Readers who have experienced hacker attacks will know that the so-called hackers are not as distant as people think; in fact they come in through your computer's "gate". The "gate" of the computer is what we usually call a "port". This includes the physical ports of the computer, such as the serial port, parallel port, input/output devices and adapter interfaces (these ports are visible), but more important are the invisible software ports. What this article describes are "software ports", but for convenience they are still collectively referred to as "ports". This article only introduces the basic knowledge of ports,
I. Introduction to ports
With the development of computer network technology, the original physical interfaces (such as the keyboard, mouse, network card, display card and other input/output interfaces) could no longer meet the requirements of network communication, and the TCP/IP protocol, as the standard protocol for network communication, solved this communication problem. The TCP/IP protocol is integrated into the kernel of the operating system, which is equivalent to introducing a new input/output interface technology into the operating system, because TCP/IP introduced the "Socket" application programming interface. With this interface technology, a computer can communicate by software with any other computer that has a socket interface. A port is the "socket interface" on the computer.
Given these ports, how do they work? For example, why can one server be a web server, an FTP server, a mail server and so on at the same time? One important reason is that the various services use different ports: for example, the TCP/IP protocol specifies that the web uses port 80, FTP uses port 21, and the mail server uses port 25. In this way, through different ports, the computer can communicate with the outside world without the services interfering with each other.
According to experts, a server can have at most 65535 ports, but in practice only dozens of ports are commonly used, so there are quite a few unused ports. That is why so many hacker programs use some method of defining a special port to achieve their intrusion. To define such a port they must rely on a program that is automatically loaded into memory when the computer starts and forces the computer to open that special port. This program is the "backdoor" program, which is often a Trojan. Simply put, these Trojans are first implanted in a personal computer before the intrusion; they open a particular port, commonly called a "backdoor", turning the computer into an extremely open FTP server (on which the user has high permissions), and the intruder then enters through this backdoor.
II. Classification of ports
Ports can be classified in different ways depending on the reference point. By their nature, ports are usually divided into the following three categories:
(1) Well Known Ports: this type of port is also called a "common port". Their port numbers range from 0 to 1024, and they are tightly bound to specific services. Usually communication on these ports clearly indicates the protocol of a particular service, and they cannot be redefined to serve another purpose. For example, port 80 is actually used for HTTP communication, and port 23 is dedicated to the Telnet service. These ports are usually not used by hacker programs such as Trojans. So that everyone is aware of these common ports, the services of these ports are listed in detail later in this chapter for reference.
(2) Registered Ports: the port numbers range from 1025 to 49151. They are loosely bound to some services; that is, many services are bound to these ports, but these ports are also used for many other purposes. Most of these ports have no clearly defined service object, and different programs can define them according to actual needs, as the remote control software and Trojans described later do. It is therefore very necessary to remember the ports used by these common programs in order to protect against and remove Trojans. The ports used by common Trojans are listed in detail later.
(3) Dynamic and/or Private Ports: the port numbers range from 49152 to 65535. In theory, commonly used services should not be assigned to these ports. In fact, some special programs, especially some Trojans, very much like to use these ports, because they are often not noticed and are easy to hide in.
Ports can also be divided into "TCP protocol ports" and "UDP protocol ports" according to the way the service is provided, because communication between computers generally uses one of these two protocols. In the "connection-oriented mode" mentioned above, a connection to the receiver is established first, and after the information is sent its arrival can be confirmed; this mode uses the TCP protocol. The other mode does not connect to the receiver first but simply puts the information on the network, regardless of whether it arrives; this is the "connectionless mode" mentioned earlier. This approach mostly uses the UDP protocol; the IP protocol is also connectionless. The ports of services using these two protocols are correspondingly divided into "TCP protocol ports" and "UDP protocol ports".
Common ports using the TCP protocol include the following:
(1) FTP: the File Transfer Protocol, which uses port 21. When it is said that a computer has opened the FTP service, it means it has started the file transfer service. Downloading files or uploading a home page requires the FTP service.
(2) Telnet: the port for remote login. A user can connect to a computer under their own identity and obtain a DOS-style command-line communication service through this port. The old BBSs with a pure character interface were served by servers that opened port 23 to provide the service.
(3) SMTP: the Simple Mail Transfer Protocol. Many mail servers now use this protocol, which is used to send mail. The common free mail services use this mail service port, so you often see this setting in email configuration; the server opens port 25.
(4) POP3: the counterpart of SMTP, used to receive mail. The POP3 protocol typically uses port 110. As long as you have a program that uses the POP3 protocol (such as Foxmail or Outlook), you can receive email directly without logging in to the mailbox interface through the web (for example, without first entering the NetEase website and then entering your own mailbox).
Common ports using the UDP protocol include:
(1) HTTP: this is the most widely used protocol, the "Hypertext Transfer Protocol". When browsing the web, port 80 must be open on the computer that serves the web pages. What is commonly called the "WWW service" or "web server" uses this port.
(2) DNS: the domain name resolution service, used in Windows NT systems. Each computer on the Internet has a network address corresponding to its IP address, expressed as pure numbers separated by ".". Since this is inconvenient to remember, domain names exist. When accessing a computer, you only need to know the domain name; the conversion between domain name and IP address is done by the DNS server. DNS uses port 53.
(3) SNMP: the Simple Network Management Protocol, which uses port 161 and is used to manage network devices. Because there are many network devices, the connectionless service shows its advantages here.
(4) OICQ: the OICQ program both accepts and provides services, so that the two chatting parties are equal. OICQ uses a connectionless protocol, that is, the UDP protocol. The OICQ server uses port 8000 to listen for information, and the client uses port 4000 to send information out. If these two ports are already in use (for example, many people are chatting with several friends), the port numbers are increased in order.
Of the more than 60,000 ports on a computer, the port numbers below 1024 are typically called common ports, and the services corresponding to these common ports are generally fixed. Table 1 lists the server default ports that cannot be changed; general communication mainly uses these ports.
Table 1

Service Type    Default Port
Echo            7
Daytime         13
FTP             21
Telnet          23
SMTP            25
TIME            37
WHOIS           43
DNS             53
Gopher          70
Finger          79
WWW             80
POP3            110
NNTP            119
IRC             194
Different proxy servers often use the following ports:
(1) HTTP protocol proxy server common port numbers: 80/8080/3128/8081/9080
(2) SOCKS proxy protocol server common port number: 1080
(3) FTP protocol proxy server common port number: 21
(4) Telnet protocol proxy server common port number: 23
Hacker programs such as Trojans achieve their purpose by intruding through ports. In their use of ports, hacker programs usually work in two ways, namely "port listening" and "port scanning".
"Port listening" and "port scanning" are two port techniques often used both in hacker attacks and in protection. In attacks they are used to find targets and obtain useful information; in personal and network protection, the same port techniques allow hacker attacks and some security vulnerabilities to be discovered in time. Let us first briefly introduce the difference between the two techniques.
"Port listening" means using a program to monitor the ports of a target computer. Through listening, information useful to others can be captured. It is mainly used in hacker software, but it is also very useful for individuals: you can use a listener to protect your own computer by monitoring selected ports of your computer, and thus discover and intercept some hacker attacks. One can also listen on a specified port of a computer to see whether it is idle, which is how intruders prepare an intrusion.
"Port scanning" means connecting to the TCP or UDP ports of a target system to determine what services are running and then obtain the corresponding user information. Many people now lump "port listening" and "port scanning" together and are unclear about when listening technology should be used and when scanning technology should be used. Admittedly, current software blurs the line between these two techniques, and some tools simply integrate both functions in one. "Port listening" is similar to "port scanning" but also differs from it. The similarity is that both can monitor the target computer. The difference is that "port listening" is a passive process: it waits for someone else to connect and detects the required information through the other party's connection. In a personal application, if it is set to report to the user immediately when a connection is detected, it can effectively catch a hacker's connection attempts, and Trojans residing on the machine can be cleared. Such a listener is generally installed on the target computer. "Port listening" as used by hackers usually means the hacker sends a server-side program to the target; it waits while the server operates normally, captures information, and transmits it through the UDP protocol. "Port scanning" is an active process: it actively scans the selected ports of the target computer and discovers all activity on those ports in real time (especially some online activities). Scanners are typically installed on the client side, and they mainly connect to the server side using the connectionless UDP protocol.
When information propagates in the network, a tool can set the network interface to listening mode and receive or capture information in the network, and attacks are launched on that basis. Port listening can be carried out anywhere in the network, and hackers generally use port listening to intercept user passwords.
IV. The principle of port listening
The Ethernet protocol works by sending the data packet to be transmitted to all the computers connected together. The packet header carries the correct address of the computer that should receive the packet, so that only the computer whose address matches the destination address in the packet will receive it. However, when a computer works in listening mode, it receives the packet regardless of the destination physical address in the packet. When two computers in the same network communicate, the source computer sends the packet addressed to the destination computer directly; when a computer in the network communicates with an external computer, the source computer writes the destination computer's IP address into the packet and sends it to the gateway. However, this packet is not sent directly from the higher layers of the protocol stack: the packet to be sent must be handed from the IP layer of the TCP/IP protocol stack to the network interface. The network interface does not recognize IP addresses; at the network interface, a part of the Ethernet frame header is added to the IP packet received from the IP layer. The frame header contains two fields, for the physical addresses of the source and destination computers, which the network interface can identify. This is a 48-bit address corresponding to the IP address. In other words, an IP address also corresponds to a physical address. A computer acting as a gateway, being connected to multiple networks, also has multiple IP addresses, one in each network. Relaying between networks is carried out by the gateway's physical addresses.
The frame filled in with the physical address is sent out from the network port (or from the gateway port) onto the physical line. If the LAN is connected by thick or thin coaxial cable, the digital signal transmitted on the cable reaches every computer on the line. When a hub is used, the transmitted signal reaches the hub, which forwards it to every line connected to the hub, so the digital signal transmitted on the physical line reaches every computer connected to the hub. When the digital signal arrives at a computer's network interface, in the normal state the network interface checks the data frame: if the physical address carried in the frame is its own or is the broadcast address, the frame is handed to the IP layer software. This process is performed for every data frame that reaches the network interface. But when the computer works in listening mode, all data frames are handed to the upper-layer protocol software for processing. When the computers connected to the same cable or hub are logically divided into several subnets, a computer in listening mode can also receive the packets of computers that are not in its own subnet (using different masks, IP addresses and gateways); all information transmitted on the same physical channel can be received.
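The delivery decision described above, as an added example that is not code from the original article: a small Python model builds Ethernet frames on a shared hub and shows which frames reach the IP layer of host B in the normal state (own MAC or broadcast only) versus listening mode (every frame, including traffic of another logical subnet on the same cable). All MAC and IP addresses and the frame contents are constructed for the example.

```python
import struct

ETH_HDR_LEN = 14                 # destination MAC (6) + source MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6

# Constructed addresses for the hosts sharing one hub (not from any real network).
MAC_A, MAC_B, MAC_C, MAC_D, MAC_GW = (bytes([0x02, 0, 0, 0, 0, n]) for n in range(1, 6))


def build_ipv4(src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) plus payload;
    this is what the IP layer hands down to the network interface."""
    hdr = bytearray(20)
    hdr[0] = 0x45                                   # version 4, header length 5 words
    struct.pack_into("!H", hdr, 2, 20 + len(payload))
    hdr[8], hdr[9] = 64, 6                          # TTL, protocol = TCP
    hdr[12:16] = bytes(int(x) for x in src_ip.split("."))
    hdr[16:20] = bytes(int(x) for x in dst_ip.split("."))
    return bytes(hdr) + payload


def build_frame(dst_mac: bytes, src_mac: bytes, ip_packet: bytes) -> bytes:
    """The network interface prepends the Ethernet frame header; only its two
    physical-address fields are examined when deciding whether to deliver."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip_packet


def parse_frame(frame: bytes):
    """Split a raw frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return dst, src, etype, frame[ETH_HDR_LEN:]


def ipv4_endpoints(ip_packet: bytes):
    """Source and destination IPv4 addresses (header offsets 12 and 16)."""
    if len(ip_packet) < 20:
        raise ValueError("IPv4 packet too short")

    def dotted(b: bytes) -> str:
        return ".".join(str(x) for x in b)

    return dotted(ip_packet[12:16]), dotted(ip_packet[16:20])


def delivered_to_ip_layer(frames, own_mac: bytes, listening_mode: bool):
    """Model the interface's decision. Normal state: pass a frame up only if its
    destination MAC is our own or the broadcast address. Listening (promiscuous)
    mode: pass every frame up, whatever its destination MAC."""
    seen = []
    for frame in frames:
        dst, _src, etype, payload = parse_frame(frame)
        accept = listening_mode or dst == own_mac or dst == BROADCAST_MAC
        if accept and etype == ETHERTYPE_IPV4:
            seen.append(ipv4_endpoints(payload))
    return seen


# Constructed traffic on the shared cable/hub, as seen on the wire by host B.
SAMPLE_FRAMES = [
    # A talks to B in the same subnet: frame addressed directly to B's MAC.
    build_frame(MAC_B, MAC_A, build_ipv4("192.168.1.10", "192.168.1.20", b"login")),
    # A talks to an external host: IP destination is external, frame goes to the gateway's MAC.
    build_frame(MAC_GW, MAC_A, build_ipv4("192.168.1.10", "203.0.113.5", b"GET /")),
    # C sends a broadcast frame, which every interface accepts even in the normal state.
    build_frame(BROADCAST_MAC, MAC_C, build_ipv4("192.168.1.30", "192.168.1.255")),
    # C and D belong to a different logical subnet on the same physical hub.
    build_frame(MAC_D, MAC_C, build_ipv4("192.168.2.30", "192.168.2.40", b"PASS secret")),
]

if __name__ == "__main__":
    print("normal mode   :", delivered_to_ip_layer(SAMPLE_FRAMES, MAC_B, False))
    print("listening mode:", delivered_to_ip_layer(SAMPLE_FRAMES, MAC_B, True))
```

In the normal state B sees only the frame addressed to it and the broadcast; in listening mode it also sees A's traffic to the gateway and the clear-text password between C and D in the other subnet.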
On a UNIX system, when a user with superuser permissions wants to put a computer under their control into listening mode, they only need to send an I/O control command to the interface (the network interface) to set the computer to listening mode. On Windows 9x systems, this can be done by the user simply running a listening tool directly.
When a port is being listened on, a great deal of information is usually saved (including a lot of junk), and a lot of processing is applied to the collected information, which makes the listening computer respond very slowly to other users' requests. At the same time, the listener consumes a lot of processor time while running; if every packet were analysed in detail as it arrived, many packets would not be received in time. So the listening program usually stores the captured packets in a file for later analysis. Analysing the captured packets is a very troublesome matter, because the packets on the network are very complex: two computers continuously send and receive packets, and interactions with other computers are mixed into the listening results. Although the listener can fairly easily assemble the packets of the same TCP session, assembling detailed user information from them requires a great deal of protocol-based analysis.
The protocols used in the network were designed early, and many protocol implementations are based on a very friendly, trusting model of communication. In the usual network environment, user information including passwords is transmitted on the network in clear text, so obtaining user information by port listening is not difficult: anyone with a basic knowledge of the TCP/IP protocol can easily capture the desired information.
V. The principle of port scanning
"Port scanning" usually refers to sending packets to all the ports of the target computer that you want to scan, and then analysing whether each port of the target computer is open based on the returned port state. An important characteristic of "port scanning" is that within a short period many packets come from the same source address to different destination ports.
An attacker who uses port scanning can always obtain the scan results in a way that is difficult to discover or trace back. To hide the attack, the attacker can scan slowly. Unless the target system is usually idle (in which case a packet to a port with no listener stands out to the administrator), such a scan is difficult to identify. A method of hiding the source address is to send a large number of spoofed port-scan packets (say 1000), only one of which comes from the real source address. In this way, even if all 1000 packets are noticed and logged, no one knows which is the true source address; all that is known is that "a scan took place". Because of this, hackers keep using port scanning technology to obtain information about the target computer and then launch malicious attacks. The tools that typically perform port scanning are port scanning software, also called "port scanners". Port scanning can serve three purposes:
(1) Identify the TCP and UDP services running on the target system.
(2) Identify the operating system type of the target system (Windows 9x, Windows NT, UNIX, etc.).
(3) Identify the version number of an application or a particular service.
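The detection side of the characteristic named above (many packets from one source to different destination ports within a short time), as an added example that is not code from the original article: a Python detector run over constructed connection-attempt log lines. The log format ("timestamp src_ip dst_ip dst_port"), the addresses, the window sizes and the thresholds are all assumptions; the example also shows that the slow scan described above escapes a short window and only appears when the window is widened.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log of connection attempts seen at a border device.
# Three sources: a fast scanner, a normal web client, and a slow scanner (one port per minute).
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 192.0.2.10 21
2024-05-01T10:00:00 198.51.100.7 192.0.2.10 22
2024-05-01T10:00:01 198.51.100.7 192.0.2.10 23
2024-05-01T10:00:01 198.51.100.7 192.0.2.10 25
2024-05-01T10:00:02 198.51.100.7 192.0.2.10 53
2024-05-01T10:00:02 198.51.100.7 192.0.2.10 80
2024-05-01T10:00:03 198.51.100.7 192.0.2.10 110
2024-05-01T10:00:03 198.51.100.7 192.0.2.10 119
2024-05-01T10:00:05 203.0.113.44 192.0.2.10 80
2024-05-01T10:00:06 203.0.113.44 192.0.2.10 80
2024-05-01T10:00:07 203.0.113.44 192.0.2.10 443
2024-05-01T10:01:00 203.0.113.200 192.0.2.10 21
2024-05-01T10:02:00 203.0.113.200 192.0.2.10 22
2024-05-01T10:03:00 203.0.113.200 192.0.2.10 23
2024-05-01T10:04:00 203.0.113.200 192.0.2.10 25
2024-05-01T10:05:00 203.0.113.200 192.0.2.10 53
2024-05-01T10:06:00 203.0.113.200 192.0.2.10 80
"""


def parse_log(text: str):
    """Parse 'timestamp src_ip dst_ip dst_port' lines into tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def detect_scans(records, window_seconds: int, min_distinct_ports: int):
    """Sliding-window port-scan detector.

    Returns {src_ip: first_alert_timestamp} for every source that touched at
    least min_distinct_ports distinct (dst_ip, dst_port) pairs inside any span of
    window_seconds. Repeated hits on the same port (a normal client retrying)
    count once, so they do not trigger an alert.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # src -> deque of (timestamp, (dst_ip, port))
    alerts = {}
    for ts, src, dst, port in sorted(records, key=lambda r: r[0]):
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:   # drop hits that fell out of the window
            q.popleft()
        distinct_targets = {target for _, target in q}
        if len(distinct_targets) >= min_distinct_ports and src not in alerts:
            alerts[src] = ts
    return alerts


def report(text: str, window_seconds: int, min_distinct_ports: int) -> str:
    """Human-readable summary for one window/threshold setting."""
    alerts = detect_scans(parse_log(text), window_seconds, min_distinct_ports)
    lines = [f"window={window_seconds}s threshold={min_distinct_ports} distinct ports"]
    for src, ts in sorted(alerts.items()):
        lines.append(f"  possible port scan from {src}, first seen {ts.isoformat()}")
    if not alerts:
        lines.append("  no scan detected")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, 10, 5))     # catches the fast scanner only
    print(report(SAMPLE_LOG, 600, 5))    # a 10-minute window also catches the slow scanner
```

Widening the window catches the slow scan but raises the risk of false positives from busy legitimate clients, which is why the threshold counts distinct targets rather than raw packets.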
A port scanner is a program that automatically detects the security weaknesses of remote or local computers. With a scanner you can discover the allocation of the remote server's various TCP ports and the services provided on them, and you can also learn what software version they are using. This gives an indirect understanding of the security problems of the remote computer.
The port scanner records the target computer's responses by selecting different services of the remote TCP/IP stack, and from these responses it can collect a lot of useful information about the target computer (such as: is a port listening? is anonymous login allowed? is there a writable FTP directory? can Telnet be used? and so on).
A port scanner is not a program that directly attacks network vulnerabilities; it only helps to find some inherent weaknesses of the target machine. A good scanner can also analyse the data it obtains to help find the vulnerabilities of the target computer, but it does not provide detailed steps for entering the system.
The scanning process of a port scanner has the following three aspects:
(1) the ability to discover a computer or network;
(2) once a computer is found, the ability to find out what services are running on it;
(3) the ability to find existing vulnerabilities by testing those services on the target computer.
Writing a scanner requires a good deal of knowledge of TCP/IP protocol programming and of the C, Perl and/or shell languages, as well as some socket programming experience, which is the method used to develop client/server applications.
VI. Common ports
Of the more than 60,000 ports on a computer, the port numbers below 1024 are typically called common ports, and the services corresponding to these common ports are typically fixed, so understanding these common ports is very necessary for certain programs. Table 2 below lists the services corresponding to the common ports of a computer (note: in this list, the number before the "=" is the port number, and what follows the "=" is the corresponding port service).
1 = TCPMUX (TCP Protocol Port Service Multiplexer)
401 = UPS (Uninterruptible Power Supply)
2 = compressNet (Management Utility)
402 = genie (Genie Protocol)
3 = compressNet (Compression Process)
403 = DECAP
5 = RJE (Remote Job Entry)
404 = nced
7 = echo
405 = NCLD
9 = Discard
406 = IMSP (Interactive Mail Support Protocol)
11 = SYSTAT, ACTIVE USERS
407 = TIMBUKTU
13 = daytime
408 = PRM-SM (ProSpero Resource Manager Sys. Man.)
17 = qotd (quote of the day)
409 = PRM-NM (Prospero Resource Manager Node Man.)
18 = MSP (Message Send Protocol)
410 = DECLadebug (DECLadebug Remote Debug Protocol)
19 = Character Generator
411 = RMT (Remote MT Protocol)
20 = ftp-data (File Transfer [Default Data])
412 = Synoptics-Trap (TRAP Convention Port)
21 = ftp (file transfer [control])
413 = SMSP
22 = SSH
414 = INFOSEEK
23 = Telnet
415 = BNET
24 = Private Mail System
416 = SilverPlatter
25 = SMTP (Simple Mail Transfer)
417 = ONMUX
27 = NSW-Fe (NSW User System Fe)
418 = Hyper-g
29 = MSG-ICP
419 = Ariel1
31 = msg-auth
420 = SMPTE
33 = DISPLAY Support Protocol
421 = Ariel2
35 = Private Printer Server
422 = Ariel3
37 = TIME
423 = OPC-Job-Start (IBM Operations Planning and Control Start)
38 = RAP (Route Access Protocol)
424 = OPC-JOB-TRACK (IBM Operations Planning and Control TRACK)
39 = RLP (Resource Location Protocol)
425 = ICAD-EL (ICAD)
41 = graphics
426 = smartsdp
42 = Nameserver (Wins Host Name Server)
427 = SVRLOC (Server location)
43 = nicname (WHO IS)
428 = OCS_CMU
44 = MPM-FLAGS (MPM Flags Protocol)
429 = OCS_AMU
45 = MPM (Message Processing Module [RECV])
430 = UTMPSD
46 = MPM-SND (MPM [Default Send])
431 = UTMPCD
47 = Ni-ftp
432 = IASD
48 = Digital Audit Daemon
433 = NNSP
49 = TACACS (Login Host Protocol (TACACS))
434 = MobileIP-Agent
50 = RE-MAIL-CK (Remote Mail Checking Protocol)
435 = mobilip-mn
51 = la-maint (IMP Logical Address Maintenance)
436 = DNA-CML
52 = xns-time (XNS Time Protocol)
437 = COMSCM
53 = Domain Name Server
438 = DSFGW
54 = XNS-CH (Xns clearinghouse)
439 = DASP (DASP THOMAS OBERMAIR)
55 = ISI-GL (ISI Graphics Language)
440 = SGCP
56 = xns-auth (xns authent)
441 = DECVMS-SYSMGT
57 = Private Terminal Access
442 = CVC_Hostd
58 = xns-mail (xns mail)
443 = HTTPS (HTTPS MCOM)
59 = private file service
444 = SNPP (Simple Network Paging Protocol)
61 = ni-mail (ni mail)
445 = Microsoft-DS
62 = ACAS (ACA Services)
446 = DDM-RDB
63 = WHOIS++ (whois++)
447 = DDM-DFM
64 = COVIA (Communications Integrator (CI))
448 = DDM-BYTE
65 = TACACS-DS (TACACS-Database Service)
449 = as-servermap
66 = SQL * NET (Oracle SQL * NET)
450 = TSERVER
67 = bootps (Bootstrap Protocol Server)
451 = SFS-SMP-Net (CRAY NETWORK SEMAPHORE Server)
68 = BootPC (Bootstrap Protocol Client)
452 = SFS-Config (Cray SFS Config Server)
69 = TFTP (Trivial File Transfer)
453 = Creative Server
70 = gopher
454 = ContentServer
71 = Netrjs-1, Remote Job Service
455 = CreativePartnr
72 = Netrjs-2, Remote Job Service
456 = Macon-TCP
73 = Netrjs-3, Remote Job Service
457 = scohelp
74 = Netrjs-4, Remote Job Service
458 = AppleQTC (Apple Quick Time)
75 = Private Dial Out Service
459 = AMPR-RCMD
76 = Deos (Distributed External Object Store)
460 = SKRONK
77 = Private RJE Service
461 = DataSurfsrv
78 = vettcp
462 = DataSurfsrvsec
79 = Finger
463 = Alpes
80 = HTTP (World Wide Web HTTP)
464 = kpasswd
81 = HOSTS2-NS (Hosts2 Name Server)
465 = SSMTP
82 = XFER (XFer Utility)
466 = DIGITAL-VRC
83 = MIT-ML-DEV (MIT ML DEVICE)
467 = Mylex-mapd
84 = CTF (Common TRACE FACILITY)
468 = Photuris
85 = mit-ml-dev (MIT ML DEVICE)
469 = RCP (Radio Control Protocol)
86 = MFCOBOL (Micro Focus COBOL)
470 = SCX-Proxy
87 = Private Terminal Link
471 = Mondex
88 = Kerberos
472 = LJK-Login
89 = SU-MIT-TG (SU / MIT TELNET GATEWAY)
473 = Hybrid-Pop
90 = DNSIX (Dnsix Securit Attribute Token Map)
474 = TN-TL-W1
91 = Mit-DOV (Mit Dover Spooler)
475 = TCPNETHASPSRV
92 = NPP (NetWork Printing Protocol)
476 = TN-TL-FD1
93 = DCP (Device Control Protocol)
477 = SS7NS
94 = ObjCall (Tivoli Object Dispatcher)
478 = SPSC
95 = SUPDUP
479 = Iafserver
96 = DIXIE (DIXIE Protocol Specification)
480 = iafdbase
97 = SWIFT-RVF (SWIFT Remote Virtural File Protocol)
481 = pH (pH service)
98 = tacnews
482 = BGS-NSI
99 = Metagram, Metagram RELAY
483 = ULPNET
100 = newAcct, [unauthorized use]
484 = INTEGRA-SME (Integra Software Management Environment Environment)
101 = Hostname, Nic Host Name Server
485 = Powerburst (Air Soft Power Burst)
102 = ISO-TSAP (ISO-TSAP Class 0)
486 = avian
103 = GPPITNP (Genesis Point-to-Point Trans Net)
487 = SAFT
104 = ACR-NEMA (Acr-Nema Digital Imag. & Comm. 300)
488 = GSS-HTTP
105 = Mailbox Name Nameserver
489 = Nest-Protocol
106 = 3COM-TSMUX (3COM-TSMUX)
490 = MICOM-PFS
107 = RTELNET (REMOTE TELNET Service)
491 = Go-login
108 = SNAGAS (SNA Gateway Access Server)
492 = TiCF-1 (Transport Independent Convergence for FNA)
109 = POP2 (Post Office Protocol - Version 2)
493 = TiCF-2 (Transport Independent Convergence for FR)
110 = POP3 (Post Office Protocol - Version 3)
494 = POV-ray
111 = SunRPC (Sun Remote Procedure Call)
495 = INTECOOURIER
112 = MCIDAS (Mcidas Data Transmission Protocol)
496 = PIM-RP-DISC
113 = Authentication Service
497 = DANTZ
114 = AudionEws (Audio News Multicast)
498 = SIAM
115 = SFTP (Simple File Transfer Protocol)
499 = ISO-ILL (ISO ILL Protocol)
116 = ansanotify (Ansa Rex Notify)
500 = isakmp
117 = uucp-path (uucp path service)
501 = STMF
118 = SQLSERV
502 = Asa-Appl-Proto
119 = NNTP (NetWork News Transfer Protocol)
503 = Intrinsa
120 = cfdptkt
504 = CITADEL
121 = ERPC (Encore Expedified Remote Pro.Call)
505 = Mailbox-LM
122 = SMAKYNET
506 = OHIMSRV
123 = NTP (NetWork Time Protocol)
507 = CRS
124 = Ansatrader (Ansa Rex Trader)
508 = XVTTP
125 = LOCUS-MAP (Locus PC-Interface Net Map Ser)
509 = SNARE
126 = Unisys Unity Login
510 = FCP (FirstClass Protocol)
127 = Locus-conn (Locus PC-Interface CONN Server)
511 = MyNet (MyNet-AS)
128 = GSS-XLICEN (GSS X License Verification)
512 = EXEC (Remote Process Execution)
129 = PWDGEN (Password Generator Protocol)
513 = login (Remote Login a La Telnet)
130 = Cisco-FNA (Cisco Fnative)
514 = shell, cmd
131 = Cisco-TNA (Cisco TNATIVE)
515 = Printer, Spooler
132 = Cisco-Sys (Cisco Sysmaint)
516 = Video Videotex
133 = STATSRV (STATISTICS Service)
517 = Talk (Like Tenex Link)
134 = INGRES-NET (Ingres-Net Service)
518 = NTALK
135 = EPMAP (DCE EndPoint Resolution)
519 = Utime (UnixTime)
136 = Profile (Profile Naming System)
520 = EFS (Extended File Name Server)
137 = NetBIOS-NS (Netbios Name Service)
521 = RIPNG
138 = NetBIOS-DGM (NetBIOS DataGram Service)
522 = ULP
139 = NetBIOS-SSN (NetBIOS Session Service)
523 = IBM-DB2
140 = EMFIS-DATA (EMFIS DATA Service)
524 = NCP
141 = EMFIS-CNTL (EMFIS Control Service)
525 = TIMED (TIMESERVER)
142 = BL-IDM (Britton-Lee IDM)
526 = Tempo (NewDate)
143 = IMAP (Internet Message Access Protocol)
527 = STX (stock ixchange)
144 = News
528 = Custix (Customer IXChange)
145 = UAAC (UAAC Protocol)
529 = IRC-Serv
146 = ISO-TP0
530 = Courier, RPC
147 = ISO-IP
531 = Conference, Chat
148 = jargon
532 = NetNews
149 = AED-512 (AED 512 Emulation Service)
533 = NetWall (for Emergency Broadcasts)
150 = SQL-NET
534 = mm-admin (megamedia admin)
151 = HEMS
535 = IIOP
152 = BFTP (Background File Transfer Program)
536 = OPALIS-RDV
153 = SGMP
537 = NMSP (NetWorked Media Streaming Protocol)
154 = Netsc-Prod, Netsc
538 = GDOMAP
155 = Netsc-dev, Netsc
539 = Apertus-LDP (Apertus Technologies Load Determination)
156 = SQLSRV (SQL Service)
540 = uucp
157 = KNET-CMP (KNET / VM Command / Message Protocol)
541 = uucp-rlogin
158 = PCMAIL-SRV
542 = Commerce
159 = NSS-Routing
543 = klogin
160 = SGMP-TRAPS
544 = kshell, krcmd
161 = SNMP
545 = AppleQTCSRVR
162 = SNMPTRAP
546 = DHCPV6-Client
163 = CMIP-Man
547 = DHCPV6-Server
164 = CMIP-Agent
548 = afpovertcp (AFP over TCP protocol)
165 = XNS-Courier (Xerox)
549 = IDFP
166 = S-Net (Sirius Systems)
550 = new-rwho
167 = NAMP
551 = cybercash
168 = RSVD
552 = Deviceshare
169 = Send
553 = PIRP
170 = Print-SRV (Network PostScript)
554 = RTSP (Real Time Stream Control Protocol)
171 = Multiplex (NetWork Innovations Multiplex)
555 = DSF
172 = CL / 1 (Network Innovations CL / 1)
556 = Remotefs (RFS Server)
173 = XYPLEX-MUX (XYPLEX)
557 = OpenVMS-SYSIPC
174 = Mailq
558 = SDNSKMP
175 = VMNET
559 = TEEDTAP
176 = Genrad-MUX
560 = rmonitor
177 = XDMCP (X Display Manager Control Protocol)
561 = Monitor,?
178 = NextStep (NextStep Window Server)
562 = Chshell, CHCMD
179 = BGP (Border Gateway Protocol)
563 = SNEWS
180 = RIS (Intergraph)
564 = 9PFS (Plan 9 file service)
181 = Unify
565 = WhoAmi
182 = AUDIT (Unisys Audit Sitp)
566 = streettalk
183 = OCBINDER
567 = Banyan-RPC
184 = OCserve
568 = MS-Shuttle (Microsoft Shuttle)
185 = Remote-Kis
569 = MS-ROME (Microsoft Rome)
186 = KIS (Kis Protocol)
570 = meter, Demon
187 = ACI (Application Communication Interface)
571 = meter, udemon
188 = MUMPS (Plus Five's Mumps)
572 = Sonar
189 = QFT (Queued File Transport)
573 = Banyan-VIP
190 = GATEWAY Access Control Protocol
574 = ftp-agent (ftp Software agent system)
191 = Prospero (ProSpero Directory Service)
575 = vemmi
192 = OSU-NMS (OSU NetWork Monitoring System)
576 = IPCD
193 = SRMP (Spider Remote Monitoring Protocol)
577 = VNAS
194 = IRC (Internet Relay Chat Protocol)
578 = ipdd
195 = DN6-NLM-AUD (DNSIX Network Level Module Audit)
579 = DECBSRV
196 = DN6-SMM-Red (DNSIX Session Mgt Module Audit Redir)
580 = SNTP-HeartBeat (SNTP HeartBeat)
197 = DLS (Directory Location Service)
581 = BDP (Bundle Discovery Protocol)
198 = DLS-MON (Directory Location Service Monitor)
600 = IPCSERVER (Sun IP Protocol C Server)
199 = SMUX
606 = URM (CRAY UNIFIED RESOURCE MANAGER)
200 = SRC (IBM System Resource Controller)
607 = NQS
201 = AT-RTMP (AppleTalk Routing Maintenance)
608 = NSIFT-UFT (Sender-Initiated / UnsolicIn
202 = AT-NBP (AppleTalk Name Binding)
609 = NPMP-TRAP
203 = AT-3 (AppleTalk Unused)
610 = NPMP-LOCAL
204 = At-echo (AppleTalk Echo)
611 = NPMP-GUI
205 = AT-5 (AppleTalk Unused)
612 = HMMP-IND (HMMP IND)
206 = At-Zis (AppleTalk Zone Information)
613 = HMMP-OP (HMMP Operation)
207 = AT-7 (AppleTalk Unused)
614 = SSHELL (SSLSHELL)
208 = AT-8 (AppleTalk Unused)
615 = SCO-INETMGR (Internet Configuration Manager)
209 = QMTP (THE Quick Mail Transfer Protocol)
616 = SCO-SYSMGR (SCO System Administration Server)
210 = Z39.50 (ANSI Z39.50)
617 = SCO-DTMGR (SCO Desktop Administration Server)
211 = 914C / G (Texas Instruments 914C / G Terminal)
618 = DEI-ICDA
212 = ANET (ATEXSSTR)
619 = DIGITAL-EVM
213 = IPX
620 = SCO-Websrvrmgr (SCO Webserver Manager)
214 = VMPWSCS
633 = ServStat (Service Status Update (Sterling Software))
215 = SOFTPC (Insignia Solutions)
634 = GINAD
216 = Cailic (Computer Associates Int'l License Server)
635 = rlzdbase
217 = DBASE (DBASE UNIX)
636 = SSL-LDAP
218 = MPP (Netix Message Posting Protocol)
637 = lanserver
219 = UARPS (Unisys ARPS)
666 = MDQS
220 = IMAP3 (Interactive Mail Access Protocol v3)
667 = Disclose (Campaign Contribution Disclosures - SDR Technologies)
221 = FLN-SPX (Berkeley Rlogind with SPX Auth)
668 = mecomm
222 = RSH-SPX (Berkeley RSHD with SPX Auth)
669 = meregister
223 = CDC (CERTIFICATE DISTRIBUTION center)
670 = VACDSM-SWS
242 = Direct
671 = VACDSM-APP
243 = Sur-Meas (Survey Measurement)
672 = VPPS-qua
244 = dayna
673 = CIMPLEX
245 = LINK
674 = ACAP
246 = DSP3270 (Display Systems Protocol)
704 = Elcsd (Errlog Copy / Server Daemon)
256 = RAP
705 = Agentx
257 = SET (Secure Electronic Transaction)
709 = Entrust-KMSH (Entrust Key Management Service Handler)
258 = Yak-chat (Yak Winsock Personal Chat)
710 = Entrust-ASH (Entrust Administration Service Handler)
259 = ESRO-GEN (Efficient Short Remote Operations)
729 = NetViewDM1 (IBM NetView DM / 6000 Server / Client) 260 = OpenPort
730 = NetViewDM2 (IBM NETVIEW DM / 6000 Send)
261 = Naming-IIOP-SSL (IIOP Naming Service (SSL))
731 = NetViewDM3 (IBM NetView DM / 6000 Receive)
262 = arcisdms
741 = NETGW
263 = HDAP
742 = NETRCS (NetWork Based Rev. Cont. Sys.)
280 = http-mgmt
744 = flexlm (flexible license manager)
281 = Personal-Link
747 = Fujitsu-dev (Fujitsu Device Control)
282 = CABLEPORT-AX
748 = RIS-CM (Russell Info Sci Calendar Manager)
309 = entrusttime
749 = Kerberos-ADM (Kerberos Administration)
1435 = IBM-CICS
750 = RFILE
344 = PDAP (Prospero Data Access Protocol)
751 = PUMP
345 = Pawserv (Perf Analysis Workbench)
752 = qrh
346 = ZSERV (Zebra Server)
753 = RRH
347 = FatServ (Fatmen Server)
754 = Tell, Send
348 = CSI-SGWP (Cabletron Management Protocol)
758 = NLOGIN
349 = MFTP
759 = con
350 = Matip-Type-a
760 = ns
351 = Matip-Type-B
761 = RXE
371 = CLEARCASE
762 = quotad
372 = ulistproc (listprocessor)
763 = CycleServ
373 = Legent-1 (Legent Corporation)
764 = OMserve
374 = legent-2 (Legent Corporation)
765 = Webster
375 = hasle
767 = Phonebook, Phone
376 = NIP (Amiga Envoy Network Inquiry Proto)
769 = VID
377 = TNETOS (NEC Corporation)
770 = CADLOCK
378 = Dsetos (NEC Corporation)
771 = RTIP
379 = IS99C (TIA / EIA / IS-99 MODEM Client)
772 = CycleServ2
380 = IS99S (TIA / EIA / IS-99 MODEM Server)
773 = SUBMIT
381 = HP-Collector (HP Performance Data Collector)
774 = rpasswd
382 = hp-managed-node (HP Performance Data Managed Node)
775 = ENTOMB
383 = HP-ALARM-MGR (HP Performance Data Alarm Manager)
776 = WPAGES
384 = arns (a Remote Network Server System)
780 = WPGS
385 = IBM-APP (IBM Application)
786 = Concert
386 = ASA (ASA Message Router Object DEF.)
800 = mdbs_daemon
387 = AURP (AppleTalk Update-Based Routing Pro.)
801 = Device
388 = Unidata-LDM (Unidata LDM Version 4)
886 = ICLCNET-LOCATE (ICL CONETION LOCATE SERVER)
389 = LDAP (LightWeight Directory Access Protocol)
887 = ICLCNET_SVINFO (ICL CONETION Server Info)
390 = uis
888 = AccessBuilder
391 = SYNOTICS-RELAY (SYNOPTICS SNMP RELAY Port)
911 = XACT-BACKUP
392 = SYNOTICS-BROKER (Synoptics Port Broker Port)
991 = NAS (NETNews Administration System)
393 = DIS (Data Interpretation System)
995 = SPOP3 (SSL Based POP3)
394 = EMBL-NDT (EMBL Nucleic Data Transfer)
996 = vsinet
395 = Netcp (NetScout Control Protocol)
997 = Maitrd
396 = NetWare-IP (Novell NetWare Over IP protocol)
998 = busboy
397 = MPTN (Multi Protocol Trans. Net.)
999 = GARCON
398 = Kryptolan
1000 = CADLOCK
399 = ISO-TSAP-C2 (ISO Transport Class 2 Non-Control Over TCP protocol)
1023 = Reserved (reserved)
400 = Work-Sol (Workstation Solutions)
1024 = reserved (reserved) Seven, common Trojans used ports
Trojans usually listen on a specific port, so knowing which ports common Trojans use is very helpful for detecting them and for defending against hacking programs. Table 3 below lists the ports used by some common Trojan programs. Note that a port number alone is only a hint: some of these ports are also assigned to legitimate services (for example 666 or 7306 in the table above), and most Trojans can be reconfigured to use a different port, so a match should be confirmed by identifying the process that owns the socket.
Ports used by common domestic (Chinese) Trojans
2000 = Black Hole 2000
2001 = Black Hole 2001
6267 = Guangwai Girl (GWGirl)
7306 = Network Elf 3.0, NetSpy 3.0
7626 = Glacier (BingHe)
8011 = WuLai XiaoZi (Rascal Kid), Fire Phoenix
8102 = NetThief (Network Thief)
19191 = Blue Flame
23444 = NetBull (Network Bull)
23445 = NetBull (Network Bull)
27374 = Sub Seven 2.0, 77, Oriental Magic
Ports used by common foreign Trojans
121 = BO jammerkillahV
456 = Hackers Paradise
555 = Stealth Spy, Phase0
666 = Satanz Backdoor, Attack FTP
1001 = Silencer, WebEx
1011 = Doly Trojan
1033 = NetSpy
1170 = Psyber Stream Server, Streaming Audio Trojan
1234 = Ultors Trojan
1243 = SubSeven
1245 = VooDoo Doll, GabanBus, NetBus
1492 = FTP99CMP
1509 = Psyber Streaming Server
1600 = Shivka-Burka
1807 = SpySender
1981 = Shockrave
1999 = BackDoor
2001 = Trojan Cow
2023 = Ripper, Pass Ripper
2115 = Bugs
2140 = Deep Throat, The Invasor
2565 = Striker
2583 = WinCrash2
2801 = Phineas Phucker
3700 = Portal of Doom
4092 = WinCrash
4590 = ICQTrojan
4950 = ICQTrojan
5000 = Sockets de Troie
5001 = Sockets de Troie 1.x
5321 = Firehotcker
5400 = Blade Runner
5401 = Blade Runner 1.x
5402 = Blade Runner 2.x
5569 = Robo-Hack
5742 = WinCrash
6400 = The Thing
6670 = DeepThroat
6771 = DeepThroat
6939 = Indoctrination
6969 = GateCrasher, Priority
7000 = Remote Grab
7300 = NetMonitor
7301 = NetMonitor 1.x
7306 = NetMonitor 2.x
7307 = NetMonitor 3.x
7308 = NetMonitor 4.x
7789 = ICKiller (ICQKiller)
9872 = Portal of Doom
9873 = Portal of Doom 1.x
9874 = Portal of Doom 2.x
9875 = Portal of Doom 3.x
9989 = iNi-Killer
10067 = Portal of Doom 4.x
10167 = Portal of Doom 5.x
11000 = Senna Spy Trojans
11223 = Progenic Trojan
12076 = Gjamer
12223 = Hack'99 KeyLogger
12346 = NetBus 1.x
12361 = Whack-a-mole
12362 = Whack-a-mole 1.x
16969 = Priority
20000 = Millenium
20001 = Millennium
20034 = NetBus Pro (NetBus 2 Pro)
21544 = GirlFriend
21554 = GirlFriend
22222 = Prosiak 0.47
23456 = WhackJob, Ugly FTP, Evil FTP
26274 = Delta
30100 = NetSphere
30129 = Masters Paradise
30303 = Socket23
30999 = Kuang
31337 = Back Orifice
31338 = DeepBO
31339 = NetSpy DK
31666 = BOWhack
33333 = Prosiak
34324 = BigGluck, Tiny Telnet Server
40412 = The Spy
40421 = Masters Paradise
40422 = Masters Paradise 1.x
40423 = Masters Paradise 2.x
40426 = Masters Paradise 3.x
50505 = Sockets de Troie
50766 = Fore, Schwindler
53001 = Remote Windows Shutdown
61466 = Telecommando
65000 = Devil, Devil 1.03
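The practical use of the two tables above is to compare the ports a machine is actually listening on against the Trojan list, while remembering that some of those ports also belong to legitimate services. The script below is an added example and is not code from the original article: it parses tables written in the article's own "port = name" form, parses `netstat -an` output (both the Windows and the Linux/BSD column layout), and reports every listener whose port is in the Trojan table together with the legitimate service, if any, registered on the same port. The few table entries embedded here are copied from the lists above; the netstat lines are constructed for illustration.

```python
"""Cross-check listening ports against a Trojan port table.

Added example (not part of the original article). The port tables below are a
handful of entries taken from the article's lists; the netstat output is
constructed and deliberately mixes the Windows and Linux layouts so both
parsers are exercised.
"""
import re
from collections import defaultdict

# Entries copied from the article's service table, in its "port = name" format.
SERVICE_TABLE = """
389 = LDAP (Lightweight Directory Access Protocol)
636 = SSL-LDAP (LDAP over SSL)
666 = MDQS
7306 = Network Elf 3.0, NetSpy 3.0
"""

# Entries copied from the article's Trojan table.
TROJAN_TABLE = """
666 = Satanz Backdoor, Attack FTP
1243 = SubSeven
7306 = NetMonitor 2.x
7626 = Glacier (BingHe)
12346 = NetBus 1.x
27374 = Sub Seven 2.0, 77, Oriental Magic
31337 = Back Orifice
"""

LINE_RE = re.compile(r"^\s*(\d{1,5})\s*=\s*(.+?)\s*$")


def parse_port_table(text):
    """Parse "port = name" lines into {port: [name, ...]}.

    Blank, malformed and out-of-range lines are skipped rather than raising,
    because these lists are usually hand-maintained and slightly messy."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port = int(m.group(1))
        if 0 < port <= 65535:
            table[port].append(m.group(2))
    return dict(table)


def parse_netstat(text):
    """Return [(proto, port)] for listening sockets in `netstat -an` output.

    Windows prints "Proto Local Foreign State"; Linux/BSD print "Proto Recv-Q
    Send-Q Local Foreign State", so the local address is the 2nd or the 4th
    field. UDP has no state, so every bound UDP socket counts as a listener."""
    listeners = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        proto = tokens[0].lower()
        if not (proto.startswith("tcp") or proto.startswith("udp")):
            continue
        local = tokens[3] if tokens[1].isdigit() else tokens[1]
        try:
            port = int(local.rsplit(":", 1)[1])   # handles IPv4 and [::]:port
        except (IndexError, ValueError):
            continue
        state = tokens[-1].upper()
        if proto.startswith("udp") or state.startswith("LISTEN"):
            listeners.append((proto[:3], port))
    return listeners


def check_listeners(listeners, trojan_table, service_table):
    """Flag listeners whose port is in the Trojan table.

    Returns [(proto, port, trojan_names, service_names)]. A non-empty
    service_names means a legitimate service is registered on the same port,
    so the hit is only a hint and the owning process must be identified."""
    hits = []
    for proto, port in listeners:
        if port in trojan_table:
            hits.append((proto, port, trojan_table[port], service_table.get(port, [])))
    return hits


# Constructed netstat output (not captured from a real host).
SAMPLE_NETSTAT = """
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:7306           0.0.0.0:0              LISTENING
TCP    192.168.1.5:1243       10.0.0.9:4567          ESTABLISHED
TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
UDP    0.0.0.0:31337          *:*
tcp        0      0 0.0.0.0:27374           0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    hits = check_listeners(parse_netstat(SAMPLE_NETSTAT),
                           parse_port_table(TROJAN_TABLE),
                           parse_port_table(SERVICE_TABLE))
    for proto, port, trojans, services in hits:
        note = f" (also legitimate: {'; '.join(services)})" if services else ""
        print(f"{proto}/{port}: {'; '.join(trojans)}{note}")
```

On a real host replace SAMPLE_NETSTAT with the output of `netstat -an` and the two tables with the full lists above; the 7306 hit shows why the service table matters, since the same port belongs to NetMonitor in the foreign list and to Network Elf/NetSpy in the domestic one, and an established outbound connection on 1243 is not reported because the check is for listeners only.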