What are computer ports?

Ports fall into three major categories:

1) Well Known Ports: 0 to 1023. They are tightly bound to particular services; traffic on these ports usually indicates the protocol of that service unambiguously. For example, port 80 is practically always HTTP traffic.

2) Registered Ports: 1024 to 49151. They are loosely bound to services: many services are registered on these ports, but the same ports are also used for many other purposes. For example, many systems allocate dynamic ports starting around 1024.

3) Dynamic and/or Private Ports: 49152 to 65535. In theory these ports should not be assigned to services. In practice, machines usually allocate dynamic ports starting at 1024, with exceptions: SUN's RPC ports start at 32768.

This section describes the information typically found in firewall logs of TCP/UDP port scans.

Remember: there is no such thing as an ICMP port. If you are interested in interpreting ICMP data, please see the rest of this article.

0 Usually used to fingerprint operating systems. This works because "0" is an invalid port on some systems, which produce a different result when you try to connect to it than for a normal closed port. A typical scan: use IP address 0.0.0.0, set the ACK bit, and broadcast at the Ethernet layer.

1 tcpmux This shows that someone is looking for SGI Irix machines. Irix is the main vendor of a tcpmux implementation, and it is turned on by default on those systems. Irix machines shipped with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and exploit these accounts.

7 echo You will see a lot of packets sent to x.x.x.0 and x.x.x.255 when people search for Fraggle amplifiers. A common DoS attack is the echo loop (echo-loop): the attacker forges UDP packets that appear to be sent from one machine to another, and the two machines respond to each other's packets as fast as they can. (See chargen.) Another thing to watch for are TCP connections to this port from DoubleClick. There is a product called "Resonate Global Dispatch" that connects to this port on DNS servers to determine the nearest route. The Harvest/Squid cache will send a UDP echo from port 3130: "If the source_ping on option of the cache is turned on, it replies to the UDP echo port with a HIT reply." This generates many such packets.

11 sysstat This is a UNIX service that lists all running processes on the machine and who started them. It gives an intruder a lot of information that threatens the security of the machine, such as exposing programs with known vulnerabilities or accounts. It is similar to the output of the "ps" command on UNIX systems. Again: ICMP has no port, and "ICMP port 11" is usually ICMP type=11.

19 chargen This is a service that only sends characters. The UDP version responds to any UDP packet it receives with a packet of garbage characters. On a TCP connection it sends a stream of garbage characters until the connection is closed. Hackers can use IP spoofing to launch DoS attacks by forging UDP traffic between two chargen servers: pairing chargen with echo causes both servers to overload as they try to answer an unlimited round trip of traffic between them.

Similarly, a fraggle DoS attack broadcasts a packet with a forged victim IP to this port on the target network, and the victim is overloaded by the responses.

21 ftp Most commonly, attackers on this port are looking for open "anonymous" FTP servers whose directories are both readable and writable. Hackers or crackers use these servers as nodes for distributing warez (pirated programs) and pr0n (an intentional misspelling to avoid being classified by search engines).

22 ssh pcAnywhere may establish TCP connections to this port to look for ssh. This service has many weaknesses. Many versions using the RSAREF library have vulnerabilities if configured in a specific mode. (It is recommended to run ssh on a different port.) It should also be noted that the ssh toolkit comes with a program called make-ssh-known-hosts, which scans an entire domain for ssh hosts; you may sometimes be scanned accidentally by someone using this program. A UDP (rather than TCP) connection to port 5632 at the other end means there is a scan searching for pcAnywhere: 5632 (hex 0x1600) is 0x0016 (22) with its bytes swapped.

23 telnet Intruders are searching for UNIX remote login services. In most cases, intruders scan this port to find out which operating system the machine is running. Using other techniques as well, the intruder will then go after the password.

25 smtp Attackers (spammers) look for SMTP servers in order to deliver their spam. The spammer's own accounts are constantly being closed, so they need to dial up to a high-bandwidth e-mail server to relay simple messages to many different addresses. SMTP servers (especially sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and the routing of mail is complex (exposure + complexity = vulnerability).

53 DNS Hackers or crackers may be attempting a zone transfer (TCP), spoofing DNS (UDP), or hiding other communications. Firewalls therefore often filter or log port 53. Note that you will often see port 53 as the UDP source port: naive firewalls allow this traffic, assuming it is a reply to a DNS query, and hackers often use this method to get through firewalls.

67 and 68 bootp and DHCP (UDP) Firewalls behind DSL and cable modems often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. Attackers often take advantage of this by answering with an address assignment that names themselves as the local router, in order to launch large numbers of "man-in-the-middle" attacks. The client broadcasts a configuration request to port 68 (bootps), and the server broadcasts its response to port 67 (bootpc). The response is broadcast because the client does not yet have an IP address it can be sent to.

69 TFTP (UDP) Many servers provide this service together with bootp to make it easy to download boot code to the system. But they are often misconfigured and will serve any file on the system, such as password files. They can also be used to write files to the system.

79 finger Hackers use it to obtain user information, query the operating system, detect known buffer-overflow errors, and bounce finger scans from their own machine to other machines.

98 linuxconf This program provides simple management of Linux boxes. It offers a web-based interface through an integrated HTTP server on port 98. It has been found to have numerous security issues: some versions are setuid root, trust the LAN, create Internet-accessible files under /tmp, and have buffer overflows in the LANG environment variable.

In addition, because it contains an integrated HTTP server, many typical HTTP vulnerabilities may exist (buffer overflows, directory traversal, etc.).

109 POP2 Not as well known as POP3, but many servers provide both services (for backward compatibility). The vulnerabilities of POP3 also exist in POP2 on the same server.

110 POP3 Used by clients to access mail on the server. POP3 services have many well-known weaknesses. There are at least 20 vulnerabilities involving buffer overflows in the username and password exchange (meaning an attacker can get into the system before actually logging in). There are further buffer overflow errors after a successful login.

111 sunrpc portmap rpcbind Sun RPC PortMapper/RPCBIND. Accessing the portmapper is the first step in scanning a system to see which RPC services it offers. Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. Once an intruder has found a vulnerable RPC service, they can connect directly to the port on which it is provided. Make sure a daemon, IDS, or sniffer on the line is logging this, so that you can find out which program the intruder used to get access and what happened.

113 ident auth This is a protocol running on many machines, used to identify the users of TCP connections. Using this standard service, information about many machines can be obtained (and exploited by hackers). But it is also used as a logging aid by many services, especially FTP, POP, IMAP, SMTP and IRC. Typically, if many clients access these services through a firewall, you will see many connection requests to this port. Keep in mind that if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending a TCP RST back when blocking the TCP connection, which stops the slow connection.

119 NNTP news Network News Transfer Protocol, carrying USENET traffic. This port is usually used when you open an address such as news:comp.security.firewalls. Connection attempts on this port are usually people looking for USENET servers. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server allows anyone to post and read messages, reach restricted newsgroups, post anonymously, or send spam.

135 loc-srv MS RPC end-point mapper Microsoft runs the DCE RPC end-point mapper on this port for its DCOM services. This is very similar in function to UNIX port 111. Services using DCOM and/or RPC register their location with the end-point mapper on the machine. When remote clients connect to a machine, they query the end-point mapper to find the location of the service. Likewise, hackers scan this port on a machine to answer questions such as: Is Exchange Server running on this machine? Which version? Besides being used to query services (for example with epdump), this port can also be used for direct attacks; there are some DoS attacks that target it directly.

137 NetBIOS name service nbtstat (UDP) This is the most common item firewall administrators see. Please read the NetBIOS section at the end of the article carefully.

139 NetBIOS File and Print Sharing Incoming connections on this port are trying to reach NetBIOS/SMB services. This protocol is used for Windows "File and Printer Sharing" and by SAMBA. Sharing your hard drive on the Internet is probably the most common problem.

A large number of attacks on this port began in 1999, then gradually became less frequent, and picked up again in 2000. Some VBS (IE5 Visual Basic Scripting) worms began copying themselves through this port in an attempt to replicate.

143 IMAP Has the same security issues as POP3 above. Many IMAP servers have buffer-overflow vulnerabilities that can be exploited during the login process. Remember: a Linux worm (admw0rm) spreads through this port, so many scans of this port come from unsuspecting infected users. These vulnerabilities became widespread when Red Hat enabled IMAP by default in its Linux distributions. This was the first widely spread worm since the Morris worm. This port is also used by IMAP2, which is not very popular. There have been some reports that some attacks on ports 0 to 143 originate from scripts.

161 SNMP (UDP) A port intruders often probe. SNMP allows remote management of devices. All configuration and operational information is stored in a database and is available through an SNMP client. Many administrators misconfigure it, exposing it to the Internet. Crackers will attempt to access the system using the default community strings "public" and "private", and may try all possible combinations. SNMP packets may also be misdirected into your network. Windows machines running the HP JetDirect remote management software are often misconfigured to use SNMP; the HP OBJECT IDENTIFIER will receive SNMP packets. Newer versions of Win98 use SNMP to resolve domain names, so you will see this kind of packet broadcast on the subnet (cable modem, DSL) querying sysName and other information.

162 SNMP trap May be due to misconfiguration.

177 xdmcp Many hackers access the X Windows console through it; it also requires port 6000 to be open.

513 rwho May be broadcast by UNIX machines on a subnet connected via cable modem or DSL. These machines give hackers interesting information for gaining access to their systems.

553 CORBA IIOP (UDP) If you are on a cable modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (remote procedure call) system. Hackers will use this information to get into the system.

600 pcserver backdoor Please check port 1524. Some script kiddies think they have completely broken into a system by modifying the ingreslock and pcserver files (Alan J. Rosenthal).

635 mountd Linux's mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd scans are increasing (mountd runs on both transports simultaneously). Remember, mountd can run on any port (to find which one, do a portmap query on port 111), but Linux defaults to port 635, just as NFS usually runs on 2049.

1024 Many people ask what this port is for. It is the start of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the operating system for the "next free port", and on many systems this allocation starts at port 1024. This means the first program that requests a dynamic port from the system is assigned port 1024. To verify this, restart the machine, open Telnet, then open a window and run "netstat -a"; you will see that Telnet has been assigned port 1024. The more programs request ports, the more dynamic ports are in use, and the ports the operating system hands out gradually become larger.

Similarly, when you browse web pages and check with "netstat", each web page requires a new port.

Version 0.4.1, June 20, 2000, http://www.robertgraham.com/pubs/firewall-seen.html. Copyright 1998-2000 by Robert Graham (mailto:firewall-seen1@robertgraham.com). All rights reserved. This document may only be reproduced (whole or in part) for non-commercial purposes. All reproductions must contain this copyright notice and must not be altered, except by permission of the author.
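The "next free port" behaviour described for port 1024 can be observed directly by asking the operating system for port 0. This is an added example, not part of the original document: it binds a few sockets on loopback, records the ports the kernel hands out, and (on Linux only, path assumed) reads the configured ephemeral range, so you can see whether your system still starts at 1024 as the text describes or, as modern kernels do, somewhere higher.

```python
import socket

def allocate_ports(n=5, host="127.0.0.1"):
    """Bind n TCP sockets to port 0; the OS replies with its "next free port",
    which is what the Telnet + netstat -a check in the text observes."""
    socks, ports = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind((host, 0))            # port 0 = let the kernel choose
            socks.append(s)              # keep it open so the port stays taken
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports

def configured_range():
    """Linux keeps the ephemeral range in this sysctl file (assumed path).
    Returns (low, high), or None on systems without the file."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except (OSError, ValueError):
        return None

def report(n=5):
    """Summarise where the dynamically assigned ports fall."""
    ports = allocate_ports(n)
    rng = configured_range()
    return {
        "ports": ports,
        "all_above_1023": all(p > 1023 for p in ports),
        "starts_at_1024": bool(ports) and min(ports) == 1024,
        "configured_range": rng,
        "within_configured": rng is None
            or all(rng[0] <= p <= rng[1] for p in ports),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(key, "=", value)
```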

1025 See 1024

1026 See 1024

1080 SOCKS This protocol tunnels through the firewall, allowing many people behind the firewall to reach the Internet through a single IP address. In theory it should only let internal traffic out to the Internet, but when misconfigured it lets hackers/crackers outside the firewall attack through it, or simply bounce off it to other computers on the Internet, thereby masking their direct attack on you. WinGate is a common case of this. The above misconfiguration often occurs in common Windows personal firewalls. This situation is often seen when joining IRC chat rooms.

1114 SQL The system itself rarely scans this port, but it is often part of the sscan script.

1243 Sub-7 Trojan (TCP) See Subseven section.

1524 ingreslock backdoor Many attack scripts install a backdoor shell on this port (especially scripts targeting Sun systems with vulnerable Sendmail and RPC services such as statd, ttdbserver and cmsd). If you have just installed your firewall and are seeing connection attempts on this port, it is most likely for this reason. You can try to telnet to this port on your own machine and see whether it gives you a shell. The same problem exists with connections to 600/pcserver.

2049 NFS NFS programs usually run on this port. Normally you need to query the portmapper to find out which port the service is running on, but since NFS ends up on this port after most installations, hackers/crackers can bypass the portmapper and probe the port directly.

3128 squid This is the default port of the Squid HTTP proxy server. Attackers scan this port to find proxy servers through which they can access the Internet anonymously. You will also see scans for other proxy server ports: 8000/8001/8080/8888. Another reason for scans of this port is a user entering a chat room: other users (or the server itself) check this port to determine whether the user's machine is running a proxy. Please see section 5.3.

5632 pcAnywhere You will see a lot of scans for this port, depending on where you are. When a user opens pcAnywhere, it automatically scans the class C LAN to find possible agents (Translator: "agent" here, not proxy).

Hackers/crackers also look for machines with this service open, so you should check the source address of such scans. Some scans searching for pcAnywhere also include UDP packets to port 22. See Dial Scan.

6776 Sub-7 artifact This port carries data transfer, separate from the Sub-7 main port. You would see this, for example, when a controller is controlling another machine over a phone line and the controlled machine hangs up: when another person then dials in and receives that IP address, they see continued connection attempts on this port. (Translator: When your firewall reports a connection attempt on this port, it does not mean you have been controlled by Sub-7.)

6970 RealAudio Clients receive the audio data stream from the server's UDP ports 6970-7170. This is set up by an outbound TCP connection on port 7070.

13223 PowWow PowWow is the chat program from Tribal Voice. It allows users to open private chat connections on this port. This program is very "aggressive" in establishing connections: it "camps" on this TCP port waiting for a response, which results in connection attempts at heartbeat-like intervals. This happens if you are a dial-up user and "inherit" an IP address from another chatter: it looks as if many different people are probing the port. This protocol uses "OPG" as the first four bytes of its connection attempt.

17027 Conducent This is an outgoing connection, caused by someone within the company installing free software containing the Conducent "adbot".

The Conducent "adbot" displays advertisements for shareware. One popular program that uses this kind of service is PKWARE. Someone has tested this: blocking the outgoing connection causes no problems, but blocking the IP address itself causes the adbot to keep retrying the connection several times per second, causing connection overload. The machine keeps trying to resolve the DNS name ads.conducent.com, which resolves to the IP addresses 216.33.210.40, 216.33.199.77, 216.33.199.80, 216.33.199.81 and 216.33.210.41. (Translator: I wonder whether Radiate, used by NetAnts, shows the same phenomenon.)

27374 Sub-7 Trojan (TCP) See the Subseven section.

30100 NetSphere Trojan (TCP) This port is usually scanned to find NetSphere Trojans.

31337 Back Orifice "31337" in hacker-speak is pronounced "elite" /ei'li:t/ (Translator: the word means backbone or essence; that is, 3=E, 1=L, 7=T). Many backdoor programs therefore run on this port. The most famous is Back Orifice, which was for a while the most common scan on the Internet. It is now becoming less popular, and other Trojans are becoming more popular.

31789 Hack-a-tack UDP traffic on this port is usually caused by the "Hack-a-tack" remote access Trojan (RAT, Remote Access Trojan). This Trojan has a built-in port scanner, so any connection from port 31789 to port 31790 means such an intrusion has taken place (port 31789 is the control connection, port 31790 is the file-transfer connection).

32770~32900 RPC services Sun Solaris RPC services fall in this range. Specifically, early versions of Solaris (before 2.5.1) put the portmapper in this range, allowing hackers/crackers to reach it even when the low port is blocked by the firewall.

Ports in this range are scanned either for portmappers or for known RPC services that can be attacked.

33434~33600 traceroute If you see UDP packets in this port range (and only in this range), it is probably traceroute. See the traceroute section.

41508 Inoculan Early versions of Inoculan generate a large amount of UDP traffic within the subnet so that installations can find each other. See:

http://www.circlemud.org/~jelson/software/udpsend.html

http://www.ccd.bnl.gov/nss/tips/inoculan/index.html

Ports 1~1024 are reserved ports, so they are almost never source ports. There are some exceptions, such as connections from NAT machines. We often see ports immediately above 1024; these are "dynamic ports" assigned by the system to applications that do not care which port is used to connect.

Server            Client    Service   Description
1-5/tcp           Dynamic   FTP       A source port of 1-5 means the sscan script
20/tcp            Dynamic   FTP       FTP server port for transferring files
53                Dynamic   DNS       DNS sends UDP responses from this port. You may also see it as the source/destination port of TCP connections.
123               Dynamic   S/NTP     The port on which Simple Network Time Protocol (S/NTP) servers run. They also send broadcasts to this port.
27910~27961/udp   Dynamic   Quake     Quake and games driven by the Quake engine run their servers on these ports, so UDP packets coming from or sent to this port range are usually games.
above 61000       Dynamic   FTP       Ports above 61000 may come from a Linux NAT server
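The interpretations given above for echo/chargen loops and fraggle probes (ports 7 and 19), TCP and UDP on port 53, the 5632/22 byte-swapped pcAnywhere pair, the 31789/31790 Hack-a-tack pair, and the source-port table can be turned into a small triage pass over firewall log lines. This is an added example, not code from the original article: the log line format (proto src:port -> dst:port), the sample lines and the flag names are all constructed for it.

```python
import re

# Constructed log format assumed for this example: "<PROTO> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")

def port_class(port):
    """The three port ranges as given at the top of the article."""
    if not 0 <= port <= 65535:
        return "invalid"
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def swap16(port):
    """Swap the two bytes of a 16-bit port: 5632 (0x1600) <-> 22 (0x0016)."""
    return ((port & 0xFF) << 8) | ((port >> 8) & 0xFF)

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    proto, src, sport, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}

def triage(line):
    """Return the destination port class and every pattern the line matches."""
    e = parse(line)
    udp, tcp = e["proto"] == "UDP", e["proto"] == "TCP"
    sport, dport = e["sport"], e["dport"]
    last_octet = e["dst"].rsplit(".", 1)[-1]
    flags = []
    # Ports 7 and 19 answer anything, so a forged UDP packet between them loops.
    if udp and sport in (7, 19) and dport in (7, 19):
        flags.append("echo/chargen loop attempt")
    # Packets to x.x.x.0 / x.x.x.255 on 7 or 19 look for fraggle amplifiers.
    if udp and dport in (7, 19) and last_octet in ("0", "255"):
        flags.append("broadcast probe for fraggle amplifiers")
    if tcp and dport == 53:
        flags.append("TCP to DNS: possible zone transfer")
    # Inbound UDP from source port 53 is shaped like a DNS reply; accept it only
    # when it answers a query this site actually sent.
    if udp and sport == 53 and dport >= 1024:
        flags.append("UDP from source port 53: match against outbound queries")
    # pcAnywhere probes use UDP 5632 and its byte-swapped twin, 22.
    if udp and dport in (5632, swap16(5632)):
        flags.append("pcAnywhere probe (5632 / 22 byte-swap pair)")
    if tcp and sport == 31789 and dport == 31790:
        flags.append("Hack-a-tack control -> file transfer pair")
    # Source ports that identify server-side traffic (source-port table above).
    if udp and 27910 <= sport <= 27961:
        flags.append("Quake game traffic")
    if tcp and 1 <= sport <= 5:
        flags.append("source port 1-5: sscan script")
    return {"dst_class": port_class(dport), "flags": flags}

# Constructed sample lines, not taken from any real firewall.
SAMPLE_LOG = [
    "UDP 203.0.113.9:7 -> 192.0.2.255:19",
    "UDP 198.51.100.20:53 -> 192.0.2.10:1030",
    "TCP 198.51.100.20:2049 -> 192.0.2.10:53",
    "UDP 198.51.100.7:1024 -> 192.0.2.10:22",
    "TCP 192.0.2.10:31789 -> 198.51.100.44:31790",
    "UDP 198.51.100.77:27910 -> 192.0.2.10:52000",
    "TCP 198.51.100.3:40000 -> 192.0.2.10:80",
]

def triage_all(lines=SAMPLE_LOG):
    return [(line, triage(line)) for line in lines]

if __name__ == "__main__":
    for line, r in triage_all():
        print(line, "|", r["dst_class"], "|", "; ".join(r["flags"]) or "no pattern")
```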

Port Directory

1 tcpmux TCP Port Service Multiplexer

2 compressnet Management Utility

3 compressnet Compression Process

5 rje Remote Job Entry

7 echo Echo

9 discard Discard

11 systat Active Users

13 daytime Daytime

17 qotd Quote of the Day

18 msp Message Send Protocol

19 chargen Character Generator

20 ftp-data File Transfer [Default Data]

21 ftp File Transfer [Control]

22 ssh SSH Remote Login Protocol

23 telnet Telnet (terminal emulation protocol)

24 ? any private mail system

25 smtp Simple Mail Transfer

27 nsw-fe NSW User System FE (Field Engineer)

29 msg-icp MSG ICP

31 msg-auth MSG Authentication

33 dsp Display Support Protocol

35 ? any private printer server

37 time Time

38 rap Route Access Protocol

39 rlp Resource Location Protocol

41 graphics Graphics

42 nameserver WINS Host Name Server

43 nicname Who Is (whois service)

44 mpm-flags MPM (Message Processing Module) FLAGS Protocol

45 mpm Message Processing Module [recv]

46 mpm-snd MPM [default send]

47 ni-ftp NI FTP