxi
TCP 177 = X Display management control protocol
TCP 371 = ClearCase version management software
TCP 513 = Grlogin
TCP 514 = RPC Backdoor
TCP 544 = kerberos kshell
TCP 548 = Macintosh file services
TCP 669 = DP trojan
TCP 707 = Welchia
TCP 993 = IMAP
TCP 1016 = Doly
TCP 1023 = Worm.Sasser.e
// TCP 1025 = NetSpy.698, Unused Windows Services Block
// TCP 1026 = Unused Windows Services Block
// TCP 1027 = Unused Windows Services Block
// TCP 1028 = Unused Windows Services Block
// TCP 1029 = Unused Windows Services Block
// TCP 1030 = Unused Windows Services Block
// TCP 1033 = Netspy
// TCP 1035 = Multidropper
// TCP 1042 = Bla
// TCP 1045 = Rasmin
// TCP 1047 = GateCrasher
// TCP 1050 = MiniCommand
TCP 1069 = Backdoor.TheefServer.202
TCP 1070 = Voice, Psyber Stream Server, Streaming Audio Trojan
TCP 1080 = Wingate, Worm.BugBear.B, Worm.Novarg.B
// TCP 1090 = Xtreme, VDOLive
// TCP 1095 = RAT
// TCP 1097 = RAT
// TCP 1098 = RAT
// TCP 1099 = RAT
TCP 1110 = NFSD-Keepalive
TCP 1155 = Network File Access
TCP 1433 = Microsoft SQL services
TCP 1503 = NetMeeting T.120
TCP 1720 = NetMeeting H.233 call setup
TCP 1731 = NetMeeting audio call control
TCP 1990 = stun-p1 cisco STUN Priority 1 port
TCP 1991 = stun-p2 cisco STUN Priority 2 port
TCP 1992 = stun-p3 cisco STUN Priority 3 port, ipsendmsg IPsendmsg
TCP 1993 = snmp-tcp-port cisco SNMP TCP port
TCP 1994 = stun-port cisco serial tunnel port
TCP 1995 = perf-port cisco perf port
TCP 1996 = tr-rsrb-port cisco Remote SRB port
TCP 1997 = gdp-port cisco Gateway Discovery Protocol
TCP 1998 = x25-svc-port cisco X.25 service (XOT)
TCP 2011 = cypress
// TCP 2015 = raid-cs
TCP 2023 = Ripper, Pass Ripper, Hack City Ripper Pro
TCP 2049 = NFS
TCP 2745 = Worm.BBeagle.k
TCP 2773 = Backdoor, SubSeven
TCP 2774 = SubSeven2.1 & 2.2
TCP 3127 = Worm.Novarg
TCP 3332 = Worm.Cycle.a
TCP 3333 = Prosiak
TCP 3389 = HyperTerminal
TCP 3996 = Portal of Doom
TCP 4060 = Portal of Doom
TCP 4267 = SubSeven2.1 & 2.2
TCP 4321 = BoBo
TCP 4899 = Remote Administrator server
TCP 5002 = cd00r, Shaft
TCP 5025 = WM Remote KeyLogger
TCP 5512 = Illusion Maile
TCP 5554 = Worm.Sasser
TCP 5631 = PCAnyWhere data
TCP 5632 = PCAnyWhere
TCP 5556 = BO Facil
TCP 5557 = BO Facil
TCP 5569 = Robo-Hack
TCP 5598 = BackDoor 2.03
TCP 5637 = PC Crasher
TCP 5638 = PC Crasher
TCP 5698 = BackDoor
TCP 5714 = WinCrash3
TCP 5741 = WinCrash3
TCP 5742 = WinCrash
TCP 5760 = Portmap Remote Root Linux Exploit
TCP 5880 = Y3K RAT
TCP 5881 = Y3K RAT
TCP 5889 = Y3K RAT
TCP 5900 = WinVnc, Wise VGA broadcast port
TCP 6000 = Backdoor.AB
TCP 6006 = Noknok8
TCP 6129 = Dameware NT Utilities server
TCP 6272 = SecretService
TCP 6267 = wide, girls
TCP 6400 = Backdoor.AB, The Thing
TCP 6500 = Devil 1.03
TCP 6661 = Teman
TCP 6666 = TCPshell.c
TCP 6667 = NT Remote Control, Wise player receives port
TCP 6668 = Wise Video broadcasting port
TCP 6669 = Vampyre
TCP 6670 = DeepThroat
TCP 6671 = Deep Throat 3.0
TCP 6711 = SubSeven
TCP 6712 = SubSeven1.x
TCP 6713 = SubSeven
TCP 6723 = Mstream
TCP 6767 = NT Remote Control
TCP 6771 = DeepThroat
TCP 6776 = BackDoor-G, SubSeven, 2000 Cracks
TCP 6777 = Worm.BBeagle
TCP 6789 = Doly Troja
TCP 6883 = DeltaSource
TCP 6912 = Shit Heep
TCP 6939 = Indoctrination
TCP 6969 = GateCrasher, Priority, IRC 3
TCP 6970 = RealAudio, GateCrasher
TCP 7000 = Remote Grab, NetMonitor, SubSeven1.x
TCP 7001 = Freak88
TCP 7201 = NetMonitor
TCP 7215 = BackDoor-G, SubSeven
TCP 7001 = Freak88, Freak2k
TCP 7300 = NetMonitor
TCP 7301 = NetMonitor
TCP 7306 = NetMonitor, NetSpy 1.0
TCP 7307 = NetMonitor, ProcSpy
TCP 7308 = NetMonitor, X Spy
TCP 7323 = Sygate server-side
TCP 7424 = Host Control
TCP 7597 = Qaz
TCP 7609 = Snid X2
TCP 7626 = ice
TCP 7777 = The Thing
TCP 7789 = Back Door Setup, ICQKiller
TCP 8000 = Tencent OICQ server, XDMA
TCP 8010 = Wingate, Logfile
TCP 8080 = WWW proxy, Ring Zero, Chubo, Worm.Novarg.B
TCP 8520 = W32.Socay.Worm
TCP 8897 = Hack Office, Armageddon
TCP 8989 = Recon
TCP 9000 = Netministrator
TCP 9400 = InCommand 1.0
TCP 9401 = InCommand 1.0
TCP 9402 = InCommand 1.0
TCP 9872 = Portal of Doom
TCP 9873 = Portal of Doom
TCP 9874 = Portal of Doom
TCP 9875 = Portal of Doom
TCP 9876 = Cyber Attacker
TCP 9878 = TransScout
TCP 9989 = Ini-Killer
TCP 9898 = Worm.Win32.Dabber.a
TCP 9999 = Prayer Trojan
TCP 10080 = Worm.Novarg.B
TCP 10085 = Syphillis
TCP 10086 = Syphillis
TCP 10101 = BrainSpy
TCP 10168 = Worm.Supnot.78858.c, Worm.LovGate.T
TCP 10520 = Acid Shivers
TCP 10607 = Coma trojan
TCP 11000 = Senna Spy
TCP 11050 = Host Control
TCP 11051 = Host Control
TCP 11223 = Progenic, Hack '99KeyLogger
TCP 11831 = Troj_latinus.svr
TCP 12076 = Gjamer, MSH.104b
TCP 12223 = Hack'99 KeyLogger
TCP 12345 = GabanBus, NetBus 1.6 / 1.7, Pie Bill Gates, X-bill
TCP 12346 = GabanBus, NetBus 1.6 / 1.7, X-bill
TCP 12349 = BioNet
TCP 12361 = Whack-a-mole
TCP 12362 = Whack-a-mole
TCP 12363 = Whack-a-mole
TCP 12456 = NetBus
TCP 12624 = Buttman
TCP 12631 = WhackJob, WhackJob.NB1.7
TCP 12701 = Eclipse2000
TCP 12754 = Mstream
TCP 13000 = Senna Spy
TCP 13010 = Hacker Brazil
TCP 13013 = Psychward
TCP 13223 = Tribal Voice chat program PowWow
TCP 13700 = Kuang2 The Virus
TCP 14456 = Solero
TCP 14500 = PC Invader
TCP 14501 = PC Invader
TCP 14502 = PC Invader
TCP 14503 = PC Invader
TCP 15000 = NetDaemon 1.0
TCP 15092 = Host Control
TCP 15104 = Mstream
TCP 16484 = Mosucker
TCP 16660 = Stacheldraht (DDoS)
TCP 16772 = ICQ Revenge
TCP 16959 = Priority
TCP 16969 = Priority
TCP 17027 = Conducent "adbot" shareware advertising service
TCP 17166 = Mosaic
TCP 17300 = Kuang2 The Virus
TCP 17490 = CrazyNet
TCP 17500 = CrazyNet
TCP 17569 = Infector 1.4.x 1.6.x
TCP 17777 = Nephron
TCP 18753 = Shaft (DDoS)
TCP 19191 = Blue Flame
TCP 19864 = ICQ Revenge
TCP 20000 = Millennium II (GirlFriend)
TCP 20001 = Millennium II (GirlFriend)
TCP 20002 = AcidkoR
TCP 20034 = NetBus 2 Pro
TCP 20168 = Lovgate
TCP 20203 = Logged, Chupacabra
TCP 20331 = Bla
TCP 20432 = Shaft (DDoS)
TCP 20808 = Worm.LovGate.v.QQ
TCP 21544 = Schwindler 1.82, GirlFriend
TCP 21554 = Schwindler 1.82, GirlFriend, Exloiter 1.0.1.2
TCP 22222 = Prosiak, RuX Uploader 2.0
TCP 22784 = Backdoor.Intruzzo
TCP 23432 = Asylum 0.1.3
TCP 23456 = Evil FTP, Ugly FTP, WhackJob
TCP 23476 = Donald Dick
TCP 23477 = Donald Dick
TCP 23777 = INet Spy
TCP 26274 = Delta
TCP 26681 = Spy Voice
TCP 27374 = Sub Seven 2.0, Backdoor.Baste
TCP 27444 = Tribal Flood Network, Trinoo
TCP 27665 = Tribal Flood Network, Trinoo
TCP 29431 = Hack Attack
TCP 29432 = Hack Attack
TCP 29104 = Host Control
TCP 30001 = Terr0r32
TCP 30003 = Death, Lamers Death
TCP 30029 = AOL trojan
TCP 30100 = NetSphere 1.27a, NetSphere 1.31
TCP 30101 = NetSphere 1.31, NetSphere 1.27a
TCP 30102 = NetSphere 1.27a, NetSphere 1.31

Ports can be divided into 3 classes:

1) Well Known Ports: from 0 to 1023. They are tightly bound to particular services. Traffic on these ports usually clearly indicates the protocol of a particular service. For example, port 80 is in practice HTTP traffic.
2) Registered Ports: from 1024 to 49151. They are loosely bound to services. That is, many services are bound to these ports, but the ports are also used for many other purposes. For example, many systems hand out dynamic ports starting at around 1024.
3) Dynamic and/or Private Ports: from 49152 to 65535. In theory, these ports should not be assigned to services. In practice, machines usually allocate dynamic ports starting at 1024. There are exceptions: Sun's RPC ports begin at 32768.

This section describes what the TCP/UDP port scans commonly seen in firewall logs mean. Remember: there is no such thing as an ICMP port. If you are interested in interpreting ICMP data, see the other parts of this article.

0: Usually used to help identify the operating system. The method works because on some systems port 0 is an invalid port, and connecting to it produces different results than connecting to an ordinary closed port. A typical scan uses an IP address of 0.0.0.0, sets the ACK bit, and is broadcast at the Ethernet layer.

1 TCPMUX: This indicates that someone is looking for SGI IRIX machines. IRIX is the main provider of tcpmux, and it is enabled by default on that system.
IRIX machines ship with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to delete these accounts. Hackers therefore search the Internet for tcpmux and try these accounts.

7 Echo: You will see many of these from people searching for Fraggle amplifiers, sent to x.x.x.0 and x.x.x.255. A common DoS attack is the echo loop: the attacker sends a UDP packet from one machine to another, and the two machines then answer each other's packets as fast as they can. (See Chargen.) Another thing you may see is TCP connections to this port made by DoubleClick. There is a product called Resonate Global Dispatch that connects to this port on DNS servers to determine the closest route. Harvest/Squid caches send UDP echoes from port 3130: "If the cache is configured with source_ping on, it sends a HIT reply to the UDP echo port of the original host." This produces many such packets.
11 Sysstat: This is a UNIX service that lists all the running processes on the machine and what started them. This gives an intruder a great deal of information that threatens the machine, such as revealing programs or accounts with known weaknesses. It is similar to the output of the UNIX "ps" command. Again: ICMP has no ports; ICMP port 11 is usually ICMP type = 11.

19 Chargen: This is a service that simply sends characters. The UDP version responds to any UDP packet it receives with a packet of junk characters. On a TCP connection it sends a stream of junk characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Because each server tries to respond, the data bounces back and forth between the two servers without limit. A chargen and an echo service will overload the servers in the same way. Likewise, in a Fraggle DoS attack, packets carrying the forged victim IP are broadcast to this port on the target addresses, and the victim is overloaded by the responses to this data.

21 FTP: The most common use attackers make of this port is to look for servers that allow "anonymous" FTP. These servers have directories that can be both read and written. Hackers or crackers use these servers as nodes for transferring warez (pirated programs) and pr0n (a deliberately misspelled word).

22 SSH / pcAnywhere: TCP connections to this port may be attempts to find SSH. This service has many weaknesses. Many versions that use the RSAREF library have numerous vulnerabilities if configured in certain modes. (Running SSH on another port is recommended.) Note also that the SSH toolkit includes a program called make-ssh-known-hosts, which scans the SSH hosts of an entire domain. You will sometimes be scanned unintentionally by someone running it. UDP (rather than TCP) packets sent to this port along with port 5632 indicate a scan for pcAnywhere. 5632 (hexadecimal 0x1600) with its bytes swapped is 0x0016 (22).

23 Telnet: The intruder is looking for a remote login service on UNIX. In most cases, intruders scan this port to find out which operating system the machine is running. In addition, using other techniques, intruders will find passwords.

25 SMTP: Spammers look for SMTP servers through which to deliver their spam. Spammers' accounts are always being shut down, so they dial up and connect to a high-bandwidth e-mail server to pass a simple message on to many different addresses. SMTP servers (especially sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and mail routing is complex (exposure + complexity = weakness).

53 DNS: Hackers or crackers may be attempting zone transfers (TCP), DNS spoofing (UDP), or hiding other traffic. Firewalls therefore often filter or log port 53. Note that you will often see port 53 as the UDP source port. Stateless firewalls typically allow this traffic on the assumption that it is a reply to a DNS query. Hackers often use this method to get through firewalls.

67 and 68 Bootp/DHCP (UDP): Firewalls on DSL and cable-modem connections often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. Hackers often join such a network, get an address assigned, and set themselves up as the local router to launch a large number of "man-in-the-middle" attacks. The client broadcasts its configuration request to port 68 (bootps), and the server broadcasts its response to port 67 (bootpc). The response is broadcast because the client does not yet know an IP address that can be sent to.

69 TFTP (UDP): Many servers offer this service along with bootp so that boot code can easily be downloaded from the system. However, they are often misconfigured to serve any file from the system, such as password files. They can also be used to write files to the system.

79 Finger: Hackers use it to obtain user information, query the operating system, probe for known buffer overflow bugs, and bounce finger scans from their own machine to other machines.

98 linuxconf: This program provides simple administration of Linux boxen. It offers a web-based service on port 98 through an integrated HTTP server. Many security problems have been found in it. Some versions are setuid root, trust the local network, create world-accessible files in /tmp, and have a buffer overflow in the LANG environment variable. Also, because it contains an integrated server, many typical HTTP vulnerabilities may be present (buffer overflows, directory traversal, etc.).

109 POP2: POP2 is not as well known as POP3, but many servers provide both services (for backward compatibility). On the same server, the vulnerabilities of POP3 also exist in POP2.

110 POP3: Used by clients to access the server. POP3 services have many well-known weaknesses. There are at least 20 buffer overflow weaknesses in the username and password exchange (meaning a hacker can get into the system before actually logging in). There are other buffer overflow bugs that apply after a successful login.

111 sunrpc / portmap / rpcbind: Sun RPC portmapper/rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services are enabled. Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. Having found an enabled RPC service, the intruder turns to the specific port on which that service runs to test for vulnerabilities. Remember to log the line with a daemon, an IDS, or a sniffer, so that you can find out which program the intruder is trying to access and work out what happened.

113 ident / auth: This is a protocol that runs on many machines and identifies the user of a TCP connection. Using the standard version of this service, one can obtain information about many machines (which hackers will exploit). However, it is used by many services, especially FTP, POP, IMAP, SMTP, and IRC. In general, if you have many clients accessing these services through the firewall, you will see many connection requests to this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back a TCP reset while blocking the TCP connection, which stops this slow connection.

119 NNTP (news): The newsgroup transfer protocol, which carries USENET traffic. This port is normally used when you follow a link to an address such as news: p.security.firewalls /. Connection attempts to this port are usually people looking for a USENET server. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server allows anyone to post and read messages, access restricted newsgroup servers, post anonymously, or send spam.

135 loc-srv / MS RPC end-point mapper: Microsoft runs its DCE RPC end-point mapper on this port for its DCOM services. This is similar in function to port 111 on UNIX. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When remote clients connect to the machine, they query the end-point mapper to find out where the service is. Likewise, a hacker scans this port on a machine to find out things such as: is Exchange Server running on this machine? Which version is it? Besides being used to query services (for example with epdump), this port can also be attacked directly. There are some DoS attacks aimed directly at this port.
137 NetBIOS name service / nbtstat (UDP): This is the most common item firewall administrators see; please read the later part of this article.

139 NetBIOS File and Print Sharing: Connections coming in on this port are trying to reach the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and by Samba. Sharing your own hard disk over the Internet is probably the most common problem. Scans of this port in large numbers began in 1999 and later tapered off. In 2000 there was a rebound. Some VBS (IE5 Visual Basic Scripting) programs began copying themselves to this port in an attempt to propagate through it.

143 IMAP: As with the POP3 security issues above, many IMAP servers have buffer overflow vulnerabilities that can be reached during the login process. Remember: a Linux worm (admw0rm) propagates through this port, so many scans of this port come from infected users who are unaware of it. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux distributions. This was also a widely spread worm after the Morris worm. This port is also used for IMAP2, but that is not popular. Some reports have found that some attacks on ports 0 to 143 stem from scripts.

161 SNMP (UDP): A port that intruders probe very often. SNMP allows devices to be managed remotely. All configuration and operational information is stored in a database and is available through SNMP. Many administrators misconfigure it and leave it exposed to the Internet. Crackers will try to access the system using the default passwords "public" and "private". They may try all possible combinations. SNMP packets may also be directed at your network by mistake. Windows machines often use SNMP for the HP JetDirect remote management software because of misconfiguration. The HP object identifier will appear in these SNMP packets. Newer versions of Win98 use SNMP to resolve domain names; you will see such packets broadcast on the subnet (cable modem, DSL), querying sysName and other information.
162 SNMP trap: Probably caused by misconfiguration.

177 XDMCP: Many hackers use it to access an X-Windows console; it also requires port 6000 to be open.

513 rwho: Probably broadcasts from UNIX machines on a subnet reached by cable modem or DSL. These people are giving hackers very interesting information for getting into their systems.

553 CORBA IIOP (UDP): If you use a cable modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers will use this information to get into systems.

600 pcserver backdoor: See port 1524. Some kids who play with scripts think they have completely broken the system through the modification of the ingreslock and pcserver files. - Alan J. Rosenthal.

635 mountd: The Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based scans of mountd have increased (mountd runs on both ports). Remember that mountd can run on any port (to find out which one, do a portmap query on port 111); Linux simply defaults to port 635, just as NFS usually runs on port 2049.

1024: Many people ask what this port is used for. It is the start of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the operating system to assign them the "next free port". Such allocation starts at port 1024. This means that the first program to request a dynamic port from the system will be assigned port 1024. To verify this, restart the machine, open Telnet, then open another window and run "netstat -a"; you will see that Telnet has been assigned port 1024. The more programs make requests, the more dynamic ports are in use, and the port numbers assigned by the operating system gradually increase. Likewise, if you look with "netstat" while browsing web pages, you will see that each web page requires a new port.

Version 0.4.1, June 20, 2000 hxxp://www.robertgraham.com/pubs/firewall-seen.html Copyright 1998-2000 by Robert Graham (mailto:firewall-seen1@robertgraham.com). All rights reserved. This document may only be reproduced (whole or in part) for non-commercial purposes. All reproductions must contain this copyright notice and must not be altered, except by permission of the author.

1025: See 1024.

1026: See 1024.

1080 SOCKS: This protocol tunnels through firewalls, allowing many people behind a firewall to access the Internet through a single IP address. In theory it should only allow internal traffic out to the Internet. However, because of misconfiguration, it can allow hacker/cracker attacks from outside the firewall to pass through the firewall, or simply to respond to computers located on the Internet, concealing their direct attacks on you. WinGate is a common Windows personal firewall and is frequently misconfigured in this way. This is often seen when joining IRC chat rooms.

1114 SQL: The system itself rarely scans this port, but it is often part of the sscan script.

1243 Sub-7 Trojan (TCP): See the SubSeven section.

1524 ingreslock backdoor: Many attack scripts install a backdoor shell on this port (especially scripts that target vulnerabilities in sendmail and in RPC services on Sun systems, such as statd, ttdbserver, and cmsd). If you have just installed your firewall and see connection attempts on this port, this is very likely the reason. You can try telnetting to this port on your own machine to see whether it gives you a shell. The same applies to port 600 (pcserver).

2049 NFS: The NFS program usually runs on this port. You normally need to query the portmapper to find out which port this service is running on, but in most cases NFS runs on this port after installation, so hackers/crackers can bypass the portmapper and probe this port directly.

3128 Squid: This is the default port of the Squid HTTP proxy server. Attackers scan this port looking for a proxy server through which to access the Internet anonymously. You will also see searches for the ports of other proxy servers: 000/8001/8080/8888. Another reason this port is scanned is that a user is entering a chat room. Other users (or the server itself) check this port to determine whether the user's machine supports proxying. See Section 5.3.

5632 pcAnywhere: Depending on where you are, you will see many scans of this port. When a user opens pcAnywhere, it automatically scans the local class C network looking for possible agents (translator's note: "agent" here, not "proxy"). Hackers/crackers also look for machines with this service open, so you should check the source address of such scans. Scans for pcAnywhere often also include UDP packets to port 22. See dial-up scanning.
6776 Sub-7 artifact: This port is split off from the main Sub-7 port and is used to transfer data. For example, when a controller is controlling another machine over a telephone line and the controlled machine hangs up, you will see this. Therefore, when someone else dials in with that IP address, they will see continuous connection attempts on this port. (Translator's note: seeing the firewall report connection attempts on this port does not mean that you have been controlled by Sub-7.)

6970 RealAudio: RealAudio clients receive audio data streams from the server's UDP ports 6970-7170. This is set up by the outgoing control connection on TCP port 7070.

13223 PowWow: PowWow is Tribal Voice's chat program. It allows users to open private chats on this port. The program is very "aggressive" about establishing connections. It will "camp" on this TCP port waiting for a response, which produces connection attempts at heartbeat-like intervals. If you are a dial-up user who has "inherited" an IP address from another chat user, this is what happens: it looks as though many different people are probing this port. The protocol uses "OPNG" as the first four bytes of its connection attempt.

17027 Conducent: This is an outgoing connection. It is caused by someone inside the company having installed shareware that carries Conducent "adbot". Conducent "adbot" is an advertising service for shareware. One popular program that uses this service is PKware. Some people have tested this: blocking this outgoing connection causes no problems, but blocking the IP addresses themselves causes the adbots to keep trying to connect many times per second. The machine will keep trying to resolve the DNS name ads.conducent.com, that is, IP addresses 216.33.210.40; 216.33.199.77; 216.33.199.80; 216.33.199.81; 216.33.210.41. (Translator's note: I don't know whether NetAnts shows this behavior.)

27374 Sub-7 Trojan (TCP): See the SubSeven section.

30100 NetSphere Trojan (TCP): Scans of this port are usually looking for the NetSphere Trojan.
31337 Back Orifice "elite": Hackers read 31337 as "elite" /ei'li:t/ (translator's note: French, meaning backbone or essence; that is, 3 = E, 1 = L, 7 = T). Many backdoor programs therefore run on this port. The most famous is Back Orifice. This is the most common scan on the Internet. It is now increasingly popular, and other Trojans are becoming more and more popular.

31789 Hack-a-tack: UDP traffic on this port is usually due to the "Hack-a-tack" remote access Trojan (RAT). This Trojan contains a built-in port 31790 scanner, so any connection from port 31789 to port 31789 means that this intrusion has already occurred. (Port 31789 is the control connection; port 31790 is the file transfer connection.)

32770~32900 RPC services: Sun Solaris RPC services are within this range. In detail: early versions of Solaris (before 2.5.1) placed the portmapper in this range, which still allowed hackers/crackers to access it even when the low ports were blocked by the firewall. Scans of ports within this range are not looking for the portmapper, only for known RPC services that can be attacked.

33434~33600 traceroute: If you see UDP packets within this port range (and only within this range), they are probably due to traceroute.
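
The following is an added example, not part of the original document or of Robert Graham's FAQ: it applies the interpretations given above (port 0, UDP 22 as byte-swapped 5632, UDP source port 53, echo/chargen broadcasts, the traceroute and Solaris RPC ranges, and the three port classes) to a constructed firewall log. The log layout, the function names and the sample addresses are assumptions made for the example.

```python
import re
from typing import List, NamedTuple, Optional

class Entry(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Assumed log layout, constructed for this example (not a real firewall's format):
#   DROP <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"DROP\s+(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def parse(line: str) -> Optional[Entry]:
    """Return an Entry, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    if int(sport) > 65535 or int(dport) > 65535:
        return None  # not a valid 16-bit port number
    return Entry(proto, src, int(sport), dst, int(dport))

def port_class(port: int) -> str:
    """The three port ranges described in the text."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def byteswap16(port: int) -> int:
    """Swap the two bytes of a port number: 5632 (0x1600) <-> 22 (0x0016)."""
    return ((port & 0xFF) << 8) | (port >> 8)

# Single-port notes taken from the page: (protocol, destination port) -> note
PORT_NOTES = {
    ("TCP", 1): "tcpmux probe (search for SGI IRIX hosts)",
    ("TCP", 53): "DNS over TCP, possible zone transfer attempt",
    ("TCP", 1524): "ingreslock backdoor shell probe",
    ("TCP", 27374): "Sub-7 Trojan scan",
    ("TCP", 30100): "NetSphere Trojan scan",
    ("UDP", 31789): "Hack-a-tack Trojan traffic",
}

def annotate(e: Entry) -> List[str]:
    """Return the page's interpretation(s) for one blocked packet."""
    notes = []
    if e.dport == 0:
        notes.append("port 0, used to help identify the operating system")
    if (e.proto, e.dport) in PORT_NOTES:
        notes.append(PORT_NOTES[(e.proto, e.dport)])
    if e.proto == "UDP" and 5632 in (e.dport, byteswap16(e.dport)):
        notes.append("pcAnywhere scan (UDP 5632, or 22 = 5632 byte-swapped)")
    if e.proto == "UDP" and e.sport == 53 and e.dport != 53:
        notes.append("UDP source port 53: DNS reply, or traffic posing as one")
    if e.proto == "UDP" and e.dport in (7, 19):
        bcast = e.dst.rsplit(".", 1)[1] in ("0", "255")
        notes.append("echo/chargen " + ("broadcast probe (Fraggle amplifier search)"
                                        if bcast else "probe"))
    if e.proto == "UDP" and 33434 <= e.dport <= 33600:
        notes.append("traceroute")
    if 32770 <= e.dport <= 32900:
        notes.append("Solaris RPC range probe")
    return notes or [f"no note on the page; {port_class(e.dport)} port"]

# Constructed sample log; the addresses come from the documentation ranges.
SAMPLE_LOG = """\
DROP UDP 198.51.100.7:1045 -> 203.0.113.20:22
DROP TCP 198.51.100.7:1046 -> 203.0.113.20:22
DROP UDP 192.0.2.53:53 -> 203.0.113.20:1029
DROP UDP 198.51.100.9:4000 -> 203.0.113.255:7
DROP UDP 198.51.100.30:40000 -> 203.0.113.20:33435
DROP TCP 198.51.100.44:2100 -> 203.0.113.20:32771
this line is not a log entry
"""

def triage(log: str):
    """Pair every log line with its notes; unparsable lines are flagged."""
    out = []
    for line in log.splitlines():
        entry = parse(line)
        out.append((line, annotate(entry) if entry is not None else ["unparsed"]))
    return out

if __name__ == "__main__":
    for line, notes in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {'; '.join(notes)}")
```

The first two sample lines differ only in protocol: the UDP packet to port 22 is flagged as a pcAnywhere scan, while the TCP one is left as an ordinary well-known-port connection attempt.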