Ports can be divided into three main categories:
1) Well-known ports: 0 to 1023. These are tightly bound to particular services, and traffic on one of them almost always indicates the protocol of that service. For example, port 80 is practically always HTTP traffic.
2) Registered ports: 1024 to 49151. These are loosely bound to services: many services are registered on these ports, but the same ports are also used for many other purposes. For example, many systems allocate dynamic ports starting at around 1024.
3) Dynamic and/or private ports: 49152 to 65535. In theory no service should be assigned a port in this range. In practice, machines typically allocate dynamic ports from 1024 upwards, and there are exceptions the other way too: Sun's RPC ports start at 32768.
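The three ranges above are easy to state but awkward to apply to a log line, because the range a port falls in does not tell you whether it was chosen by a client or belongs to a service. The following is an added example (not code from the original article) that classifies a port into the IANA ranges and then applies the article's own caveats: most systems hand out dynamic ports from 1024 upwards, and on Sun systems the range from 32768 upwards is occupied by RPC services rather than clients. The function names and the sun_rpc flag are this example's own.

```python
# Added example: IANA port categories plus the article's practical caveats.
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151
PORT_MAX = 65535
FIRST_DYNAMIC = 1024     # where most systems actually start handing out ports
SUN_RPC_START = 32768    # Sun RPC services live here even though it is "dynamic"


def classify_port(port: int) -> str:
    """Return the IANA category name for a port number."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port out of range: {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


def is_probably_ephemeral(port: int, sun_rpc: bool = False) -> bool:
    """Heuristic from the article: ports from 1024 upwards are usually handed
    out dynamically to client programs. If the host is known to be a Sun box
    (sun_rpc=True), ports from 32768 upwards are RPC services instead."""
    if port < FIRST_DYNAMIC:
        return False
    if sun_rpc and port >= SUN_RPC_START:
        return False
    return True


def guess_service_side(src_port: int, dst_port: int, sun_rpc: bool = False) -> str:
    """Decide which end of a logged connection is the service.

    "dst": the destination looks like the service (a client talking to a
           server, the usual case);
    "src": the source port is the fixed one (e.g. a DNS reply from port 53);
    "unknown": both ends or neither end look ephemeral, so the port numbers
           alone do not settle it."""
    src_eph = is_probably_ephemeral(src_port, sun_rpc)
    dst_eph = is_probably_ephemeral(dst_port, sun_rpc)
    if src_eph and not dst_eph:
        return "dst"
    if dst_eph and not src_eph:
        return "src"
    return "unknown"


if __name__ == "__main__":
    for sp, dp in ((1025, 80), (53, 1030), (1025, 1026), (32800, 111)):
        print(sp, "->", dp, classify_port(dp), guess_service_side(sp, dp, sun_rpc=True))
```

The "unknown" result is deliberate: when both ports are below 1024, or both in the dynamic range, the port numbers cannot tell you who initiated the connection, and you need the TCP flags or connection state from the firewall instead.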
This section describes what the TCP/UDP port numbers typically seen in a firewall log usually mean. Remember: there is no such thing as an ICMP port. If you are interested in interpreting ICMP data, see the rest of this article.
0 Port 0 is typically used for operating-system fingerprinting. This works because 0 is an invalid port on some systems, which respond to it differently than they do to a connection attempt on an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and is broadcast at the Ethernet layer.
1 tcpmux This indicates someone looking for SGI IRIX machines. IRIX is the main implementer of tcpmux, and tcpmux is enabled by default on that system. IRIX machines shipped with several default accounts without passwords, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox and 4Dgifts. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and take advantage of these accounts.
7 echo You will see many people sending packets to x.x.x.0 and x.x.x.255 when they search for Fraggle amplifiers. A common DoS attack is the echo loop, in which the attacker forges a packet from one machine's echo port to another's, and the two machines then bounce the packet back and forth as fast as they can (see chargen). Another source is DoubleClick establishing TCP connections to this port. There is a product called Resonate Global Dispatch which connects to the echo port of DNS servers to determine the closest route. The Harvest/squid cache sends UDP echo from port 3130: "If the cache's source_ping on option is enabled, it sends a HIT reply to the UDP echo port of the original host." This produces many such packets.
11 sysstat This is a UNIX service that lists all running processes on the machine and who started them. It gives an intruder a great deal of information that threatens the machine's security, such as exposing programs with known weaknesses or the accounts that run them. It is similar to the output of the UNIX "ps" command. Again: ICMP has no ports, so an "ICMP port 11" in a log is usually ICMP type 11.
19 chargen This is a service that only sends characters. The UDP version responds to a received UDP packet with a packet full of junk characters. On a TCP connection it sends a stream of junk characters until the connection is closed. Using IP spoofing, a hacker can launch a DoS attack by forging UDP packets between two chargen servers: because each server tries to respond to the other, the unlimited round trip of data between the two servers (or between chargen and echo) overloads them. Similarly, the Fraggle DoS attack broadcasts packets with the victim's spoofed IP address to this port on the destination network, and the victim is overloaded by the responses.
21 FTP Attackers most commonly use this port to look for open "anonymous" FTP servers with read-write directories. Hackers or crackers use these servers as nodes for distributing warez (pirated programs) and pr0n (a deliberate misspelling to avoid being classified by search engines).
22 ssh / pcAnywhere TCP connections to this port may be looking for ssh. This service has many weaknesses: many versions that use the RSAREF library have vulnerabilities when configured in a particular mode. (It is recommended to run ssh on another port.) Also note that the ssh toolkit includes a program called make-ssh-known-hosts, which scans an entire domain for ssh hosts; you may occasionally be scanned by someone running this program. UDP (rather than TCP) to this port, with port 5632 on the other side, means a scan looking for pcAnywhere: 5632 (hex 0x1600) byte-swapped is 0x0016 (decimal 22).
23 telnet The intruder is looking for remote login to UNIX. In most cases intruders scan this port to find out which operating system the machine is running. In addition, the intruder may find passwords using other techniques.
25 SMTP Attackers (spammers) look for SMTP servers to relay their spam. Spammers' accounts are constantly being shut down, so they need to dial up, connect to a high-bandwidth e-mail server, and send one simple message to many different addresses. SMTP servers (especially Sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and message routing is complex (exposure + complexity = weakness).
53 DNS Hackers or crackers may be attempting zone transfers (TCP), spoofing DNS (UDP), or hiding other traffic. Firewalls therefore often filter or log port 53. Note that you will often see port 53 as a UDP source port. A poorly configured firewall typically allows this traffic through, assuming it is the reply to a DNS query; hackers often use this method to penetrate firewalls.
67 and 68 BOOTP/DHCP (UDP) Firewalls on DSL and cable-modem connections often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. A hacker can step in and answer them with an address, posing as the local router to launch a large number of "man-in-the-middle" attacks. The client broadcasts its configuration request to port 67 (bootps), and the server broadcasts its response to port 68 (bootpc). The response is broadcast because the client does not yet know which IP address it can be sent to. Many TFTP (UDP) servers are provided together with BOOTP to make downloading boot code to a system easy. However, they are often misconfigured and will serve any file from the system, such as password files. They can also be used to write files to the system.
79 finger Hackers use it to obtain user information, query the operating system, detect known buffer-overflow bugs, and bounce finger scans from this machine to other machines.
98 linuxconf This program provides simple administration of Linux boxes. It offers a web-based interface on port 98 through an integrated HTTP server. Many security problems have been found in it: some versions are setuid root, trust the local network, create Internet-accessible files under /tmp, and have a buffer overflow in the LANG environment variable. In addition, because it contains an integrated HTTP server, many typical HTTP vulnerabilities can exist (buffer overflows, directory traversal, etc.).
109 POP2 Not as well known as POP3, but many servers offer both at the same time (for backwards compatibility). The POP3 vulnerabilities on the same server also exist in POP2.
110 POP3 Used by clients to access mail on the server. The POP3 service has many recognized weaknesses. There are at least 20 buffer-overflow weaknesses in the username/password exchange (which means a hacker can enter the system before actually logging in). There are further buffer overflows after a successful login.
111 sunrpc portmap rpcbind Sun RPC portmapper/rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services it allows. Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. Once the intruder discovers which RPC services are allowed, they move on to the specific port that provides the service to test it for vulnerabilities. Remember to record these transactions with a daemon, IDS or sniffer on the line, so you can find out which program the intruder is using and what is going on.
113 ident auth This is a protocol that runs on many machines and is used to identify the user of a TCP connection. The standard service can be used to obtain information from many machines (which hackers will exploit), but it also acts as a logger for many services, especially FTP, POP, IMAP, SMTP and IRC. If many clients access these services through a firewall, you will often see many connection requests to this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back a RST when blocking a TCP connection, which stops these slow connections.
119 NNTP The Network News Transfer Protocol, which carries Usenet traffic. This port is used when you connect to an address such as news:comp.security.firewalls/. Connection attempts on this port are usually from people looking for Usenet servers. Most ISPs restrict access to their news servers to their own customers. An open news server would allow anyone to send/read posts, access restricted news servers, post anonymously, or send spam.
135 oc-serv MS RPC end-point mapper Microsoft runs the DCE RPC end-point mapper for its DCOM services on this port. This is similar in function to UNIX port 111. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine; when remote clients connect to the machine, they query the end-point mapper to find the location of the service. Hackers scan this port in the same way, to find out things like: Is this machine running Exchange Server? Which version? Besides being used to query services (for example with epdump), this port can also be used for direct attacks; there are some DoS attacks that target it directly.
137 NetBIOS name service nbtstat (UDP) This is the most common thing firewall administrators ask about; please read the NetBIOS section later in this article.
139 NetBIOS file and print sharing Connection attempts on this port are trying to reach NetBIOS/SMB services. This protocol is used for Windows "File and Printer Sharing" and for Samba. Sharing your hard disk on the Internet is probably the most common problem. A large number of scans for this port began in 1999 and then gradually became less frequent, before rebounding again in 2000. Some VBS worms (IE5 VisualBasic Scripting) copy themselves to this port, trying to spread through it.
143 IMAP Has the same security issues as POP3 above: many IMAP servers have buffer overflows that are triggered during the login process. Remember that a Linux worm (admw0rm) propagated through this port, so many scans of this port come from unsuspecting infected users. These vulnerabilities became popular when Red Hat enabled IMAP by default in their Linux distribution. This was the first widely spread worm after the Morris worm. This port is also used for IMAP2, but that is not popular. Some reports have found that some port 0 to 143 attacks originate from scripts.
161 SNMP (UDP) A port often probed by intruders. SNMP allows remote management of devices; all configuration and operational information is stored in a database that SNMP clients can retrieve. Many administrators misconfigure it and expose it to the Internet. Crackers attempt to access the system using the default passwords "public" and "private", and may try all possible combinations. SNMP packets may also be misdirected at your network: due to misconfiguration, Windows machines running HP JetDirect remote management software often send SNMP packets to the HP object identifier. New versions of Win98 use SNMP to resolve names, and you will see these packets broadcast within the subnet (cable modem, DSL) querying sysName and other information.
162 SNMP trap May be due to misconfiguration.
177 XDMCP Many hackers access X Window consoles through it; it also requires port 6000 to be open.
513 rwho May be a broadcast from UNIX machines in a subnet that uses cable modems or DSL, announcing who is logged in. These people are providing interesting information to hackers wanting to enter their systems.
553 CORBA IIOP (UDP) If you use a cable modem or DSL VLAN, you will see broadcasts to this port. CORBA is an object-oriented RPC (remote procedure call) system. Hackers will use this information to enter the system.
600 pcserver backdoor See port 1524. Some script kiddies think they have completely compromised a system by modifying the ingreslock and pcserver files. -- Alan J. Rosenthal
635 mountd Linux mountd bug. This is a popular bug that people scan for. Most scans for this port are UDP-based, but TCP-based mountd scans are increasing (mountd runs on both at the same time). Remember that mountd can run on any port (to find out which, you need to do a portmap query on port 111), but Linux defaults to port 635, just as NFS typically runs on port 2049.
1024 Many people ask what this port is for. It is the start of the dynamic ports. Many programs do not care which port they use to connect to the network, so they ask the operating system to assign them the "next idle port". On this basis, assignment starts at port 1024, which means the first program that asks the system for a dynamic port is assigned port 1024. To verify this, you can restart the machine, open a telnet session, then open another window and run "netstat -a"; you will see that telnet has been assigned port 1024. The more programs request ports, the more dynamic ports are in use, and the ports the operating system allocates gradually become larger. Again, if you watch with "netstat" while browsing web pages, each web page needs a new port.
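The "next idle port" behaviour described above can be observed directly rather than with netstat: a program that binds a socket to port 0 asks the operating system to pick the port. The following is an added example (not from the original article) that requests several dynamic ports on the loopback interface and reports what the kernel chose. Note that the article's observation that allocation starts at exactly 1024 reflects the systems of its time; modern Linux kernels allocate from the range in /proc/sys/net/ipv4/ip_local_port_range (typically 32768 to 60999), which the example reads when available. The function names are this example's own.

```python
# Added example: watch the OS hand out "next idle ports" by binding to port 0.
import socket

LINUX_RANGE_FILE = "/proc/sys/net/ipv4/ip_local_port_range"


def read_linux_ephemeral_range(path=LINUX_RANGE_FILE):
    """Return (low, high) from the Linux sysctl, or None on other systems."""
    try:
        with open(path) as f:
            low, high = f.read().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return None


def allocate_dynamic_ports(count=5):
    """Ask the OS for `count` dynamic ports by binding TCP sockets to port 0
    on loopback. All sockets stay open until the end so the kernel cannot hand
    the same port out twice; the chosen port numbers are returned in order."""
    socks, ports = [], []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind(("127.0.0.1", 0))          # port 0 = "give me the next idle port"
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def all_in_dynamic_range(ports, port_range=None):
    """True if every port lies in the given (low, high) range; without a range,
    apply the article's rule of thumb that dynamic ports start at 1024."""
    low, high = port_range or (1024, 65535)
    return all(low <= p <= high for p in ports)


if __name__ == "__main__":
    rng = read_linux_ephemeral_range()
    chosen = allocate_dynamic_ports()
    print("kernel ephemeral range:", rng or "unknown (not Linux)")
    print("ports handed out:", chosen)
    print("all within range:", all_in_dynamic_range(chosen, rng))
```

On a firewall this matters in reverse: a client-side port that falls inside the host's ephemeral range is expected, while a fixed, repeated source port in that range (for example the Sun RPC ports discussed later) is a service and deserves a closer look.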
1025 See 1024.
1026 See 1024.
SOCKS This protocol tunnels through the firewall, allowing many people behind it to reach the Internet through a single IP address. In theory it should only allow internal traffic out to the Internet. However, when misconfigured it allows hackers/crackers outside the firewall to pass through it, or simply lets computers on the Internet bounce their attacks off your machine to disguise direct attacks against you. WinGate is a common Windows personal firewall that is often misconfigured in this way. You often see this when joining an IRC chat room.
1114 SQL The system itself rarely scans this port, but it is often part of the sscan script.
1243 Sub-7 Trojan (TCP) See the SubSeven section.
1524 ingreslock backdoor Many attack scripts install a backdoor sh*ll on this port (especially scripts targeting Sendmail and RPC service vulnerabilities on Sun systems, such as statd, ttdbserver and cmsd). If you have just installed your firewall and see connection attempts on this port, this is probably the reason. You can try telnetting to this port on your own machine to see whether it gives you a sh*ll. The same problem exists with connections to 600/pcserver.
2049 NFS NFS programs usually run on this port. Normally the portmapper must be queried to find out which port the service runs on, but in most cases NFS sits on this port right after installation, so hackers/crackers can skip the portmapper and probe this port directly.
3128 squid This is the default port of the squid HTTP proxy server. Attackers scan this port looking for a proxy server to use for anonymous access to the Internet. You will also see scans for the other proxy-server ports: 8000/8001/8080/8888. Another reason for scans of this port is that the user is entering a chat room: other users (or the server itself) check this port to determine whether the user's machine supports proxying. See section 5.3.
5632 pcAnywhere You will see a lot of scanning for this port, depending on where you are. When a user starts pcAnywhere, it automatically scans the class C LAN for possible agents (translator: "agent", not "proxy"). Hackers/crackers also look for machines running this service, so you should check the source address of such scans. Scans looking for pcAnywhere often include UDP packets to port 22. See also dial-up scanning.
6776 Sub-7 artifact This port is separate from the Sub-7 main port and is used for transferring data. For example, when a controller controls another machine over a dial-up line and the controlled machine hangs up, the next person who dials in and receives that IP address sees continued connection attempts on this port. (Translator: when your firewall reports connection attempts on this port, it does not mean you are being controlled by Sub-7.)
6970 RealAudio RealAudio clients receive the audio data stream from the server on UDP ports 6970-7170. This is set up by an outgoing control connection on TCP port 7070.
13223 PowWow PowWow is a chat program from Tribal Voice. It allows users to open a private chat connection on this port. The program is very "aggressive" about establishing connections: it "camps" on this TCP port waiting for a response, which produces connection attempts at something like a heartbeat interval. If you are a dial-up user who "inherited" the IP address from someone else, this is what happens: it looks as if many different people are probing this port. The protocol uses "OPNG" as the first four bytes of its connection attempt.
17027 Conducent This is an outgoing connection, caused by someone inside the company having installed shareware containing Conducent's "Adbot". Conducent "Adbot" is an advertising display service for shareware; one popular program that uses it is PKWARE. Some have tried blocking this outgoing connection without any problem, but blocking the IP addresses themselves causes the adbots to keep retrying the connection many times per second, overloading the connection: the machine constantly tries to resolve the DNS name ads.conducent.com, that is, the IP addresses 216.33.210.40, 216.33.199.77, 216.33.199.80, 216.33.199.81 and 216.33.210.41. (Translator: I do not know whether NetAnts, which uses Radiate, has the same phenomenon.)
27374 Sub-7 Trojan (TCP) See the SubSeven section.
30100 NetSphere Trojan (TCP) Scans of this port are usually looking for the NetSphere Trojan.
31337 Back Orifice "Elite hacker": 31337 reads as "elite" /ei'li:t/ (translator: from French, meaning backbone or essence), with 3=E, 1=L, 7=T. Many backdoor programs therefore run on this port; the most famous is Back Orifice. For a while this was the most common scan on the Internet. It is now becoming less popular, and other Trojan programs are becoming more common.
31789 hack-a-tack UDP traffic on this port is usually due to the "hack-a-tack" Remote Access Trojan (RAT). This Trojan contains a built-in scanner for port 31790, so any connection from port 31789 to port 31790 means an intrusion has already taken place. (Port 31789 is the control connection, port 31790 the file-transfer connection.)
32770~32900 RPC services The RPC services of Sun Solaris fall within this range. Specifically, earlier versions of Solaris (before 2.5.1) put the portmapper in this range, so even when the low-numbered port was blocked by a firewall, hackers/crackers could still reach the portmapper here. Scans of ports in this range are usually not looking for the portmapper but for known RPC services that can be attacked.
33434~33600 traceroute If you see UDP packets within this port range (and only within this range), it is probably due to traceroute. See the traceroute section.
41508 Inoculan Earlier versions of Inoculan generate large amounts of UDP traffic within a subnet to identify each other. See http://www.circlemud.org/~jelson/software/udpsend.html and http://www.ccd.bnl.gov/nss/tips/inoculan/index.html
Ports 1~1024 are reserved, so they are seldom seen as source ports. There are exceptions, however, such as connections from a NAT machine. You will often see the ports immediately above 1024, which are the "dynamic ports" that the system assigns to applications that do not care which port they use.

Server port        Client port   Service   Description
1-5/TCP            dynamic       FTP       Source ports 1-5 indicate the sscan script.
20/TCP             dynamic       FTP       The FTP server's port for transferring files.
53                 dynamic       DNS       DNS sends UDP responses from this port. You may also see TCP connections with this source/destination port.
123                dynamic       S/NTP     A Simple Network Time Protocol (S/NTP) server runs on this port. Broadcasts are also sent to this port.
27910~27961/UDP    dynamic       Quake     Quake, or games driven by the Quake engine, run their servers on these ports, so UDP packets from or to this port range are usually games.
above 61000        dynamic       FTP       Source ports above 61000 may come from a Linux NAT server (IP masquerade).
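The port notes above and the source-port table are most useful when applied mechanically to a whole log rather than one line at a time. The following is an added example, not code from the original article, that parses a handful of constructed firewall log lines in a hypothetical "proto src_ip:src_port -> dst_ip:dst_port" format and labels them with the article's own heuristics: traceroute (UDP 33434-33600), DHCP broadcasts to 255.255.255.255, port 53 used as a UDP source port, sscan's source ports 1-5, Fraggle amplifier searches (echo/chargen to .0/.255 addresses), Back Orifice and hack-a-tack ports, Quake, SNMP and ingreslock probes, source ports above 61000 from Linux NAT, and the pcAnywhere byte-swap signature (UDP to both 22 and 5632 from the same source), which needs more than one line to recognise. The log format, the sample addresses and the rule labels are all this example's own.

```python
# Added example: label constructed firewall log lines with the article's port heuristics.
import re
from collections import defaultdict

# Constructed sample log (not real traffic); format: "proto src:sport -> dst:dport".
SAMPLE_LOG = """\
UDP 10.0.0.5:40123 -> 10.0.1.9:33436
UDP 0.0.0.0:68 -> 255.255.255.255:67
UDP 203.0.113.7:53 -> 192.0.2.10:2049
UDP 198.51.100.3:1056 -> 192.0.2.10:22
UDP 198.51.100.3:1057 -> 192.0.2.10:5632
TCP 198.51.100.8:3 -> 192.0.2.10:21
UDP 198.51.100.9:1200 -> 192.0.2.255:7
TCP 198.51.100.12:2031 -> 192.0.2.10:31337
UDP 198.51.100.14:61234 -> 192.0.2.10:27911
UDP 198.51.100.14:61235 -> 192.0.2.10:27911
UDP 198.51.100.20:1040 -> 192.0.2.10:161
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def is_broadcast_addr(ip):
    """x.x.x.0 / x.x.x.255 (the Fraggle amplifier targets) or the limited broadcast."""
    return ip == "255.255.255.255" or ip.split(".")[-1] in ("0", "255")


# Single-packet rules taken from the article's port notes: (label, predicate).
RULES = [
    ("traceroute probe", lambda p: p["proto"] == "UDP" and 33434 <= p["dport"] <= 33600),
    ("DHCP/BOOTP broadcast", lambda p: p["proto"] == "UDP" and p["dport"] in (67, 68)
                                       and p["dst"] == "255.255.255.255"),
    ("DNS reply or port-53 source-port evasion", lambda p: p["proto"] == "UDP"
                                                 and p["sport"] == 53 and p["dport"] >= 1024),
    ("sscan script (source port 1-5)", lambda p: p["proto"] == "TCP" and 1 <= p["sport"] <= 5),
    ("Fraggle amplifier search", lambda p: p["proto"] == "UDP" and p["dport"] in (7, 19)
                                           and is_broadcast_addr(p["dst"])),
    ("Back Orifice / 31337 backdoor probe", lambda p: p["dport"] == 31337),
    ("hack-a-tack RAT", lambda p: p["dport"] in (31789, 31790)),
    ("Quake game traffic", lambda p: p["proto"] == "UDP"
                           and (27910 <= p["dport"] <= 27961 or 27910 <= p["sport"] <= 27961)),
    ("SNMP probe", lambda p: p["proto"] == "UDP" and p["dport"] == 161),
    ("ingreslock backdoor probe", lambda p: p["proto"] == "TCP" and p["dport"] == 1524),
    ("source port above 61000: possible Linux NAT", lambda p: p["sport"] > 61000),
]

PCANYWHERE_LABEL = "pcAnywhere scan (UDP to 22 and 5632 from same source)"


def annotate_packet(p):
    """Labels from the single-packet rules that match this packet."""
    return [label for label, pred in RULES if pred(p)]


def annotate_log(text):
    """Return {line: [labels]} for every parseable line. After the per-packet
    pass, apply the multi-line pcAnywhere heuristic: one source address that
    sent UDP to both port 22 and port 5632 (5632 = 0x1600, byte-swapped 0x0016 = 22)."""
    result = {}
    udp_targets = defaultdict(set)
    for raw in text.splitlines():
        p = parse_line(raw)
        if p is None:
            continue                      # skip lines in an unexpected format
        result[raw.strip()] = annotate_packet(p)
        if p["proto"] == "UDP":
            udp_targets[p["src"]].add(p["dport"])
    for raw, labels in result.items():
        p = parse_line(raw)
        if p["proto"] == "UDP" and p["dport"] in (22, 5632) and {22, 5632} <= udp_targets[p["src"]]:
            labels.append(PCANYWHERE_LABEL)
    return result


def summarize(text):
    """Count how often each label occurred across the whole log."""
    counts = defaultdict(int)
    for labels in annotate_log(text).values():
        for label in labels:
            counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    for line, labels in annotate_log(SAMPLE_LOG).items():
        print(f"{line:45} {', '.join(labels) or '-'}")
    print(summarize(SAMPLE_LOG))
```

A line can carry more than one label (the Quake packets in the sample also have source ports above 61000, consistent with a masquerading Linux box), and a line with no label is just as informative: it means none of the article's patterns fit and the packet deserves an individual look. Real logs would need the regular expression adapted to the firewall's own format.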