Help explain the purpose of some TCP port numbers.
0: Commonly used for operating-system fingerprinting. This works because on some systems "0" is an invalid port, so connecting to it produces different results than connecting to an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts it at the Ethernet layer.

1 tcpmux: This means someone is looking for SGI Irix machines. Irix is the main platform shipping tcpmux, which is turned on by default on that system. Irix machines ship with several default accounts that have no password, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox and 4Dgifts. Many administrators forget to remove these accounts after installation, so hackers search the Internet for tcpmux and then use these accounts.

7 echo: You will see many packets sent to x.x.x.0 and x.x.x.255 by people searching for Fraggle amplifiers.

A common DoS attack is the echo loop: the attacker forges UDP packets so that they appear to come from one machine and sends them to another, and the two machines then bounce the packets back and forth to each other as fast as they can (see chargen).

Another thing to watch for is established TCP connections to this port. There is a product called Resonate Global Dispatch that connects to this port on DNS servers in order to determine the nearest route.

Harvest/Squid caches will send UDP echo from port 3130: "If the cache's source_ping on option is enabled, it sends a UDP echo to the echo port of the original host, which answers with a HIT reply." This generates many such packets.

11 sysstat: A UNIX service that lists all processes running on the machine and what started them. This gives intruders a lot of information that threatens the machine's security, such as exposing known weaknesses or accounts. It is similar to the output of the "ps" command on UNIX.

Once again: ICMP has no ports, and "ICMP port 11" usually means ICMP type 11.

19 chargen: A service that does nothing but send characters. The UDP version responds to any received UDP packet with a packet full of junk characters; over TCP it sends a stream of junk characters until the connection is closed. Hackers can use IP spoofing to launch a DoS attack: forge UDP packets between two chargen servers, and because each server tries to answer, the result is endless round-trip traffic between the two servers. A chargen server and an echo server paired in the same way will likewise overload both. Similarly, the Fraggle DoS attack broadcasts packets to this port at the target address with a forged victim IP, and the victim is overloaded responding to them.

21 ftp: The most common attack is looking for "anonymous" FTP servers with read-write directories. Hackers or crackers use these servers as nodes for distributing warez (copyrighted programs) and pr0n (a deliberate misspelling to avoid classification by search engines).

22 ssh: A TCP connection to this port from pcAnywhere may be looking for ssh. This service has many weaknesses; many versions that use the RSAREF library have vulnerabilities when configured in a particular mode. (It is recommended to run ssh on another port.)

Note also that the ssh toolkit comes with a program called make-ssh-known-hosts, which scans an entire domain for ssh hosts, so you are sometimes scanned inadvertently by someone running this program.

A UDP (rather than TCP) connection to port 5632 at the other end means a scan searching for pcAnywhere. After byte swapping, 5632 (hex 0x1600) becomes 0x0016 (22 in decimal).

23 telnet: Intruders search for services that allow remote login to UNIX. In most cases intruders scan this port to find out which operating system the machine is running. Using other techniques in addition, intruders will also find passwords.

25 SMTP: Attackers (spammers) look for SMTP servers to deliver their spam. Spammers' own accounts are always closed down, so they need to dial up to high-bandwidth e-mail servers and send a simple message to many different addresses. SMTP servers (especially sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and mail routing is complicated (exposure + complexity = weakness).

53 DNS: Hackers or crackers may try to spoof DNS (UDP) or hide other traffic over TCP, so firewalls often filter or log port 53.

Note that you will often see port 53 as a UDP source port. Stateless firewalls usually allow this traffic, assuming it is a reply to a DNS query; hackers often penetrate firewalls this way.
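Added example (not from the original article) of the distinction drawn above: a stateless filter trusts any inbound UDP packet whose source port is 53, while a stateful one only admits a reply that matches a query it saw leave. The packets, addresses and port numbers are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    """One UDP datagram as seen at the firewall (constructed sample, not real traffic)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True if it arrives from the Internet side


def stateless_decision(pkt):
    """Rule of thumb used by stateless filters: 'source port 53 must be a DNS reply'."""
    if not pkt.inbound:
        return "allow"                      # everything leaving is permitted
    return "allow" if pkt.src_port == 53 else "drop"


class StatefulDnsFilter:
    """Inbound source-port-53 traffic is allowed only if it answers a query we sent."""

    def __init__(self):
        self.pending = set()  # (client_ip, client_port, server_ip) of unanswered queries

    def decide(self, pkt):
        if not pkt.inbound:
            if pkt.dst_port == 53:
                self.pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
            return "allow"
        if pkt.src_port == 53:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
            if key in self.pending:
                self.pending.discard(key)   # one reply per query; a second is suspicious
                return "allow"
        return "drop"                       # unsolicited "reply": the bypass described above


# Constructed traffic: a genuine query/reply pair, then two packets that merely claim to be replies.
SAMPLE_TRAFFIC = [
    UdpPacket("10.0.0.5", 40123, "192.0.2.53", 53, inbound=False),  # our resolver asks the server
    UdpPacket("192.0.2.53", 53, "10.0.0.5", 40123, inbound=True),   # the matching answer
    UdpPacket("198.51.100.9", 53, "10.0.0.5", 139, inbound=True),   # "reply" aimed at NetBIOS
    UdpPacket("192.0.2.53", 53, "10.0.0.5", 40123, inbound=True),   # replayed duplicate answer
]


def compare(traffic):
    """Return (stateless, stateful) decisions for each packet, in order."""
    f = StatefulDnsFilter()
    return [(stateless_decision(p), f.decide(p)) for p in traffic]
```

The third and fourth packets pass the stateless rule but are dropped by the stateful filter, which is exactly the gap the text describes.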

67/68 bootp/DHCP (UDP): On DSL and cable-modem firewalls you will often see large numbers of packets sent to the broadcast address 255.255.255.255. These machines are asking a DHCP server for an address. Hackers often get in to hand these machines an address and set themselves up as the local router, launching man-in-the-middle attacks in bulk. The client broadcasts its configuration request (BOOTP) to port 67, and the server broadcasts its response (BOOTP) to port 68. The response is broadcast because the client does not yet have an IP address it could be sent to.

69 TFTP (UDP): Many servers provide this service together with bootp so that boot code can easily be downloaded to systems. But they are often misconfigured to serve any file from the system, such as password files. They can also be used to write files onto the system.

79 finger: Hackers use it to obtain user information, query the operating system, probe for known buffer-overflow bugs, and relay finger scans from their own machine to other machines.

80 = HTTP

98 linuxconf: This program provides simple administration of Linux boxes. It offers a web-based interface on port 98 through an integrated HTTP server, and many security problems have been found in it: some versions are setuid root, trust the LAN, create Internet-accessible files under /tmp, and have a buffer overflow in the LANG environment variable. Also, because it contains an integrated web server, it may have many of the typical HTTP vulnerabilities (buffer overflows, directory traversal, etc.).

109 POP2: Not as well known as POP3, but many servers provide both (for backward compatibility). On the same server, the vulnerabilities of POP3 exist equally in POP2.

110 POP3: Used by clients to access mail on the server. POP3 services have many recognised weaknesses: there are at least 20 buffer-overflow weaknesses in the username and password exchange alone (meaning hackers can get into the system before actually logging in), and further buffer-overflow bugs after a successful login.

111 sunrpc portmapper rpcbind: Sun RPC portmapper/rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services are available. Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttdbserverd, amd, etc. Intruders who find an available RPC service then turn to the specific port that provides it to test for vulnerabilities.

Remember to keep logging daemons, an IDS or sniffers running; they let you find out which programs the intruders used to get in, so you can understand what happened.

113 ident/auth: A protocol that runs on many machines and is used to identify the user of a TCP connection. With this standard service you can obtain information about many machines (hackers will use it). But it serves as a logging aid for many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients access these services through a firewall, you will see many connection requests to this port. Remember that if you block this port, clients on the other side of the firewall will find connections to e-mail servers slow. Many firewalls support sending a RST back when a TCP connection is blocked, which stops this slowness.
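An added configuration fragment (not from the original article; nftables syntax is assumed as the firewall) showing the RST behaviour described above beside the silent drop it replaces:

```nft
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Weak setting: silently dropping ident (113) makes remote mail, FTP and
        # IRC servers wait for their ident lookup to time out before serving us.
        # tcp dport 113 drop

        # Corrected: answer with a TCP RST so the remote lookup fails at once.
        tcp dport 113 reject with tcp reset
    }
}
```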

119 NNTP: The Network News Transport Protocol, carrying USENET traffic. This port is used when you link to an address such as news://comp.security.firewalls/. Connection attempts to this port are usually people looking for a USENET server. Most Internet service providers only allow their own customers to access their newsgroup servers. An open newsgroup server lets anyone post and read, reach restricted newsgroups, post anonymously, or send spam.

121 = BO jammerkillah

135 loc-srv, MS RPC endpoint mapper: Microsoft runs the DCE RPC endpoint mapper on this port for its DCOM services. Its function is similar to that of UNIX port 111. Services that use DCOM and/or RPC register their location with the endpoint mapper on the machine; when remote clients connect to the machine, they query the endpoint mapper to find the location of the service. Likewise, hackers scan this port to find out things like: is Exchange Server running on this machine? What version is it?

This port can be used not only for querying services (for example with epdump) but also for direct attacks; there are some DoS attacks against this port.

137 NetBIOS name service, nbtstat (UDP): This is the most common thing firewall administrators see. Please read the NetBIOS section later in the article carefully.

138 = NetBIOS DGM

139 NetBIOS: Connections to this port are attempts to reach the NetBIOS/SMB service for file and print sharing. The protocol is used by Windows File and Printer Sharing and by Samba. Sharing your hard disk on the Internet is probably the most common problem.

Scans of this port began in large numbers in 1999, then gradually declined, and picked up again in 2000 when some VBS (IE5 Visual Basic Scripting) worms began copying themselves through this port, trying to propagate over it.

143 IMAP: The same security problems as POP3 above. Many IMAP servers have buffer-overflow vulnerabilities that are exploited during login. Remember: a Linux worm (admw0rm) propagates through this port, so many scans of this port come from infected users who don't know it. These vulnerabilities became widespread after Red Hat enabled IMAP by default in its Linux distribution. This was the first widespread worm since the Morris worm.

This port is also used for IMAP2, but that is not popular.

Some reports found that some attacks on ports 0 to 143 originated from scripts.

161 SNMP (UDP): A port frequently probed by intruders. SNMP allows remote management of devices: all configuration and operational information is kept in a database and retrieved through SNMP clients. Many administrators misconfigure them and expose them on the Internet. Hackers will try to access the system with the default passwords (community strings) "public" and "private", and may try all possible combinations.

SNMP packets may also be misdirected to your network. Because of configuration errors, Windows machines often use SNMP as the HP JetDirect remote-management software and receive SNMP packets carrying HP object identifiers. Newer versions of Win98 use SNMP to resolve domain names, and you will see such packets broadcast on the subnet (DSL) querying sysName and other information.

162 SNMP trap: may be caused by a configuration error.

177 xdmcp: Many hackers access the X-Windows console through it; it also requires port 6000 to be open.

194 = IRC

443 = HTTPS

456 = Hackers Paradise

513 rwho: Possibly broadcasts from UNIX machines on a subnet connected via cable modem or DSL. These people are handing hackers interesting information about their systems.

553 CORBA IIOP (UDP): If you are on a cable-modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers will use this information to get into the system.

555 = Stealth Spy (Phase)

600 pcserver backdoor: see port 1524.

"Some script kiddies think they have completely compromised a system by modifying the ingreslock and pcserver files." (Allen J. Rosenthal)

635 mountd: Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both protocols at once). Remember that mountd can run on any port (to find out which, you need to do a portmap query on port 111), but Linux defaults to port 635, just as NFS usually runs on port 2049.

666 = Attack FTP

1001 = Silencer

1001 = WebEx

1010 = Doly Trojan v1.35

1011 = Doly Trojan

1015 = Doly Trojan v1.5

1024: Many people ask what this port does. It is the start of the dynamic ports. Many programs don't care which port they use to connect to the network, so they ask the operating system to assign them the "next free port". Allocation starts from port 1024, which means the first program that asks the system for a dynamic port is assigned port 1024. To verify this, restart the machine, open Telnet, then open another window and run "netstat -a": you will see that Telnet has been assigned port 1024. The more programs ask, the more dynamic ports are in use, and the port numbers the operating system hands out grow steadily. Similarly, run "netstat" while browsing the web and you will see that every web page needs a new port.

1025: see 1024.

1026: see 1024.

1033 = Netspy

1042 = Bla 1.1

1047 = GateCrasher

1047 = GateCrasher.c

1080 SOCKS: This protocol passes through the firewall and lets many people behind the firewall reach the Internet through a single IP address. In theory it should only allow internal traffic out to the Internet. However, because of misconfiguration, hackers/crackers outside the firewall attack through the firewall, or simply relay through it to other computers on the Internet to cover up their direct attacks on you. WinGate is a common Windows personal firewall that often has this misconfiguration. You often see this when joining IRC chat rooms.

1114 SQL: The system itself rarely scans this port, but it is usually part of the sscan script.

1243 Sub-7 Trojan (TCP): see the Sub-7 section.

1245 = VooDoo Doll

1269 = Maverick's Matrix

1492 = FTP99CMP (BackOrifice.FTP)

1524 ingreslock backdoor: Many attack scripts install a backdoor shell on this port (especially those for vulnerabilities in Sendmail and in the RPC services of Sun systems, such as statd, ttdbserver and cmsd). If you have just installed your firewall and see connection attempts on this port, this is likely the reason. You can try telnetting to this port on your own machine to see whether it hands you a shell. Connecting to 600/pcserver has the same problem.

1807 = SpySender

1981 = ShockRave

1999 = BackDoor (YAI)

1999 = BackDoor.200

1999 = BackDoor.201

1509 = Streaming Media Server

1600 = Shiv

2001 = TrojanCow

2023 = Pass Ripper

2049 NFS: NFS programs usually run on this port. Normally you would need to ask the portmapper which port the service is running on, but most of the time NFS runs on this port after installation, so a hacker can skip the portmapper and probe the port directly.

2140 = DeepThroat.10

2140 = Invasor

2283 = Rat

2565 = Striker

2583 = WinCrash2

2801 = Phineas

3128 squid: The default port of the Squid HTTP proxy server. Attackers scan this port looking for proxy servers through which to access the Internet anonymously. You will also see searches for the ports of other proxy servers: 8000/8001/8080/8888. Another reason for scanning this port is that a user is entering a chat room; other users (or the server itself) also check this port to determine whether the user's machine supports a proxy. See section 5.3.

3129 = MastersParadise.92

3150 = DeepThroat 1.0

3210 = SchoolBus

4000 = OICQ client

4567 = FileNail

4950 = IcqTrojan

5000 = Blazer5

5190 = ICQ Query

5321 = Firehotcker

5400 = BackConstruction 1.2

5400 = BladeRunner

5550 = Xtcp

5569 = Robo-Hack

5632 pcAnywhere: Depending on your location, you will see many scans of this port. When a user opens pcAnywhere, it automatically scans the local class C network for possible agents (translator's note: "agent" here means a pcAnywhere agent, not a proxy server). Hackers/crackers also look for machines with this service turned on, so you should check the source address of such scans. Some scans searching for pcAnywhere also contain UDP packets to port 22. See dial-up scanning.

5714 = WinCrash3

5742 = WinCrash

6400 = The Thing

6669 = Vampyre

6670 = DeepThroat

6711 = SubSeven

6713 = SubSeven

6767 = NT Remote Control

6771 = DeepThroat 3

6776 Sub-7 artifact: This port is separated from the main Sub-7 port and used for data transfer. For example, you will see this when a controller is controlling another machine over a dial-up line and the controlled machine hangs up: when another person dials in and receives that IP address, they will see continuous connection attempts on this port. (Translator's note: when your firewall reports connection attempts on this port, it doesn't necessarily mean you have been taken over by Sub-7.)

6883 = DeltaSource

6939 = Indoctrination

6969 = GateCrasher

6970 RealAudio: The RealAudio client receives the audio stream from the server's UDP ports 6970-7170. This is set up by the outgoing TCP control connection on port 7070.

7306 = NetMonitor

7307 = ProcSpy

7308 = X Spy

7626 = Glacier Trojan

7789 = ICQKiller

8000 = OICQ server

9400 = InCommand

9401 = InCommand

9402 = InCommand

9872 = Portal of Doom

9875 = Portal of Doom

9989 = iNi-Killer

10167 = Portal of Doom

10607 = Coma

11000 = Senna Spy Trojan

11223 = Progenic Trojan

12076 = Gjamer

12076 = MSH.104b

12223 = Hack'99 KeyLogger

12345 = NetBus 1.x

12346 = NetBus 1.x

12631 = WhackJob.NB1.7

13223 PowWow: PowWow is a chat program from Tribal Voice. It lets users open private chat connections on this port. The program is very aggressive about establishing connections: it "camps" on this TCP port waiting for a response, which produces connection attempts at a heartbeat-like interval. If you are a dial-up user and "inherit" an IP address from another chat user, this is what you see: it looks as though many different people are probing this port. The protocol uses "OPNG" as the first four bytes of its connection attempt.

16969 = Priority

17027 Conducent: This is an outgoing connection, caused by someone inside the company installing shareware bundled with an "adbot". The adbot ("advertising robot") is a service for displaying advertisements in shareware; a popular program that uses it is Pkware. Some people have blocked this outgoing connection without any problem, but blocking the IP addresses themselves causes the adbot to retry the connection many times per second, leading to connection overload: the machine keeps trying to resolve the DNS name ads.conducent.com, whose IP addresses are 216.33.210.40, 216.33.199.77, 216.33.199.80, 216.33.199.81 and 216.33.210.41. (Translator's note: I don't know whether the ad banner used by NetAnts shows the same behaviour.)

17300 = Kuang2

20000 = Millennium (GirlFriend)

20001 = GirlFriend

20034 = NetBus Pro

20331 = Bla

21554 = GirlFriend

21554 = Schwindler 1.82

22222 = Prosiak

23456 = Evil FTP

23456 = UglyFtp

23456 = WhackJob

27374 Sub-7 Trojan (TCP): see the Sub-7 section.

The Unexplained

30029 = AOLTrojan

30100 NetSphere Trojan (TCP): Scans of this port are usually looking for the NetSphere Trojan.

30303 = Socket23

30999 = Kuang2

31337 Back Orifice, "elite": In hacker jargon 31337 reads as "elite" (translator's note: /ei'li:t/, from French, meaning the backbone or cream of the crop; 3=E, 1=L, 7=T), so many backdoor programs run on this port. The most famous is Back Orifice. At one time this was the most common scan on the Internet; its popularity is now declining as other Trojan horse programs become more popular.

31339 = NetSpy

31666 = BOWhack

31787 = Hack'a'Tack

31789 Hack'a'Tack: UDP traffic on this port is usually caused by the "Hack'a'Tack" remote access Trojan (RAT). This Trojan has a built-in port scanner on 31790, so any connection from port 31789 to port 31790 means such an intrusion has taken place. (Port 31789 is the control connection and port 31790 the file-transfer connection.)

32770~32900 RPC services: Sun Solaris's RPC services live in this range. Specifically, earlier versions of Solaris (before 2.5.1) placed the portmapper in this range, so even when the low-numbered port is blocked by a firewall, hackers can still reach the portmapper. Scans of this range look for the portmapper or for known, attackable RPC services.

33333 = Prosiak

33434~33600 traceroute: If you see UDP packets in this port range (and only in this range), it is probably traceroute. See the traceroute section.
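Added example, not part of the original article: a small classifier that applies several of the port notes above (echo/chargen probes of x.x.x.0 and x.x.x.255 from the port 7 and 19 entries, the Hack'a'Tack 31789 to 31790 pattern, the portmapper ranges 111 and 32770-32900, pcAnywhere on UDP 5632, and this traceroute range) to firewall log lines. The "PROTO src:sport > dst:dport" log format and every address in it are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of firewall log lines, one packet per line (not a real capture).
SAMPLE_LOG = """\
UDP 198.51.100.7:2048 > 192.0.2.255:7
UDP 198.51.100.7:2048 > 192.0.2.0:19
UDP 192.0.2.10:7 > 192.0.2.20:19
UDP 198.51.100.9:40000 > 192.0.2.5:33437
TCP 198.51.100.9:40001 > 192.0.2.5:111
TCP 198.51.100.9:40002 > 192.0.2.5:32771
UDP 198.51.100.11:31789 > 192.0.2.7:31790
UDP 198.51.100.12:5632 > 192.0.2.9:5632
TCP 198.51.100.13:51000 > 192.0.2.9:443
"""

LINE_RE = re.compile(r"^(TCP|UDP) (\S+):(\d+) > (\S+):(\d+)$")


def classify(proto, src_ip, sport, dst_ip, dport):
    """Return the label the port notes above give this packet, or 'unremarkable'."""
    last_octet = int(ipaddress.ip_address(dst_ip)) & 0xFF
    if proto == "UDP" and dport in (7, 19) and last_octet in (0, 255):
        return "fraggle-amplifier-probe"   # echo/chargen sent to x.x.x.0 or x.x.x.255
    if proto == "UDP" and sport in (7, 19) and dport in (7, 19):
        return "echo-chargen-loop"         # forged UDP bouncing between the two services
    if proto == "UDP" and 33434 <= dport <= 33600:
        return "traceroute"                # UDP in 33434-33600 and nowhere else
    if dport == 111 or 32770 <= dport <= 32900:
        return "rpc-portmapper-probe"      # portmapper on 111 or the Solaris high range
    if proto == "UDP" and sport == 31789 and dport == 31790:
        return "hackatack-rat-scan"        # control port 31789 -> built-in scanner 31790
    if proto == "UDP" and dport == 5632:
        return "pcanywhere-scan"
    return "unremarkable"


def classify_log(text):
    """Classify each parseable log line, preserving order; malformed lines are skipped."""
    labels = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, src, sport, dst, dport = m.groups()
        labels.append(classify(proto, src, int(sport), dst, int(dport)))
    return labels


def summarize(text):
    """Count how often each label occurs, the view an analyst wants first."""
    return Counter(classify_log(text))
```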

33911 = Trojan Spirit 2001a

34324 = TN

34324 = Tiny Telnet Server

40412 = TheSpy

40421 = MastersParadise.96 (Masters Paradise)

41508 Inoculan: Earlier versions of Inoculan generate a lot of UDP traffic on the subnet to identify each other.

47878 = BirdSpy2

50766 = Fore

50766 = Schwindler

53001 = Remote Shutdown

54320 = Back Orifice 2000

54321 = SchoolBus 1.6

61466 = Telecommando

65000 = Devil