Hadoop-definitions of Computer Network Ports
Port Introduction
The ports described in this article are all logical ports, that is, ports in the TCP/IP protocol. Port numbers range from 0 to 65535; for example, port 80 is used for web browsing and port 21 for the FTP service.
Here we will introduce the logical port.
A. Classification by port number
(1) Well-Known Ports
Well-known ports are port numbers ranging from 0 to 1023. These ports are usually allocated to specific services.
For example, port 21 is allocated to the FTP service, port 25 to the SMTP (Simple Mail Transfer Protocol) service, port 80 to the HTTP service, and port 135 to the RPC (Remote Procedure Call) service.
(2) Registered Ports
These port numbers range from 1025 to 49151. They are loosely bound to some services: many services are bound to these ports, and the ports are also used for many other purposes.
Most of these ports have no clearly defined service. Different programs can define their use according to actual needs. For example, the remote control software and Trojan programs described later define these ports for themselves.
Knowing the ports used by these common programs is necessary for protecting against and detecting Trojans. The ports used by common Trojans are listed in detail later.
(3) Dynamic Ports
Dynamic ports range from 49152 to 65535. These ports are generally not allocated to any one service, which means that many services can use them.
Whenever a running program asks the system for network access, the system can assign it a port number to use.
For example, port 1024 is allocated to the first application that makes a request to the system. After the program's process is closed, the port number it occupied is released.
However, dynamic ports are often used by viruses and Trojans. For example, the default connection port of Glacier is 7626, of WAY 2.4 is 8011, of Netspy 3.0 is 7306, and of YAI is 1024.
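The range split above can be turned into a listener audit that supports the Trojan detection this section calls for. The following is an added example, not part of the original article: `classify`, `audit`, and the sample `netstat -an` lines are constructed for illustration, and the Trojan table is a subset of the default ports this article names.

```python
import re

# Port ranges as this article gives them; 1024 sits outside all three and
# is described in the port list as the first dynamically assigned port.
RANGES = [(0, 1023, "well-known"), (1025, 49151, "registered"),
          (49152, 65535, "dynamic")]

# Default Trojan ports named in this article (subset): port -> name.
TROJAN_PORTS = {
    31: "Master Paradise / Hackers Paradise", 99: "ncx99",
    456: "Hackers Paradise", 555: "PhAse1.0 / Stealth Spy / IniKiller",
    1011: "Doly Trojan", 1243: "SubSeven 1.0/1.9", 1245: "Vodoo",
    1492: "FTP99CMP", 6711: "SubSeven 1.0/1.9", 7306: "Netspy 3.0",
    7626: "Glacier", 8011: "WAY 2.4",
}

# Constructed sample in Windows `netstat -an` layout (not from a real host).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:80          0.0.0.0:0         LISTENING
  TCP    0.0.0.0:135         0.0.0.0:0         LISTENING
  TCP    0.0.0.0:7626        0.0.0.0:0         LISTENING
  TCP    192.168.1.10:49731  203.0.113.5:443   ESTABLISHED
  TCP    [::]:1243           [::]:0            LISTENING
  UDP    0.0.0.0:161         *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def classify(port):
    """Return the article's range name for a port number."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    for low, high, name in RANGES:
        if low <= port <= high:
            return name
    return "first dynamic assignment (1024)"

def audit(netstat_text):
    """Return (proto, port, range, trojan_or_None) per open local port."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        # Keep UDP sockets and TCP listeners; skip established TCP flows.
        if not m or (m.group(1) == "TCP" and m.group(4) != "LISTENING"):
            continue
        port = int(m.group(3))
        findings.append((m.group(1), port, classify(port), TROJAN_PORTS.get(port)))
    return findings
```

Under the article's own ranges, the Glacier default 7626 classifies as registered rather than dynamic, so matching is done on the port number and not on the range.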
B. Classification by protocol type
By protocol type, ports can be divided into TCP, UDP, IP, ICMP (Internet Control Message Protocol) and other ports. The following describes TCP and UDP ports:
(1) TCP port
A TCP port, that is, a Transmission Control Protocol port, requires a connection to be established between the client and the server, which provides reliable data transmission. Common examples include port 21 of the FTP service, port 23 of the Telnet service, port 25 of the SMTP service, and port 80 of the HTTP service.
(2) UDP port
A UDP port, that is, a User Datagram Protocol port, does not require a connection to be established between the client and the server, and security is not guaranteed. Common examples include port 53 of the DNS service, port 161 of the SNMP (Simple Network Management Protocol) service, and ports 8000 and 4000 of QQ.
Important port list
Port: 0
Service: Reserved
Description: Usually used to help identify the operating system. This works because port 0 is an invalid port on some systems, which respond differently to a connection attempt on it than they do on a normal closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.
Port: 1
Service: tcpmux
Note: Traffic to this port shows that someone is looking for an SGI Irix machine. Irix is the main system that implements tcpmux, and tcpmux is enabled on it by default. Irix machines ship with several default accounts that have no password, such as IP, guest, uucp, NUUCP, DEMOS, TUTOR, DIAG, and OUTOFBOX. Many administrators forget to delete these accounts after installation. Hackers therefore search the Internet for tcpmux and use these accounts.
Port: 7
Service: Echo
Note: Traffic to this port sent to X.X.X.0 and X.X.X.255 shows up when many people are searching for Fraggle amplifiers.
Port: 19
Service: Character Generator
Note: This is a service that only sends characters. The UDP version responds to any UDP packet it receives with a packet containing junk characters. When a TCP connection is established, it sends a stream of junk characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks, forging UDP packets between two chargen servers. Similarly, the Fraggle DoS attack broadcasts a packet with a spoofed IP address to this port on the target address, and the victim is overloaded by the data sent in response.
Port: 21
Service: FTP
Description: The port opened by the FTP server for uploading and downloading. Attackers most commonly use it to look for FTP servers that allow anonymous access. These servers have readable and writable directories. This port is also opened by the Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner.
Port: 22
Service: SSH
Note: TCP connections that PcAnywhere establishes to this port may be searching for SSH. This service has many vulnerabilities. When configured in a specific mode, many versions that use the RSAREF library may have many vulnerabilities.
Port: 23
Service: Telnet
Description: Remote logon. Intruders search for remote logon services on UNIX. In most cases, this port is scanned to find out which operating system the machine runs. Other techniques also allow intruders to find passwords. The Trojan Tiny Telnet Server opens this port.
Port: 25
Service: SMTP
Description: The port opened by the SMTP server for sending e-mail. Intruders look for SMTP servers through which to pass their spam. The intruders' accounts are closed, and they need to connect to a high-bandwidth e-mail server to pass simple messages to different addresses. This port is opened by Trojans such as Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy.
Port: 31
Service: MSG Authentication
Note: The Trojans Master Paradise and Hackers Paradise open this port.
Port: 42
Service: WINS Replication
Note: WINS replication
Port: 53
Service: Domain Name Server (DNS)
Description: The port opened by the DNS server. Intruders may attempt zone transfers (TCP), spoof DNS (UDP), or hide other communications. Therefore, firewalls often filter or record this port.
Port: 67
Service: Bootstrap Protocol Server
Note: Firewalls on DSL and cable modem connections often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from a DHCP server. Hackers often get into them and assign an address, setting themselves up as the local router to launch a large number of man-in-the-middle attacks. The client broadcasts its configuration request to port 68, and the server broadcasts the response to port 67. The response is broadcast because the client does not yet know an IP address to which it can be sent.
Port: 69
Service: Trivial File Transfer
Note: Many servers provide this service together with bootp so that startup code can be downloaded from the system. However, misconfiguration often lets intruders steal any file from the system. It can also be used to write files to the system.
Port: 79
Service: Finger Server
Note: Intruders use it to obtain user information, query the operating system, probe for known buffer overflow errors, and relay Finger scans from their own machines to other machines.
Port: 80
Service: HTTP
Description: Used for web browsing. The Trojan Executor opens this port.
Port: 99
Service: Metagram Relay
Note: The backdoor program ncx99 opens this port.
Port: 102
Service: Message transfer agent (MTA) - X.400 over TCP/IP
Description: Message transfer agent.
Port: 109
Service: Post Office Protocol - Version 3
Note: The POP3 server opens this port to receive mail, and clients use it to access the mail service on the server. POP3 services have many known vulnerabilities. There are at least 20 buffer overflow vulnerabilities in the username and password exchange, which means that intruders can log on to the system. Other buffer overflow errors exist after a successful login.
Port: 110
Service: all ports of SUN's RPC service
Note: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, and amd.
Port: 113
Service: Authentication Service
Note: This protocol runs on many computers and identifies the user of a TCP connection. Using the standard service, you can obtain information about many computers. However, many services use it for logging, especially FTP, POP, IMAP, SMTP, and IRC. If many clients access these services through a firewall, you will see many connection requests on this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending an RST while blocking the TCP connection, which stops the slow connection.
Port: 119
Service: Network News Transfer Protocol
Note: The newsgroup transfer protocol, which carries USENET traffic. Connections to this port are usually seen on USENET servers. Most ISPs allow only their own customers to access their newsgroup servers. An open newsgroup server allows anyone to post and read messages, access restricted newsgroup servers, post anonymously, or send spam.
Port: 135
Service: Location Service
Note: Microsoft runs its DCE RPC end-point mapper on this port to serve DCOM. This is similar in function to UNIX port 111. Services that use DCOM and RPC register their locations with the end-point mapper on the computer. When remote clients connect to the computer, they query the end-point mapper to find where a service is located. Hackers scan this port on computers to find out, for example, whether a computer runs Exchange Server and which version. Some DoS attacks also target this port directly.
Ports: 137, 138, and 139
Service: NETBIOS Name Service
Note: Ports 137 and 138 are UDP ports, used when files are transferred through network peers. Port 139: connections coming in through this port try to reach the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and for SAMBA. WINS Registration also uses it.
Port: 143
Service: Interim Mail Access Protocol v2
Note: Like POP3, many IMAP servers have buffer overflow vulnerabilities. Remember that a Linux worm (admv0rm) propagates through this port, so many scans of this port come from infected users who are unaware of it. These vulnerabilities became very popular when Red Hat enabled IMAP by default in its Linux releases. This port is also used for IMAP2, but that is not popular.
Port: 161
Service: SNMP
Note: SNMP allows remote device management. All configuration and operation information is stored in a database and can be obtained through SNMP. Many administrators' misconfigurations leave it exposed on the Internet. Crackers try to use the default passwords public and private to access the system. They may try all possible combinations. SNMP packets may also be mistakenly directed at the user's network.
Port: 177
Service: X Display Manager Control Protocol
Note: Many intruders use it to access the X-windows console; port 6000 must be open at the same time.
Port: 389
Services: LDAP and ILS
Note: The Lightweight Directory Access Protocol and the NetMeeting Internet Locator Server share this port.
Port: 443
Service: HTTPS
Note: A web browsing port that provides encryption and transmission over a secure port.
Port: 456
Service: [NULL]
Note: The Trojan Hackers Paradise opens this port.
Port: 513
Service: Login, remote login
Note: These are broadcasts from UNIX computers that log on to the subnet over a cable modem or DSL. They give intruders information for getting into those systems.
Port: 544
Service: [NULL]
Note: kerberos kshell
Port: 548
Service: Macintosh, File Services (AFP/IP)
Description: Macintosh, file service.
Port: 553
Service: CORBA IIOP (UDP)
Note: Broadcasts to this port may be seen on cable modem, DSL, or VLAN networks. CORBA is an object-oriented RPC system. Intruders can use this information to get into the system.
Port: 555
Service: DSF
Note: The Trojans PhAse1.0, Stealth Spy, and IniKiller open this port.
Port: 568
Service: Membership DPA
Note: Membership DPA.
Port: 569
Service: Membership MSN
Description: Membership MSN.
Port: 635
Service: mountd
Description: The Linux mountd bug. This is a popular bug to scan for. Most scans of this port are UDP-based, but TCP-based mountd scans are increasing (mountd runs on both ports at the same time). Remember that mountd can run on any port (to find out which one, query portmap on port 111), but Linux defaults to port 635, just as NFS usually runs on port 2049.
Port: 636
Service: LDAP
Note: SSL (Secure Sockets Layer)
Port: 666
Service: Doom Id Software
Description: The Trojans Attack FTP and Satanz Backdoor open this port.
Port: 993
Service: IMAP
Note: SSL (Secure Sockets Layer)
Port: 1001, 1011
Service: [NULL]
Description: The Trojans Silencer and WebEx open port 1001. The Trojan Doly Trojan opens port 1011.
Port: 1024
Service: Reserved
Note: This is where dynamic ports begin. Many programs do not care which port they use to connect to the network; they ask the system to assign them an idle port. Allocation starts from port 1024, which means that the first request to the system is allocated port 1024. You can restart the machine, open Telnet, and then open another window and run netstat -a; you will see that Telnet has been allocated port 1024. SQL sessions also use this port and port 5000.
Port: 1025, 1033
Service: 1025: network blackjack; 1033: [NULL]
Note: The Trojan netspy opens these two ports.
Port: 1080
Service: SOCKS
Note: This protocol tunnels through the firewall, allowing people behind the firewall to access the Internet through an IP address. In theory, it should only allow internal traffic to reach the Internet. However, because of misconfiguration, it can allow attacks from outside the firewall to pass through it. This error often occurs in WinGate and is often seen when joining IRC chat rooms.
Port: 1170
Service: [NULL]
Note: The Trojans Streaming Audio Trojan, Psyber Stream Server, and Voice open this port.
Ports: 1234, 1243, 6711, and 6776
Service: [NULL]
Description: The Trojans SubSeven2.0 and Ultors Trojan open ports 1234 and 6776. The Trojan SubSeven1.0/1.9 opens ports 1243, 6711, and 6776.
Port: 1245
Service: [NULL]
Note: The Trojan Vodoo opens this port.
Port: 1433
Service: SQL
Description: The port opened by the Microsoft SQL service.
Port: 1492
Service: stone-design-1
Note: The Trojan FTP99CMP opens this port.
Port: 1500
Service: RPC client fixed port session queries
Note: RPC client fixed port session queries
Port: 1503
Service: NetMeeting T.120
Description: NetMeeting T.120
Port: 1524
Service: ingress
Note: Many attack scripts install a backdoor shell on this port, especially those targeting Sendmail and RPC vulnerabilities in Sun systems. If you see connection attempts on this port just after installing a firewall, this is probably the reason. Try to Telnet to this port on your own computer to see whether it gives you a shell. The same problem exists with connections to 600/pcserver.