Ports can be divided into three categories:
1) Well-known ports: from 0 to 1023. These are closely bound to specific services, so traffic on one of these ports usually identifies the protocol of that service. For example, port 80 has always been HTTP.
2) Registered ports: from 1024 to 49151. They are loosely bound to services: many services are bound to these ports, and the ports are also used for many other purposes. For example, many systems hand out dynamic ports starting from about 1024.
3) Dynamic and/or private ports: from 49152 to 65535. In theory no service should be assigned to these ports. In practice machines usually allocate dynamic ports starting from 1024, but there are exceptions: Sun's RPC ports start at 32768.
This section describes what TCP/UDP port scans look like in firewall logs. Remember: there is no such thing as an ICMP port. If you want to interpret ICMP data, refer to the other parts of this article.
0
Commonly used to fingerprint the operating system. It works because "0" is an invalid port on some systems, and connecting to it produces a different response than connecting to an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.
1 tcpmux
This means someone is looking for SGI Irix machines. Irix is the main implementer of tcpmux, and it is enabled by default on that system. Irix machines shipped with several default password-less accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and then use these accounts.
7 echo
You will see this when people scan for Fraggle amplifiers, sending to x.x.x.0 and x.x.x.255.
A common DoS attack is echo-loop: the attacker forges a UDP packet from one machine to another, and both machines respond to each other as fast as they can (see chargen).
Another thing you will see is TCP connections to this port from DoubleClick. They use a product called "Resonate Global Dispatch" that connects to this port on DNS servers to determine the nearest route.
Harvest/squid caches send UDP echoes from port 3130: "If the source_ping on option is turned on, it sends a HIT reply to the UDP echo port of the original host." This generates many such packets.
11 sysstat
This is a UNIX service that lists all the processes running on the machine and who started them. It gives an intruder a lot of information that threatens the security of the machine, such as exposing programs with known weaknesses or accounts. It is similar to the output of the "ps" command on UNIX.
Once again: ICMP has no ports, and "ICMP port 11" usually means ICMP type=11.
19 chargen
This is a service that only sends characters. The UDP version responds to any received UDP packet with a packet of junk characters. On a TCP connection it sends a stream of junk characters until the connection is closed.
Hackers can use IP spoofing to launch DoS attacks: forge UDP packets between two chargen servers, and because each server tries to respond, an endless round trip of data between the two servers results. Likewise, chargen and echo together will overload a server. Similarly, Fraggle DoS attacks broadcast packets carrying the victim's forged IP to this port on the target address, and the victim is overloaded by the replies.
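The echo-loop and Fraggle amplifier patterns described under ports 7 and 19 are easy to recognise mechanically once you look at both port numbers and the destination address together. The following Python is an added example, not code from the original article: it labels UDP datagrams from a firewall log, and the packet tuples and addresses are constructed test data in documentation ranges.

```python
import ipaddress

# Services that answer any datagram with more data; a forged packet between
# two of them starts the echo/chargen ping-pong described above.
LOOP_PORTS = {7: "echo", 19: "chargen"}


def last_octet(ip):
    """Last octet of a dotted IPv4 address (0 or 255 is where amplifier
    scanners aim, i.e. the x.x.x.0 / x.x.x.255 pattern)."""
    return int(ipaddress.IPv4Address(ip)) & 0xFF


def classify_udp(src_ip, src_port, dst_ip, dst_port):
    """Label one UDP datagram seen at the firewall."""
    # Both ends on a character-generating service: a forged datagram here
    # makes the two hosts answer each other until one is overloaded.
    if src_port in LOOP_PORTS and dst_port in LOOP_PORTS:
        return "udp-loop %s->%s" % (LOOP_PORTS[src_port], LOOP_PORTS[dst_port])
    # Port 7/19 aimed at a network or broadcast address: someone is looking
    # for Fraggle amplifiers rather than talking to a single host.
    if dst_port in LOOP_PORTS and last_octet(dst_ip) in (0, 255):
        return "amplifier-probe %s" % LOOP_PORTS[dst_port]
    if dst_port in LOOP_PORTS:
        return "probe %s" % LOOP_PORTS[dst_port]
    return "other"


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    ("203.0.113.9", 7, "198.51.100.20", 19),      # forged echo -> chargen
    ("203.0.113.9", 40000, "198.51.100.255", 7),  # Fraggle amplifier search
    ("203.0.113.9", 40001, "198.51.100.20", 19),  # plain chargen probe
    ("203.0.113.9", 40002, "198.51.100.20", 53),  # unrelated
]


def analyse(samples=SAMPLE):
    """Return one label per sample datagram."""
    return [classify_udp(*pkt) for pkt in samples]


if __name__ == "__main__":
    for pkt, label in zip(SAMPLE, analyse()):
        print("%s:%d -> %s:%d  %s" % (pkt + (label,)))
```

The "udp-loop" label is the one to act on: the fix on the defending side is to disable echo and chargen on every host (they have no legitimate use today) and to drop inbound UDP whose source and destination are both in this set at the border, so a forged packet never reaches a second service.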
21 ftp
The most common attackers are looking for open anonymous FTP servers that have writable directories. Hackers or crackers use these servers as nodes for trading warez (pirated programs) and pr0n (a deliberate misspelling intended to avoid being classified by search engines).
22 ssh
PcAnywhere may establish TCP connections to this port to look for ssh. This service has many weaknesses; many versions that use the RSAREF library have a number of holes if configured in a particular mode. (It is recommended to run ssh on another port.)
Note also that the ssh toolkit comes with a program called make-ssh-known-hosts, which scans the whole domain for ssh hosts. Sometimes you are inadvertently scanned by someone using this program.
UDP (rather than TCP) with port 5632 at the other end indicates a scan for pcAnywhere. After byte-swapping, 5632 (0x1600 in hexadecimal) becomes 0x0016 (22 in decimal).
23 telnet
Intruders are looking for a way to log in remotely to a UNIX machine. Most of the time intruders scan this port to find out which operating system the machine is running. In addition, using other techniques, intruders will try to find passwords.
25 smtp
Attackers (spammers) look for SMTP servers through which to send their spam. Intruders' accounts are always being closed, so they need to dial up and connect to a high-bandwidth email server that will relay their mail to many different addresses. SMTP servers (especially sendmail) are one of the most common ways into a system, because they must be completely exposed to the Internet and mail routing is complex (exposure + complexity = weakness).
53 DNS
Hackers or crackers may try to spoof DNS (UDP) or hide other traffic inside TCP. Therefore firewalls usually filter or log port 53.
Note that you will usually see port 53 as a UDP source port. Stateless firewalls typically allow this traffic through, assuming it is a reply to a DNS query. Hackers often use this trick to penetrate firewalls.
67 and 68 Bootp and DHCP
Bootp/DHCP over UDP: Firewalls on DSL and cable-modem links often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. Hackers often go into them, assign an address, and set themselves up as the local router to launch a large number of "man-in-the-middle" attacks. The client broadcasts its configuration request (BOOTP) to port 68, and the server broadcasts its response (BOOTP) to port 67. The response is broadcast because the client does not yet know the IP address it can be reached at.
69 TFTP (UDP)
Many servers provide this service together with bootp so that systems can easily download boot code. However, they are often misconfigured and hand out any file on the system, such as password files. They can also be used to write files onto the system.
79 finger
Hackers use it to obtain user information, query the operating system, probe for known buffer overflow errors, and bounce finger scans from their own machine to other machines.
98 linuxconf
This program provides simple administration of Linux boxes. It offers a web-based interface on port 98 through an integrated HTTP server. It has had many security problems. Some versions are setuid root, trust the LAN, create Internet-accessible files under /tmp, and have a buffer overflow in the LANG environment variable. In addition, because it contains an integrated server, it may have many of the typical HTTP vulnerabilities (buffer overflows, directory traversal, etc.).
109 POP2
Not as well known as POP3, but many servers provide both (for backward compatibility). On the same server, the vulnerabilities of POP3 also exist in POP2.
110 POP3
Used by clients to access mail services on the server. POP3 services have many recognized weaknesses. There are at least 20 weaknesses involving buffer overflows in the username and password exchange (which means a hacker can get into the system before actually logging in). There are other buffer overflow errors after a successful login.
111 sunrpc portmap rpcbind
Sun RPC portmapper/rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services are available. Common RPC services are rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. An intruder who finds an available RPC service will then go to the specific port providing that service to test for holes.
Remember to log daemons, IDS or sniffers, so that you can find out which programs intruders are using to get access and understand what happened.
113 ident auth
This is a protocol that runs on many machines and is used to identify the user of a TCP connection. With this standard service you can get information about many machines (which hackers will use). But it is used as a logging aid by many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients access these services through the firewall, you will see many connection requests to this port. Remember, if you block this port, clients will experience slow connections to email servers on the other side of the firewall. Many firewalls support sending a RST back for blocked TCP connections to stop this slow connection.
119 NNTP
Network News Transport Protocol, carrying USENET traffic. This is the port used when you follow a link such as news://comp.security.firewalls/. Connection attempts to this port are usually people looking for a USENET server. Most ISPs only let their own customers access their news servers. An open news server lets anyone post/read, access restricted newsgroups, post anonymously or send spam.
135 loc-srv/epmap
Microsoft runs its DCE RPC endpoint mapper on this port for its DCOM services. This is similar in function to UNIX port 111. Services that use DCOM and/or RPC register their location with the endpoint mapper on the machine. When remote clients connect to the machine, they query the endpoint mapper to find where the service is. Similarly, hackers scan this port on a machine to find out things like: Is Exchange Server running on this machine? What version is it?
This port can be used not only to query services (such as with epdump) but also for direct attacks. There are some DoS attacks against this port.
137 NetBIOS name service nbtstat (UDP)
This is the most common thing firewall administrators see. Please read the NetBIOS section later in the article carefully.
139 NetBIOS file and print sharing
Connections coming in on this port are trying to reach NetBIOS/SMB services. This protocol is used for Windows File and Printer Sharing and for SAMBA. Sharing your hard disk on the Internet is probably the most common problem.
A large number of scans of this port started in 1999, then gradually decreased, and picked up again in 2000. Some VBS (IE5 VisualBasic Script) worms began to copy themselves to this port, trying to propagate through it.
143 IMAP
Like POP3 above, many IMAP servers have buffer overflow vulnerabilities that can be exploited at login. Remember: the Linux worm (admw0rm) propagates through this port, so many scans of this port come from unwitting infected users. These vulnerabilities became popular when Red Hat enabled IMAP by default in its Linux distribution. This was the first widespread worm since the Morris worm.
This port is also used by IMAP2, but that is not popular.
Some reports have found that some attacks on ports 0 to 143 came from scripts.
161 snmp
A port that intruders often probe. SNMP allows remote management of devices; all configuration and operational information is stored in a database and retrieved through SNMP clients. Many administrators misconfigure it and expose it to the Internet. Hackers will try to access the system with the default passwords "public" and "private", and will try all possible combinations.
SNMP packets may be misdirected to your network. Windows machines running HP JetDirect remote management software often use SNMP because of configuration errors, and HP object identifiers will receive SNMP packets. Newer versions of Win98 use SNMP to resolve domain names, and you will see such packets (cable modem, DSL) querying information such as sysName.
162 SNMP trap
May be caused by a configuration error.
177 xdmcp
Many hackers access the X Window console through it; it also needs port 6000 open.
513 rwho
May be broadcasts from UNIX machines on the subnet you log into via cable modem or DSL. These people provide very interesting information for hackers wanting to get into their systems.
553 CORBA IIOP (UDP)
If you use a cable modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers will use this information to get into the system.
600 Pcserver backdoor
See port 1524.
Some script kiddies think they have completely broken into a system by modifying the ingreslock and pcserver files. (Allen J. Rosenthal)
635 mountd
Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd scanning has increased (mountd runs on both UDP and TCP). Remember, mountd can run on any port (to find which one you need to query portmap on port 111), but Linux defaults to port 635, just as NFS usually runs on port 2049.
1024
Many people ask what this port is for. It is the beginning of the dynamic port range. Many programs don't care which port they use to connect to the network; they ask the operating system to assign them the "next free port". Such allocation starts at port 1024. This means the first program that asks the system for a dynamic port will be assigned port 1024. To verify this, you can restart the machine, start Telnet, then open another window and run "netstat -a": you will see that Telnet has been assigned port 1024. The more programs request dynamic ports, the higher the ports the operating system allocates become. Browse the web, then look at "netstat" again: each web page needs a new port.
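The netstat experiment above can be reproduced in a few lines without a reboot: binding a socket to port 0 is exactly the "give me the next free port" request the text describes. The following Python is an added example, not code from the original article; it asks the OS for several dynamic ports on loopback and classifies each against the three ranges given at the start of this section. It also shows that the "starts at 1024" observation is dated: current Linux kernels draw these ports from net.ipv4.ip_local_port_range (32768-60999 by default), so the numbers you see are much higher, though still in the registered or dynamic range.

```python
import socket


def port_class(port):
    """Well-known / registered / dynamic, using the three ranges above."""
    if not 0 <= port <= 65535:
        raise ValueError("not a TCP/UDP port: %r" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def allocate_dynamic_ports(count=5):
    """Bind `count` TCP sockets to port 0 on loopback (port 0 means "let the
    kernel choose") and return the ports it handed out, in allocation order.
    All sockets are closed before returning so nothing is left listening."""
    socks, ports = [], []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind(("127.0.0.1", 0))
            socks.append(s)                 # keep it open so the next bind
            ports.append(s.getsockname()[1])  # cannot be given the same port
    finally:
        for s in socks:
            s.close()
    return ports


def report(count=5):
    """Pair each allocated port with its class, e.g. [(40001, 'registered'), ...]."""
    return [(p, port_class(p)) for p in allocate_dynamic_ports(count)]


if __name__ == "__main__":
    for port, cls in report():
        print("%5d  %s" % (port, cls))
```

Whether the kernel hands out consecutive numbers, as the text observed in 2000, or randomised ones depends on the operating system; what holds everywhere is that each port is above 1023 and that no two open sockets on the same address share one. That is why a source port above 1024 in a firewall log almost always just means "a client", and why the same port will not be reused until the socket is gone.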
Version 0.4.1, June 20, 2000
/pubs/firewall-seen.html
Copyright by Robert Graham 1998-2000 (mailto:firewall-seen1@robertgraham.com). All rights reserved.
This document may only be copied (in whole or in part) for non-commercial purposes. All copies must contain this copyright notice and may not be modified except with the author's permission.
1025
See 1024.
1026
See 1024.
1080 socks
This protocol tunnels through the firewall, allowing many people behind the firewall to access the Internet through a single IP address. In theory it should only allow internal traffic out to the Internet. However, because of misconfiguration, hackers/crackers outside the firewall can attack through the firewall, or simply use it to bounce around the Internet to hide their direct attacks on you. WinGate is a common Windows personal firewall, and this misconfiguration often occurs with it. You often see this when you join an IRC chat room.
1114 SQL
The system itself rarely scans this port, but it is usually part of the sscan script.
1243 Sub-7 Trojan (TCP)
See section.
1524 ingreslock backdoor
Many attack scripts install a backdoor shell on this port (especially scripts targeting vulnerabilities in Sendmail and RPC services on Sun systems, such as statd, ttdbserver and cmsd). If you have just installed your firewall and see connection attempts on this port, that is probably the reason. You can try a Telnet to this port on your own machine to see if it gives you a shell. Connections to 600/pcserver have the same problem.
2049 NFS
NFS programs usually run on this port. Normally you need to ask the portmapper which port the service is running on, but most of the time NFS ends up on this port after installation, so hackers/crackers can skip the portmapper and probe this port directly.
3128 squid
This is the default port of the squid HTTP proxy server. Attackers scan this port looking for proxy servers through which to access the Internet anonymously. You will also see scans for other proxy ports: 8000/8001/8080/8888. Another reason for scans of this port is users entering chat rooms: other users (or the server itself) will check this port to determine whether the user's machine supports a proxy. See section 5.3.
5632 pcAnywhere
Depending on your location, you will see many scans of this port. When a user starts pcAnywhere, it automatically scans the Class C LAN for possible agents (here "agent" means a pcAnywhere host, not a proxy). Hackers/crackers will also look for machines running this service, so you should check the source address of these scans. Scans looking for pcAnywhere hosts usually also include UDP packets to port 22. See dial-up scanning.
6776 Sub-7 artefact
This port is separate from the Sub-7 main port and is used for data transfer. For example, you will see this when a controller is controlling another machine over a dial-up line and the controlled machine hangs up: when someone else dials in and gets that IP, they will see continuous connection attempts on this port. (Translator: When you see the firewall report a connection attempt on this port, it does not mean that your system has been controlled by Sub-7.)
6970 RealAudio
The RealAudio client receives the audio data stream from the server's UDP ports 6970-7170. This is set up by the outbound control connection on TCP port 7070.
13223 PowWow
PowWow is the Tribal Voice chat program. It lets users open private chat connections to each other on this port. The program is very aggressive about establishing a connection: it "camps" on this TCP port waiting for a response, which leads to connection attempts at intervals like a heartbeat. If you are a dial-up user and "inherit" the IP address of another chatter, this happens: it looks as if many different people are probing this port. The protocol uses "OPNG" as the first four bytes of its connection attempt.
17027 Conducent
This is an outbound connection. It is caused by someone inside the company installing freeware bundled with Conducent's "adbot". The adbot is a service that displays advertising for freeware; a popular program that uses this service is Pkware. There is nothing wrong with trying to block this outbound connection, but blocking the IP address itself causes the adbot to keep trying to connect many times per second, which leads to connection overload: the machine keeps trying to resolve the DNS name ads.conducent.com, i.e. the IP addresses 216.33.26438+00.40; 216.33.199.77; 216.33.199.80; 216.33.199.81; 216.33.210.41. (Translator: I wonder whether the Radiate used by NetAnts has the same phenomenon.)
27374 Sub-7 Trojan (TCP)
See section.
30100 NetSphere Trojan (TCP)
This port is usually scanned for the NetSphere Trojan.
31337 Back Orifice "elite"
In hacker slang, 31337 is pronounced "elite" /ei'li:t/ (translator: from the French, meaning backbone or essence; that is, 3=E, 1=L, 7=T). Many backdoor programs run on this port; the most famous is Back Orifice. This was once the most common scan on the Internet. Its popularity is now declining, while other Trojan programs are becoming more and more popular.
31789 Hack-a-tack
UDP traffic on this port is usually caused by the "Hack-a-tack" remote access Trojan (RAT). This Trojan contains a built-in port 31790 scanner, so any connection from port 31789 to port 31790 means that this intrusion has occurred. (Port 31789 is the control connection and port 31790 is the file transfer connection.)
32770~32900 RPC services
Sun Solaris RPC services live in this range. Specifically, earlier versions of Solaris (before 2.5.1) put the portmapper in this range, so even when the low-numbered ports were blocked by the firewall, hackers could still reach the portmapper. Scans of this range look for the portmapper or for known attackable RPC services.
33434~33600 traceroute
If you see UDP packets in this port range (and only in this range), it is probably traceroute. See the traceroute section.
41508 Inoculan
Earlier versions of Inoculan generated a lot of UDP traffic on the subnet to identify each other. See
http://www.circlemud.org/~jelson/software/udpsend.html
http://www.ccd.bnl.gov/nss/tips/inoculan/index.html
(2) What do the following source ports mean?
Ports 1~1024 are reserved ports, so they are rarely used as source ports. There are some exceptions, such as connections from NAT machines. See 1.9.
We often see source ports above 1024; these are "dynamic ports" assigned by the system to applications that don't care which port they connect from.

Server port       Client port  Service  Description
1-5/tcp           dynamic      sscan    A source port of 1-5 indicates the sscan script.
20/tcp            dynamic      FTP      The FTP server's data transfer port.
53                dynamic      DNS      DNS sends UDP responses from this port. You will also see TCP connections with 53 as the source/destination port.
123               dynamic      S/NTP    The port of Simple Network Time Protocol (S/NTP) servers. They also send broadcasts to this port.
27910~27961/udp   dynamic      Quake    Quake, and games driven by the Quake engine, run their servers on these ports, so UDP packets from or to this port range are usually games.
61000+            dynamic      FTP      Ports above 61000 may come from a Linux NAT server (IP masquerade).
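The source-port table above, together with the pcAnywhere byte-swap rule from the port 22 entry (5632 = 0x1600, swapped 0x0016 = 22), can be applied to log lines directly. The following Python is an added example, not code from the original article: the log format, the sample lines and the label strings are constructed for the example, and the rules are exactly the rows of the table plus the byte-swap check.

```python
import re

# Constructed log format: "<date> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)"
)


def swap16(port):
    """Exchange the two bytes of a 16-bit port number (5632 <-> 22)."""
    return ((port & 0xFF) << 8) | (port >> 8)


def classify_source_port(proto, sport, dport):
    """Apply the source-port table rows (and the byte-swap rule) in order."""
    if proto == "TCP" and 1 <= sport <= 5:
        return "sscan script"
    if proto == "TCP" and sport == 20:
        return "FTP data"
    if sport == 53:
        return "DNS reply (verify against outbound queries)"
    if sport == 123:
        return "S/NTP"
    if proto == "UDP" and 27910 <= sport <= 27961:
        return "Quake"
    if proto == "UDP" and swap16(dport) == 22:
        return "pcAnywhere probe (byte-swapped ssh port)"
    if sport >= 61000:
        return "Linux NAT (IP masquerade)"
    if 1 <= sport <= 1024:
        return "reserved source port (unusual)"
    return "dynamic source port"


def classify_lines(lines):
    """One label per log line; lines that do not parse are marked as such."""
    labels = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            labels.append("unparsed")
            continue
        labels.append(classify_source_port(m["proto"], int(m["sport"]), int(m["dport"])))
    return labels


# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "Jun 20 10:00:01 DROP TCP 203.0.113.5:3 -> 192.0.2.10:80",
    "Jun 20 10:00:02 ACCEPT TCP 198.51.100.21:20 -> 192.0.2.10:35000",
    "Jun 20 10:00:03 ACCEPT UDP 198.51.100.53:53 -> 192.0.2.10:34567",
    "Jun 20 10:00:04 DROP UDP 203.0.113.8:27911 -> 192.0.2.10:27910",
    "Jun 20 10:00:05 DROP UDP 203.0.113.9:1034 -> 192.0.2.10:5632",
    "Jun 20 10:00:06 DROP TCP 198.51.100.77:61234 -> 192.0.2.10:25",
    "Jun 20 10:00:07 DROP TCP 203.0.113.9:1034 -> 192.0.2.10:139",
    "garbage line",
]


if __name__ == "__main__":
    for line, label in zip(SAMPLE_LOG, classify_lines(SAMPLE_LOG)):
        print("%-60s %s" % (line, label))
```

Rule order matters: the source-port-53 row fires before the generic "reserved source port" row, and the label deliberately says "verify" because, as the port 53 entry explains, a stateless firewall cannot tell a real reply from an attacker who chose that source port. The byte-swap check is keyed on the destination port, not the source, since that is where the swapped value shows up in the log.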