Ports fall into three main categories:
1) Well-known ports: 0 to 1023. These are tightly bound to specific services, so traffic on one of these ports usually identifies the protocol clearly. For example, port 80 is almost always HTTP traffic.
2) Registered ports: 1024 to 49151. These are only loosely bound to services: many services are registered on these ports, but the same ports are also used for many other purposes. For example, many systems hand out dynamic ports starting at around 1024.
3) Dynamic and/or private ports: 49152 to 65535. In theory no service should be assigned a port in this range. In practice, machines typically allocate dynamic ports starting at 1024, but there are exceptions: Sun's RPC ports start at 32768.
This section describes what the TCP/UDP ports typically seen in firewall logs mean. Remember: ICMP has no ports. If you want to interpret ICMP data, see the other parts of this article.
0 Commonly used to fingerprint the operating system. This works because "0" is an invalid port on some systems, and connecting to it produces a different result than connecting to an ordinary closed port. One typical scan uses a destination IP address of 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.
1 tcpmux This indicates somebody looking for SGI IRIX machines. IRIX is the main vendor that implements tcpmux, and tcpmux is enabled by default on that system. IRIX machines ship with several default accounts that have no password, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox and 4Dgifts. Many administrators forget to delete these accounts after installation, so hackers scan the Internet for tcpmux and log in with these accounts.
7 echo You will see many packets sent to x.x.x.0 and x.x.x.255 by people searching for Fraggle amplifiers.
A common DoS attack is the echo loop: the attacker forges a UDP packet that appears to come from one machine and sends it to another, and the two machines then answer each other's packets as fast as they can. (See chargen.)
Another thing you will see is TCP connections to this port from DoubleClick. They use a product called "Resonate Global Dispatch", which connects to this port on the DNS servers of the end-user in order to determine the nearest route.
Harvest/Squid caches send UDP echoes from port 3130: "If the cache's source_ping on option is turned on, it echoes a hit reply to the original host's UDP echo port." This generates many such packets.
11 sysstat This is a UNIX service that lists all the running processes on a machine and who started them. It gives intruders a lot of information that threatens the security of the machine, such as revealing programs with known vulnerabilities or accounts. It is similar to the output of the "ps" command on UNIX.
Again: ICMP has no ports. "ICMP port 11" usually means ICMP type=11 (Time Exceeded).
19 chargen This is a service that just sends characters. The UDP version responds to any received UDP packet with a packet full of junk characters. On a TCP connection it sends a stream of junk characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks with it: forge a UDP packet between two chargen servers, or between a chargen server and an echo server, and the two servers answer each other in an unlimited round trip until both are overloaded. Likewise, the Fraggle DoS attack broadcasts a packet with the victim's spoofed IP address to this port on the destination subnet, and the victim is overloaded by the responses.
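The echo loop and the Fraggle amplification described for ports 7 and 19 above, simulated as an added example (not code from the original FAQ). The two services are modelled as pure functions, the hosts and packet payloads are constructed, and the loop is capped so it terminates; a real pair of servers would keep going until one of them, or the link between them, gave out.

```python
# Added example (not part of the original article): a pure-Python model of the
# echo/chargen loop and of Fraggle amplification. All hosts are constructed
# documentation addresses; nothing is sent on the network.
from collections import deque

ECHO, CHARGEN = 7, 19
CHARGEN_LINE = (b"!\"#$%&'()*+,-./0123456789:;<=>?@"
                b"ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefgh\r\n")

def udp_service_reply(dst_port, payload):
    """Model of the two trivial services: echo sends back what it received,
    chargen sends a line of junk regardless of input, any other port is closed
    (no reply; a real host would send ICMP port unreachable)."""
    if dst_port == ECHO:
        return payload
    if dst_port == CHARGEN:
        return CHARGEN_LINE
    return None

def simulate_loop(first_packet, max_steps=1000):
    """Inject one (possibly forged) UDP datagram and count the packets the two
    hosts exchange before the exchange dies or max_steps is reached.
    A packet is (src_host, src_port, dst_host, dst_port, payload)."""
    queue = deque([first_packet])
    sent = 0
    while queue and sent < max_steps:
        src, sport, dst, dport, data = queue.popleft()
        sent += 1
        reply = udp_service_reply(dport, data)
        if reply is not None:
            # The reply goes to whatever source the packet claimed, which is why
            # one forged source address can set two servers talking to each other.
            queue.append((dst, dport, src, sport, reply))
    return sent

def fraggle_replies(subnet_hosts, victim, amp_port=ECHO):
    """subnet_hosts maps host -> set of open UDP ports. One datagram sent to the
    subnet's broadcast address with the victim's address forged as source draws
    a reply from every host listening on amp_port; the victim receives them all."""
    return [(host, amp_port, victim) for host, ports in sorted(subnet_hosts.items())
            if amp_port in ports]

if __name__ == "__main__":
    forged = ("192.0.2.1", ECHO, "192.0.2.2", CHARGEN, b"x")   # constructed hosts
    print("echo<->chargen loop, packets before cap:", simulate_loop(forged, 1000))
    print("ordinary chargen query, packets:",
          simulate_loop(("192.0.2.9", 40000, "192.0.2.2", CHARGEN, b"x")))
    hosts = {"192.0.2.10": {7, 19}, "192.0.2.11": {7}, "192.0.2.12": {53}}
    print("fraggle replies per forged broadcast:",
          len(fraggle_replies(hosts, "198.51.100.5")))
```

A single forged datagram whose source is A:7 and destination B:19 never stops (the simulation only ends because of the cap), whereas a datagram from an ordinary client port produces exactly one reply and dies. The same reasoning explains why the text recommends disabling echo and chargen: with both services off, `udp_service_reply` returns None and the loop cannot start.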
21 FTP The most common use by attackers is to find FTP servers that have been opened up for "anonymous" access and that have a writable directory. Hackers or crackers use such servers as a node for trading warez (pirated programs) and pr0n (an intentional misspelling to avoid search-engine classification).
22 ssh pcAnywhere TCP connections to this port may be looking for SSH. This service has many weaknesses; many versions that use the RSAREF library have a number of vulnerabilities if configured in a particular mode. (It is recommended that you run SSH on a different port.)
Also note that the SSH toolkit comes with a program called make-ssh-known-hosts, which scans an entire domain for SSH hosts. You will sometimes be scanned accidentally by someone running this program.
UDP (not TCP) packets to port 5632 on the other end mean a scan searching for pcAnywhere. 5632 (hex 0x1600) is 0x0016 (decimal 22) with its two bytes swapped.
23 telnet Intruders are looking for remote UNIX services. In most cases intruders scan this port to find out which operating system the machine is running. In addition, using other techniques, intruders will find passwords.
25 SMTP Attackers (spammers) are looking for SMTP servers through which to relay their spam. An intruder's own account is always getting shut down, so they need to dial up and find a high-bandwidth mail server to deliver a simple message to many different addresses. SMTP servers (especially sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and message routing is complex (exposed + complex = weakness).
53 DNS Hackers or crackers may be attempting zone transfers (TCP), DNS spoofing (UDP), or hiding other traffic inside DNS. Firewalls therefore often filter or log port 53.
Note that you will often see port 53 as the UDP source port. Stateless firewalls typically allow this traffic on the assumption that it is a reply to a DNS query. Hackers often use this method to penetrate a firewall.
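Why the source-port-53 trick works, and what fixes it, as an added example rather than code from the original FAQ. A stateless filter can only look at the packet in front of it, so a rule that admits inbound UDP from source port 53 admits an attacker's probe to port 111 or 2049 just as readily as a resolver's reply. A stateful filter remembers which queries left the network and admits only their mirror image. The firewalls below are minimal models, and all addresses are constructed.

```python
# Added example (not from the original article): a stateless "allow UDP from
# source port 53" rule beside a stateful one that only admits replies to
# queries it saw leave. Addresses are documentation ranges; nothing is sent.
class StatelessFirewall:
    """Packet-filter rule of the kind the text warns about: accept any inbound
    UDP whose source port is 53, on the assumption that it is a DNS reply."""
    def inbound(self, pkt):
        return pkt["proto"] == "udp" and pkt["sport"] == 53

class StatefulFirewall:
    """Tracks outbound DNS queries and admits only the matching reply."""
    def __init__(self):
        self.pending = set()   # (inside_host, inside_port, resolver, resolver_port)

    def outbound(self, pkt):
        if pkt["proto"] == "udp" and pkt["dport"] == 53:
            self.pending.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return True

    def inbound(self, pkt):
        # The reply's (dst, dport, src, sport) must mirror a query we let out.
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["proto"] == "udp" and key in self.pending:
            self.pending.discard(key)   # one reply per query; replays are dropped
            return True
        return False

def udp(src, sport, dst, dport):
    return {"proto": "udp", "src": src, "sport": sport, "dst": dst, "dport": dport}

def run_scenario(fw):
    """Feed three inbound packets to a firewall and report which it accepts:
    the genuine reply to a query the inside host sent, then two attacker
    probes aimed at portmap (111) and NFS (2049) that merely use source port 53."""
    query = udp("10.0.0.5", 40123, "198.51.100.1", 53)      # constructed addresses
    if isinstance(fw, StatefulFirewall):
        fw.outbound(query)
    reply = udp("198.51.100.1", 53, "10.0.0.5", 40123)
    probe_portmap = udp("203.0.113.9", 53, "10.0.0.5", 111)
    probe_nfs = udp("203.0.113.9", 53, "10.0.0.5", 2049)
    return [fw.inbound(p) for p in (reply, probe_portmap, probe_nfs)]

if __name__ == "__main__":
    print("stateless accepts [reply, probe 111, probe 2049]:", run_scenario(StatelessFirewall()))
    print("stateful  accepts [reply, probe 111, probe 2049]:", run_scenario(StatefulFirewall()))
```

Scanners make this trivial to exploit: nmap's `-g 53` (also spelled `--source-port 53`) sets the source port of every probe. On Linux the stateless rule is the familiar `-p udp --sport 53 -j ACCEPT`; the stateful form is to accept only `--state ESTABLISHED` traffic and let the outbound query create the state.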
67 and 68 bootp/dhcp (UDP) Firewalls on DSL and cable-modem lines often see large numbers of packets sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. Hackers often break into them to assign an address and launch a large number of "man-in-the-middle" attacks by posing as the local router. Clients broadcast their requests to port 67 (bootps); servers broadcast their responses to port 68 (bootpc). The response is broadcast because the client does not yet have an IP address to send it to.
69 TFTP (UDP) Many servers provide this service alongside BOOTP to make it easy to download boot code to systems. But they are often misconfigured to serve any file on the system, such as the password file. They can also be used to write files to the system.
79 finger Hackers use it to obtain user information, query the operating system, probe for known buffer-overflow bugs, and bounce finger scans from their own machine to other machines.
98 linuxconf This program provides simple administration of Linux boxes. It offers a web interface on port 98 through an integrated HTTP server. A number of security issues have been found in it: some versions are setuid root, trust the local network, create world-accessible files in /tmp, and have a buffer overflow in the LANG environment variable. In addition, because it contains an integrated web server, many typical HTTP vulnerabilities may be present (buffer overflows, directory traversal, etc.).
109 POP2 Not as well known as POP3, but many servers offer both services (for backward compatibility). The POP3 vulnerabilities on a server also exist in its POP2.
110 POP3 Used by clients to access mail services on the server. The POP3 service has many recognised weaknesses. There are at least 20 buffer-overflow weaknesses in the username/password exchange (which means hackers can get into the system before actually logging in). There have been other buffer-overflow bugs after a successful login.
111 sunrpc portmap rpcbind Sun RPC portmapper/rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services are enabled. Common RPC services are rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd and so on. Once an intruder finds an enabled RPC service, they move on to the specific port that provides the service and test it for vulnerabilities.
Keep your daemon logs, IDS, or sniffer output; from them you can find out which programs the intruder used and what happened.
113 ident auth This is a protocol running on many machines that identifies the user of a TCP connection. Standard use of this service can obtain information about many machines (which hackers will use). But it also serves as a logging aid for many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients access these services through the firewall, you will see many connection requests to this port. Remember that if you block this port, clients will notice slow connections to e-mail servers on the other side of the firewall. Many firewalls can return a RST while blocking a TCP connection, which stops the slow connections.
119 NNTP news The Network News Transfer Protocol, which carries Usenet traffic. This port is used when you follow a link such as news://comp.security.firewalls/. Connection attempts to this port are usually people looking for Usenet servers. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server lets anyone post and read, reach restricted newsgroups, post anonymously, or send spam.
135 oc-serv MS RPC end-point mapper Microsoft runs the DCE RPC end-point mapper for its DCOM services on this port. It is similar in function to UNIX port 111. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When remote clients connect to the machine, they query the end-point mapper to find where the service is. Likewise, hackers scan this port on a machine to find things like: is Exchange Server running on this machine? Which version?
Besides being used to query services, this port can also be used for direct attacks, for example with epdump. Some DoS attacks are aimed at this port.
137 NetBIOS name service nbtstat (UDP) This is the most common thing firewall administrators see; please read the NetBIOS section later in this article.
139 NetBIOS file and print sharing Incoming connections through this port are attempts to get at NetBIOS/SMB services. This protocol is used for Windows "File and Printer Sharing" and for Samba. Sharing your own hard disk on the Internet is probably the most common problem.
A large amount of traffic to this port began in 1999, then gradually decreased; in 2000 it rebounded again. Some VBS (IE5 Visual Basic Scripting) worms have begun copying themselves through this port, attempting to spread through it.
143 IMAP Has the same security issues as POP3 above; many IMAP servers have buffer overflows in the login process. Remember: a Linux worm (ADMw0rm) spreads through this port, so many scans of this port come from unsuspecting infected users. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux releases. After the Morris worm, it was the first widely spread worm of all time.
This port has also been used for IMAP2, but that is not popular.
There have been reports that some attacks on ports 0 through 143 originate from scripts.
161 SNMP (UDP) A port intruders frequently probe. SNMP allows remote management of devices. All configuration and run-time information is kept in a database that is retrieved through the SNMP client. Many administrators misconfigure it and expose it to the Internet. Crackers will attempt to access the system using the default community strings "public" and "private". They may try all possible combinations.
SNMP packets may be mistakenly directed at your network. Windows machines running HP JetDirect remote management software often send SNMP packets for the HP object identifier because of a misconfiguration. Newer versions of Win98 use SNMP to resolve domain names, and you will see these packets on the subnet (cable modem, DSL) querying sysName and other information.
162 SNMP trap May be due to a misconfiguration.
177 xdmcp Many hackers use it to get to X Window consoles; this also requires port 6000 to be open.
513 rwho Probably broadcasts from UNIX machines on a subnet using cable modems or DSL. These give hackers interesting information for getting into their systems.
553 CORBA IIOP (UDP) If you are on a cable-modem or DSL VLAN, you will see broadcasts to this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers use this information to get into systems.
600 pcserver backdoor See port 1524.
"Some script kiddies think they have completely breached the system by modifying the ingreslock and pcserver files." - Alan J. Rosenthal.
635 mountd Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd scans are increasing (mountd runs on both at the same time). Remember that mountd can run on any port (you need a portmap query on port 111 to find out which), but Linux defaults to port 635, just as NFS typically runs on port 2049.
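The "portmap query on port 111" that the text mentions for port 111 and again here, shown as an added example rather than code from the original FAQ: this builds the Sun RPC PMAPPROC_GETPORT call (RFC 1057 XDR layout, big-endian 32-bit words, AUTH_NULL credentials) that a scanner sends to UDP 111 to ask "which port is mountd registered on?", and parses the reply. The program numbers 100005 (mountd) and 100003 (nfs) are the standard assignments; the reply bytes are constructed to represent a Linux host answering 635, and the transaction id is arbitrary. Only the offline parts run in the test; `query_portmapper` is for use against a host you are authorised to probe.

```python
# Added example (not from the original article): encode a portmapper GETPORT
# call and decode its reply. The constructed reply imitates a Linux host that
# registered mountd on UDP 635; the XID values are arbitrary.
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MOUNT_PROG, NFS_PROG = 100005, 100003          # program numbers for mountd and nfsd
IPPROTO_TCP, IPPROTO_UDP = 6, 17
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0

def build_getport(xid, prog, vers, proto):
    """Encode an RPC CALL to PMAPPROC_GETPORT. Every XDR field is a big-endian
    32-bit word; credentials and verifier are AUTH_NULL (flavor 0, length 0)."""
    header = struct.pack(">6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">4I", 0, 0, 0, 0)
    args = struct.pack(">4I", prog, vers, proto, 0)   # struct mapping: prog, vers, prot, port
    return header + auth + args

def parse_getport_reply(data, expected_xid):
    """Return the port from an accepted, successful reply, or None when the
    reply does not match, was rejected, or the program is unregistered (port 0)."""
    if len(data) < 20:
        return None
    xid, mtype, rstat, _vflavor, vlen = struct.unpack(">5I", data[:20])
    off = 20 + ((vlen + 3) & ~3)          # skip verifier body; XDR pads to 4 bytes
    if xid != expected_xid or mtype != REPLY or rstat != MSG_ACCEPTED or len(data) < off + 8:
        return None
    astat, port = struct.unpack(">2I", data[off:off + 8])
    return port if astat == SUCCESS and port != 0 else None

def constructed_reply(xid, port):
    """A fabricated reply laid out as rpcbind would send it, so the parser can
    be exercised offline."""
    return struct.pack(">7I", xid, REPLY, MSG_ACCEPTED, 0, 0, SUCCESS, port)

def query_portmapper(host, prog, vers, proto, timeout=2.0):
    """Send the call to UDP 111 on a host you are authorised to test and return
    the registered port, or None. Not exercised by the offline test."""
    xid = 0x1234ABCD   # arbitrary transaction id
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport(xid, prog, vers, proto), (host, 111))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_getport_reply(data, xid)

if __name__ == "__main__":
    req = build_getport(1, MOUNT_PROG, 1, IPPROTO_UDP)
    print(len(req), "byte GETPORT call; mountd ->",
          parse_getport_reply(constructed_reply(1, 635), 1))
```

A firewall log showing a 56-byte UDP datagram to port 111 followed by a probe of the port named in the answer (635 here, or wherever mountd landed) is exactly the two-step pattern the text describes. Blocking 111 alone does not stop the second step when the service sits on a predictable port, which is the point made under 2049 below.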
1024 Many people ask what this port is for. It is the start of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the operating system to assign them the "next free port". On this basis, assignment starts at port 1024, which means the first program to request a dynamic port from the system will be assigned port 1024. To verify this, reboot the machine, start Telnet, then open another window and run "netstat -a"; you will see that Telnet was assigned port 1024. The more programs request ports, the more dynamic ports are in use, and the ports the operating system assigns get higher. Likewise, watch "netstat" while you browse web pages: each web page requires a new port.
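The "next free port" behaviour can be observed directly instead of read off netstat. The following is an added example, not code from the original FAQ, and it also carries the caveat a reader of this 2000-era text needs: modern kernels no longer start at 1024. Linux draws ephemeral ports from the range in /proc/sys/net/ipv4/ip_local_port_range (32768 to 60999 by default), and Windows and macOS use 49152 and up, so a firewall log showing source port 1024 today is more unusual than the text suggests. The /proc path is Linux-specific; on other systems the function assumes the IANA dynamic range.

```python
# Added example (not from the article): ask the OS for "the next free port" a
# few times and check the answers against the kernel's configured range.
# Assumes a Linux-style /proc sysctl; falls back to the IANA dynamic range.
import socket

def ephemeral_range():
    """Read the kernel's ephemeral port range, e.g. (32768, 60999) on Linux."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except OSError:
        return 49152, 65535   # assumption: IANA dynamic/private range

def allocate_ephemeral_ports(count):
    """Bind `count` UDP sockets to port 0 (let the OS choose) and return the
    ports it picked. The sockets are held open until all are bound so the
    kernel cannot hand the same port out twice."""
    socks = []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("0.0.0.0", 0))
            socks.append(s)
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()

def ports_are_dynamic(ports):
    """True if every port is above the reserved range and inside the kernel's
    configured ephemeral range."""
    lo, hi = ephemeral_range()
    return all(1024 <= p and lo <= p <= hi for p in ports)

if __name__ == "__main__":
    ports = allocate_ephemeral_ports(5)
    print("kernel range:", ephemeral_range())
    print("ports handed out:", ports, "all dynamic:", ports_are_dynamic(ports))
```

On a current Linux box the five ports come out scattered across the 32768 to 60999 range rather than as 1024, 1025, 1026; the sequential allocation the text describes is what you will see in old logs, not new ones.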
Version 0.4.1, June 20, 2000
http://www.robertgraham.com/pubs/firewall-seen.html
Copyright 1998-2000 by Robert Graham (mailto:firewall-seen1@robertgraham.com).
All rights reserved. This document may be reproduced (whole or
in part) for non-commercial purposes. All reproductions must
contain this copyright notice and must not be altered, except by
permission of the author.
1025 See 1024
1026 See 1024
1080 SOCKS
This protocol tunnels through the firewall, letting many people behind the firewall reach the Internet through one IP address. In theory it should only let internal traffic out to the Internet. Because of misconfiguration, however, it can let hackers/crackers outside the firewall pass through it, or simply relay for machines on the Internet, masking their direct attacks on you. WinGate is a common Windows personal firewall that is often misconfigured this way. This is frequently seen when you join an IRC chat room.
1114 SQL
Systems themselves rarely scan this port, but it is often part of the sscan script.
1243 Sub-7 Trojan horse (TCP)
See the SubSeven section.
1524 ingreslock backdoor
Many attack scripts install a backdoor shell on this port (especially those that target sendmail and RPC service vulnerabilities on Sun systems, such as statd, ttdbserver and cmsd). If you have just installed your firewall and see connection attempts on this port, this is most likely the reason. You can try telnetting to this port on your own machine to see if it gives you a shell. Connecting to 600/pcserver has the same problem.
2049 NFS
NFS programs usually run on this port. Normally a portmapper query is needed to find out which port the service is on, but since NFS is installed on this port in most cases, hackers/crackers can skip the portmapper and probe this port directly.
3128 squid
This is the default port of the Squid HTTP proxy server. Attackers scan this port looking for a proxy server to use for anonymous access to the Internet. You will also see scans for other proxy ports: 8000/8001/8080/8888. Another reason this port is scanned is users entering chat rooms: other users (or the server itself) check this port to determine whether the user's machine supports proxying. Please see section 5.3.
5632 pcAnywhere
You will see a lot of scans of this port, depending on where you are. When a user starts pcAnywhere, it automatically scans the local class C network for possible agents (translator's note: agents, not proxies). Hackers/crackers also look for machines running this service, so you should look at the source address of such scans. Some pcAnywhere searches also contain UDP packets to port 22. See the dial-up scanning section.
6776 Sub-7 artifact
This is a port split off from the main Sub-7 port for data transfer. For example, when a controller is controlling another machine over a dial-up line and the controlled machine hangs up, the next person who dials in and gets that IP address will see continuing connection attempts on this port. So when your firewall reports a connection attempt on this port, it does not mean you are under Sub-7 control.
6970 RealAudio
The RealAudio client receives audio streams from the server on UDP ports 6970-7170. This is set up by an outgoing control connection on TCP port 7070.
13223 PowWow
PowWow is Tribal Voice's chat program. It lets users open private chat connections on this port. The program is very "aggressive" in establishing connections: it "camps" on this TCP port waiting for a response, which produces connection attempts at heartbeat-like intervals. If you are a dial-up user who "inherits" an IP address from someone else, this can happen: it looks as if many different people are probing this port. The protocol uses "OPNG" as the first four bytes of its connection attempts.
17027 Conducent
This is an outbound connection. It occurs because someone inside the company has installed shareware bundled with Conducent's "Adbot". Conducent "Adbot" is an advertising service for shareware; one popular program that uses it is PKWARE. Tests show that blocking this outbound connection causes no problems, but blocking the IP address itself makes Adbot keep retrying the connection several times per second, overloading the link:
the machine constantly tries to resolve the DNS name ads.conducent.com, i.e. the IP addresses 216.33.210.40, 216.33.199.77, 216.33.199.80, 216.33.199.81 and 216.33.210.41. (Translator's note: I do not know whether NetAnts also shows this behaviour.)
27374 Sub-7 Trojan horse (TCP)
See the SubSeven section.
30100 NetSphere Trojan horse (TCP)
Scans of this port are usually looking for the NetSphere Trojan.
31337 Back Orifice "elite"
Hackers read 31337 as "elite" /ei'li:t/ (translator's note: from French, meaning the backbone, the best; 3=e, 1=l, 7=t). So many backdoor programs run on this port. The most famous is Back Orifice. For some time this was the most common scan on the Internet. Now it is becoming less popular, and other Trojans are becoming more and more popular.
31789 Hack-a-tack
UDP traffic on this port is usually due to the "Hack-a-tack" remote access Trojan (RAT). This Trojan contains a built-in scanner for port 31790, so any connection from port 31789 to port 31790 means an intrusion has already occurred. (Port 31789 is the control connection; port 31790 is the file-transfer connection.)
32770~32900 RPC services
Sun Solaris RPC services live in this range. Specifically, earlier versions of Solaris (2.5.1) placed the portmapper in this range, so even if the low port was blocked by a firewall, hackers/crackers could still reach the portmapper. Scans of this range are not aimed at the portmapper but at known RPC services that can be attacked.
33434~33600 traceroute
If you see UDP packets to ports in this range (and only this range), they are probably due to traceroute. See the traceroute section.
41508 Inoculan
Earlier versions of Inoculan generate a large amount of UDP traffic on the subnet to identify each other. See
http://www.circlemud.org/~jelson/software/udpsend.html
http://www.ccd.bnl.gov/nss/tips/inoculan/index.html
(b) What do the following source ports mean?
Ports 1~1024 are reserved ports, so they are almost never used as source ports. There are some exceptions, such as connections from NAT machines. See also 1.9.
You will often see ports just above 1024, which are the "dynamic ports" the system assigns to applications that do not care which port they use.
Server            Client    Service   Description
1-5/TCP           dynamic   FTP       A source port of 1-5 indicates the sscan script.
20/TCP            dynamic   FTP       The FTP server's data port, used to transfer files.
53                dynamic   DNS       DNS sends UDP responses from this port. You may also see TCP connections with 53 as both source and destination port.
123               dynamic   S/NTP     The Simple Network Time Protocol (S/NTP) server runs on this port. Clients also broadcast to this port.
27910~27961/UDP   dynamic   Quake     Quake, and games built on the Quake engine, run their servers on these ports. UDP packets from or to this port range are therefore usually games.
>61000            dynamic   FTP       Source ports above 61000 may come from a Linux NAT server (IP masquerade).
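The source-port rules in this table, the three port categories from the top of the section, and a few of the destination-port rules from part (a) (the byte-swapped 5632 from the pcAnywhere note under port 22, the traceroute range, the backdoor ports), applied to firewall log lines as one triage pass. This is an added example and not a tool from the original FAQ; the log format ("proto src:sport > dst:dport"), the sample lines and all addresses are constructed, so adapt the regular expression to whatever your firewall actually writes.

```python
# Added example (not part of the original FAQ): apply the source- and
# destination-port heuristics from this section to firewall log lines.
import re

# Constructed log format: "<proto> <src>:<sport> > <dst>:<dport>"; adapt to your firewall.
LINE = re.compile(r"(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*>\s*"
                  r"(?P<dst>[\d.]+):(?P<dport>\d+)")

# Destination ports the section above associates with specific backdoors.
BACKDOOR_PORTS = {600: "pcserver backdoor", 1243: "Sub-7", 1524: "ingreslock backdoor",
                  6776: "Sub-7 artifact", 27374: "Sub-7", 30100: "NetSphere",
                  31337: "Back Orifice", 31789: "Hack-a-tack"}

def byte_swapped(port):
    """pcAnywhere probes show port 22 with its bytes reversed: 0x0016 -> 0x1600 = 5632."""
    return ((port & 0xFF) << 8) | (port >> 8)

def port_category(port):
    """The three IANA ranges from the top of the section."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def source_port_note(proto, sport, dport, dst):
    """Rules from part (b): what the source port says about the sender."""
    if proto == "udp" and sport == 68 and dport == 67:
        return "BOOTP/DHCP client request" + (" (broadcast)" if dst == "255.255.255.255" else "")
    if proto == "tcp" and 1 <= sport <= 5:
        return "sscan script (source port 1-5)"
    if proto == "tcp" and sport == 20:
        return "FTP data channel from a server"
    if sport == 53 and dport != 53:
        return "source port 53 to a non-DNS port: stateless-filter evasion"
    if proto == "udp" and sport == 123:
        return "S/NTP server"
    if proto == "udp" and 27910 <= sport <= 27961:
        return "Quake-engine game traffic"
    if sport > 61000:
        return "possibly Linux IP masquerade (NAT)"
    if sport < 1024:
        return "reserved source port (unusual unless NAT)"
    return None

def destination_port_notes(proto, dport):
    """Rules from part (a) for a few destination ports discussed above."""
    notes = []
    if proto == "udp" and dport == 5632:
        notes.append("pcAnywhere scan (5632 is port %d byte-swapped)" % byte_swapped(dport))
    if proto == "udp" and 33434 <= dport <= 33600:
        notes.append("traceroute probe")
    if dport in BACKDOOR_PORTS:
        notes.append(BACKDOOR_PORTS[dport] + " probe")
    return notes

def classify(line):
    """Parse one log line; returns None for lines that do not match the format."""
    m = LINE.search(line)
    if not m:
        return None
    proto, sport, dport = m["proto"], int(m["sport"]), int(m["dport"])
    notes = []
    s = source_port_note(proto, sport, dport, m["dst"])
    if s:
        notes.append(s)
    notes += destination_port_notes(proto, dport)
    return {"src": m["src"], "dst": m["dst"], "proto": proto, "sport": sport,
            "dport": dport, "sport_class": port_category(sport), "notes": notes}

SAMPLE_LOG = """\
udp 203.0.113.9:53 > 192.0.2.10:111
tcp 203.0.113.9:3 > 192.0.2.10:21
udp 198.51.100.7:41234 > 192.0.2.10:5632
udp 198.51.100.7:41235 > 192.0.2.10:33437
tcp 203.0.113.9:61042 > 192.0.2.10:31337
udp 0.0.0.0:68 > 255.255.255.255:67
tcp 203.0.113.9:1025 > 192.0.2.10:1524
"""   # constructed sample lines, documentation addresses only

def triage(log):
    return [r for r in (classify(l) for l in log.splitlines()) if r]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("%s %s:%d > %s:%d [%s] %s" % (r["proto"], r["src"], r["sport"], r["dst"],
              r["dport"], r["sport_class"], "; ".join(r["notes"]) or "nothing notable"))
```

The point of keeping source and destination rules separate is that a single line can carry two independent stories: the fifth sample line is both "probably a masqueraded Linux box" (source port above 61000) and "looking for Back Orifice" (destination 31337), and neither observation should hide the other.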