| Port | Service | Description |
|------|---------|-------------|
| 21 | FTP | Activity on port 21/TCP is often related to searches for anonymous FTP (File Transfer Protocol) servers. Such servers often allow anonymous users to read and write files, and can then be used to store warez. Furthermore, many serious vulnerabilities have been found in various FTP server implementations, allowing an attacker to overflow stack buffers and gain super-user privileges. Scanning on this port may therefore aim to identify and compromise a vulnerable FTP server implementation. |
| 22 | SSH | Port 22/TCP is assigned to the Secure Shell (SSH) service. SSH encrypts data transmission, making safe remote work possible. The service is very popular, especially on Unix systems. In the past, bugs allowing root privileges were found in many SSH implementations. Because of this, and because SSH is often the only listening service, port 22/TCP became one of the most popular targets of attacks, including brute-force password guessing attempts. |
| 23 | TELNET | Port 23/TCP is assigned to telnet, a protocol for remote work. Unlike SSH, telnet sends commands in clear text. Even though this is considered insecure, it is quite often enabled by default on some Unix distributions. Telnet is also often used to manage routers and switches. Most operating systems print characteristic banners when a user connects to a telnet server, so scanning port 23/TCP may signify attempts to identify a system. Serious bugs were also discovered in many telnet servers in the past. |
| 25 | SMTP | Port 25/TCP is very often scanned by spammers looking for open-relay mail servers that can be used to send spam. Mail servers are also known for having had many bugs allowing root privileges (especially sendmail). Bugs are still discovered, but not as often or as serious as in the past. The SMTP protocol may also be used to identify users of the system (via the VRFY and EXPN commands). This user enumeration allows simple dictionary attacks on passwords (via telnet, for example). Electronic mail is also heavily used to propagate worms and viruses. |
| 42 | WINS | Scanning port 42/TCP is probably mostly due to a bug in the WINS service (Microsoft Windows). A method of exploiting this bug was published on the Internet. The WINS service is not installed on Microsoft Windows by default. |
| 53 | DNS | DNS (Domain Name System) translates hostnames to IP addresses and is one of the fundamental Internet protocols. Scanning port 53/TCP may be an attempt to find out the DNS server version (many bugs were found in older DNS server implementations, especially in ISC BIND). Requests to port 53/TCP may also signify attempts to transfer DNS zone files. |
| 79 | FINGER | The port is used by the finger daemon. Finger provides information about the operating system and about users on the system. The finger service is also often used as a proxy for finger requests to other systems. The finger service has had security issues in the past; the best known was exploited by the famous Morris Internet Worm in 1988. |
| 80 | HTTP | Port 80/TCP is used by WWW servers, which listen for requests via the HTTP protocol. WWW servers are popular targets of attacks. Vulnerabilities allowing remote code execution are discovered quite often. These vulnerabilities are due to implementation bugs at the server level (now a rarity) or bugs in scripting languages (CGI, PHP level bugs). Since WWW servers and the HTTP protocol can be found virtually everywhere, they are an attractive |
| 110 | POP3 | POP3 is a protocol for remote access to mailboxes. Many bugs have been found in POP3 servers allowing access to the system with various privileges. Exploiting some of these bugs is possible without prior authentication. However, scanning for POP3 bugs is rare. If new serious vulnerabilities are found, port 110 may again become a popular target of attacks. |
| 111 | portmap | Requests to port 111 may be attempts to acquire lists of available RPC services, such as rpc.mountd, NFS, rpc.statd etc. If an intruder knows the port number on which a service is running, he will probably try to attack the service directly. RPC services have many documented vulnerabilities, and port 111 should be blocked on firewalls. |
| 113 | identd | Ident serves to remotely identify the owner of the process that initiated a connection. Ident is mostly checked by IRC servers (but sometimes FTP, SMTP or POP servers use it as well). Requests to this port are usually sent in reply to a connection initiated from the inside. Scanning port 113 is rare. Packets to port 113 blocked by a firewall usually signify that someone from our network has connected to a service that then queried the initiating host for ident information for logging or access-control purposes. |
| 119 | NNTP | Port 119/TCP is associated with NNTP servers, which can be part of the global USENET network (discussion groups). Scanning this port is rare and aims to find open servers that allow anonymous posting of messages or spam. |
| 135 | loc-srv/epmap | Port 135/TCP is used by the Microsoft RPC Endpoint Mapper. In general, this service has a role similar to the portmap daemon on Unix. In 2003 serious vulnerabilities were found in Microsoft RPC that allowed remote code execution with SYSTEM privileges. Microsoft RPC vulnerabilities are exploited by well-known worms such as Blaster and Nachi/Welchia and by the Agobot/Phatbot trojan. Scanning this port also used to be popular because it made it possible to enumerate the Windows services running at the moment. Furthermore, port 135/UDP is used to send winpopup messages via the Windows Messenger Service (WMS), which makes it an attractive target for spammers. Because port 135/UDP is often blocked by Internet providers, spam is often sent to ports 1025-1028, which are usually assigned to the WMS service. |
| 137 | NetBIOS name service (nbtstat) | nbtstat translates IP addresses to NetBIOS names. Windows workstations send packets to port 137/UDP for name mapping. Requests to this port may also be sent by worms searching for open Windows shares or collecting information. |
| 139 | NetBIOS file sharing | The SMB protocol (Server Message Block) allows Windows resources to be shared. Although this is a powerful and useful feature of Windows, improper configuration may give intruders a way to take full control of the host. Because Windows resources are a very attractive target, port 139 is often scanned. Many Windows bugs allowing remote code execution have been reachable via port 139/TCP. There is also a non-Windows SMB implementation called Samba. Bugs discovered in Samba's implementation could lead to heap corruption and execution of arbitrary commands on the system with root privileges, or possibly cause a denial of service. |
| 143 | IMAP | The IMAP4 protocol is used for remote access to mailboxes. An IMAP4 server usually works on port 143/TCP. Many vulnerabilities have been found in IMAP4 servers, including ones allowing remote code execution with root privileges. Because of this, port 143/TCP became a target of worm attacks. The well-known admw0rm attacked Linux systems by exploiting IMAP4 vulnerabilities. |
| 161 | SNMP | The Simple Network Management Protocol (SNMP) is an application-layer protocol designed to facilitate the exchange of management information between network devices. SNMP agents listen on port 161/UDP. This port is scanned because SNMP passwords (community names) that allow reading and changing device configuration are usually easy to guess. Moreover, many vulnerabilities are documented in SNMP implementations, and scanning port 161/UDP is usually an attempt to exploit them. |
| 443 | https | This port is used by HTTP servers for encrypted traffic. Although encrypting the traffic ensures resilience to eavesdropping, bugs in the server implementation are the same regardless of the listening port (80 or 443). Additionally, there are many vulnerabilities in encryption libraries (such as SSL implementations). In 2002 the Slapper worm attacked Linux servers by exploiting buffer overflow vulnerabilities in OpenSSL. |
| 445 | microsoft-ds | Starting with Windows 2000, Microsoft made the SMB (Server Message Block) protocol work directly over TCP. The service runs on port 445/TCP. Because of this, port 445 is often scanned to find open Windows resources. Worms used to run dictionary attacks on port 445 to obtain passwords and gain access to the system; the well-known Deloder is an example. Dictionary attacks can also be launched by distributed botnets. Another well-known worm attacking port 445 is Sasser, which exploits the MS LSASS vulnerability allowing remote code execution. This and subsequent bugs associated with this port make it one of the most popular targets of bots. |
| 515 | lp printer | Port 515/TCP is where the line printer daemon listens. This service is known to have had vulnerabilities in the past; the Ramen worm used one of them to propagate on Linux systems. |
| 554 | RTSP | Port 554/TCP is assigned to the Real Time Streaming Protocol. In 2003 bugs were published in the RealNetworks Helix Universal RTSP Server (available for Windows as well as Linux/Unix). Exploiting these bugs allowed remote code execution with the privileges of the user running the server. |
| 901 | Samba-SWAT | Port 901/TCP is used by the Samba Web Administration Tool and by RealSecure sensors. This port was heavily scanned in 2003. |
| 1023 |  | Scanning port 1023 may be an attempt to find (vulnerable) FTP servers launched by the W32.Sasser.E worm. |
| 1025 |  | Port 1025 is often assigned to client applications. Furthermore, this port is used to compromise systems via Windows RPC vulnerabilities (for example by the Spybot worm). |
| 1026 |  | Port 1026 is often dynamically assigned to client applications. Port 1027/TCP is often scanned to find computers infected by trojan horses: Backdoor.Padonock, PWSteal.ABCHlp. Scanning 1026/UDP is often due to the Windows Messenger Service, which listens on this port (attacked for spamming purposes). |
| 1027 |  | This port is often scanned to find computers infected by trojan horses: Backdoor.Padonock, PWSteal.ABCHlp. Scanning 1026/UDP is due to the Windows Messenger Service, which listens on this port and is used to send spam. WMS works on ports 135 and 1026 by default, but these ports are often blocked by Internet providers. If ports 135 and 1026 are unavailable, Windows Messenger will choose the next available UDP port. This is why scanning for WMS is also observed on ports 1027 and even 1028. |
| 1028 | WMS | See the description for port 1027. |
| 1080 | SOCKS | SOCKS is a service that allows client-server applications to transparently use the services of a network firewall. Improper configuration of a SOCKS proxy may result in unauthenticated connections from outside our network, and such a proxy may then be used to mask the real source of a connection. IRC servers often check whether a SOCKS proxy is enabled on a connecting host in order to avoid abuse from such connections. |
| 1433 | MS SQL | Microsoft SQL Server listens on port 1433. Many bugs have been discovered in this software; exploiting them may grant read and write permissions to the database or even access to the underlying operating system. MS SQLsnake uses this port to propagate to SQL Server installations with the default (blank) password. |
| 1434 | MS SQL Service Discovery | MS SQL Server uses port 1434/UDP to discover SQL services on the local network. MS SQL Server is known to have had many bugs in the past. The famous SQL Slammer worm exploits a buffer overflow on this port. Most requests destined for port 1434/UDP are still generated by Slammer. |
| 1243 | SubSeven | Port 1243 (and also 27374) is associated with a famous trojan called SubSeven. This trojan allows full remote control of an infected machine. Scanning this port is probably an attempt to find infected computers. |
| 1524 |  | Scanning this port may be an attempt to find computers infected by the Trinoo trojan horse. |
| 2049 | NFS | An NFS server usually listens on port 2049. Although there are no known exploits using this port, improper configuration of an NFS server may open holes in the system. |
| 2100 | ORACLE FTP | Scanning port 2100/TCP may be an attempt to exploit Oracle FTP server vulnerabilities. |
| 2967 | ssc-agent | Port 2967/TCP is opened by the Symantec Antivirus 10.x and Symantec Client Security 3.x remote management interface. Although traffic on this port is typically SSL-encrypted, managed systems also accept clear-text requests. The implementation of the unencrypted command COM_FORWARD_LOG (id 0x24) contains an improper use of the strncat function, which allows a stack buffer to be overflowed and could be exploited by an anonymous attacker to execute arbitrary code with SYSTEM privileges on an affected system. Worms that use this vulnerability: W32.Rinbot.BF, W32.Sagevo, W32.Spybot.ANOO. The basic workaround against automated exploitation is to change the management interface TCP port via the Windows registry value `HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPPort`. |
| 2968 |  | Connections on port 2968/TCP may signify attempts to exploit a vulnerability in the Symantec Antivirus 10.x and Symantec Client Security 3.x remote management interface, which listens on port 2968 on NetWare servers (see port 2967). |
| 3127 |  | Port 3127 is opened as a back door by the MyDoom virus. Many worms try to use this port to propagate to computers infected by MyDoom. MyDoom is an encrypted, mass-mailing worm that arrives as an attachment with a .pif, .scr, .exe, .cmd, .bat or .zip extension. Worms that attack computers infected by MyDoom include W32.Mockbot.A.Worm, W32.Welchia.D.Worm and W32.Welchia.K. |
| 3128 | squid | Default port of the squid software (HTTP proxy). Scanning this port is usually an attempt to find open proxy servers in order to hide an attacker's origin. HTTP proxies may also work on ports 8000, 8001, 8080 and 8888. IRC servers often connect to these ports to limit abuse via proxies. W32.Mydoom.B@mm (see port 3127) opens this port as a backdoor. |
| 3306 | mysql | Default MySQL server port. The worm W32.Spybot.IVQ scans this port to find MySQL; when it finds the service, it tries a brute-force attack using a simple dictionary to gain access to the database. Port 3306 is also used by eMule and eDonkey clones. |
| 3389 | ms-term-services | Port 3389 is associated with Microsoft Terminal Services. This service has been prone to a remote security-restriction bypass vulnerability because the server software fails to properly enforce encryption requirements. This allows an attacker to eavesdrop on RDP sessions and perform man-in-the-middle attacks. |
| 3410 | backdoor optix | This is the default port opened by the trojan horse Backdoor.Optix.Pro. The trojan is a Delphi application and allows full remote access to the infected machine. Scanning this port may be an attempt to find infected computers. |
| 4000 |  | Scanning port 4000 may signify attempts to find computers infected by trojans or misconfigured remote management applications. Trojan.Peacomm opens and listens on port 4000/UDP (as well as ports 7871 and 11271), which are used for encrypted communication channels with other peers. |
| 4128 |  | The trojan horse Backdoor.RCServ opens port 4128. This trojan allows remote control of the infected host. It also opens an FTP server and performs denial-of-service attacks. |
| 4444 |  | Port 4444 is assigned to the Kerberos service. A higher rate of connection attempts may be due to a memory-corruption vulnerability in the HLINK.DLL library, which fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue allows an attacker to execute arbitrary machine code in the context of applications that use the affected library. The vulnerability is exploited by the trojan horse Trojan.Hlinic, which opens a back door on TCP port 4444 on compromised systems. Back doors on port 4444 are also opened by various worms such as Reidana (see the port 139 description) and Blaster (see port 135). |
| 4899 | radmin | This port is associated with a remote management application. Scanning this port may be an attempt to attack this application. W32.Rahack is a worm that spreads to computers running Radmin software by exploiting weak passwords set on the Radmin server. |
| 5554 |  | W32.Sasser (and clones) start an FTP server on TCP port 5554, which is used to spread the worm to other hosts. The worm W32.Dabber scans this port to find FTP servers that W32.Sasser has opened; the server has a vulnerability that allows access to the infected computer. |
| 6101 |  | Scanning this port is due to a vulnerability in Veritas Backup Exec 8.x/9.x, which is exploited by the W32.Spybot.ANOO worm. This malware opens a back door and logs keystrokes whenever the user accesses sites from a list (for example PayPal, eBay). |
| 6129 | dameware | This port is associated with a remote management application, Windows DameWare Mini Remote Control. Scanning this port is probably due to a published buffer overflow vulnerability and was first registered in December 2003. W32.Mockbot.A.Worm exploits this vulnerability; after compromising a system, W32.Mockbot connects to a predetermined list of IRC servers and joins a channel to listen for commands from the attacker. |
| 6662 | radmind | radmind is a suite of Unix command-line tools and a server designed to remotely administer the file systems of multiple Unix machines. Scanning this port may signify attempts to find holes in the service. |
| 8555 | Cisco Tomcat | Port 8555/TCP is used by Cisco's CallManager. Cisco Unified CallManager is susceptible to multiple vulnerabilities: local privilege escalation (Cisco bug CSCse11005), local file overwrite (Cisco bug CSCse31704) and a remote buffer overflow (Cisco bug CSCsd96542). These allow local attackers to completely compromise affected devices and remote attackers to execute arbitrary machine code. Currently there are no known exploits for the remote issue; a high rate of traffic destined for port 8555 may signal new exploitation. |
| 9898 |  | The Dabber worm opens port 9898/TCP and installs a back door that can be used to remotely run an application. The trojan horse Backdoor.Crashcool also uses port 9898 to listen for remote commands from its author. |
| 10000 |  | Scanning this port may be due to a search for vulnerable versions of Veritas Backup Exec. The port is also used by the W32.Dumaru worm to open a back door. |
| 15118 |  | The Dipnet worm scans this port to check whether a computer has already been infected. Before an attack, Dipnet connects to port 11768 or 15118 and sends the string "__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123". If the host has already been infected by Dipnet, it answers with the string "__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3" and closes the connection. This "handshake" prevents double infection of one host. |
| 27374 | SubSeven | Port 27374 (and also 1243) is associated with a famous trojan called SubSeven. This trojan allows full remote control of an infected machine. Scanning this port is an attempt to find infected computers. |
| 41523 |  | Scanning this port may be an attempt to exploit a vulnerability in CA BrightStor Agent for Microsoft SQL Server. |
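The Dipnet infection-check exchange described under port 15118 can be turned into a passive detector: a host that sends the probe string to 11768/15118 is itself running the worm, and a host that answers with the reply string is already infected. The following is an added example (not code from the original page); the `Segment` records and the sample capture are constructed here and would normally come from a packet capture.

```python
# Added example, not from the original page: classify hosts from the Dipnet
# "already infected?" handshake on ports 11768/15118.
from dataclasses import dataclass

DIPNET_PORTS = {11768, 15118}
DIPNET_PROBE = b"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"
DIPNET_REPLY = b"__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3"


@dataclass(frozen=True)
class Segment:
    """One TCP segment with payload (constructed input, not a real capture format)."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def classify_dipnet(segments):
    """Return scanners (hosts sending the probe), infected (hosts answering
    a matching probe with the reply) and probed hosts that stayed silent.

    A reply is only credited when a probe from that peer was seen first, so a
    stray service on 15118 that happens to echo bytes is not flagged."""
    scanners, infected, probed = set(), set(), set()
    pending = set()  # (prober, target, target_port) awaiting a reply
    for seg in segments:
        if seg.dport in DIPNET_PORTS and seg.payload.startswith(DIPNET_PROBE):
            scanners.add(seg.src)
            probed.add(seg.dst)
            pending.add((seg.src, seg.dst, seg.dport))
        elif (seg.sport in DIPNET_PORTS
              and (seg.dst, seg.src, seg.sport) in pending
              and seg.payload.startswith(DIPNET_REPLY)):
            infected.add(seg.src)
            pending.discard((seg.dst, seg.src, seg.sport))
    return {"scanners": scanners, "infected": infected,
            "probed_silent": probed - infected}


# Constructed sample: A probes B (which answers) and C (silent); D sends the
# reply string without ever being probed; E sends the probe to a non-Dipnet port.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "10.0.0.9", 40001, 15118, DIPNET_PROBE),
    Segment("10.0.0.9", "10.0.0.5", 15118, 40001, DIPNET_REPLY),
    Segment("10.0.0.5", "10.0.0.12", 40002, 11768, DIPNET_PROBE),
    Segment("10.0.0.20", "10.0.0.5", 15118, 40003, DIPNET_REPLY),
    Segment("10.0.0.30", "10.0.0.9", 40004, 80, DIPNET_PROBE),
]

if __name__ == "__main__":
    for label, hosts in classify_dipnet(SAMPLE_SEGMENTS).items():
        print(f"{label}: {sorted(hosts)}")
```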
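Two of the patterns the table explains are easy to pick out of firewall logs: a single source walking the Windows Messenger Service ports (135, then 1026, 1027, 1028, as described under port 1027) on one target, and one source hitting the same port on many hosts (for instance 1434/UDP, which the table attributes mostly to SQL Slammer). The following is an added example (not from the original page); the iptables-style log lines and the `PORT_NOTES` annotations (paraphrased from the table) are constructed for the demo.

```python
# Added example, not from the original page: triage iptables-style log lines
# for a WMS port walk and for horizontal scans, annotated from the table above.
import re
from collections import defaultdict

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")
WMS_PORTS = (135, 1026, 1027, 1028)  # default WMS port, then the fallbacks
PORT_NOTES = {  # constructed subset, wording paraphrased from the table
    ("UDP", 1434): "MS SQL service discovery; most traffic is still SQL Slammer",
    ("TCP", 445): "SMB over TCP; dictionary attacks, Sasser/LSASS",
    ("TCP", 2967): "Symantec AV management interface; COM_FORWARD_LOG overflow",
}


def parse_line(line):
    """Return (src, dst, proto, dport) from a kernel/iptables log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto.upper(), int(dport)


def find_messenger_walks(events):
    """(src, dst) pairs that hit two or more WMS UDP ports, listed in fallback order."""
    seen = defaultdict(set)
    for src, dst, proto, dport in events:
        if proto == "UDP" and dport in WMS_PORTS:
            seen[(src, dst)].add(dport)
    return {pair: [p for p in WMS_PORTS if p in ports]
            for pair, ports in seen.items() if len(ports) >= 2}


def find_horizontal_scans(events, min_targets=3):
    """Sources hitting one (proto, dport) on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for src, dst, proto, dport in events:
        targets[(src, proto, dport)].add(dst)
    return sorted(
        (src, proto, dport, len(d), PORT_NOTES.get((proto, dport), "not in table"))
        for (src, proto, dport), d in targets.items() if len(d) >= min_targets)


def triage(text):
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return find_messenger_walks(events), find_horizontal_scans(events)


# Constructed sample log: a WMS walk against one host, a 1434/UDP sweep,
# some unrelated noise and one line that does not parse.
SAMPLE_LOG = """\
Mar 12 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=4321 DPT=135 LEN=60
Mar 12 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=4321 DPT=1026 LEN=60
Mar 12 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=4321 DPT=1027 LEN=60
Mar 12 10:01:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=22 LEN=60
Mar 12 10:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=UDP SPT=1434 DPT=1434 LEN=404
Mar 12 10:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.2 PROTO=UDP SPT=1434 DPT=1434 LEN=404
Mar 12 10:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.3 PROTO=UDP SPT=1434 DPT=1434 LEN=404
Mar 12 10:02:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.4 PROTO=UDP SPT=1434 DPT=1434 LEN=404
Mar 12 10:02:05 fw kernel: martian source 192.0.2.1 from 10.0.0.1, on dev eth0
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```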