One of the biggest problems when you log the odd connection to a port is simply figuring out what in the world someone hoped to find there. Here's a compilation of various ports that might come up in scan logs, along with services, trojans, etc that someone might have been hoping to find.
In some cases the sources I used reported a port, but did not specify whether it was TCP or UDP. In these cases I've put a "?" in the Protocol column.
A "YES" in the Trojan column indicates that the program(s) listed in the "What Uses This Port?" column are trojan horses, generally (heck, at this point exclusively) targeted at Windows users. Scans for these ports should always be considered hostile.
In some cases, a port might be used by both traditional services (mail, http, etc) and by various trojans. In these cases I've made a second entry for the trojans, rather than lumping them in with the traditional services. Connections to these ports *might* be the result of curiosity rather than malice: i.e., someone connecting to TCP port 80 might just be wondering if you have a neat web server running, rather than searching for the Executor trojan.
For a full list of these traditional services, please refer to RFC 1700, Assigned Numbers. This is the official list of which services have been assigned which ports. (This is a local copy maintained on Hugin for your convenience. It's a tad large, so if you're going to be using it a lot, I'd appreciate it if you simply downloaded it to your own machine. :-)
Another nice page for finding information on the "well-known" (i.e., established, legitimate) services is at Wesleyan University. It has links for many of the services that provide additional information, such as relevant RFCs.
Comments, suggestions, etc can be sent to webmaster-at-ehugin-dot-com.
Port    Protocol  Trojan  What Uses This Port?
-----   --------  ------  ---------------------------------------------------
7       TCP/UDP           echo
20      TCP               ftp
21      TCP               ftp
21      TCP       YES     Blade Runner, Doly, Fore, Invisible FTP,
                          WebEx, WinCrash
22      TCP               ssh
22      UDP               pcAnywhere
23      TCP               telnet
23      TCP       YES     Tiny Telnet Server
25      TCP               smtp
25      TCP       YES     Antigen, Email Password Sender, Haebu Coceda,
                          Shrilitz Stealth, Terminator, WinPC, WinSpy,
                          Kuang2
31      TCP               Hackers Paradise
49      TCP/UDP           TACACS (Cisco access control system)
53      TCP/UDP           dns
69      UDP               tftp
80      TCP               http
80      TCP       YES     Executor
109     TCP               pop2
110     TCP               pop3
111     TCP/UDP           portmapper
113     TCP               identd/AUTH
119     TCP               nntp/news
137     TCP/UDP           NetBIOS Name Service (Windows)
138     TCP/UDP           NetBIOS Datagram Service (Windows)
139     TCP               NetBIOS Session Service (Windows), Gnomba (Unix)
143     TCP               imap
161     UDP               snmp
256     TCP               SecuRemote VPN
257     TCP               SecuRemote VPN
258     TCP               SecuRemote VPN
321     TCP               Presence Information Protocol
370     UDP               McAfee SecureCast (outgoing)
371     UDP               McAfee SecureCast (incoming)
456     TCP       YES     Hackers Paradise
465     TCP               SMTP over SSL
555     TCP       YES     Stealth Spy, Phase0, iNi-Killer
631     TCP               Internet Printing Protocol
635     TCP/UDP           mountd (Linux)
639     TCP       YES     Backdoor-G-1
666     TCP       YES     Attack FTP, Satanz Backdoor
808     TCP               Wingate configuration port
901     TCP               SAMBA Web Administration Tool (SWAT)
1001    TCP       YES     Silencer, WebEx
1002    TCP               LDAP
1011    TCP       YES     Doly
1033    ?         YES     Netspy
1042    ?         YES     Bla
1080    TCP       YES     SOCKS (proxy server)
1095    ?         YES     Rat
1097    ?         YES     Rat
1098    ?         YES     Rat
1099    ?                 Java RMI Server
1099    ?         YES     Rat
1170    TCP       YES     Streaming Audio Trojan, Voice
1234    TCP       YES     Ultors
1243    TCP       YES     SubSeven
1245    TCP       YES     Voodoo Doll
1349    UDP       YES     Back Orifice DLL
1492    TCP       YES     FTP99CMP
1505    UDP               FunkProxy
1509    ?         YES     Psyber Streaming Server
1600    TCP       YES     Shiva-Burka
1807    TCP       YES     SpySender
1975    ?                 GoZilla, CuteFTP, MP3Friend (d/l ads from aureate.com?)
1981    TCP       YES     ShockRave
1999    TCP       YES     Backdoor
2001    TCP       YES     TrojanCow
2023    TCP       YES     Pass Ripper
2115    TCP       YES     Bugs
2140    TCP/UDP   YES     Deep Throat
2140    TCP       YES     Invasor
2155    ?         YES     Bugs
2283    ?         YES     HVL Rat5
2565    ?         YES     Striker
2583    ?         YES     WinCrash2
2801    TCP       YES     Phineas Phucker
3024    TCP       YES     WinCrash
3129    TCP       YES     Master's Paradise
3150    TCP/UDP   YES     Deep Throat
3150    TCP       YES     Invasor
3389    TCP               Microsoft TSAC (Terminal Server Advanced Client)
3700    TCP       YES     Portal Of Doom
4092    TCP       YES     WinCrash
4567    TCP       YES     FileNail
4590    TCP       YES     ICQTrojan
4950    ?         YES     ICQTrojan
5000    TCP       YES     Sockets de Troie, Bubbel
5001    TCP       YES     Sockets de Troie
5190    TCP               AOL Instant Messenger
5321    TCP       YES     Firehotcker
5400    ?         YES     BackConstruction
5400    TCP       YES     BladeRunner
5401    TCP       YES     BladeRunner
5402    TCP       YES     BladeRunner
5500    TCP       YES     HotLine Server
5550    ?         YES     Xtcp
5569    TCP       YES     RoboHack
5631    TCP               pcAnywhere
5632    UDP               pcAnywhere
5742    TCP       YES     WinCrash
5882    UDP       YES     Y3K RAT
6000    TCP               XWindows (display #0)
6001    TCP               XWindows (display #1)
6002    TCP               XWindows (display #2)
6400    ?         YES     The tHing
6080    ?                 BridgeChannel, BridgeStation
6670    TCP/UDP   YES     Deep Throat
6711    TCP       YES     SubSeven
6771    TCP/UDP   YES     Deep Throat
6776    TCP       YES     SubSeven
6883    ?         YES     DeltaSource
6939    ?         YES     Indoctrination
6969    TCP       YES     GateCrasher, Priority
6970    UDP               RealAudio (potentially any UDP port in 6970-7170)
7000    TCP       YES     RemoteGrab
7070    UDP               RealAudio (potentially any UDP port in 6970-7170)
7170    UDP               RealAudio (potentially any UDP port in 6970-7170)
7300    TCP       YES     NetMonitor
7301    TCP       YES     NetMonitor
7306    TCP       YES     NetMonitor
7307    TCP       YES     NetMonitor
7308    TCP       YES     NetMonitor
7777    UDP               Unreal (game) Server, Klingon Honor Guard (game) Server
7789    TCP       YES     ICQKiller
8000    TCP               Proxy server
8080    TCP               Proxy server
8875    TCP               Napster
8888    TCP               Napster
9704    TCP               rpc.statd buffer overflow exploit (Unix)
9872    TCP       YES     Portal Of Doom
9873    TCP       YES     Portal Of Doom
9874    TCP       YES     Portal Of Doom
9875    TCP       YES     Portal Of Doom
9989    TCP       YES     iNi-Killer
10067   TCP       YES     Portal Of Doom
10167   TCP       YES     Portal Of Doom
10607   TCP       YES     Coma
11000   TCP       YES     Senna Spy
11223   TCP       YES     Progenic
12223   TCP       YES     Hack'99 Keylogger
12076   TCP       YES     Gjamer
12345   TCP       YES     Netbus, GabanBus
12346   TCP       YES     Netbus, GabanBus
12361   TCP       YES     Whack-A-Mole
12362   TCP       YES     Whack-A-Mole
13223   TCP               PowWow Chat
14237   TCP               PalmPilot Network Hotsync
14328   UDP               PalmPilot Network Hotsync
16969   TCP       YES     Priority
17300   ?         YES     Kuang2
20000   TCP       YES     Millenium
20001   TCP       YES     Millenium
20034   TCP       YES     Netbus Pro
20331   ?         YES     Bla
21554   TCP       YES     Girlfriend
22222   TCP       YES     Prosiak
22450   UDP               Sin (game) Server
23456   ?         YES     WhackJob
23456   TCP       YES     Ugly FTP, Evil FTP
26000   UDP               Quake (game) Server
26274   TCP       YES     Delta
26900   UDP               Hexen 2 (game) Server
26950   UDP               Hexen World (game) Server
27015   UDP               Half Life (game) Server
27374   TCP               Sub7 (v2.1)
27500   UDP               Quake World (game) Server
27910   UDP               Quake 2 (game) Server
28431   UDP       YES     Hack Attack 2000
28910   UDP               Heretic 2 (game) Server
29891   ?         YES     The Unexplained
30029   ?         YES     AOLTrojan
30100   TCP       YES     NetSphere
30101   TCP       YES     NetSphere
30102   TCP       YES     NetSphere
30103   TCP/UDP   YES     NetSphere
30303   ?         YES     Socket23
30999   ?         YES     Kuang
31335   UDP       YES     Trin00 (broadcast, registration daemon)
31337   UDP       YES     BackOrifice (aka "BO")
31337   TCP       YES     NetPatch
31338   UDP       YES     BackOrifice, Deep BO
31339   TCP       YES     NetSpy
31666   UDP       YES     BOWhack
31785   TCP       YES     Hack'A'Tack
31787   TCP       YES     Hack'A'Tack
31789   TCP/UDP   YES     Hack'A'Tack
31791   TCP/UDP   YES     Hack'A'Tack
33333   TCP       YES     Prosiak
34324   ?         YES     Tiny Telnet Server
34324   TCP       YES     BigGluck
40412   TCP       YES     TheSpy
40421   TCP       YES     Master's Paradise
40422   TCP       YES     Master's Paradise
40423   TCP       YES     Master's Paradise
40425   TCP       YES     Master's Paradise
40426   TCP       YES     Master's Paradise
47262   TCP       YES     Delta
47624   UDP               Microsoft DirectPlay
50505   TCP       YES     Sockets de Troie
50766   TCP       YES     Fore
53001   TCP       YES     Remote Windows Shutdown
54321   TCP       YES     SchoolBus
61466   TCP       YES     Telecommando
65000   TCP       YES     Devil
65301   TCP               pcAnywhere
69123*  TCP       YES     ShitHeep

* This one is on several lists, but I'm not sure it's legit since
  the highest TCP port number is 65535.
Although some of the sources are from Usenet postings, others are from web sites that other people and businesses have compiled. Here are links to these sites:
Extra thanks to David Bryant, who's been passing along info on several of the less-documented services (Pilot netsync, swat, Quake, and assorted Unix utils), as well as several excellent links (Ohio State RFC repository, XForce, and others). Someday I will add links for those odd-ball ports, honest! :-)