We often see "ports" such as 135, 137, 139, and 443 in network and website technical articles. But what are these network ports used for? Do they pose a potential threat to our computers? How many ports are useful?

Port: 0 Service: Reserved Description: Usually used to analyze the operating system. This method works because "0" is an invalid port in some systems and produces different results than a normally closed port when you try to connect to it. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

Port: 1 Service: tcpmux Note: This shows someone is looking for an SGI IRIX machine. IRIX is the main implementer of tcpmux, and tcpmux is enabled by default on this system. IRIX machines are released with several default password-free accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, and outofbox. Many administrators forget to delete these accounts after installation. Hackers therefore search the Internet for tcpmux and use these accounts.

Port: 7 Service: Echo Note: When many people are searching for Fraggle amplifiers, you will see traffic sent to x.x.x.0 and x.x.x.255.

Port: 19 Service: Character Generator Description: This is a service that only sends characters. The UDP version responds to each UDP packet it receives with a packet of garbage characters. Over TCP, it sends a stream of garbage characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Similarly, the Fraggle DoS attack broadcasts a packet with a spoofed IP address to this port at the target address, and the victim is overloaded responding to the data.

Port: 21 Service: FTP Description: The port opened by an FTP server (such as ftp://www.hualai.net.cn) for uploads and downloads. Attackers most commonly use it to look for FTP servers that allow anonymous access. These servers have read/write directories. This port is also opened by the Trojans Doly Trojan, fore, invisibleftp, WebEx, WinCrash, and Blade Runner.

Port: 22 Service: SSH Note: A TCP connection made to this port by pcAnywhere may be an attempt to find ssh.
This service has many vulnerabilities. When configured in a specific mode, many versions that use the RSAREF library may have many vulnerabilities.

Port: 23 Service: Telnet Description: Remote login. Intruders search for remote login to UNIX services. In most cases, this port is scanned to identify the operating system the machine runs. There are other techniques that allow intruders to find passwords. The Trojan Tiny Telnet Server opens this port.

Port: 25 Service: SMTP Description: The port opened by an SMTP server for sending email. Intruders look for SMTP servers to pass their spam through. Because the intruders' own accounts are closed, they need to connect to a high-bandwidth e-mail server and pass simple messages to many different addresses. This port is used by Trojans such as Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy.

Port: 31 Service: MSG Authentication Description: The Trojans Master Paradise and Hackers Paradise open this port.

Port: 42 Service: WINS Replication Description: WINS replication.

Port: 53 Service: Domain Name Server (DNS) Description: The port opened by a DNS server. Intruders may attempt zone transfers (TCP), spoof DNS (UDP), or hide other communications in it. Therefore, firewalls often filter or log this port.

Port: 67 Service: Bootstrap Protocol Server Description: On firewalls for DSL and cable modems, you will often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from the DHCP server. Hackers often get into them, assign an address, and set themselves up as the local router to launch a large number of man-in-the-middle attacks. The client broadcasts the request configuration to port 68, and the server broadcasts the response to the request to port 67. The response is broadcast because the client does not yet know an IP address it can be sent to.

Port: 69 Service: Trivial File Transfer Description: Many servers provide this service together with BOOTP so that startup code can be downloaded from the system. However, misconfiguration often lets intruders steal any file from the system. It can also be used to write files to the system.

Port: 79 Service: Finger Server Description: Intruders use it to obtain user information, query the operating system, probe for known buffer overflow errors, and respond to finger scans from their own machines to other machines.

Port: 80 Service: HTTP Description: For Web browsing (such as http://www.hualai.net.cn). The Trojan Executor opens this port.

Port: 99 Service: Metagram Relay Description: The backdoor program ncx99 opens this port.

Port: 102 Service: Message Transfer Agent (MTA) - X.400 over TCP/IP Description: Message transfer agent.

Port: 109 Service: Post Office Protocol - Version 3 Description: The POP3 server opens this port for receiving mail, and clients access the mail service on the server through it. POP3 services have many well-known vulnerabilities. There are at least 20 vulnerabilities involving buffer overflows in the user name and password exchange, which means that intruders can log on to the system. There are other buffer overflow errors after a successful login.

Port: 110 Service: all ports of Sun's RPC service Description: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, and amd.

Port: 113 Service: Authentication Service Description: This is a protocol that runs on many computers and is used to identify the user of a TCP connection. Using the standard service, you can obtain information about many computers. It also serves as a logger for many services, especially FTP, POP, IMAP, SMTP, and IRC. If many clients access these services through a firewall, you will see many connection requests on this port.
Remember, if you block this port, clients will experience a slow connection to the e-mail server on the other side of the firewall. Many firewalls support sending back an RST when they block a TCP connection, which stops the slow connection.

Port: 119 Service: Network News Transfer Protocol Description: The newsgroup transfer protocol, which carries Usenet traffic. Connections to this port usually come from people looking for Usenet servers. Most ISPs allow only their own customers to access their newsgroup servers. An open newsgroup server lets anyone send and read posts, access restricted newsgroup servers, post anonymously, or send spam.

Port: 135 Service: Location Service Description: Microsoft runs the DCE RPC end-point mapper for its DCOM service on this port. This is similar to the function of UNIX port 111. Services that use DCOM and RPC register their locations with the end-point mapper on the computer. When remote clients connect to the computer, they query the end-point mapper to find where the service is located. Hackers scan this port to find out whether the computer runs Exchange Server, and which version. Some DoS attacks also target this port directly.

Port: 137, 138, 139 Service: NetBIOS Name Service Description: 137 and 138 are UDP ports, used when files are transferred through Network Neighborhood. Port 139: connections coming in through this port try to reach the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and for Samba. WINS registration also uses it.

Port: 143 Service: Interim Mail Access Protocol v2 Note: As with the POP3 security issues, many IMAP servers have buffer overflow vulnerabilities. Remember: a Linux worm (admv0rm) propagates through this port, so many scans of this port come from unsuspecting infected users. These vulnerabilities became very popular when Red Hat enabled IMAP by default in its Linux releases. This port is also used for IMAP2, but that is not popular.

Port: 161 Service: SNMP Description: SNMP allows remote device management. All configuration and operation information is stored in a database and can be obtained through SNMP. Many administrators' misconfigurations leave it exposed on the Internet. Crackers try to access the system using the default passwords public and private, and they may test all possible combinations. SNMP packets may also be mistakenly directed at the user's network.

Port: 177 Service: X Display Manager Control Protocol Description: Many intruders use it to access the X-Windows console. It also needs port 6000 to be open.

Port: 389 Service: LDAP, ILS Description: The Lightweight Directory Access Protocol and the NetMeeting Internet Locator Server share this port.

Port: 443 Service: HTTPS Description: The Web browsing port that provides encrypted transmission over a secure port.

Port: 456 Service: [null] Description: The Trojan Hackers Paradise opens this port.

Port: 513 Service: Login, remote login Description: Broadcasts from UNIX computers on the subnet that log in using a cable modem or DSL. These give intruders information for accessing their systems.

Port: 544 Service: [null] Description: Kerberos kshell.

Port: 548 Service: Macintosh, File Services (AFP/IP) Description: Macintosh file services.

Port: 553 Service: CORBA IIOP (UDP) Description: If you use a cable modem, DSL, or VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC system. Intruders can use this information to access the system.

Port: 555 Service: DSF Description: The Trojans phase1.0, Stealth Spy, and inikiller open this port.

Port: 568 Service: Membership DPA Description: Membership DPA.

Port: 569 Service: Membership MSN Description: Membership MSN.

Port: 635 Service: mountd Description: The Linux mountd bug. This is a popular bug to scan for. Most scans of this port are UDP-based, but scans of TCP-based mountd are increasing (mountd runs on both ports at the same time).
Remember that mountd can run on any port (which one is found with a portmap query on port 111), but the Linux default is 635, just as NFS usually runs on port 2049.

Port: 636 Service: LDAP Description: SSL (Secure Sockets Layer).

Port: 666 Service: Doom ID Software Description: The Trojans Attack FTP and Satanz Backdoor open this port.

Port: 993 Service: IMAP Description: SSL (Secure Sockets Layer).

Port: 1001, 1011 Service: [null] Description: The Trojans Silencer and WebEx open port 1001. The Trojan Doly Trojan opens port 1011.
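
As an added example (not part of the original article), the following Python script checks a Linux host for TCP listeners on ports that the list above associates with Trojans or abusable legacy services. The FLAGGED subset, the function names, and the sample /proc/net/tcp text are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Ports and associations taken from the list above (a subset, TCP only).
FLAGGED = {
    7: "echo (Fraggle amplifier)",
    19: "chargen (spoofed-UDP DoS)",
    31: "Master Paradise / Hackers Paradise",
    99: "ncx99 backdoor",
    456: "Hackers Paradise",
    555: "phase1.0 / Stealth Spy / inikiller",
    666: "Attack FTP / Satanz Backdoor",
    1001: "Silencer / WebEx",
    1011: "Doly Trojan",
}
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:022B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002 1
   2: 0100007F:0013 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A00000A:029A 0B00000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1
"""

def listening_sockets(proc_text):
    """Yield (ip, port) for every IPv4 TCP socket in LISTEN state."""
    for line in proc_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                                 # e.g. established connections
        hex_ip, hex_port = fields[1].split(":")
        # Assumption: little-endian host, so the address is byte-swapped hex.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield ip, int(hex_port, 16)

def audit(proc_text):
    """Return (port, bind_ip, exposure, note) for listeners on flagged ports."""
    findings = []
    for ip, port in listening_sockets(proc_text):
        if port in FLAGGED:
            exposure = "loopback-only" if ip.startswith("127.") else "network-reachable"
            findings.append((port, ip, exposure, FLAGGED[port]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("port %d on %s (%s): %s" % finding)
```

On a real host, pass the contents of /proc/net/tcp to audit(). A match is only a lead to investigate, since any program can bind these ports.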