Common TCP/UDP port numbers
7 Echo (PING)
19 Chargen Character Generator
20/TCP FTP Data
21/TCP FTP Control File Transfer Protocol
22/TCP SSH Secure login, file transfer (SCP), and port redirection
23/TCP Telnet Insecure plaintext transfer
25/TCP SMTP Simple Mail Transfer Protocol (e-mail)
53/TCP Domain Name Server
69/UDP TFTP Trivial File Transfer Protocol
80/TCP WWW (HTTP, Hypertext Transfer Protocol)
88/TCP Kerberos Authenticating agent
110/TCP POP3 Post Office Protocol (e-mail)
113/TCP ident Old identification server system
119/TCP NNTP Network News Transfer Protocol, used for Usenet newsgroups
137/UDP NetBIOS Name Service (nbname)
138/UDP NetBIOS Datagram Service (nbdatagram)
139/TCP NetBIOS Session Service (nbsession)
161/UDP SNMP Simple Network Management Protocol
220/TCP IMAP3 Internet Message Access Protocol
443/TCP HTTPS Encrypted HTTP (used for securely transferring web pages)
636/TCP LDAP Lightweight Directory Access Protocol
1080/TCP SOCKS

Common port numbers for the TCP/IP protocol
Keyword Port number Description
TCPMUX 1 TCP Port Service Multiplexer
Echo 7 Echo (returns all received data)
Discard 9 Discard (silently deletes all received data)
SYSTAT 11 Current users
Daytime 13 Daytime
QOTD 17 Quote of the day
Chargen 19 Character generator
FTP-data 20 File transfer (default data)
FTP 21 File transfer (control port)
Telnet 23 Remote terminal connection
SMTP 25 Simple Mail Transfer Protocol
Time 37 Time
Nicname 43 Who is
Domain 53 Domain name server
BOOTPS 67 Bootstrap Protocol server
BOOTPC 68 Bootstrap Protocol client
TFTP 69 Trivial File Transfer Protocol
Finger 79 Finger
POP2 109 Post Office Protocol version 2
POP3 110 Post Office Protocol version 3
SUNRPC 111 Sun Remote Procedure Call
NNTP 119 Network News Transfer Protocol
NTP 123 Network Time Protocol
NETBIOS-NS 137 NetBIOS name service
NETBIOS-DGM 138 NetBIOS datagram service
NETBIOS-SSN 139 NetBIOS session service
IMAP2 143 Interim Mail Access Protocol v2
SNMP 161 Simple Network Management Protocol
BGP 179 Border Gateway Protocol
Syslog 514 System logger
Description: Typically used to fingerprint the operating system. This works because "0" is an invalid port on some systems, which respond differently to a connection attempt on it than they do on an ordinary closed port. A typical scan uses an IP address of 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.
Description: This indicates someone looking for SGI IRIX machines. IRIX is the main implementer of tcpmux, and tcpmux is enabled by default on that system. IRIX machines ship with several default passwordless accounts, such as: IP, GUEST UUCP, NUUCP, DEMOS, TUTOR, DIAG, Outofbox, etc. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and take advantage of these accounts.
Description: When people search for Fraggle amplifiers, you will see traffic sent to x.x.x.0 and x.x.x.255.
Service: Character Generator
Description: This is a service that only sends characters. The UDP version responds to each UDP packet it receives with a packet containing junk characters. Over TCP, it sends a stream of garbage characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Similarly, a Fraggle DoS attack broadcasts packets with a spoofed victim IP to this port on the destination address, and the victim is overloaded by the responses to this data.
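One way to spot the two patterns described for the echo and chargen ports in firewall logs: UDP sent to x.x.x.0 or x.x.x.255, and UDP whose source and destination ports are both echo/chargen. This is an added example, not part of the original list; the log lines are constructed, the KEY=value layout is modelled on netfilter LOG output, and treating .0/.255 as broadcast assumes /24 networks.

```python
import re

# Echo (7) and chargen (19) are the two UDP services discussed above.
REFLECTOR_PORTS = {7, 19}

# Constructed sample lines using netfilter-LOG-style KEY=value fields.
SAMPLE_LOG = """\
IN=eth0 SRC=203.0.113.9 DST=198.51.100.255 PROTO=UDP SPT=40211 DPT=7
IN=eth0 SRC=203.0.113.9 DST=198.51.100.0 PROTO=UDP SPT=40212 DPT=19
IN=eth0 SRC=198.51.100.20 DST=198.51.100.30 PROTO=UDP SPT=19 DPT=19
IN=eth0 SRC=192.0.2.44 DST=198.51.100.17 PROTO=UDP SPT=53211 DPT=53
IN=eth0 SRC=192.0.2.44 DST=198.51.100.255 PROTO=TCP SPT=53212 DPT=19
IN=eth0 SRC=192.0.2.80 DST=198.51.100.17 PROTO=UDP SPT=7 DPT=19
IN=eth0 SRC=192.0.2.81 DST=198.51.100.17 PROTO=UDP DPT=19
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def classify(fields):
    """Return 'broadcast-probe', 'service-loop' or None for one parsed line."""
    if fields.get("PROTO") != "UDP":
        return None
    try:
        spt, dpt = int(fields["SPT"]), int(fields["DPT"])
        last_octet = int(fields["DST"].rsplit(".", 1)[1])
    except (KeyError, ValueError, IndexError):
        return None  # malformed or truncated line: not enough to judge
    if dpt not in REFLECTOR_PORTS:
        return None
    if spt in REFLECTOR_PORTS:
        # Both ends are echo/chargen: each reply triggers another reply.
        return "service-loop"
    if last_octet in (0, 255):
        # x.x.x.0 / x.x.x.255, the broadcast addresses of a /24 (assumption).
        return "broadcast-probe"
    return None

def scan(log_text):
    """Return (line_no, verdict, src, dst) for every flagged log line."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = dict(FIELD.findall(line))
        verdict = classify(fields)
        if verdict:
            hits.append((line_no, verdict, fields.get("SRC"), fields.get("DST")))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```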
Description: The port an FTP server opens for uploads and downloads. Attackers most commonly use it to look for servers that allow anonymous FTP. These servers have read-write directories. The Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner open this port.
Description: TCP connections to this port established by pcAnywhere may be looking for SSH. This service has many weaknesses; if configured in a specific mode, many of the versions that use the RSAREF library have a number of vulnerabilities.
Description: Telnet. The intruder is searching for UNIX remote-login services. In most cases this port is scanned to identify the operating system the machine is running. Using other techniques, intruders can also find passwords. The Trojan Tiny Telnet Server opens this port.
Description: The port an SMTP server opens for sending mail. Intruders look for SMTP servers to relay their spam. Because their own accounts get closed, they need to connect to a high-bandwidth e-mail server to send simple messages to many different addresses. The Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy all open this port.
Service: MSG Authentication
Description: The Trojans Master Paradise and Hackers Paradise open this port.
Service: WINS Replication
Description: WINS replication
Service: Domain Name Server (DNS)
Description: The port opened by DNS servers. Intruders may be attempting zone transfers (TCP), DNS spoofing (UDP), or hiding other traffic, so firewalls often filter or log this port.
Service: Bootstrap Protocol Server
Description: Firewalls on DSL and cable-modem connections often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from a DHCP server. Hackers often join these networks, hand out addresses, and set themselves up as the local router to launch man-in-the-middle attacks. The client broadcasts its configuration request to port 68, and the server broadcasts its response to port 67. The response is broadcast because the client does not yet know which IP address it can be reached at.
Service: Trivial File Transfer
Description: Many servers provide this service alongside BOOTP so that boot code can easily be downloaded from the system. However, misconfiguration often lets intruders steal any file from the system. It can also be used to write files to the system.
Service: Finger Server
Description: Intruders use it to obtain user information, query the operating system, probe for known buffer overflow errors, and respond to finger scans from their own machine to other machines.
Description: Used for web browsing. The Trojan Executor opens this port.
Service: Gram Relay
Description: The backdoor program ncx99 opens this port.
Service: Message Transfer Agent (MTA) - X.400 over TCP/IP
Description: The message transfer agent.
Service: Post Office Protocol - Version 3
Description: The POP3 server opens this port for receiving mail; clients use it to access the server-side mail service. The POP3 service has many recognized weaknesses. There are at least 20 buffer overflow weaknesses in the user name and password exchange, which means intruders can enter the system before a real login. There are other buffer overflow errors after a successful login.
Service: All ports of Sun's RPC services
Description: Common RPC services include RPC.MOUNTD, NFS, RPC.STATD, RPC.CSMD, RPC.TTYBD, AMD, etc.
Services: Authentication Service
Description: This protocol runs on many computers and is used to identify the user of a TCP connection. Using the standard service, you can obtain information about many computers. It also serves as a logger for many services, especially FTP, POP, IMAP, SMTP, and IRC. If many clients access these services through a firewall, you will often see many connection requests to this port. Remember that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back an RST when blocking TCP connections, which stops the slow connections.
Service: Network News Transfer Protocol
Description: The newsgroup transfer protocol, which carries Usenet traffic. Connections to this port usually come from people looking for Usenet servers. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server lets anyone post and read messages, access restricted newsgroup servers, post anonymously, or send spam.
Service: Location Service
Description: Microsoft runs the DCE RPC endpoint mapper for its DCOM services on this port. This is similar in function to port 111 on UNIX. Services that use DCOM and RPC register their locations with the endpoint mapper on the computer. When remote clients connect to the computer, they query the endpoint mapper to find the location of a service. Hackers scan this port to find out whether Exchange Server is running on the computer, and which version. Some DoS attacks are also directed at this port.
Ports: 137, 138, 139
Service: NETBIOS Name Service
Note: Ports 137 and 138 are UDP ports, used when transferring files through Network Neighborhood. Port 139: connections coming in on this port are attempting to reach the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and for Samba. WINS registration also uses it.
Service: Interim Mail Access Protocol v2
Description: As with POP3, many IMAP servers have buffer overflow vulnerabilities. Remember: a Linux worm (admw0rm) propagates through this port, so many scans of this port come from unsuspecting users who have already been infected. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux distribution. This port is also used for IMAP2, but that is not popular.
Description: SNMP allows remote management of devices. All configuration and operational information is stored in a database and is available through SNMP. Many administrators misconfigure it and leave it exposed to the Internet. Crackers will attempt to access the system using the default passwords public and private. They may try all possible combinations. SNMP packets may also be misdirected to the user's network.
Service: X Display Manager Control Protocol
Description: Many intruders use it to access the X Window console, which also requires port 6000 to be open.
Services: LDAP, ILS
Description: The Lightweight Directory Access Protocol and NetMeeting Internet Locator server share this port.
Description: A web browsing port: another form of HTTP that provides encrypted transmission over a secure port.
Description: The Trojan Hackers Paradise opens this port.
Service: Login, remote login
Description: Broadcasts from UNIX computers logged in to a subnet over a cable modem or DSL. These give intruders information that helps them enter those systems.
Description: Kerberos Kshell
Service: Macintosh, File Services (AFP/IP)
Description: Macintosh, File services.
Service: CORBA IIOP (UDP)
Description: Broadcasts to this port are seen on cable modem, DSL, or VLAN networks. CORBA is an object-oriented RPC system. Intruders can use this information to enter the system.
Description: The Trojans PhAse1.0, Stealth Spy, and IniKiller open this port.
Service: Membership DPA
Description: Membership DPA.
Service: Membership MSN
Description: Membership MSN.
Description: The Linux mountd bug. This is a popular bug to scan for. Most scans of this port are UDP-based, but TCP-based mountd scans are increasing (mountd runs on both ports at the same time). Remember that mountd can run on any port (to find out which, query the portmapper on port 111), but the Linux default is port 635, just as NFS typically runs on port 2049.
Description: SSL (Secure Sockets Layer)
Service: Doom Id Software
Description: The Trojans Attack FTP and Satanz Backdoor open this port.
Description: SSL (Secure Sockets Layer)
Ports: 1001, 1011
Description: The Trojans Silencer and WebEx open port 1001. The Trojan Doly Trojan opens port 1011.
Description: This is where dynamic ports start. Many programs do not care which port they use to connect to the network, and ask the system to assign them the next free port. Assignment therefore starts at port 1024, which means the first program to ask the system is assigned port 1024. You can restart the machine, open Telnet, then open another window and run netstat -a; you will see that Telnet has been assigned port 1024. SQL sessions also use this port and port 5000.
Ports: 1025, 1033
Service: 1025: network blackjack; 1033: [null]
Description: The Trojan NetSpy opens these 2 ports.
Description: This protocol tunnels through the firewall, allowing people behind the firewall to access the Internet through a single IP address. In theory it should only allow internal traffic out to the Internet. Because of misconfiguration, however, it can allow attacks from outside the firewall to pass through it. This error often occurs with WinGate, and is frequently seen when joining IRC chat rooms.
Description: The Trojans Streaming Audio Trojan, Psyber Stream Server, and Voice open this port.
Ports: 1234, 1243, 6711, 6776
Description: The Trojans SubSeven 2.0 and Ultors Trojan open ports 1234 and 6776. The Trojan SubSeven 1.0/1.9 opens ports 1243, 6711, and 6776.
Description: The Trojan Vodoo opens this port.
Description: The port opened by Microsoft SQL services.
Description: The Trojan ftp99cmp opens this port.
Service: RPC client Fixed port session queries
Description: RPC Client fixed port session query
Service: NetMeeting T.120
Description: NetMeeting T.120
Description: Many attack scripts install a backdoor shell on this port, especially those targeting Sendmail and RPC service vulnerabilities on Sun systems. If you have just installed a firewall and see connection attempts on this port, this is probably the reason. You can try to telnet to this port on the user's computer to see whether it gives you a shell. The same issue applies to connections to 600/pcserver.
Description: The Trojan Shivka-Burka opens this port.
Description: NetMeeting H.233 call setup.
Service: NetMeeting Audio call Control
Description: NetMeeting audio call control.
Description: The Trojan SpySender opens this port.
Description: The Trojan ShockRave opens this port.
Service: Cisco identification port
Description: The Trojan Backdoor opens this port.
Description: The Trojans Girlfriend 1.3 and Millenium 1.0 open this port.
Description: The Trojans Millenium 1.0 and Trojan Cow open this port.
Service: Xinuexpansion 4
Description: The Trojan Pass Ripper opens this port.
Description: NFS programs often run on this port. You usually need to query the portmapper to find out which port the service is running on.
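The mountd and NFS entries above both say the real port has to be looked up through the portmapper rather than assumed. The following added example (not part of the original list) parses a constructed sample in the column layout printed by rpcinfo -p and reports which endpoints a packet filter has to cover and which services are not on their usual port; the sample rows and the function names are assumptions made for the illustration.

```python
# Constructed sample in the column layout that `rpcinfo -p` prints.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1022  mountd
    100005    1   tcp   1022  mountd
    100003    2   udp   2049  nfs
    100024    1   udp  32768  status
"""

# Usual ports named in the text: portmapper 111, Linux mountd 635, NFS 2049.
USUAL_PORT = {"portmapper": 111, "mountd": 635, "nfs": 2049}

def parse_rpcinfo(text):
    """Return {service: set of (proto, port)} from `rpcinfo -p` output."""
    services = {}
    for line in text.splitlines():
        cols = line.split()
        # Data rows are: program, version, proto, port[, service name].
        if len(cols) not in (4, 5) or not (cols[0].isdigit() and cols[3].isdigit()):
            continue  # header or unrelated line
        name = cols[4] if len(cols) == 5 else cols[0]  # unnamed: use program no.
        services.setdefault(name, set()).add((cols[2], int(cols[3])))
    return services

def filter_plan(services):
    """Return (endpoints the filter must cover, services off their usual port)."""
    endpoints = sorted({ep for eps in services.values() for ep in eps},
                       key=lambda ep: (ep[1], ep[0]))
    moved = {}
    for name, eps in services.items():
        ports = sorted({port for _proto, port in eps})
        if name in USUAL_PORT and ports != [USUAL_PORT[name]]:
            moved[name] = ports
    return endpoints, moved

if __name__ == "__main__":
    endpoints, moved = filter_plan(parse_rpcinfo(SAMPLE_RPCINFO))
    print("filter these:", endpoints)
    print("not on the usual port:", moved)
```

A filter rule written only for port 635 would miss the mountd instance in this sample, which is the point the text makes about querying port 111 first.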
Description: The Trojan Bugs opens this port.
Ports: 2140, 3150
Description: The Trojan Deep Throat 1.0/3.0 opens these ports.
Service: RPC client using a fixed port session replication
Description: An RPC client that applies a fixed-port session replication