Detailed explanation of the strongest ports in history from 0 to 33600

Source: Internet
Author: User

In network technology, a port has two meanings. The first is a physical port: the interface on an ADSL modem, hub, switch, or router used to connect other network equipment, such as an RJ-45 port or an SC port. The second is a logical port, which generally refers to a port in the TCP/IP protocol. Port numbers range from 0 to 65535; for example, port 80 is used for browsing web services and port 21 for the FTP service. This article covers logical ports.

To view ports in Windows 2000/XP/Server 2003, use the netstat command: click Start > Run, type cmd, and press Enter to open the Command Prompt window. At the prompt, type "netstat -a -n" and press Enter to list the TCP and UDP connections with their port numbers and states in numeric form.

Before describing the individual ports, here is how to disable or enable ports in Windows. Many insecure or useless ports are enabled, for example port 23 of the Telnet service, port 21 of the FTP service, port 25 of the SMTP service, and port 135 of the RPC service. To ensure system security, ports can be disabled or enabled as follows.

To close a port, for example port 25 of the SMTP service in Windows 2000/XP: open "Control Panel", double-click "Administrative Tools", and then double-click "Services". In the Services window, find and double-click the "Simple Mail Transfer Protocol (SMTP)" service, click "Stop" to stop the service, select "Disabled" under "Startup type", and click "OK". Stopping the SMTP service in this way is equivalent to closing the corresponding port.

To enable a port, select "Automatic" under "Startup type", click "OK", then open the service again, click "Start" under "Service status", and finally click "OK".

Tip: the "Services" option is not available in Windows 98. There, use the rule settings of a firewall to disable or enable ports.

Logical ports can be classified by several standards.
The following describes two common classifications.

1. By distribution of port numbers

(1) Well-known ports: port numbers ranging from 0 to 1023. These ports are usually allocated to specific services. For example, port 21 is allocated to the FTP service, port 25 to the SMTP (Simple Mail Transfer Protocol) service, port 80 to the HTTP service, and port 135 to the RPC (Remote Procedure Call) service.

(2) Dynamic ports: the range from 1024 to 65535. These ports are generally not allocated to a fixed service, so many services can use them. When a running program asks the system for network access, the system assigns it a port number. For example, port 1024 is allocated to the first program that makes such a request. When the program's process is closed, the port number it occupied is released. However, dynamic ports are often used by viruses and Trojans. For example, the default connection port of Glacier is 7626, of WAY 2.4 is 8011, of NetSpy 3.0 is 7306, and of YAI is 1024.

2. By protocol type

Ports can be divided into TCP, UDP, IP, ICMP (Internet Control Message Protocol), and other ports. The following describes TCP and UDP ports:

(1) TCP port: Transmission Control Protocol port. A connection must be established between the client and the server, which provides reliable data transmission. Common examples include port 21 of the FTP service, port 23 of the Telnet service, port 25 of the SMTP service, and port 80 of the HTTP service.

(2) UDP port: User Datagram Protocol port. No connection needs to be established between the client and the server, and security is not guaranteed. Common examples include port 53 of the DNS service, port 161 of the SNMP (Simple Network Management Protocol) service, and ports 8000 and 4000 used by QQ.

Basic knowledge of common network ports

Port: 0
Service: Reserved
Description: Usually used to analyze the operating system.
This method works because "0" is an invalid port on some systems, and trying to connect to it produces a different result than connecting to a normal closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

Port: 1
Service: tcpmux
Description: This shows someone is looking for an SGI IRIX machine. IRIX is the main provider of tcpmux implementations, and tcpmux is enabled by default on this system. IRIX machines are released with several default password-free accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, and outofbox. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and use these accounts.

Port: 7
Service: Echo
Description: You will see traffic sent to x.x.x.0 and x.x.x.255 when many people are searching for Fraggle amplifiers.

Port: 19
Service: Character Generator
Description: This is a service that only sends characters. The UDP version responds to a received UDP packet with a packet containing garbage characters. When a TCP connection is established, it sends a stream of garbage characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Similarly, the Fraggle DoS attack broadcasts a packet with a spoofed IP address to this port on the target address, and the victim is overloaded by responding to the data.

Port: 21
Service: FTP
Description: The port opened by an FTP server for uploading and downloading. Attackers most commonly use it to look for FTP servers that allow anonymous login. These servers have readable and writable directories. This port is also opened by the Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner.

Port: 22
Service: SSH
Description: TCP connections made by pcAnywhere to this port may be attempts to find SSH. This service has many vulnerabilities.
If configured in a specific mode, many versions that use the RSAREF library have many vulnerabilities.

Port: 23
Service: Telnet
Description: Remote logon. Intruders search for remote logon to UNIX services. In most cases, this port is scanned to find out which operating system the machine runs. Other techniques then let intruders find passwords. The Trojan Tiny Telnet Server opens this port.

Port: 25
Service: SMTP
Description: The port opened by an SMTP server for sending email. Intruders look for SMTP servers to pass their spam. Because the intruders' own accounts are closed, they need to connect to a high-bandwidth email server and pass simple messages to different addresses. This port is opened by the Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy.

Port: 31
Service: MSG Authentication
Description: The Trojans Master Paradise and Hackers Paradise open this port.

Port: 42
Service: WINS Replication
Description: WINS replication.

Port: 53
Service: Domain Name Server (DNS)
Description: The port opened by DNS servers. Intruders may attempt zone transfers (TCP), DNS spoofing (UDP), or hiding other communications in it. Therefore, firewalls often filter or log this port.

Port: 67
Service: Bootstrap Protocol Server
Description: Firewalls on DSL and cable modem connections often see large amounts of data sent to the broadcast address 255.255.255. These machines are requesting an address from a DHCP server. Hackers often get into the system and assign an address so that they act as a local router and launch a large number of man-in-the-middle attacks. The client broadcasts its configuration request to port 68, and the server broadcasts the response to port 67. The response is broadcast because the client does not yet know an IP address it can be reached at.
Port: 69
Service: Trivial File Transfer
Description: Many servers provide this service together with BOOTP so that startup code can be downloaded from the system. However, misconfiguration often lets intruders steal any file from the system. It can also be used to write files to the system.

Port: 79
Service: Finger Server
Description: Intruders use it to obtain user information, query the operating system, probe for known buffer overflow errors, and respond to finger scans from their own machine to other machines.

Port: 80
Service: HTTP
Description: Used for web browsing. The Trojan Executor opens this port.

Port: 99
Service: Metagram Relay
Description: The backdoor program ncx99 opens this port.

Port: 102
Service: Message Transfer Agent (MTA), X.400 over TCP/IP
Description: Message transfer agent.

Port: 109
Service: Post Office Protocol-version3
Description: The POP3 server opens this port for receiving mail, and clients use it to access the mail service on the server. POP3 services have many well-known vulnerabilities. There are at least 20 vulnerabilities involving buffer overflows in the username and password exchange, which means that intruders can log on to the system. There are further buffer overflow errors after a successful login.

Port: 110
Service: all ports of Sun's RPC service
Description: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, and amd.

Port: 113
Service: Authentication Service
Description: This is a protocol that runs on many computers and is used to identify the user of a TCP connection. Using the standard service, you can obtain information about many computers. However, it also serves as a logger for many services, especially FTP, POP, IMAP, SMTP, and IRC. If many clients access these services through the firewall, you will see many connection requests on this port. Remember, if you block this port, clients will experience slow connections to the email server on the other side of the firewall.
Many firewalls support sending an RST while blocking the TCP connection, which stops the slow connection.

Port: 119
Service: Network News Transfer Protocol
Description: The newsgroup transfer protocol, which carries Usenet traffic. Connections to this port are usually people looking for Usenet servers. Most ISPs allow only their own customers to access their newsgroup servers. An open newsgroup server lets anyone post and read any message, access restricted newsgroup servers, post anonymously, or send spam.

Port: 135
Service: Location Service
Description: Microsoft runs the DCE RPC end-point mapper for its DCOM service on this port. This is similar to the function of UNIX port 111. Services that use DCOM and RPC register their locations with the end-point mapper on the computer. When remote clients connect to the computer, they query the end-point mapper to find where a service is located. Hackers scan this port on a computer to find out: is Exchange Server running on it? Which version? Some DoS attacks also target this port directly.

Port: 137, 138, 139
Service: NetBIOS Name Service
Description: 137 and 138 are UDP ports, used when files are transferred through Network Neighborhood. Port 139: connections coming in on this port try to reach the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and for Samba. WINS registration also uses it.

Port: 143
Service: Interim Mail Access Protocol v2
Description: As with the POP3 security issues, many IMAP servers have buffer overflow vulnerabilities. Remember: a Linux worm (admv0rm) spreads through this port, so many scans of this port come from infected users who are unaware of it. These vulnerabilities became very popular when Red Hat enabled IMAP by default in its Linux releases. This port is also used for IMAP2, but that is not popular.

Port: 161
Service: SNMP
Description: SNMP allows remote device management.
All configuration and operational information is stored in a database and can be obtained through SNMP. Many administrators' misconfigurations leave it exposed on the Internet. Crackers try to access the system using the default passwords public and private. They may test all possible combinations. SNMP packets may also be misdirected to the user's network.

Port: 177
Service: X Display Manager Control Protocol
Description: Many intruders use it to access the X Window console. It also requires port 6000 to be open.

Port: 389
Service: LDAP, ILS
Description: The Lightweight Directory Access Protocol and the NetMeeting Internet Locator Server share this port.

Port: 443
Service: HTTPS
Description: Web browsing port that provides encryption and transmission over a secure port.

Port: 456
Service: [null]
Description: The Trojan Hackers Paradise opens this port.

Port: 513
Service: Login, remote login
Description: Broadcasts from UNIX computers on the subnet that log in using a cable modem or DSL. These give intruders information for accessing their systems.

Port: 544
Service: [null]
Description: Kerberos kshell.

Port: 548
Service: Macintosh, File Services (AFP/IP)
Description: Macintosh file service.

Port: 553
Service: CORBA IIOP (UDP)
Description: If you use a cable modem, DSL, or VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC system. Intruders can use this information to access the system.

Port: 555
Service: DSF
Description: The Trojans PhAse1.0, Stealth Spy, and IniKiller open this port.

Port: 568
Service: Membership DPA
Description: Membership DPA.

Port: 569
Service: Membership MSN
Description: Membership MSN.

Port: 635
Service: mountd
Description: The Linux mountd bug. This is a popular bug to scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both ports at the same time).
Remember that mountd can run on any port (to find out which one, query Portmap on port 111), but the default port on Linux is 635, just as NFS usually runs on port 2049.

Port: 636
Service: LDAP
Description: SSL (Secure Sockets Layer).

Port: 666
Service: Doom ID Software
Description: The Trojans Attack FTP and Satanz Backdoor open this port.

Port: 993
Service: IMAP
Description: SSL (Secure Sockets Layer).

Port: 1001, 1011
Service: [null]
Description: The Trojans Silencer and WebEx open port 1001. The Trojan Doly Trojan opens port 1011.

Port: 1024
Service: Reserved
Description: This is the beginning of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the system to allocate them an idle port, starting from port 1024. This means that the first request to the system is allocated port 1024. To check, restart the machine, open Telnet, and then open another window and run netstat -a: the Telnet session is allocated port 1024. SQL sessions also use this port and port 5000.

Port: 1025, 1033
Service: 1025: Network blackjack; 1033: [null]
Description: The Trojan NetSpy opens these two ports.

Port: 1080
Service: SOCKS
Description: This protocol tunnels through the firewall, allowing people behind the firewall to access the Internet through one IP address. In theory, it should only allow internal traffic to reach the Internet. However, due to incorrect configuration, it lets attacks from outside the firewall pass through the firewall. This error often occurs with WinGate and is often seen when you join an IRC chat room.

Port: 1170
Service: [null]
Description: The Trojans Streaming Audio Trojan, Psyber Stream Server, and Voice open this port.

Port: 1234, 1243, 6711, 6776
Service: [null]
Description: The Trojans SubSeven 2.0 and Ultors Trojan open ports 1234 and 6776. The Trojan SubSeven 1.0/1.9 opens ports 1243, 6711, and 6776.

Port: 1245
Service: [null]
Description: The Trojan Vodoo opens this port.
Port: 1433
Service: SQL
Description: The port opened by the Microsoft SQL service.

Port: 1492
Service: stone-design-1
Description: The Trojan FTP99CMP opens this port.

Port: 1500
Service: RPC client fixed port session queries
Description: RPC client fixed-port session queries.

Port: 1503
Service: NetMeeting T.120
Description: NetMeeting T.120.

Port: 1524
Service: ingress
Description: Many attack scripts install a backdoor shell on this port, especially those that target Sendmail and RPC service vulnerabilities on Sun systems. If you see connection attempts on this port right after installing a firewall, this is probably the reason. Try Telnet to this port on your own computer to see whether it gives you a shell. The same problem applies to connections to 600/pcserver.

Common network ports (supplement)

553 CORBA IIOP (UDP)
If you use a cable modem, DSL, or VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers use this information to access the system.

600 pcserver backdoor
See port 1524. Some script kiddies think that they have completely cracked the system by modifying the ingreslock and pcserver files. (Alan J. Rosenthal)

635 mountd
The Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both ports at the same time). Remember, mountd can run on any port (to find out which one, query Portmap on port 111), but Linux uses port 635 by default, just as NFS usually runs on port 2049.

1024
Many people ask what this port is for. It is the beginning of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the operating system to allocate "the next idle port" to them, starting from port 1024. This means that the first program to request a dynamic port from the system is allocated port 1024.
To verify this, restart the machine, open Telnet, and run "netstat -a" in another window. You will see port 1024 allocated to Telnet. The more applications make requests, the more dynamic ports are in use, and the port numbers allocated by the operating system gradually increase. You can also watch this with "netstat" while browsing web pages: each web page requires a new port.

1024, 1080 see SOCKS
This protocol tunnels through the firewall, allowing many people behind the firewall to access the Internet through one IP address. In theory, it should only allow internal traffic to reach the Internet. However, due to incorrect configuration, it lets hacker/cracker attacks from outside the firewall pass through the firewall, or simply responds to computers on the Internet and so conceals their direct attacks against you. WinGate is a common Windows personal firewall on which this configuration error often occurs. It is often seen when you join an IRC chat room.

1114 SQL
This port itself is seldom scanned, but it is often part of the sscan script.

1243 Sub-7 Trojan (TCP)

1524 ingreslock backdoor
Many attack scripts install a backdoor shell on this port (especially scripts that target Sendmail and RPC service vulnerabilities on Sun systems, such as statd, ttdbserver, and cmsd). If you have just installed your firewall and you see connection attempts on this port, this is probably the reason. You can try Telnet to this port on your own machine to see whether it gives you a shell. The same problem applies to connections to 600/pcserver.

2049 NFS
NFS programs run on this port. Normally you need to query Portmapper to find the port on which the service runs, but in most cases NFS runs on this port after installation, so hackers/crackers can skip Portmapper and test this port directly.

3128 Squid
This is the default port of the Squid HTTP proxy server. Attackers scan this port to search for a proxy server and access the Internet anonymously.
You will also see scans of the ports used by other proxy servers: 8000/8001/8080/8888. Another reason for scans of this port is that the user is entering a chat room. Other users (or the server itself) also check this port to determine whether the user's machine supports proxying.

5632 pcAnywhere
You will see many scans of this port, depending on your location. When a user opens pcAnywhere, it automatically scans the LAN class C network to find possible agents. (Translator: agent rather than proxy.) Hackers/crackers also look for machines that have this service open, so you should check the source address of such scans. Some scans for pcAnywhere also contain UDP packets to port 22.

6776 Sub-7 artifact
This port is the data transfer port, separate from the Sub-7 main port. For example, you will see this when the controller controls another machine over a telephone line and the controlled machine hangs up. When another user then dials in with this IP address, they see continuous connection attempts on this port. (Translator: when the firewall reports a connection attempt on this port, it does not mean that you are being controlled by Sub-7.)

6970 RealAudio
RealAudio clients receive audio data streams from the server on UDP ports 6970-7170. This is set up by the outgoing control connection on TCP port 7070.

13223 PowWow
PowWow is the chat program from Tribal Voice. It allows users to open private chat connections on this port. The program is very "aggressive" about establishing connections: it "camps" on this TCP port waiting for a response, which causes connection attempts at heartbeat-like intervals. If you are a dial-up user and "inherit" the IP address of another user, it looks as if many different people are probing this port. The protocol uses "opng" as the first four bytes of its connection attempt.

17027
This is an external connection.
It appears because someone in the company has installed shareware that includes the Conducent "adbot". The Conducent "adbot" displays advertisements for shareware. A popular program that uses this service is PKWare. Some people have tried to block this external connection, but blocking the IP addresses themselves causes the adbot to retry the connection many times per second, resulting in connection overload: the machine constantly tries to resolve the DNS name ads.conducent.com, that is, the IP addresses 216.33.210.40; 216.33.199.77; 216.33.199.80; 216.33.199.81; 216.33.210.41. (Translator: I wonder if the Radiate used by NetAnts also has this phenomenon.)

27374 Sub-7 Trojan (TCP)

30100 NetSphere Trojan (TCP)
This port is generally scanned to find the NetSphere Trojan.

31337 Back Orifice "elite"
In hacker spelling, 31337 reads "elite" (3 = E, 1 = L, 7 = T). Therefore, many backdoor programs run on this port. The most famous one is Back Orifice. In the past, this was the most common scan on the Internet. Nowadays, it is becoming increasingly popular, and other Trojan programs are becoming increasingly popular.

31789 Hack-a-Tack
UDP traffic on this port is usually caused by the "Hack-a-Tack" remote access Trojan (RAT). This Trojan contains a built-in 31790 port scanner, so any connection from port 31789 to port 317890 means this intrusion has already happened. (Port 31789 is the control connection and port 317890 is the file transfer connection.)

32770 ~ 32900 RPC services
The RPC services of Sun Solaris are in this range. In detail, earlier versions of Solaris (earlier than version 2.5.1) put Portmapper in this range, which lets hackers/crackers reach it even if the low ports are closed by the firewall. Scans of the ports in this range are not for Portmapper, but for known RPC services that can be attacked.

33434 ~ 33600 traceroute
If you see UDP packets within this port range (and only within this range), it may be because of traceroute.
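
An added example, not part of the original article: the "netstat -a -n" check described at the start, automated for a defender reviewing a host. It parses Windows netstat output, keeps only open (listening) sockets, labels each port with the article's well-known/dynamic split, and attaches the article's note where it has one. PORT_NOTES, review_listeners and the sample output are names and data constructed for this example.

```python
import re

# Notes condensed from this article's entries: an old reference list, not a
# current indicator feed. A hit means "identify the owning process", no more.
PORT_NOTES = {
    21: "FTP; also Doly Trojan, WinCrash, Blade Runner",
    23: "Telnet; Tiny Telnet Server Trojan",
    25: "SMTP; intruders look for servers to pass spam",
    135: "RPC end-point mapper",
    139: "NetBIOS/SMB file and printer sharing",
    161: "SNMP; default passwords public and private",
    1080: "SOCKS; misconfiguration lets outside traffic through",
    1243: "SubSeven 1.0/1.9",
    1524: "backdoor shell left by attack scripts",
    6776: "SubSeven",
    7626: "Glacier default connection port",
    27374: "Sub-7 Trojan (TCP)",
    30100: "NetSphere Trojan (TCP)",
    31337: "Back Orifice",
}

# One socket row of "netstat -a -n": proto, local addr:port, foreign, [state]
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def port_class(port):
    """The article's split by number: 0-1023 well-known, 1024-65535 dynamic."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    return "well-known" if port <= 1023 else "dynamic"


def parse_netstat(text):
    """Return one dict per socket row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, addr, port, foreign, state = m.groups()
            rows.append({"proto": proto.upper(), "addr": addr.strip("[]"),
                         "port": int(port), "foreign": foreign,
                         "state": (state or "").upper()})
    return rows


def review_listeners(text):
    """Open ports only: TCP in LISTENING state, or a bound UDP socket (*:*)."""
    findings = []
    for r in parse_netstat(text):
        tcp_open = r["proto"] == "TCP" and r["state"] == "LISTENING"
        udp_open = r["proto"] == "UDP" and r["foreign"] == "*:*"
        if tcp_open or udp_open:
            findings.append({
                "proto": r["proto"], "port": r["port"],
                "class": port_class(r["port"]),
                # 0.0.0.0 and :: mean "every interface", so reachable remotely
                "all_interfaces": r["addr"] in ("0.0.0.0", "::"),
                "note": PORT_NOTES.get(r["port"]),
            })
    # Ports the article comments on first, then the rest, each by number
    return sorted(findings, key=lambda f: (f["note"] is None, f["port"]))


# Constructed sample output (documentation addresses), not a real capture
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1524         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED
  TCP    [::]:27374             [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:1027           *:*
"""

if __name__ == "__main__":
    for f in review_listeners(SAMPLE):
        print(f["proto"], f["port"], f["class"], f["all_interfaces"], f["note"])
```

A listed port number alone does not show that a Trojan is present; on Windows, "netstat -a -n -o" adds the owning process ID for the follow-up check.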
