Hello, I'm Xiao Xu.
As the title says, most of us probably already know this: it is the most basic material on intrusion, posted here for everyone to study carefully. Knowing the role of each port helps both with carrying out an intrusion and with defending yourself. Please keep it in mind!
1 tcpmux: This shows someone is looking for SGI IRIX machines. IRIX is the main implementer of tcpmux, and tcpmux is enabled by default on that system. IRIX machines shipped with several default password-free accounts such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox and 4Dgifts. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and take advantage of these accounts.
7 Echo: You will see the packets many people send to x.x.x.0 and x.x.x.255 when they search for Fraggle amplifiers. A common DoS attack is the echo loop (echo-loop), where an attacker forges a UDP packet so that it appears to be sent from one machine to the other, and the two machines then answer each other's packets as fast as they can. Another thing seen on this port is TCP connections established by DoubleClick: there is a product called "Resonate Global Dispatch" which connects to this port on DNS servers to determine the nearest route. Harvest/squid caches will send UDP echo from port 3130: "If the cache's source_ping on option is turned on, it will send a hit reply to the UDP echo port of the original host." This produces many such packets.
11 sysstat: This is a UNIX service that lists all the processes running on the machine and what started them. This gives an intruder a lot of information that threatens the security of the machine, such as exposing programs or accounts known to have certain weaknesses. It is similar to the output of the "ps" command on UNIX systems. Again: ICMP has no ports; "ICMP port 11" usually means ICMP type=11.
19 chargen: This is a service that only sends characters. The UDP version responds with a packet full of junk characters whenever it receives a UDP packet. On a TCP connection it sends a stream of junk characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks: forge a UDP packet between two chargen servers, and because each server tries to answer the other, an unlimited volume of traffic bounces between them; a chargen paired with an echo server overloads the server in the same way. Similarly, a Fraggle DoS attack broadcasts a packet with the spoofed IP of the victim to this port on the destination network, and the victim is overloaded by the responses.
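The echo and chargen entries above describe the same two abuse patterns: a spoofed UDP packet that sets two "small services" answering each other, and a Fraggle packet aimed at a broadcast address. The following is an added example, not code from the original post, showing how a defender would flag both patterns in flow records and how to check an inetd.conf for small services that are still enabled. The flow tuples and the inetd.conf fragment are constructed sample data, and the function names are my own.

```python
# Added example (not from the original post): flag echo/chargen loop and
# Fraggle-style broadcast traffic in flow records, and list the inetd
# "small services" that are still enabled so they can be switched off.
from collections import Counter

LOOP_PORTS = {7, 19}                       # echo and chargen
SMALL_SERVICES = {"echo", "chargen", "discard", "daytime"}
BROADCAST_SUFFIXES = (".0", ".255")         # the x.x.x.0 / x.x.x.255 targets from the text

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("10.0.0.5", 7, "10.0.0.6", 19, "udp"),        # echo <-> chargen loop
    ("10.0.0.6", 19, "10.0.0.5", 7, "udp"),
    ("203.0.113.9", 7, "192.0.2.255", 7, "udp"),   # Fraggle: spoofed source, broadcast dst
    ("203.0.113.9", 7, "192.0.2.0", 7, "udp"),
    ("10.0.0.5", 41234, "10.0.0.9", 80, "tcp"),    # benign web traffic
]

# Constructed inetd.conf fragment (format: name type proto wait user server)
SAMPLE_INETD = """\
# constructed inetd.conf fragment
#echo    stream  tcp     nowait  root    internal
echo     dgram   udp     wait    root    internal
chargen  stream  tcp     nowait  root    internal
#chargen dgram   udp     wait    root    internal
ftp      stream  tcp     nowait  root    /usr/sbin/in.ftpd in.ftpd
"""


def is_broadcastish(addr: str) -> bool:
    """Crude check for the network/broadcast addresses amplifier hunters send to."""
    return addr.endswith(BROADCAST_SUFFIXES)


def classify(flow):
    """Return a label for a suspicious UDP flow, or None if nothing matches."""
    src, sport, dst, dport, proto = flow
    if proto != "udp":
        return None
    # Broadcast check first: a Fraggle packet also has both ports in LOOP_PORTS.
    if dport in LOOP_PORTS and is_broadcastish(dst):
        return "fraggle-broadcast"
    if sport in LOOP_PORTS and dport in LOOP_PORTS:
        return "echo-chargen-loop"
    return None


def analyze(flows):
    """Count suspicious flows by label; an empty dict means nothing was flagged."""
    findings = Counter()
    for flow in flows:
        label = classify(flow)
        if label:
            findings[label] += 1
    return dict(findings)


def enabled_small_services(conf_text):
    """Return {(service, proto)} for small services that are not commented out."""
    found = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        name, proto = fields[0], fields[2]
        if name in SMALL_SERVICES:
            found.add((name, proto))
    return found


if __name__ == "__main__":
    print(analyze(SAMPLE_FLOWS))
    print(sorted(enabled_small_services(SAMPLE_INETD)))
```

The flow check is the detection side; the inetd check is the mitigation side, since the loop only works against hosts that still run echo or chargen. Blocking UDP 7 and 19 at the border and dropping packets whose source address belongs to your own network but arrives from outside removes both patterns.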
21 FTP: Attackers most commonly use this port to look for open "anonymous" FTP servers. These servers have directories that are both readable and writable. Hackers or crackers use them as nodes for transmitting warez (private programs) and pr0n (a deliberate misspelling to avoid being classified by search engines).
22 SSH: A TCP connection from PcAnywhere to this port may be a search for SSH. This service has many weaknesses. Many versions that use the RSAREF library have many vulnerabilities if configured in a specific mode. (It is recommended to run SSH on a different port.) Note also that the SSH toolkit comes with a program called make-ssh-known-hosts, which scans an entire domain for SSH hosts; you may sometimes be scanned accidentally by someone using this program. A UDP (instead of TCP) connection to port 5632 on the other side means there is a scan searching for PcAnywhere: 5632 (hex 0x1600) with its two bytes swapped is 0x0016 (decimal 22).
23 Telnet: The intruder is looking for a service for remote login to UNIX. In most cases, intruders scan this port to find out which operating system the machine is running. In addition, intruders use other techniques to find passwords.
25 SMTP: Attackers (spammers) look for SMTP servers to relay their spam. Their own accounts keep getting shut down, so they need to dial up, connect to a high-bandwidth e-mail server and pass simple messages on to many different addresses. SMTP servers (especially sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and message routing is complex (exposure + complexity = weakness).
53 DNS: Hackers or crackers may be attempting zone transfers (TCP), DNS spoofing (UDP), or hiding other traffic, so firewalls often filter or log port 53. Note that you will often see port 53 as the UDP source port. A weak firewall typically allows this traffic, assuming it is the reply to a DNS query; hackers often use this method to get through firewalls.
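The firewall weakness described above is a stateless rule that trusts any inbound UDP packet with source port 53. The following is an added example, not code from the original post, that puts that naive rule next to a reply-matching filter which only admits a source-port-53 packet when it answers a query this side actually sent. The packet values are constructed, the class and function names are my own, and the matching is deliberately simplified to addresses and ports (a real resolver would also check the DNS transaction ID).

```python
# Added example (not from the original post): stateless "trust source port 53"
# versus a filter that only admits replies to outstanding DNS queries.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives from the Internet side


def naive_allow(pkt: Packet) -> bool:
    """The weak rule from the text: any inbound UDP from source port 53 passes."""
    return (not pkt.inbound) or pkt.sport == 53


class StatefulDnsFilter:
    """Admit inbound source-port-53 packets only if they match a query we sent."""

    def __init__(self):
        # Outstanding queries keyed by (client_ip, client_port, server_ip).
        # Assumption: one reply per query; the entry is consumed on first match.
        self.pending = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.dport == 53:
                self.pending.add((pkt.src, pkt.sport, pkt.dst))
            return True
        key = (pkt.dst, pkt.dport, pkt.src)
        if pkt.sport == 53 and key in self.pending:
            self.pending.discard(key)
            return True
        # Source port 53 with no matching query: this is the bypass the text warns about.
        return False


def run_demo():
    """Constructed exchange: one real query/reply pair and one forged packet."""
    fw = StatefulDnsFilter()
    query = Packet("10.0.0.5", 40000, "198.51.100.1", 53, inbound=False)
    reply = Packet("198.51.100.1", 53, "10.0.0.5", 40000, inbound=True)
    # Forged: source port 53, but aimed at NetBIOS (139) with no query behind it.
    forged = Packet("203.0.113.7", 53, "10.0.0.5", 139, inbound=True)

    results = {}
    naive_allow(query)
    fw.allow(query)
    # (naive verdict, stateful verdict) for each inbound packet
    results["legit_reply"] = (naive_allow(reply), fw.allow(reply))
    results["forged_src53"] = (naive_allow(forged), fw.allow(forged))
    results["replayed_reply"] = fw.allow(reply)   # already consumed, so rejected
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The forged packet is what the naive rule lets through: anything at all, as long as the attacker sets source port 53. The stateful filter passes the genuine reply, drops the forged packet, and also drops a replay of the genuine reply because the pending entry was consumed.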
67 and 68 BOOTP and DHCP (UDP): Firewalls on DSL and cable-modem links often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. Hackers often break in and assign themselves an address, then launch a large number of "man-in-the-middle" attacks as the local router. The client broadcasts its configuration request to port 68 (BOOTPS), and the server broadcasts its response to port 67 (BOOTPC). The response is broadcast because the client does not yet know which IP address it can be sent to.
69 TFTP (UDP): Many servers provide this service together with BOOTP so that systems can easily download boot code. However, they are often misconfigured and will serve any file from the system, such as password files. They can also be used to write files onto the system.
79 Finger: Hackers use it to obtain user information, identify the operating system, probe for known buffer overflow bugs, and bounce finger scans from their own machine to other machines.
80 HTTP: Web sites use 80 as the default service port, with TCP or UDP.
98 linuxconf: This program provides simple administration of Linux boxen. It offers a web-based interface on port 98 through an integrated HTTP server. Many security issues have been found in it. Some versions are setuid root, trust the local network, create Internet-accessible files under /tmp, and have a buffer overflow in the LANG environment variable. Also, because it contains an integrated HTTP server, many typical HTTP vulnerabilities can exist (buffer overflows, directory traversal, etc.).
109 POP2: Not as well known as POP3, but many servers offer both services at the same time (backwards compatibility). POP3 vulnerabilities on the same server also exist in POP2.
110 POP3: Used by clients to access mail on the server. The POP3 service has many well-known weaknesses. There are at least 20 buffer overflow weaknesses in the username and password exchange (which means a hacker can get into the system before a real login). There are other buffer overflow bugs after a successful login.
111 sunrpc portmap rpcbind: Sun RPC portmapper/rpcbind. Accessing the portmapper is the earliest step in scanning a system to see which RPC services it allows. Common RPC services are rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. Once the intruder finds which RPC services are allowed, they move on to the specific port that provides the service to test it for vulnerabilities. Remember to keep a logging daemon, IDS or sniffer on the line, and you can find out which program the intruder is using to get in.
113 ident, auth: This protocol runs on many machines and is used to identify the user of a TCP connection. Using the standard service, information can be obtained about many machines (which hackers will exploit). But it serves as a logger for many services, especially FTP, POP, IMAP, SMTP and IRC. Often, if many clients access these services through a firewall, you will see many connection requests for this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back an RST when blocking the TCP connection, which stops the slow connection.
119 NNTP news: Newsgroup transport protocol, which carries Usenet traffic. When you connect to an address such as news://comp.security.firewalls/, this port is typically used. Connection attempts on this port are usually people looking for Usenet servers. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server lets anyone send and read posts, access restricted newsgroup servers, post anonymously or send spam.
135 oc-serv, MS RPC end-point mapper: Microsoft runs the DCE RPC end-point mapper for its DCOM services on this port. It is similar in function to port 111 on UNIX. Services that use DCOM and/or RPC register their locations with the end-point mapper on the machine. When remote clients connect to the machine, they query the end-point mapper to find the location of the service. Hackers also scan this port to find out things like: is this machine running Exchange Server? Which version? Besides being used to query services (for example with epdump), this port can also be used for direct attacks; there are some DoS attacks aimed directly at it.
137 NetBIOS name service, nbtstat (UDP): This is the most common thing firewall administrators see.
139 NetBIOS file and print sharing: Connections entering through this port are trying to reach the NetBIOS/SMB service. This protocol is used for Windows "File and Printer Sharing" and for Samba. Sharing your hard disk on the Internet is probably the most common problem. Large numbers of probes of this port started in 1999 and then gradually decreased, but rebounded again in 2000. Some VBS (IE5 VisualBasic Scripting) worms began copying themselves to this port, trying to spread through it.
143 IMAP: The same security issues as POP3 above; many IMAP servers have buffer overflow vulnerabilities that are triggered during the login process. Remember: a Linux worm (ADMw0rm) propagates through this port, so many of the scans of this port come from unsuspecting infected users. These vulnerabilities became popular when Red Hat enabled IMAP by default in their Linux release. This was the first widely spread worm after the Morris worm. This port is also used for IMAP2, but that is not popular. Some reports have found that some attacks on ports 0 to 143 originate from scripts.
161 SNMP (UDP): A port that intruders often probe. SNMP allows remote management of devices. All configuration and operational information is stored in a database, which SNMP clients can read. Many administrators misconfigure it and expose it to the Internet. Crackers will attempt to access the system using the default passwords "public" and "private", and they may try all possible combinations. SNMP packets may be misdirected to your network. Because of misconfiguration, Windows machines running HP JetDirect remote management software often use SNMP, and the HP OBJECT IDENTIFIER will receive SNMP packets. The new version of Win98 uses SNMP to resolve domain names, and you will see these packets broadcast within the subnet (cable modem, DSL) querying sysName and other information.
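The SNMP entry above boils down to two misconfigurations: the default community strings "public" and "private", and an agent that answers anyone on the Internet. The following is an added example, not code from the original post, that audits a Net-SNMP style snmpd.conf for both. The configuration fragment is constructed; the directives rocommunity, rwcommunity and com2sec are real Net-SNMP keywords, but the audit function and its report format are my own.

```python
# Added example (not from the original post): audit an snmpd.conf fragment for
# default community strings and for communities with no source restriction.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed snmpd.conf fragment. Net-SNMP syntax:
#   rocommunity <community> [source]
#   rwcommunity <community> [source]
#   com2sec <secname> <source> <community>
# where a missing source, or the word "default", means "any address".
SAMPLE_SNMPD_CONF = """\
# constructed snmpd.conf fragment
rocommunity public
rwcommunity private
rocommunity s3cr3tRO 10.0.0.0/8
rwcommunity manage-rw 10.0.1.0/24
com2sec notConfigUser default public
"""


def audit_snmpd(conf_text):
    """Return a list of (line_number, finding) tuples for weak settings."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        directive = fields[0]

        if directive in ("rocommunity", "rwcommunity") and len(fields) >= 2:
            community = fields[1]
            source = fields[2] if len(fields) >= 3 else "default"
        elif directive == "com2sec" and len(fields) >= 4:
            source, community = fields[2], fields[3]
        else:
            continue   # not a community definition

        if community in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default community string"))
        if source == "default":
            findings.append((lineno, "no source restriction"))
    return findings


def is_clean(conf_text):
    """True when the fragment has neither weakness."""
    return not audit_snmpd(conf_text)


if __name__ == "__main__":
    for lineno, finding in audit_snmpd(SAMPLE_SNMPD_CONF):
        print(f"line {lineno}: {finding}")
```

Lines 4 and 5 of the sample pass because they use a non-default community and a source network; the other three definitions are flagged twice each. A community string is still sent in clear text with SNMPv1 and v2c, so restricting the source network is the check that matters most where the agent cannot be moved to SNMPv3.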
162 SNMP trap: may be due to misconfiguration.
177 XDMCP: Many hackers reach the X Window console through it; it also needs port 6000 open.
513 rwho: May be broadcasts from UNIX machines on a cable-modem or DSL subnet where users log in. These provide interesting information for hackers to get into the system.
553 CORBA IIOP (UDP): If you use a cable-modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (remote procedure call) system. Hackers will use this information to get into the system.
600 pcserver backdoor: see port 1524.
"Some script kiddies think they have completely breached the system by modifying the ingreslock and pcserver files." --Alan J. Rosenthal
635 mountd: Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd is increasing (mountd runs on both at the same time). Remember, mountd can run on any port (to find which one, you need to do a portmap query on port 111), but Linux defaults to port 635, just as NFS usually runs on port 2049.
1024: Many people ask what this port is for. It is the start of the dynamic port range. Many programs do not care which port they use to connect to the network and ask the operating system to assign them the "next idle port". Based on this, assignment starts at port 1024. This means the first program that asks the system for a dynamic port will be assigned port 1024. To verify this, restart the machine, open Telnet, then open another window and run "netstat -a", and you will see that Telnet has been assigned port 1024. The more programs you start, the more dynamic ports are used, and the ports the operating system allocates gradually get higher. Similarly, when you browse web pages and watch with "netstat", each web page needs a new port.
1025, 1026: See 1024.
1080 SOCKS: This protocol tunnels through the firewall, allowing many people behind the firewall to access the Internet through one IP address. In theory it should only allow internal traffic out to the Internet. However, due to misconfiguration, it will let hackers/crackers outside the firewall pass through it, or simply let them bounce off computers on the Internet to disguise their direct attacks on you. WinGate is a common Windows personal firewall that often has the misconfiguration described above. This is often seen when you join an IRC chat room.
This article is from the "90@@base" blog; please be sure to keep this source: http://1873281.blog.51cto.com/1863281/1754996
A variety of classic ports