Telecom and Logistics Associates: TLAnews Security News Service

Port probing

The table below lists ports that show up in firewall logs and port probes, the protocol where known, and what the traffic on that port usually means (known services, trojans, DDoS tools and the related CERT advisories).
| Port | Proto | Comments |
| --- | --- | --- |
| ICMP | | Not a port but ICMP as a protocol. Certain DoS attacks use ICMP. The TFN2K DDoS tool does not use any specific port for communication between clients, handlers and agents (it may be supplied at run time or chosen randomly by the program) but a combination of UDP, ICMP and TCP packets. |
| 0 | udp | Port 0 is a perfectly legitimate source port for UDP. It is not a legitimate destination port. For example, it is specified as one of the two source ports which may be used by IKE (the other is port 500). |
| 7 | | Traffic generated by geographical latency-analyzing software used for web page distribution. Global Dispatch is a WAN-based scheduler that makes it easy to place content close to geographically dispersed users and intelligently directs requests to the best-suited Point of Presence (POP). |
| 21 | | CA-99-13, Multiple Vulnerabilities in WU-FTPD; CA-97.27, FTP Bounce |
| 22 | | Installations of PCAnywhere before version 7.52, and v8 with patches applied, use port 22. SSH is also possible on this port; see CA-99-15, Buffer Overflows in SSH Daemon and RSAREF2 Library |
| 43 | | Whois; looks up an identification, can be used to identify domain owners |
| 53 (domain) | tcp udp | UDP port 53 is used for name queries; TCP port 53 is used for zone transfers. Name queries can also come in on TCP port 53. IN-2000-04, Denial of Service Attacks using Nameservers |
| 79 | tcp | Finger 79/tcp. Can obtain computer information |
| 81 | | "I've seen some web servers running on port 81, usually a second instance for load distribution, or the web server administration instance. Interesting that until a few months ago, www.oracle.com had a second Oracle Web Server running on port 81." |
| 98 | | Port 98 is in most cases used by Linuxconf. I don't recall if there is a new exploit for it, but usually when you do a new installation of the Linux OS (especially RedHat), it will start the service by default, and I guess that is what they are looking for. I guess someone wrote a small program that scans machines for this port, and script kiddies will of course start using it themselves. This could explain why so many people are being probed. |
| 109 | tcp | ipop2d buffer overflow |
| 110 | tcp | Qpopper buffer overflow; CA-97.09.imap_pop, Vulnerability in IMAP and POP |
| 111, 32771 | | Remote Procedure Call (Sun RPC). Very dangerous; don't run unless necessary. CA-99-16, Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind |
| 113 | | Anyone have an idea as to why there is sometimes a connection from port 113 on an external FTP server back to the FTP client (on a high port)? This seems to occur for some anonymous FTPs' ident. |
| 135 | | I have users who want to access Outlook from the Internet, and this I was able to do by opening up port 135 and then using static ports and TCP for DCOM. |
| 137 | | I've also seen a number of scans to port 137 that hit every IP address in my pool. As a matter of security I block it at the firewall from going in or out. I also block ports 138 and 139. There is this stupid entity that sweeps through the whole net looking for open NetBIOS/SMB hosts, among other things. A colleague noticed a bunch of scans sweeping over one of his networks back in June, looked up the IPs, and discovered it's related to MP3 and/or other multimedia trading and was supposed to be a "service" for people trying to find where they could get such files. Scour.Net is a multimedia search engine that indexes files from three protocols: HTTP, FTP, and SMB. The connection you saw was one of the SMB crawlers. If you do not have any SMB shares, the crawler will disconnect. If you do have public shares, it will index multimedia files located there. IN-2000-03, 911 Worm |
| 143 | | Port 143 is used for the IMAP server. IMAP is a client mail program and stands for Internet Message Access Program. If you want to know more details, please go to the web sites below: http://www.imap.org and http://www.washington.edu/imap/ . CA-98.09, Buffer Overflow in Some Implementations of IMAP Servers; CA-97.09.imap_pop, Vulnerability in IMAP and POP |
| 161 | udp | SNMP over UDP. Used for network mapping; can get information from the SNMP agent. Example log entry: `1 packets: 203.97.101.36(20480) ->202.218.93.62(161), : Oct 16 09:40:23`. Someone is hoping you've got SNMP configured in a way that will allow them to take control of your network. This would not be good. |
| 256, 257, 258 | tcp | Q. I recently installed Checkpoint Firewall-1 on an NT Server, and I found something odd when I was checking it with a series of port scans. What are open TCP ports 256, 257 and 258? A. These are the control ports used by FW-1. You enable/disable them via the Properties settings. |
| 256 | | This is the Checkpoint FW1_topo service for versions prior to 4.1 (2000) |
| 264 | | Checkpoint SecuRemote clients download site information through SecuRemote port 264 on the server. Starting with VPN-1/Firewall-1 version 2000 (4.1), this is the FW1_topo service |
| 321 | | It's *supposed* to be used for the "Presence Information Protocol"... which is used by services like Ding! to sense if someone is actively online. See http://sunsite.cnlab-switch.ch/ftp/mirror/internet-drafts/draft-aggarwal-pip-reqts-00.txt for more specifics. In all likelihood, the scans you're seeing aren't malicious in intent. |
| 507 | tcp udp | Does anyone know what risks are associated with opening TCP and UDP port 507 through a firewall? I've got a web developer that wants to use Site Server (supposedly using port 507) to push web site updates from an internal development web server to production web servers on a secured firewall segment. |
| 512 | | Remote process execution; authentication performed using passwords and login names. |
| 513 | | Remote login. Don't need it = don't run it. |
| 514 | | Remote command. |
| 543 | tcp | 543/tcp klogind, referred to in CA-2000-06, Multiple Buffer Overflows in Kerberos Authenticated Services |
| 635 | | mountd for Linux. There is an extremely popular exploit tool for this vulnerability called ADMmountd.c. Black hats can gain remote root access with this tool. For more info, check out http://www.enteract.com/~lspitz/enemy3.html |
| 1036 (to IP 169.254.75.160) | | Link-local is a new TCP/IP autoconfiguration standard in development. It should not be routed externally. It is supported by Win98. See http://www.performancecomputing.com/columns/daemons/9907.shtml for a good article on the subject. |
| 1038 | | NT TPSVCS CPU exploit |
| 1080 | tcp udp | Q. Anyone know if there's anything in particular that scans at port 1080/tcp? I guess 1080 is supposed to be used for this: socks 1080/tcp Socks; socks 1080/udp Socks. A. Sounds like someone is looking to see if you have a SOCKS-compliant proxy server. Most likely they are looking for a bounce site (i.e. compromise your site in order to attack other networks). Look at CA-98.03, WinGate IP Laundering |
| 1098 | tcp | rmiactivation 1098/tcp RMI Activation |
| 1494 | tcp | Citrix's remote control protocol is ICA, which runs on TCP/1494 (not UDP). Punching a hole through your firewall for this port will allow basic Citrix connectivity. Since the Citrix client is freely available from Citrix's website, this would allow anyone on the Internet access to your Citrix server's login prompt. A little more probing and patience could easily give any remote user full access to an NT desktop (MetaFrame) on your network. |
| 1502 | | On this one I ended up going to Shiva's site, which gives the clue to what port 1502 is used for, so I'll answer my own question: Managing a LanRover Through a Firewall (678188-SN96). Product: LanRover Access Switch /E/T vGeneral, LanRover and NetModem vGeneral. Component: Shiva Net Manager v5.0. 3rd Party Product(s): none. Release Date: Pending. To be able to manage a LanRover through a firewall, the firewall must be configured to pass traffic directed to TCP port 115 (sftp) and UDP port 161 (and possibly UDP port 1502). |
| 1524 | | Used for DDoS (Distributed Denial of Service) attacks by the program Trinoo |
| 1975 | | Our site had begun getting these port 1975 jewels several months back. When I tracked it down to the originating IPs (several workstations had it..), I found that the users had downloaded and installed the GoZilla! app. We're fortunate here in that we have the latitude to deny usage of 'non-approved' software within our WAN, so the short-term fix was simply to block the port at the firewall system's inner router (keeps it out of your firewall's logs), and to notify the users of their 'dead' app. Don't know of other programs that may use the port, but DO know that its usage isn't currently validated at this location. Makes life a *bit* simpler for sysadmins when the organization is willing to stand behind a documented security policy, too <smile>. |
| 1975, 1976 | | Ports 1975 and 1976 are used by the Cisco implementation of Bridging and IBM Networking (SNA variations). See the document at http://www.pluscom.ru/univercd/cc/td/doc/product/software/ios120/12cgcr/ibm_c/bcovervw.htm . The documentation at this URL does not refer to ports 1975/1976, but they are documented elsewhere in the command reference and guide for Bridging. Also refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12supdoc/12cmdsum/12csibm/csstun.htm and search the document for the Port 1976 and 1977 command references. |
| 2049 | | To allow NFS. While testing NFS between a UNIX server and NT client, it looks like NFS is opening up different ports each time I test: 100005 - mountd; 2049 - nfsd; 100003 - nfsprog; 150001 - pcnfsd; 100021 - nlockmgr |
| 2140 | udp | Q. Has anyone else seen anything like this? This has been happening for well over two weeks and I was wondering if it was a targeted attack or a general scan. All packets have originated from the same city's dialup pool with the same src/dst ports and the same 5-minute span that the scan takes (20:24 -> 20:29, 17:27 -> 17:32), with the last trace showing two distinct 5-minute scans from 11:45 -> 11:50 and 11:56 -> 13:01. What tool uses source port 60000 and 5-minute timings? If this is a plain UDP service scan, why is there 2 bytes of data in the packet (vs NULL)? `20:24:36.271610 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2`; `20:25:19.174056 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2`; `20:26:43.613437 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2`; `20:29:48.675551 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2`. A. Someone is scanning your network for the "Deep Throat" trojan. |
| 2301 | | If I'm not mistaken, it has something to do with Compaq Insight Manager, the hardware management software that gets bundled with Compaq servers. There's a web interface (try connecting via HTTP to a Compaq server on that port, assuming you've got one), and there's an SNMP component, so maybe that's the explanation of the UDP. It's a dangerous thing to have lying around with a default configuration, and it's easy to forget it's there. |
| 3128 | | Squid proxy. www.rusftpsearch.net was searching and trying to exploit this service. Our network has been scanned for devices on port 3128. You are correct about the potential for proxy relay. |
| 4000 | | ICQ chat programs. Can be dangerous. Don't need it = don't run it. |
| 5030 | | I'm currently observing a lot of traffic to port 5030 from 209.58.12.34 (which maps to Teleglobe.net?). A. ? |
| 5135 | | SGI objectserver; 20000303-01-PX, Vulnerability in IRIX 5.3 and 6.2 objectserver |
| 5632 | | Our new installs of PCAnywhere v8 with patches applied use port 22 also. |
| 6000+ | udp | X-Windows |
| 6665-6669 | | Internet Relay Chat. Very dangerous. Don't need it = don't run it. |
| 6667 | tcp | Pretty Park virus: I have one host on my internal network that constantly (meaning 7 times every minute) tries to send TCP out over port 6667 to the following addresses: The list of IRC channels the trojan attempts to connect to includes: You've probably been infected by the Pretty Park virus. |
| 6723 | tcp | Mstream, a DDoS tool. Attacker to handler(s): 6723/tcp (in published source), 15104/tcp ("in the wild"), 12754/tcp (in recovered source). Agent to handler(s): 9325/udp (in published source), 6838/udp ("in the wild"). Handler to agent(s): 7983/udp (in published source), 10498/udp ("in the wild"). Remote control of the mstream handler is accomplished via a TCP connection to port 6723/tcp (or 15104/tcp, or 12754/tcp, or...). |
| 6838 | udp | Mstream 6838/udp |
| 6970 | udp | Q. I have seen thousands of packets with a destination port 6970 UDP, and sometimes 6971 (UDP), coming to us. The sources are such as ra4.netradio.net, lomotil-4.real.com, nr-g2-2.paix.cef.net, etc. A. RealAudio uses UDP ports 6970 through 7170 as well as TCP 7070 |
| 7983 | udp | Mstream 7983/udp |
| 8080 | | Q. Many of the scans that hit my network, especially on the weekends, are of the port 8080 variety, sometimes including port 3128. A. They are for HTTP proxy services. |
| 9137 | | We had to open port 9137 to register for a video conference the other day because I had the outbound. |
| 9325 | udp | Mstream 9325/udp |
| 10498 | udp | Mstream 10498/udp |
| 12343 | | I have recently seen traffic in my log on port 12343 with destination www.hitbox.com (or one of their servers). Port 12343 is a tad too close to port 12345, which is a default port for the NetBus trojan... |
| 12345 | tcp | NetBus 1.0: 12345 tcp |
| 12631 | tcp | NetBus 1.7: 12631 tcp |
| 12754 | tcp | Mstream, a DDoS tool |
| 15104 | tcp | Mstream, a DDoS tool |
| 16660 | tcp | Stacheldraht DDoS; communication between clients, handlers and agents |
| 17027 | | Port 17027 is an ad server for PKWARE and other programs; see http://www.pkware.com/sponsors.html , http://www.conducent.com and http://x29.deja.com/getdoc.xp?AN=400761669&CONTEXT=926694699.1768161413&hitnum=1 . I just reject this port with no logging. |
| 20034 | tcp | NetBus 2.0: 20034 tcp |
| 26602 | tcp | Every 2 minutes we receive a connection attempt from a device on port 26602 (tcp). A. ? |
| 27444 | udp | UDP; used for DDoS (Distributed Denial of Service) attacks by the program Trinoo |
| 27665 | tcp | TCP; used for DDoS (Distributed Denial of Service) attacks by the program Trinoo |
| 31337 | | That's a backdoor named Back Orifice. I get scans on this port nearly every day too. 31338 can also be a variant. |
| 31785, 31787, 31788, 31789 (UDP), 31791 (UDP), 31782 | | This looks like someone is scanning for trojan horses. In this case you were being probed for the trojan "Hack'a'Tack". So all they have to do is a UDP port probe in order to find out if you have Hack'a'Tack running. The reason everyone's probably seeing a big increase in hits is that it has a really nice GUI whereby you can scan an entire network. It does all the usual trojan-type things: steal passwords, run commands on the remote machine, take screen dumps, etc. etc. |
| 31335 | udp | UDP; used for DDoS (Distributed Denial of Service) attacks by the program Trinoo |
| 33434, 65535 | | Recently I've seen an increase of inbound activity on ports 65535 and 33434. I know that 65535 is the last port possible and, if memory serves me, 33434 is the port UNIX uses for traceroute (PORT_UNREACHABLE). All this activity is directed at one of our NATed addresses and I don't see any activity going out to these sites. It is a timing scan from one of the large news organizations. Gannett comes to mind since one of the addresses resolves to their domain. http://www.sans.org/y2k/031000.htm I have confirmation from Exodus Communications and USAToday that the 33434 packets are USAToday's new software for load balancing, using traceroute to determine latency. |
| 33434-33523 | udp | Q. What I found in the logs was a series of connections rising from source port 1024 and destination port 33434 to source port 1113 and destination port 33523. These connections were from our router to our firewall. A. Those are exactly the UDP ports used by the Van Jacobson implementation of |
| 41508 | | Port 41508 is used by the InocuLAN client looking for updates. (InocuLAN is antivirus software.) Maybe someone has misconfigured their NT or '95 boxes. |
| 54320, 54321 | | Back Orifice 2K |
| 65000 | tcp | Stacheldraht DDoS; communication between clients, handlers and agents |
IP protocols (as opposed to ports) can also bring some trouble; below you will find some explanation.

| IP Protocol | Comment |
| --- | --- |
| 54 | IP protocol 54 is the NBMA Next Hop Resolution Protocol. This protocol is used to find the shortest way between two points and is used by some routing protocol; I am not sure, maybe OSPF or something similar. I've noticed some interspersed with some address scans originating from the RFC: December 1994 |
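The entries above (the Deep Throat trace on port 2140, the Trinoo, Mstream and Stacheldraht ports, NetBus, Back Orifice and Hack'a'Tack) are the kind of destination ports a firewall administrator wants matched automatically against the log. The script below is an added example, not part of the original page or of any tool it mentions: it parses tcpdump lines in the same shape as the trace quoted for port 2140, looks each destination port up in a table built from this page, and reports per source host which tool it appears to be probing for. The sample trace, the host names and the documentation-range addresses are constructed for the example; the `udp N` versus TCP-flags distinction is the tcpdump output style of the period and is a simplification.

```python
import re
from collections import defaultdict

# Destination ports this page associates with trojan or DDoS tools.
# Key is (protocol, port); a protocol of None means the page gives no protocol
# for that port, so the port matches either TCP or UDP.
KNOWN_PORTS = {
    ("udp", 2140): "Deep Throat trojan",
    (None, 1524): "Trinoo (DDoS)",
    ("udp", 27444): "Trinoo (DDoS)",
    ("tcp", 27665): "Trinoo (DDoS)",
    ("udp", 31335): "Trinoo (DDoS)",
    ("tcp", 6723): "Mstream (DDoS) attacker-to-handler",
    ("tcp", 15104): "Mstream (DDoS) attacker-to-handler",
    ("tcp", 12754): "Mstream (DDoS) attacker-to-handler",
    ("udp", 9325): "Mstream (DDoS) agent-to-handler",
    ("udp", 6838): "Mstream (DDoS) agent-to-handler",
    ("udp", 7983): "Mstream (DDoS) handler-to-agent",
    ("udp", 10498): "Mstream (DDoS) handler-to-agent",
    ("tcp", 16660): "Stacheldraht (DDoS)",
    ("tcp", 65000): "Stacheldraht (DDoS)",
    ("tcp", 12345): "NetBus 1.0",
    ("tcp", 12631): "NetBus 1.7",
    ("tcp", 20034): "NetBus 2.0",
    (None, 31337): "Back Orifice",
    (None, 31338): "Back Orifice (variant)",
    (None, 54320): "Back Orifice 2K",
    (None, 54321): "Back Orifice 2K",
}
for _port in (31782, 31785, 31787, 31788, 31789, 31791):
    KNOWN_PORTS[(None, _port)] = "Hack'a'Tack"

# One tcpdump line of the shape quoted on this page:
#   20:24:36.271610 host.60000 > A.B.C.D.2140: udp 2
# tcpdump of that era prints "udp <len>" for UDP and a flags string
# (e.g. "S 1:1(0) win 8192") for TCP; anything else after the colon is
# treated as TCP here, which is a simplification.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict describing one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    proto = "udp" if rest.startswith("udp") else "tcp"
    udp_len = int(rest.split()[1]) if proto == "udp" else None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": proto,
        "udp_len": udp_len,
    }


def lookup(proto, dport):
    """Tool name for a destination port, trying the exact protocol first."""
    return KNOWN_PORTS.get((proto, dport)) or KNOWN_PORTS.get((None, dport))


def classify(log_text):
    """Return one finding per line whose destination port is on the page's list."""
    findings = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        tool = lookup(pkt["proto"], pkt["dport"])
        if tool is None:
            continue
        pkt["tool"] = tool
        # The page's Deep Throat trace: UDP to 2140 from source port 60000
        # carrying 2 bytes of data. Flag that exact shape separately.
        pkt["deep_throat_probe"] = (
            pkt["proto"] == "udp" and pkt["dport"] == 2140
            and pkt["sport"] == 60000 and pkt["udp_len"] == 2
        )
        findings.append(pkt)
    return findings


def summarize(findings):
    """Map each source host to the sorted list of tools it probed for."""
    by_src = defaultdict(set)
    for f in findings:
        by_src[f["src"]].add(f["tool"])
    return {src: sorted(tools) for src, tools in by_src.items()}


# Constructed sample trace in the page's tcpdump format (not a real capture);
# hosts use example/documentation address ranges.
SAMPLE_LOG = """\
20:24:36.271610 dialup-191.example.net.60000 > 192.0.2.10.2140: udp 2
20:25:19.174056 dialup-191.example.net.60000 > 192.0.2.11.2140: udp 2
20:26:01.000000 203.0.113.5.1034 > 192.0.2.10.12345: S 1:1(0) win 8192
20:26:02.000000 203.0.113.5.1035 > 192.0.2.10.27665: S 2:2(0) win 8192
20:26:03.000000 203.0.113.5.1036 > 192.0.2.10.80: S 3:3(0) win 8192
20:26:04.000000 198.51.100.7.2000 > 192.0.2.10.31337: udp 18
"""

if __name__ == "__main__":
    for src, tools in summarize(classify(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(tools)}")
```

The port 80 SYN in the sample is deliberately left out of the findings: the point of the table is to separate ordinary service probes from ones aimed at a known trojan or DDoS control channel, so only the latter are reported, and the Deep Throat flag shows how a specific packet shape from a trace (source port, payload length) can be matched on top of the port lookup.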
All information provided is of a general nature and is not
intended to address the circumstances of any particular individual or entity.
Although we endeavor to provide accurate and timely information, there can be no
guarantee that such information is accurate as of the date it is received or
that it will continue to be accurate in the future. No one should act upon such
information without appropriate professional advice after a thorough examination
of the facts of the particular situation.