About Internet Ports
Ports and their Vulnerabilities
When your computer
connects to the Internet, it's given a unique identifying number: its 'IP
address' (IP stands for Internet Protocol). This address is used by other
computers to route the data destined for your computer over the network.
It has nothing to do with the phone number you use to connect your modem
to your ISP (Internet Service Provider). An IP address is a 32-bit binary
number, usually written as four decimal numbers from 0 to 255, like this:
192.168.19.34.
If you connect through dial-up, an IP address is assigned to you when
you connect, and when you disconnect that IP address is made available
to someone else; this is a dynamic IP. If you have a permanent Internet connection,
you will probably have a permanent IP address assigned to you, i.e. a static
IP.
Data is sent over the Internet in small chunks called 'packets'. Large
amounts of data will be broken into many packets for transmission. Each
packet independently contains all the information needed to route that
packet over the network, including its destination IP address and its source
IP address. Every packet has a 'return address' identifying its sender.
Your computer may be talking to several other computers at the same time.
(Maybe you're browsing web pages while collecting your email and downloading
a file.) Since all this data arrives at your computer at your single IP
address, how does it know where to go? This is what ports are for. Your
computer can have up to 65,536 ports on its single IP address. You can
think of these like telephone extension numbers at a large company. When
your computer needs to talk to another computer, it tells that other computer
what 'extension number' to use when the other computer replies.
So how do computers that are talking for the first time find out each other's
port numbers? Well, when you telephone a strange company and get an automated
switchboard, you can be pretty sure that '0' will get you the operator,
and the operator can give you anyone else's extension number. Computers
work in a similar fashion. Certain port numbers have been universally agreed
to provide certain services. For example, port 80 is always used for the
web server, so when your computer wants a web page from another computer,
that's where it sends the request.
If someone sends your computer a request on port 80, your computer
can do three things. If you have a web server running on your machine (many
Linux computers do), it can honour the request and send a reply. If you
don't have a web server, it can send a reply saying 'no'. Or your computer
can simply ignore the request and not even acknowledge it. Your port 80
would be called 'open,' 'closed', or 'stealthed', respectively.
An 'open' port means that a programme running on your computer is willing
to accept packets received for that port. Usually this program will be
part of the operating system. For example, port 139 is used by Microsoft
computers to share files on the hard disk. When you enable file sharing
on your local area network, you instruct the operating system to honour
requests sent to port 139 (and also 138 and 137).
This is an example of a major vulnerability. Many Windows machines
(and even some Linux systems) do not distinguish between the local network
(your Ethernet) and the outside world (your modem). So if you have enabled
file sharing carelessly, and you are dialed into your ISP, any computer
in the world can read and write files on your hard disk. It's been
estimated that millions of Windows computers are wide open in this way.
To be safe:-
1. Don't enable file sharing unless you need it.
2. Don't ever enable sharing for your drive C:\. Instead, enable just selected
folders (and never any of the system folders).
3. Enable file sharing 'read only' so that even if strangers can read your
files at least they can't change them or write new ones.
4. Establish passwords for your shared folders.
5. Put a firewall between you and the outside world. A firewall can distinguish
between requests on your local area network, and requests from the modem; and
it can block the latter.
So we deny all
packets from the outside world, unless they're replies to a request made
by our computers. This is because so many ports are now being opened by
viruses.
It's possible for a virus, like any other program on your computer, to
tell the operating system that it will accept requests sent to some arbitrary
port number ... thereby opening that port. Viruses may do this to accept
new programming from the outside world; for example, the MyDoom virus opens
port 3127 on an infected computer. To find those vulnerable computers,
'hostile' outside computers will send requests to random computers using
that port number, to see if they're honoured, refused, or ignored. If such
a request is honoured, an infected computer has been found.
So even though we're not infected, we get constantly bombarded with these
'probes' on our port 3127 and many
other ports looking for an opening. We used to send a reply saying
the port is closed but that consumes bandwidth, and also lets the hostile
computer know that there is a computer at this IP address ... and
even if it's not infected with MyDoom it might be vulnerable to some other
attack. Now we simply ignore all such requests and don't reply, denying
invaders knowledge of our very existence. A good firewall program will
do just that.
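The rule described above (accept only replies to our own requests, and ignore everything else rather than refuse it) can be modelled in a few lines. This is an added example, not code from the original page; the class and function names are hypothetical, the addresses other than 192.168.19.34 are constructed, and a real firewall also expires old entries and tracks connection state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    sport: int    # source port
    dst: str      # destination IP address
    dport: int    # destination port


class ReplyOnlyFilter:
    """Accept inbound packets only when they answer a request we sent."""

    def __init__(self, our_addresses, stealth=True):
        self.ours = set(our_addresses)
        self.stealth = stealth
        self.awaited = set()   # (remote ip, remote port, our ip, our port)

    def handle(self, pkt):
        if pkt.src in self.ours:
            # Outbound request: remember exactly which reply it entitles.
            self.awaited.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "accept"
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.awaited:
            return "accept"
        # Unsolicited packet: ignore it silently, or send a refusal.
        return "drop" if self.stealth else "reject"


def prober_sees(verdict):
    """Port state an outside prober infers from a blocked packet's fate."""
    return {"drop": "stealthed", "reject": "closed"}[verdict]


# Constructed traffic. US is the page's example address; the others are
# documentation-range addresses chosen for this example.
US, WEB, PROBER = "192.168.19.34", "203.0.113.10", "198.51.100.23"


def demo(stealth=True):
    fw = ReplyOnlyFilter([US], stealth)
    traffic = [
        ("our web request", Packet(US, 49200, WEB, 80)),
        ("web server reply", Packet(WEB, 80, US, 49200)),
        ("probe of port 3127", Packet(PROBER, 40000, US, 3127)),
        ("probe of port 139", Packet(PROBER, 40001, US, 139)),
        ("fake reply to another port", Packet(WEB, 80, US, 139)),
    ]
    return [(label, fw.handle(pkt)) for label, pkt in traffic]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:<28}{verdict}")
```

A reply is matched on both addresses and both port numbers, so a packet from the web server aimed at a port we never used is still dropped.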
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are
known as protocols. Their ports are not like the ports on your computer
into which you would plug a device; they allow specific communications
between computers, applications and programmes. A port is how a programme,
computer or application communicates using TCP or UDP. For more detailed
information please visit Microsoft
Ports Assignments and Protocol Numbers. Each port on each protocol
is assigned a 'service name' and an 'alias'; e.g. TCP port 531's service
name is 'conference', its alias is 'chat' and it is the port designated
for IRC Chat.
In IP networking,
port numbers can theoretically range from 0 to 65535. Most popular network
applications, though, use port numbers at the low end of the range (such
as 80 for HTTP). The port number is included as a field within the header
of each IP packet. These 65535 ports are broken down into 3 categories.
Well Known Ports: These range from 0 through 1023 and are assigned by the
IANA (Internet Assigned Numbers Authority). These are the most commonly used
ports. For example, port 80, which is the 'http' port, is used to connect to
other web servers on the Internet and port 110 is 'POP3' which handles your
incoming e-mail.
Registered Ports: These range from 1024 through 49151 and are listed by the
IANA. On most computer systems these ports can be used through normal user
processes or executable programs by the computer user.
Dynamic and/or Private Ports: These range from 49152 through 65535.
A port number
represents an endpoint or channel for network communications. Port numbers
allow different applications on the same computer to utilize network resources
without interfering with each other. Port numbers most commonly appear
in network programming, particularly socket programming. Sometimes, though,
port numbers are made visible to the casual user. For example, some websites
a person visits on the Internet use a URL like the following:
http://www.celticsurf.net:8080/.
In this example, the number 8080 refers to the port number used by the
web browser to connect to the web server. Normally, a website uses port
80 and this number need not be included with the URL (although it can be)
as it is the default. For a complete list of all the TCP/UDP ports please
visit IANA Port Numbers or Network Ice Port Knowledgebase.
Localhost
Localhost (IP 127.0.0.1) is the default
name describing the local computer address, also known as the 'loopback'
address of the computer. For example, typing 'ping localhost' would ping
the local IP address of 127.0.0.1 (the loopback address) or, effectively,
127.0.0.1:80 as the default port is 80.
Ports used by Trojans
Trojans can be used on any port; however, there are common ports recognized
as ports used by Trojans. If you have an open port that is infected by a
Trojan, use the list below to identify the possible Trojan. This updated
list is taken from the SANS Institute.
| port 2 | Death |
| port 20 | Senna Spy FTP server |
| port 21 | Back Construction, Blade Runner, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Senna Spy FTP server, Traitor 21, WebEx, WinCrash |
| port 22 | Shaft |
| port 23 | Fire HacKer, Tiny Telnet Server - TTS, Truva Atl |
| port 25 | Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy |
| port 31 | Agent 31, Hackers Paradise, Masters Paradise |
| port 41 | Deep Throat, Foreplay or Reduced Foreplay |
| port 48 | DRAT |
| port 50 | DRAT |
| port 59 | DMSetup |
| port 79 | CDK, Firehotcker |
| port 80 | AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero |
| port 81 | RemoConChubo |
| port 99 | Hidden Port |
| port 110 | ProMail trojan |
| port 113 | Invisible Identd Deamon, Kazimas |
| port 119 | Happy99 |
| port 121 | JammerKillah |
| port 123 | Net Controller |
| port 133 | Farnaz |
| port 142 | NetTaxi |
| port 146 | Infector |
| port 146 | (UDP) - Infector |
| port 170 | A-trojan |
| port 334 | Backage |
| port 420 | Breach |
| port 421 | TCP Wrappers trojan |
| port 456 | Hackers Paradise |
| port 513 | Grlogin |
| port 514 | RPC Backdoor |
| port 531 | Rasmin |
| port 555 | Ini-Killer, Net Administrator, Phase Zero, Phase-0, Stealth Spy |
| port 605 | Secret Service |
| port 666 | Attack FTP, Back Construction, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre |
| port 667 | SniperNet |
| port 669 | DP trojan |
| port 692 | GayOL |
| port 777 | AimSpy, Undetected |
| port 808 | WinHole |
| port 911 | Dark Shadow |
| port 999 | Deep Throat, Foreplay or Reduced Foreplay, WinSatan |
| port 1000 | Der Späher / Der Spaeher |
| port 1001 | Der Späher / Der Spaeher, Le Guardien, Silencer, WebEx |
| port 1010 | Doly Trojan |
| port 1011 | Doly Trojan |
| port 1012 | Doly Trojan |
| port 1015 | Doly Trojan |
| port 1016 | Doly Trojan |
| port 1020 | Vampire |
| port 1024 | NetSpy |
| port 1042 | BLA trojan |
| port 1045 | Rasmin |
| port 1049 | /sbin/initd |
| port 1050 | MiniCommand |
| port 1054 | AckCmd |
| port 1080 | WinHole |
| port 1081 | WinHole |
| port 1082 | WinHole |
| port 1083 | WinHole |
| port 1090 | Xtreme |
| port 1095 | Remote Administration Tool - RAT |
| port 1097 | Remote Administration Tool - RAT |
| port 1098 | Remote Administration Tool - RAT |
| port 1099 | Blood Fest Evolution, Remote Administration Tool - RAT |
| port 1170 | Psyber Stream Server - PSS, Streaming Audio Server, Voice |
| port 1200 | (UDP) - NoBackO |
| port 1201 | (UDP) - NoBackO |
| port 1207 | SoftWAR |
| port 1212 | Kaos |
| port 1234 | Ultors Trojan |
| port 1243 | BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles |
| port 1245 | VooDoo Doll |
| port 1255 | Scarab |
| port 1256 | Project nEXT |
| port 1269 | Matrix |
| port 1313 | NETrojan |
| port 1338 | Millenium Worm |
| port 1349 | Bo dll |
| port 1492 | FTP99CMP |
| port 1524 | Trinoo |
| port 1600 | Shivka-Burka |
| port 1777 | Scarab |
| port 1807 | SpySender |
| port 1966 | Fake FTP |
| port 1969 | OpC BO |
| port 1981 | Bowl, Shockrave |
| port 1999 | Back Door, TransScout |
| port 2000 | Der Späher / Der Spaeher, Insane Network |
| port 2001 | Der Späher / Der Spaeher, Trojan Cow |
| port 2023 | Ripper Pro |
| port 2080 | WinHole |
| port 2115 | Bugs |
| port 2140 | The Invasor |
| port 2140 | (UDP) - Deep Throat, Foreplay or Reduced Foreplay |
| port 2155 | Illusion Mailer |
| port 2255 | Nirvana |
| port 2283 | Hvl RAT |
| port 2300 | Xplorer |
| port 2339 | Voice Spy - NOTE!!! the names have swapped places |
| port 2339 | (UDP) - Voice Spy - NOTE!!! the names have swapped places |
| port 2345 | Doly Trojan |
| port 2565 | Striker trojan |
| port 2583 | WinCrash |
| port 2600 | Digital RootBeer |
| port 2716 | The Prayer |
| port 2773 | SubSeven, SubSeven 2.1 Gold |
| port 2801 | Phineas Phucker |
| port 2989 | (UDP) - Remote Administration Tool - RAT |
| port 3000 | Remote Shut |
| port 3024 | WinCrash |
| port 3128 | RingZero |
| port 3129 | Masters Paradise |
| port 3150 | The Invasor |
| port 3150 | (UDP) - Deep Throat, Foreplay or Reduced Foreplay |
| port 3456 | Terror trojan |
| port 3459 | Eclipse 2000, Sanctuary |
| port 3700 | Portal of Doom - POD |
| port 3791 | Total Solar Eclypse |
| port 3801 | Total Solar Eclypse |
| port 4000 | Skydance |
| port 4092 | WinCrash |
| port 4242 | Virtual Hacking Machine - VHM |
| port 4321 | BoBo |
| port 4444 | Prosiak, Swift Remote |
| port 4567 | File Nail |
| port 4590 | ICQ Trojan |
| port 4950 | ICQ Trogen (Lm) |
| port 5000 | Back Door Setup, Blazer5, Bubbel, ICKiller, Sockets des Troie |
| port 5001 | Back Door Setup, Sockets des Troie |
| port 5002 | cd00r, Shaft |
| port 5010 | Solo |
| port 5011 | One of the Last Trojans - OOTLT, One of the Last Trojans - OOTLT, modified |
| port 5025 | WM Remote KeyLogger |
| port 5031 | Net Metropolitan |
| port 5032 | Net Metropolitan |
| port 5321 | Firehotcker |
| port 5343 | wCrat - WC Remote Administration Tool |
| port 5400 | Back Construction, Blade Runner |
| port 5401 | Back Construction, Blade Runner |
| port 5402 | Back Construction, Blade Runner |
| port 5512 | Illusion Mailer |
| port 5550 | Xtcp |
| port 5555 | ServeMe |
| port 5556 | BO Facil |
| port 5557 | BO Facil |
| port 5569 | Robo-Hack |
| port 5637 | PC Crasher |
| port 5638 | PC Crasher |
| port 5742 | WinCrash |
| port 5760 | Portmap Remote Root Linux Exploit |
| port 5882 | (UDP) - Y3K RAT |
| port 5888 | Y3K RAT |
| port 6000 | The Thing |
| port 6006 | Bad Blood |
| port 6272 | Secret Service |
| port 6400 | The Thing |
| port 6666 | Dark Connection Inside, NetBus worm |
| port 6667 | ScheduleAgent, Trinity, WinSatan |
| port 6669 | Host Control, Vampire |
| port 6670 | BackWeb Server, Deep Throat, Foreplay or Reduced Foreplay, WinNuke eXtreame |
| port 6711 | BackDoor-G, SubSeven, VP Killer |
| port 6712 | Funny trojan, SubSeven |
| port 6713 | SubSeven |
| port 6723 | Mstream |
| port 6771 | Deep Throat, Foreplay or Reduced Foreplay |
| port 6776 | 2000 Cracks, BackDoor-G, SubSeven, VP Killer |
| port 6838 | (UDP) - Mstream |
| port 6883 | Delta Source DarkStar (??) |
| port 6912 | Shit Heep |
| port 6939 | Indoctrination |
| port 6969 | GateCrasher, IRC 3, Net Controller, Priority |
| port 6970 | GateCrasher |
| port 7000 | Exploit Translation Server, Kazimas, Remote Grab, SubSeven 2.1 Gold |
| port 7001 | Freak88 |
| port 7215 | SubSeven, SubSeven 2.1 Gold |
| port 7300 | NetMonitor |
| port 7301 | NetMonitor |
| port 7306 | NetMonitor |
| port 7307 | NetMonitor |
| port 7308 | NetMonitor |
| port 7424 | Host Control |
| port 7424 | (UDP) - Host Control |
| port 7597 | Qaz |
| port 7777 | Tini |
| port 7789 | Back Door Setup, ICKiller |
| port 7983 | Mstream |
| port 8080 | Brown Orifice, RemoConChubo, RingZero |
| port 8787 | Back Orifice 2000 |
| port 8988 | BacHack |
| port 8989 | Rcon, Recon, Xcon |
| port 9000 | Netministrator |
| port 9325 | (UDP) - Mstream |
| port 9400 | InCommand |
| port 9872 | Portal of Doom - POD |
| port 9873 | Portal of Doom - POD |
| port 9874 | Portal of Doom - POD |
| port 9875 | Portal of Doom - POD |
| port 9876 | Cyber Attacker, Rux |
| port 9878 | TransScout |
| port 9989 | Ini-Killer |
| port 9999 | The Prayer |
| port 10067 | (UDP) - Portal of Doom - POD |
| port 10085 | Syphillis |
| port 10086 | Syphillis |
| port 10101 | BrainSpy |
| port 10167 | (UDP) - Portal of Doom - POD |
| port 10520 | Acid Shivers |
| port 10528 | Host Control |
| port 10607 | Coma |
| port 10666 | (UDP) - Ambush |
| port 11000 | Senna Spy Trojan Generator |
| port 11050 | Host Control |
| port 11051 | Host Control |
| port 11223 | Progenic trojan, Secret Agent |
| port 12076 | Gjamer |
| port 12223 | Hack´99 KeyLogger |
| port 12345 | cron / crontab, Fat Bitch trojan, GabanBus, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill |
| port 12346 | Fat Bitch trojan, GabanBus, NetBus, X-bill |
| port 12349 | BioNet |
| port 12361 | Whack-a-mole |
| port 12362 | Whack-a-mole |
| port 12623 | (UDP) - DUN Control |
| port 12624 | ButtMan |
| port 12631 | Whack Job |
| port 12754 | Mstream |
| port 13000 | Senna Spy Trojan Generator |
| port 13010 | Hacker Brasil - HBR |
| port 14500 | PC Invader |
| port 15092 | Host Control |
| port 15104 | Mstream |
| port 15858 | CDK |
| port 16484 | Mosucker |
| port 16660 | Stacheldraht |
| port 16772 | ICQ Revenge |
| port 16969 | Priority |
| port 17166 | Mosaic |
| port 17300 | Kuang2 the virus |
| port 17449 | Kid Terror |
| port 17499 | CrazzyNet |
| port 17777 | Nephron |
| port 18753 | (UDP) - Shaft |
| port 19864 | ICQ Revenge |
| port 20000 | Millenium |
| port 20001 | Millenium, Millenium (Lm) |
| port 20002 | AcidkoR |
| port 20023 | VP Killer |
| port 20034 | NetBus 2.0 Pro, NetRex, Whack Job |
| port 20203 | Chupacabra |
| port 20331 | BLA trojan |
| port 20432 | Shaft |
| port 20433 | (UDP) - Shaft |
| port 21544 | GirlFriend, Kid Terror |
| port 21554 | Exploiter, Kid Terror, Schwindler, Winsp00fer |
| port 22222 | Donald Dick, Prosiak |
| port 23005 | NetTrash |
| port 23023 | Logged |
| port 23032 | Amanda |
| port 23432 | Asylum |
| port 23456 | Evil FTP, Ugly FTP, Whack Job |
| port 23476 | Donald Dick |
| port 23476 | (UDP) - Donald Dick |
| port 23477 | Donald Dick |
| port 26274 | (UDP) - Delta Source |
| port 26681 | Voice Spy - NOTE!!! the names have swapped places |
| port 27374 | Bad Blood, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8 |
| port 27444 | (UDP) - Trinoo |
| port 27573 | SubSeven |
| port 27665 | Trinoo |
| port 29104 | NetTrojan |
| port 29891 | The Unexplained |
| port 30001 | ErrOr32 |
| port 30003 | Lamers Death |
| port 30029 | AOL trojan |
| port 30100 | NetSphere |
| port 30101 | NetSphere |
| port 30102 | NetSphere |
| port 30103 | NetSphere |
| port 30103 | (UDP) - NetSphere |
| port 30133 | NetSphere |
| port 30303 | Sockets des Troie |
| port 30947 | Intruse |
| port 30999 | Kuang2 |
| port 31335 | Trinoo |
| port 31336 | Bo Whack, Butt Funnel |
| port 31337 | Back Fire, Back Orifice (Lm), Back Orifice russian, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, icmp_pipe.c, Sockdmini |
| port 31337 | (UDP) - Back Orifice, Deep BO |
| port 31338 | Back Orifice, Butt Funnel, NetSpy (DK) |
| port 31338 | (UDP) - Deep BO |
| port 31339 | NetSpy (DK) |
| port 31666 | BOWhack |
| port 31785 | Hack´a´Tack |
| port 31788 | Hack´a´Tack |
| port 31789 | (UDP) - Hack´a´Tack |
| port 31790 | Hack´a´Tack |
| port 31791 | (UDP) - Hack´a´Tack |
| port 31792 | Hack´a´Tack |
| port 32001 | Donald Dick |
| port 32100 | Peanut Brittle, Project nEXT |
| port 32418 | Acid Battery |
| port 33270 | Trinity |
| port 33333 | Blakharaz, Prosiak |
| port 33577 | PsychWard |
| port 33777 | PsychWard |
| port 33911 | Spirit 2000, Spirit 2001 |
| port 34324 | Big Gluck, TN |
| port 34444 | Donald Dick |
| port 34555 | (UDP) - Trinoo (for Windows) |
| port 35555 | (UDP) - Trinoo (for Windows) |
| port 37651 | Yet Another Trojan - YAT |
| port 40412 | The Spy |
| port 40421 | Agent 40421, Masters Paradise |
| port 40422 | Masters Paradise |
| port 40423 | Masters Paradise |
| port 40426 | Masters Paradise |
| port 41666 | Remote Boot Tool - RBT, Remote Boot Tool - RBT |
| port 44444 | Prosiak |
| port 47262 | (UDP) - Delta Source |
| port 50505 | Sockets des Troie |
| port 50766 | Fore, Schwindler |
| port 51966 | Cafeini |
| port 52317 | Acid Battery 2000 |
| port 53001 | Remote Windows Shutdown - RWS |
| port 54283 | SubSeven, SubSeven 2.1 Gold |
| port 54320 | Back Orifice 2000 |
| port 54321 | Back Orifice 2000, School Bus |
| port 57341 | NetRaider |
| port 58339 | Butt Funnel |
| port 60000 | Deep Throat, Foreplay or Reduced Foreplay, Sockets des Troie |
| port 60068 | Xzip 6000068 |
| port 60411 | Connection |
| port 61348 | Bunker-Hill |
| port 61466 | TeleCommando |
| port 61603 | Bunker-Hill |
| port 63485 | Bunker-Hill |
| port 64101 | Taskman / Task Manager |
| port 65000 | Devil, Sockets des Troie, Stacheldraht |
| port 65432 | The Traitor (= th3tr41t0r) |
| port 65432 | (UDP) - The Traitor (= th3tr41t0r) |
| port 65534 | /sbin/initd |
| port 65535 | RC1 trojan |
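One way to check your own machine against the ports named on this page, as an added example that is not part of the original page: it reads `netstat -an` output, keeps the sockets that are accepting packets, and reports those reachable from outside the machine. The function names are hypothetical, the netstat sample is constructed, and the labels in `WATCHED` are taken from the text and list above.

```python
import ipaddress

# Ports named on this page, with the page's own description of each.
WATCHED = {
    137: "Windows file sharing",
    138: "Windows file sharing",
    139: "Windows file sharing",
    3127: "opened by the MyDoom virus",
    12345: "NetBus (Trojan port list)",
    27374: "SubSeven (Trojan port list)",
    31337: "Back Orifice (Trojan port list)",
}

# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.19.34:49200    203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


def listeners(netstat_text):
    """Yield (proto, ip, port) for each socket that accepts incoming packets."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][:3].upper() not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto = fields[0][:3].upper()
        # A TCP port is 'open' only in the LISTEN/LISTENING state; UDP has
        # no such state, so every bound UDP socket counts.
        if proto == "TCP" and not any(f.upper().startswith("LISTEN") for f in fields):
            continue
        local = next((f for f in fields[1:] if ":" in f), "")
        host, _, port = local.rpartition(":")
        try:
            yield proto, ipaddress.ip_address(host.strip("[]")), int(port)
        except ValueError:
            continue  # wildcard or unparseable local address


def exposure(ip):
    """Say who can reach a listener bound to this local address."""
    if ip.is_loopback:
        return "loopback only"
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface, modem included
        return "all interfaces"
    return "one interface"


def audit(netstat_text):
    """Return (proto, port, exposure, note) for listeners reachable off-host."""
    findings = []
    for proto, ip, port in listeners(netstat_text):
        reach = exposure(ip)
        if reach != "loopback only":
            findings.append((proto, port, reach, WATCHED.get(port, "")))
    return sorted(findings, key=lambda f: (f[1], f[0]))
```

Pass `audit()` the text of `netstat -an` from your own computer; a listener on a watched port only says which program to look at next, since ordinary software can use the same port numbers.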