The strongest in history? From 0 to 33600 Logical Port Details (5)

  

Common Network Ports (Complete)

553 CORBA IIOP (UDP) If you are on a cable modem or DSL VLAN, you will see broadcasts to this port. CORBA is an object-oriented RPC (remote procedure call) system. A hacker can use this information to get into the system.

600 pcserver backdoor Please see port 1524.
Some children who play with scripts think they have completely compromised the system by modifying the ingreslock and pcserver files. -- Alan J. Rosenthal

635 mountd Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but scans against TCP-based mountd have increased (mountd runs on both ports simultaneously). Remember that mountd can run on any port (to find out which one, you need to query the portmapper on port 111), but Linux defaults to port 635, just as NFS usually runs on port 2049.

1024 Many people ask what this port is for. It is the start of the dynamic ports. Many programs do not care which port they use to connect to the network; they ask the operating system to assign them the "next idle port". That allocation starts at port 1024, which means that the first program to request a dynamic port from the system is assigned port 1024. To verify this, reboot the machine, open Telnet, then open another window and run "netstat -a": you will see that Telnet has been assigned port 1024. The more programs make requests, the more dynamic ports are in use, and the port numbers assigned by the operating system gradually get larger. Likewise, while you browse the web, look at "netstat": each web page needs a new port.

1025,1026 See 1024

1080 SOCKS This protocol tunnels through the firewall, allowing many people behind the firewall to access the Internet through one IP address. In theory it should only allow internal traffic to reach the Internet. When it is misconfigured, however, it lets hacker/cracker attacks from outside the firewall pass through the firewall, or lets them simply bounce off it toward other computers on the Internet to cover up their direct attacks on you. WinGate is a common Windows personal firewall, and this misconfiguration often occurs with it. It is often seen when joining an IRC chat room.

1114 SQL This port is rarely scanned by itself, but it is often part of the sscan script.


1243 Sub-7 Trojan (TCP)

1524 ingreslock backdoor Many attack scripts install a backdoor shell on this port (especially scripts for sendmail and RPC service vulnerabilities on Sun systems, such as statd, ttdbserver and cmsd). If you have just installed your firewall and you see connection attempts on this port, this is probably the reason. You can try Telnet to this port on your own machine and see whether it gives you a shell. The same problem exists for connections to 600/pcserver.

2049 NFS NFS programs often run on this port. Usually you need to access the portmapper to query which port the service is running on, but in most cases NFS runs on this port after installation, so a hacker/cracker can bypass the portmapper and test the port directly.

3128 squid This is the default port for the Squid HTTP proxy server. Attackers scan this port to search for a proxy server through which they can access the Internet anonymously. You will also see scans of the ports used to search for other proxy servers: 8000/8001/8080/8888. Another reason this port is scanned is that the user is entering a chat room: other users (or the server itself) will also check this port to determine whether the user's machine supports a proxy.

5632 pcAnywhere You will see a lot of scans of this port, depending on where you are. When a user opens pcAnywhere, it automatically scans the LAN's Class C network for possible agents (translator: this refers to an agent, not a proxy). Hackers/crackers also look for machines with this service open, so you should look at the source address of the scan. Some scans that search for pcAnywhere also contain UDP packets for port 22.

6776 Sub-7 artifact This port is used for transferring data, separately from the Sub-7 main port. For example, when the controller is controlling another machine over a telephone line and the controlled machine hangs up, you will see this. When another person then dials in and gets this IP address, they will see persistent connection attempts on this port. (Translator: When you see the firewall report a connection attempt on this port, it does not mean that you have been controlled by Sub-7.)

6970 RealAudio RealAudio clients receive audio data streams from the server on UDP ports 6970-7170. This is set up by the outgoing control connection on TCP port 7070.

13223 PowWow PowWow is a chat program from Tribal Voice. It allows users to open private chat connections on this port. The program is very "aggressive" about establishing a connection: it will "stay" on this TCP port and wait for a response. This produces connection attempts at regular intervals, like a heartbeat. If you are a dial-up user who "inherits" an IP address from another chatter, it will look as though many different people are testing this port. The protocol uses "OPNG" as the first four bytes of its connection attempt.

17027 Conducent This is an outgoing connection. It is caused by someone inside the company having installed shareware that contains the Conducent "adbot". Conducent "adbot" is an ad display service for shareware. One popular piece of software that uses this service is Pkware. Someone experimented: blocking this outbound connection causes no problems, but blocking the IP addresses themselves makes the adbot keep trying to connect many times per second, overloading the connection.
The machine will constantly try to resolve the DNS name Ads.conducent.com, i.e. IP addresses 216.33.1210.40; 216.33.199.77; 216.33.199.80; 216.33.199.81; 216.33.210.41. (Translator: I don't know whether Radient, used by NetAnts, also has this phenomenon.)

27374 Sub-7 Trojan (TCP)

30100 NetSphere Trojan (TCP) Usually this port is scanned to find the NetSphere Trojan.

31337 Back Orifice "elite" In hacker spelling, 31337 reads "elite" /ei'li:t/ (Translator: French, meaning the backbone or essence; that is, 3=E, 1=L, 7=T). That is why many backdoor programs run on this port. The most famous of these is Back Orifice. For a while this was the most common scan on the Internet. It is now becoming less and less popular, while other Trojans are becoming more and more popular.

31789 Hack-a-tack UDP traffic on this port is usually due to the "Hack-a-tack" remote access Trojan (RAT). This Trojan contains a built-in port 31790 scanner, so any connection from port 31789 to port 31790 means that such an intrusion has already taken place. (Port 31789 is the control connection; port 31790 is the file transfer connection.)

32770~32900 RPC service Sun Solaris RPC services are in this range. In detail: earlier versions of Solaris (before 2.5.1) put the portmapper in this range, allowing a hacker/cracker to reach it even if the low port is blocked by a firewall. Scans of ports in this range are either looking for a portmapper or looking for a known RPC service that can be attacked.

33434~33600 traceroute If you see UDP packets in this port range (and only within this range) it may be due to traceroute.
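The reading rules given in the entries above (33434~33600 only counts as traceroute when a source stays inside that range, 31789 to 31790 over UDP, the "OPNG" prefix on 13223, and 6776 not being proof of compromise) can be applied to firewall records as follows. This is an added example, not part of the original page; the record layout, sample addresses and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample firewall records (not real traffic):
# (src_ip, proto, src_port, dst_port, first_payload_bytes)
SAMPLE_LOG = [
    ("198.51.100.7", "udp", 40001, 33434, b""),
    ("198.51.100.7", "udp", 40001, 33435, b""),
    ("203.0.113.9", "udp", 40100, 33440, b""),
    ("203.0.113.9", "udp", 40100, 32771, b""),   # leaves the traceroute range
    ("192.0.2.44", "udp", 31789, 31790, b""),
    ("192.0.2.80", "tcp", 2301, 13223, b"OPNG\x00\x01"),
    ("192.0.2.81", "tcp", 2302, 13223, b"GET "),
    ("192.0.2.90", "tcp", 2400, 1524, b""),
    ("192.0.2.91", "tcp", 2500, 6776, b""),
]
TRACEROUTE = range(33434, 33601)   # 33434~33600 inclusive
SUN_RPC = range(32770, 32901)      # 32770~32900 inclusive

def classify(rec):
    """Label one record using the per-port notes from the list above."""
    _src, proto, sport, dport, payload = rec
    if proto == "udp" and sport == 31789 and dport == 31790:
        return "hack-a-tack traffic: treat as existing intrusion"
    if proto == "tcp" and dport == 13223:
        if payload[:4] == b"OPNG":
            return "PowWow chat attempt"
        return "tcp/13223 without OPNG prefix"
    if proto == "tcp" and dport in (600, 1524):
        return "backdoor-shell probe: check for a local listener"
    if proto == "tcp" and dport == 6776:
        return "Sub-7 data-port attempt: not proof of compromise"
    if dport in SUN_RPC:
        return "Solaris high-port RPC scan"
    return "unclassified"

def triage(log):
    """Group records by source, then apply the per-source traceroute rule."""
    by_src = defaultdict(list)
    for rec in log:
        by_src[rec[0]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        # "and only within this range": every packet from this source must be
        # UDP to 33434~33600 before the source is written off as traceroute.
        if all(r[1] == "udp" and r[3] in TRACEROUTE for r in recs):
            verdicts[src] = ["probable traceroute"]
        else:
            verdicts[src] = [classify(r) for r in recs]
    return verdicts

if __name__ == "__main__":
    for src, labels in triage(SAMPLE_LOG).items():
        print(src, labels)
```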
