Common ports and their functions
0 This is usually used to determine the operating system. The method works because "0" is an invalid port on some systems, so connecting to it produces a different result from connecting to an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit and is broadcast at the Ethernet layer.

1 tcpmux This means that someone is looking for SGI Irix machines. Irix is the main provider of tcpmux, which is turned on by default on this system. Irix machines ship with several default accounts that have no password, such as LP, Guest, UUCP, NuUCP, Demos, Tutor, Diag, EzSetup, OutofBox, 4Dgifts, etc. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and use these accounts.

7 Echo You will see many packets sent to x.x.x.0 and x.x.x.255 by people searching for Fraggle amplifiers. A common DoS attack is the echo-loop: the attacker forges UDP packets sent from one machine to another, and the two machines respond to each other's packets as fast as they can. Another thing you will see is TCP connections to this port established by DoubleClick. There is a product called "Resonance Global Scheduling", which connects to this port on DNS servers to determine the nearest route. Harvest/squid caches will send UDP echoes from port 3130: "If the source_ping on option of the cache is turned on, it will send a hit reply to the UDP echo port of the original host." This generates many such packets.

11 sysstat This is a UNIX service that lists all running processes on the machine and what started them. This gives intruders a lot of information that threatens the security of the machine, such as exposing programs with known weaknesses or account names. It is similar to the output of the "ps" command on UNIX systems. To repeat: ICMP has no ports, and "ICMP port 11" usually means ICMP type = 11.

19 chargen This is a service that only sends characters. The UDP version responds to any UDP packet it receives with a packet containing junk characters. The TCP version sends a stream of junk characters from the moment the connection is made until it is closed. Hackers can use IP spoofing to launch DoS attacks by forging UDP packets between two chargen servers. Because each server tries to answer the endless round-trip traffic between the two, a chargen and an echo service paired this way will overload the servers. Similarly, the fraggle DoS attack broadcasts a packet with a forged victim IP to this port at the target address, and the victim is overloaded by the responses.

21 ftp The most common attackers are trying to find open "anonymous" ftp servers. These servers have directories that can be both read and written. Hackers or crackers use these servers as nodes to transmit warez (proprietary programs) and pr0n (deliberately misspelled to avoid being classified by search engines).

22 ssh, pcAnywhere A TCP connection to this port may be a search for ssh. This service has many weaknesses. If configured in a specific mode, many versions that use the RSAREF library have many vulnerabilities. (It is recommended to run ssh on other ports.) It should also be noted that the ssh toolkit comes with a program called make-ssh-known-hosts, which scans for ssh hosts throughout a domain. Sometimes you are inadvertently scanned by people who use this program. UDP (instead of TCP) packets to this port with port 5632 at the other end mean that someone is scanning for pcAnywhere. Byte-swapped, 5632 (0x1600 in hexadecimal) is 0x0016 (22 in decimal).
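The heuristics described above for ports 7, 19 and 22 can be applied mechanically to firewall log records. The following is an added example, not part of the original page; the log format, the /24 prefix assumption and the function names are hypothetical, and the sample records are constructed.

```python
import ipaddress
import struct

# Constructed sample records (not from the original page):
# (protocol, source IP, source port, destination IP, destination port)
SAMPLE_LOG = [
    ("udp", "198.51.100.7", 5632, "192.0.2.10", 22),
    ("tcp", "198.51.100.8", 40112, "192.0.2.10", 22),
    ("udp", "198.51.100.9", 3130, "192.0.2.10", 7),
    ("udp", "203.0.113.5", 7, "192.0.2.255", 19),
    ("udp", "203.0.113.6", 40000, "192.0.2.0", 7),
    ("tcp", "203.0.113.7", 51000, "192.0.2.10", 443),
]

def byte_swap16(port):
    """Swap the two bytes of a 16-bit port: 22 (0x0016) <-> 5632 (0x1600)."""
    return struct.unpack("<H", struct.pack(">H", port))[0]

def is_net_or_broadcast(ip, prefix=24):
    """True for x.x.x.0 / x.x.x.255 style addresses (assumes a /24 network)."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in (net.network_address, net.broadcast_address)

def classify(proto, src, sport, dst, dport):
    """Label one record using the rules of thumb from the port list."""
    if proto == "udp" and dport == 22 and sport == byte_swap16(22):
        return "pcAnywhere scan (UDP from 5632, not ssh)"
    if proto == "tcp" and dport == 22:
        return "possible ssh search"
    if proto == "udp" and dport == 7 and sport == 3130:
        return "Harvest/squid source_ping echo"
    if proto == "udp" and dport in (7, 19) and sport in (7, 19):
        return "echo/chargen loop (forged source port)"
    if proto == "udp" and dport in (7, 19) and is_net_or_broadcast(dst):
        return "Fraggle amplifier search"
    return "unclassified"

def triage(log):
    """Classify every record in the log, preserving order."""
    return [classify(*record) for record in log]

if __name__ == "__main__":
    for record, label in zip(SAMPLE_LOG, triage(SAMPLE_LOG)):
        print(record, "->", label)
```

The loop rule is checked before the broadcast rule, so a packet that matches both is reported as the more serious condition.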

23 Telnet Intruders are searching for services that allow remote login to UNIX. In most cases, intruders scan this port to find out which operating system the machine is running. In addition, using other techniques, intruders will find passwords.

25 SMTP Attackers (spammers) look for SMTP servers to deliver their spam. Intruders' accounts are always being closed, so they need to dial up to a high-bandwidth e-mail server and have it send simple messages to different addresses. SMTP servers (especially sendmail) are one of the most commonly used ways into a system, because they must be completely exposed to the Internet and the routing of mail is very complicated (exposure + complexity = weakness).

53 DNS Hackers or crackers may try to spoof DNS (UDP) or hide other communications through TCP. Therefore, firewalls usually filter or log port 53. Note that you will often see port 53 as a UDP source port. Stateless firewalls usually allow this kind of traffic on the assumption that it is a reply to a DNS query. Hackers often use this method to penetrate firewalls.
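The source-port-53 assumption described above, shown next to a check that remembers which queries actually left the network. This is an added example, not part of the original page; the names DnsReplyTracker and stateless_allows, the 5-second timeout, and matching on the DNS transaction ID are assumptions, and the events are constructed.

```python
# Constructed events (not from the original page), in time order:
# ("out", t, client, cport, server, txid)   query leaving the network
# ("in",  t, src, sport, dst, dport, txid)  UDP packet arriving from outside
EVENTS = [
    ("out", 0.0, "192.0.2.10", 40001, "198.51.100.53", 0x1A2B),
    ("in", 0.1, "198.51.100.53", 53, "192.0.2.10", 40001, 0x1A2B),  # real reply
    ("in", 0.2, "198.51.100.53", 53, "192.0.2.10", 40001, 0x1A2B),  # duplicate
    ("in", 0.3, "203.0.113.9", 53, "192.0.2.10", 40999, 0x0000),    # unsolicited
    ("out", 1.0, "192.0.2.10", 40002, "198.51.100.53", 0x3C4D),
    ("in", 9.0, "198.51.100.53", 53, "192.0.2.10", 40002, 0x3C4D),  # too late
]

def stateless_allows(sport):
    """The weak rule: trust any UDP packet whose source port is 53."""
    return sport == 53

class DnsReplyTracker:
    """Allows an inbound packet only if it answers a recent outbound query."""

    def __init__(self, timeout=5.0):
        self.timeout = timeout
        self.pending = {}  # (client, cport, server, txid) -> time sent

    def outbound_query(self, t, client, cport, server, txid):
        self.pending[(client, cport, server, txid)] = t

    def inbound_allowed(self, t, src, sport, dst, dport, txid):
        if sport != 53:
            return False
        # A reply reverses the query's addresses; each query is answered once.
        sent = self.pending.pop((dst, dport, src, txid), None)
        return sent is not None and t - sent <= self.timeout

def compare(events):
    """Return (stateless verdict, stateful verdict) for each inbound packet."""
    tracker, verdicts = DnsReplyTracker(), []
    for kind, t, *rest in events:
        if kind == "out":
            tracker.outbound_query(t, *rest)
        else:
            src, sport, dst, dport, txid = rest
            verdicts.append((stateless_allows(sport),
                             tracker.inbound_allowed(t, src, sport, dst, dport, txid)))
    return verdicts

if __name__ == "__main__":
    print(compare(EVENTS))
```

The stateless rule accepts all four inbound packets; the tracker accepts only the first, which matches a pending query within the timeout.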

67 & 68 Bootp/DHCP BOOTP and DHCP over UDP: firewalls on DSL and cable-modem connections often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. Hackers often get onto these networks, hand out an address, and set themselves up as the local router to launch a large number of "man in the middle" attacks. The client broadcasts its configuration request (BOOTP) to port 68, and the server broadcasts the response (BOOTP) to port 67. The response is broadcast because the client does not yet know an IP address it can be sent to.