
Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis; if you feel we should add other port(s) to the list or modify their descriptions, please contact us.
Any feedback and suggestions can also be posted to our Security forum.
| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 0 |
tcp,udp |
|
not scanned |
Port 0 is reserved and should never appear on the wire, but crafted packets can carry it. It is often used to fingerprint machines, because different operating systems respond to probes on this port in different ways. |
| 1 |
udp |
tcpmux |
not scanned |
IANA assigned to TCP Port Service Multiplexer.
Sockets des Troie remote access trojan uses this port (a.k.a. Backdoor.Sockets23, Lame, Backdoor.Kamikaze, IRC_trojan, TROJ_Backdoor, W32/Cheval.gen, coded in Delphi 3, 06.1998). It might also use ports 1/udp, 5000, 5001, 30303, 50505, 60000 and 65000. |
| 1 |
tcp |
tcpmux |
Premium scan |
Scans against this port are commonly used to test whether a machine runs SGI IRIX, as IRIX is the only system that typically ships with tcpmux enabled. The service is almost never used in practice.
CERT: CA-95.15.SGI.lp.vul
RFC 1078 - TCPMUX acts much like Sun's portmapper (port 111) or Microsoft's endpoint mapper (port 135) in that it lets services run on arbitrary ports. Unlike those, however, after the "lookup" phase all further communication continues over port 1 itself.
Trojans that use this port: Breach.2001, SocketsDeTroie |
| 2 |
tcp |
compressnet |
Premium scan |
Trojans that use this port: Death remote access trojan (coded in VB, affects Windows 9x); the port can be changed. Files: death.exe, config.cfg
America's Army, Operation Flashpoint also use this port.
Port 2 is also registered with IANA for compressnet management utility. |
| 3 |
tcp,udp |
compressnet |
not scanned |
SynDrop trojan uses this port.
Delta Force also uses port 3 (TCP).
IANA assigned for: Compression Process
Port also used by: Midnight Commander |
| 4 |
tcp |
sfs |
Basic scan |
Self-Certifying File System (SFS): sfssd accepts connections on TCP port 4 and passes them to the appropriate SFS daemon. SFS is a secure, global file system with completely decentralized control; it uses NFSv3 as the underlying protocol for file access.
America's Army also uses this port.
Midnight Commander sometimes uses port 4/tcp as well. |
| 5 |
tcp |
trojans |
Premium scan |
Incoming Routing Redirect Bomb, yoyo |
| 7 |
tcp |
Echo |
Members scan |
Echo service, largely superseded by ICMP echo. The port simply echoes back whatever is sent to it, which makes it a convenient reflector for spoofed-source attacks such as fraggle (UDP packets carrying a forged victim address sent to the echo/chargen ports of a broadcast network).
See also: [RFC862]
ICP - Internet Caching Protocol - This protocol is used by HTTP caching proxies in order to coordinate working together in a cluster. Part of this implementation includes bouncing packets off the echo port in order to test if the peers are alive. |
| 8 |
tcp |
trojan |
Premium scan |
Ping Attack |
| 9 |
tcp,udp,sctp |
Discard |
Members scan |
Discard server - this protocol is only installed on machines for test purposes. The service listening at this port (both TCP and UDP) simply discards any input.
Railroad Tycoon 3 also uses this port (TCP).
See also: [RFC863], CVE-1999-0060
Intrusions: Ascend kill
This exploit kills Ascend routers by sending them a specially formatted malformed TCP packet. On certain versions of the Ascend operating system, the router can be forced to cause an internal error, resulting in the router rebooting. |
| 10 |
tcp |
games |
not scanned |
Dark Ages of Camelot |
| 11 |
tcp,udp |
systat |
Premium scan |
system / active users information.
On some UNIX machines, creating a TCP connection to this port will dump the active processes and who launched them. The original intent for this was to make remote management of UNIX easier. However, intruders will query the systat information in order to map out the system.
This service is rarely available anymore because of these security concerns.
On UNIX, there are also local commands that show this information, such as systat or ps.
Skun trojan also uses this port.
See also: [RFC866] |
| 12 |
tcp |
games |
not scanned |
Dark Ages of Camelot |
| 13 |
tcp,udp |
Daytime |
Members scan |
Daytime service [RFC 867] - responds with the current time of day. Different machines respond with slightly different date/time format, so port can be used to fingerprint machines.
Dark and Light also uses this port. |
| 15 |
tcp,udp |
netstat |
Premium scan |
Port used by netstat (a variant of systat, see port 11). Rarely available because of security concerns. It can be used to list active processes and who launched them on some UNIX machines.
Port also used by B2 trojan. |
| 16 |
tcp |
trojan |
Premium scan |
Skun |
| 17 |
tcp,udp |
qotd |
not scanned |
Responds with Quote of the Day. See [RFC 865]
Skun trojan also uses this port. |
| 18 |
tcp,udp |
msp |
not scanned |
Message Send Protocol
Also: Remote Write Protocol (RWP)
Related RFCs: [RFC 1159] [RFC 1312] [RFC 1756]
Skun trojan also uses this port. |
| 19 |
tcp,udp |
Chargen |
Members scan |
Generates and replies with a stream of characters (TCP) or a packet full of characters (UDP). Because a single small UDP request draws a much larger reply, it is a classic amplifier for spoofed-source floods; disable it unless there is a specific need for it. [RFC 864]
Skun trojan also uses this port. |
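The echo (port 7) and chargen (port 19) entries above both warn about spoofed-source abuse; the difference between them is how many bytes come back per byte sent. The following is an added example, not code from the SG Ports database or its scanner: it starts throw-away echo and chargen look-alikes on loopback (their replies are constructed, not captured from real hosts), fires one datagram at each, and reports the reply size and amplification factor. The `probe_udp` function works unchanged against a real host and port you are authorized to test.

```python
import socket
import threading

# RFC 864 lets a chargen reply contain anything; real servers emit rotating lines
# of printable ASCII. Constructed here, not captured from a live host.
CHARGEN_LINE = bytes(range(33, 127))


def echo_handler(data):
    """RFC 862 echo: reply with exactly what was received (amplification factor 1)."""
    return data


def chargen_handler(data):
    """RFC 864 chargen over UDP: ignore the payload, reply with up to 512 bytes of text."""
    return (CHARGEN_LINE * 6)[:512]


def _serve(sock, handler, stop):
    """Answer datagrams on `sock` with handler(data) until `stop` is set."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            continue
        sock.sendto(handler(data), peer)


def start_mock_service(handler):
    """Bind a UDP socket on loopback (ephemeral port) and serve `handler` in a thread.
    Returns (port, stop_event); set the event to shut the service down."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    stop = threading.Event()
    threading.Thread(target=_serve, args=(sock, handler, stop), daemon=True).start()
    return sock.getsockname()[1], stop


def probe_udp(host, port, payload=b"\n", timeout=1.0):
    """Send one datagram and return (bytes_sent, bytes_received, amplification).
    amplification = reply size / request size; 0.0 means no reply (closed or filtered)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(payload, (host, port))
        try:
            reply, _ = sock.recvfrom(65535)
        except socket.timeout:
            return len(payload), 0, 0.0
    finally:
        sock.close()
    return len(payload), len(reply), len(reply) / len(payload)


def classify(amplification):
    """Label a service by how useful it is to an attacker spoofing the victim's address."""
    if amplification == 0.0:
        return "no reply"
    if amplification <= 1.0:
        return "reflector"   # echo: same bytes back, but from a source the victim never contacted
    return "amplifier"       # chargen: more bytes back than were sent


if __name__ == "__main__":
    for name, handler in (("echo", echo_handler), ("chargen", chargen_handler)):
        port, stop = start_mock_service(handler)
        sent, received, amp = probe_udp("127.0.0.1", port)
        print(f"{name:8s} udp/{port}: sent {sent} B, got {received} B, x{amp:.0f} -> {classify(amp)}")
        stop.set()
```

A one-byte request to the mock chargen returns 512 bytes, a 512x amplification; the same request to echo returns one byte. Either service on a host reachable from the Internet is worth shutting down, but chargen is the one that turns a modest spoofed flood into a large one.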
| 20 |
tcp,udp,sctp |
FTP - data |
Basic scan |
File Transfer Protocol - Data
Some trojans also use this port: Amanda, Senna Spy FTP server. |
| 21 |
tcp |
FTP |
Basic scan |
File Transfer Protocol.
List of some trojan horses/backdoors that also use this port: Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm, W32.Sober.N@mm.
W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play buffer overflow vulnerability (MS Security Bulletin MS05-039) on port 21/tcp and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
W32.Loxbot.C (01.11.2006) |
| 21 |
udp |
FSP |
Basic scan |
FSP/FTP |
| 22 |
udp |
PC-Anywhere |
Basic scan |
Old versions of pcAnywhere use port 22/udp (no relation to SSH on port 22/tcp).
The real pcAnywhere port is 5632. The value 0x0016 (hex) is 22 decimal; the value 0x1600 (hex) is 5632 decimal. Some say that pcAnywhere had a byte-swapping bug that led to its incorrect use of port 22. |
| 22 |
tcp,sctp |
SSH |
Basic scan |
Secure Shell - most common use is command line access, secure replacement of Telnet. Could also be used as an encrypted tunnel for secure communication of virtually any service.
Some trojans also use this port: InCommand, Shaft, Skun |
| 23 |
tcp |
telnet |
Basic scan |
Telnet is one of the oldest Internet protocols and the most popular program for remote access to Unix machines. It has numerous security vulnerabilities.
Trojans that also use this port: ADM worm, Aphex's Remote Packet Sniffer , AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (109.26.2005) |
| 23 |
udp |
games |
not scanned |
Dungeon Siege II |
| 24 |
tcp |
priv-mail |
not scanned |
Port used by any private mail system.
Also used by the Back Orifice 2000 (BO2K) trojan as Control Port |
| 25 |
tcp |
SMTP |
Basic scan |
SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not running a mail server that you're aware of, there is a possibility your system is infected.
List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp.
Trojan.Mitglieder.R (07.01.2005) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp.
W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Backdoor.Rustock (01.12.2006) - backdoor program that allows the compromised computer to be used as a proxy, uses rootkit techniques to hide its files and registry entries. |
| 25 |
udp |
games |
not scanned |
Final Fantasy XI |
| 26 |
tcp |
rsftp |
Members scan |
Port used by RSFTP - a simple FTP-like protocol.
Sometimes also used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). |
| 26 |
udp |
games |
not scanned |
Dungeon Siege II |
| 27 |
tcp |
trojan |
Premium scan |
Assasin |
| 28 |
tcp |
|
Premium scan |
AltaVista Firewall97 accepts connections on ports 26,27,28 and 29, this can be used to fingerprint the type of firewall in use.
Amanda trojan uses port 28/tcp. |
| 30 |
tcp |
trojans |
Premium scan |
Agent 40421 trojan. Also uses port 40421/tcp
ATC Battlefield 1942 (TCP/UDP), ATC Ghost Recon 2 (TCP/UDP), ATC Splinter Cell Chaos Theory (TCP/UDP), developer: Foolish Entertainment |
| 31 |
tcp |
msg-auth |
Members scan |
MSG Authentication
Delta Force also uses this port.
The following trojans/backdoors also use this port: Agent 31, Agent 40421, Hackers Paradise (ports 31, 456), Masters Paradise, Skun |
| 34 |
tcp,udp |
remote |
not scanned |
Remote File (RF) - used for file transfer between machines |
| 35 |
udp |
games |
not scanned |
Delta Force |
| 37 |
tcp |
worm |
Basic scan |
Officially assigned for use by TIME protocol [RFC 868] [RFC 956]
Like the other trivial services (echo on 7, chargen on 19, daytime on 13), time can be abused with spoofed source addresses, for example by bouncing its output into the echo port 7 to create a packet loop; this is a denial-of-service risk to the whole subnet.
W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp.
W32.Sober.J@mm (01.30.2005)
W32.Sober.O@mm (05.02.2005)
W32.Sober.X@mm (12.12.2005) |
| 39 |
tcp |
trojan |
Premium scan |
SubSARI |
| 41 |
tcp |
trojans |
Members scan |
Some trojans use this port: Deep Throat , Foreplay |
| 42 |
tcp,udp |
WINS |
Members scan |
Port used by WINS (Windows Internet Naming Service).
Worms can exploit the WINS buffer overflow vulnerability (MS04-045) using this port.
See:
Microsoft - How to help protect against a WINS security issue
Technical Analysis by Steve Friedl
W32.Dasher.D (12.19.2005) - a worm that exploits the following MS vulnerabilities: MS05-051 (on port 53/tcp) and MS04-045 (on port 42/tcp).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp.
City of Heroes also uses this port (TCP).
Port was originally assigned to the obsolete ARPA Host name server protocol (pre-DNS). |
| 43 |
tcp,udp |
whois |
not scanned |
WHOIS protocol |
| 44 |
tcp |
trojan |
Premium scan |
Arctic |
| 48 |
tcp |
auditd |
Premium scan |
DRAT remote access trojan (11-1999) uses ports 48,50.
Port is also IANA assigned for: Digital Audit Daemon |
| 49 |
tcp,udp |
TACACS |
Members scan |
Login Host Protocol (TACACS)
Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that is used to communicate with an authentication server, commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. The original TACACS and XTACACS (udp/49) send credentials in cleartext and are obsolete; TACACS+ (tcp/49) obscures the packet body with a shared secret but is not a substitute for a protected management network. |
| 50 |
tcp |
re-mail-ck |
Members scan |
Some trojans that also use this port: DRAT remote access trojan (11-1999). Uses ports 48,50.
Dark Ages of Camelot uses this port. |
| 51 |
tcp |
vpn |
Premium scan |
F**k Lamers Backdoor uses this port. |
| 52 |
tcp |
trojan |
Premium scan |
MuSka52, Skun |
| 53 |
tcp,udp |
DNS |
Basic scan |
DNS (Domain Name Service) is used for domain name resolution.
Apple MacDNS, FaceTime also use this port.
There are some attacks that target vulnerabilities within DNS servers. Some trojans also use this port: ADM worm, li0n, MscanWorm, MuSka52, Trojan.Esteem.C (05.12.2005), W32.Spybot.ABDO (12.12.2005).
W32.Dasher.B (12.16.2005) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin MS05-051).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp.
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp.
Bonk (DoS) trojan horse also uses port 53 (TCP). |
| 54 |
tcp,udp |
xns-ch |
Premium scan |
Port is officially assigned to XNS (Xerox Network Services) Clearinghouse.
Port is also used by the MuSka52 trojan. |
| 57 |
tcp,udp |
applications |
not scanned |
AudioReQuest |
| 58 |
tcp |
trojan |
Premium scan |
DMSetup trojan |
| 59 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AJ (01.10.2005) - network aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 59/tcp.
DMSetup trojan also uses port 59. |
| 66 |
tcp |
trojan |
Premium scan |
AL-Bareki |
| 67 |
udp |
bootp server |
Basic scan |
Bootstrap protocol server. Used by DHCP servers to communicate addressing information to remote DHCP clients.
Apple NetBoot also uses this port. |
| 67 |
tcp |
applications |
not scanned |
Falco LX-4PRO |
| 68 |
udp |
bootp client |
Basic scan |
Bootstrap protocol client. Used by client machines to obtain dynamic IP addressing information from a DHCP server.
Apple NetBoot also uses this port. |
| 68 |
tcp |
trojan |
Premium scan |
Backdoor.SubSeven
Falco LX-4PRO also uses this port. |
| 69 |
udp |
TFTP |
Basic scan |
Trivial File Transfer Protocol - a minimal UDP file transfer protocol with no authentication or encryption, generally used in maintaining and updating systems: configuration file transfers between LAN devices, firmware updates on routers, etc.
Many trojans also use this port: BackGate Kit, Nimda, Pasana, Storm, Storm worm, Theef...
W32.Blaster.Worm is a widely spread worm that exploits the MS DCOM RPC vulnerability described in MS Security Bulletin MS03-026. The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Welchia.Worm - a wildly spread worm that removes the W32.Blaster.Worm and installs a TFTP server.
W32.Cycle (05.10.2004). Exploits a MS vulnerability on port 445, Listens on ports 3332/tcp and 69/udp.
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 69/udp is also used by the W32.Zotob.H variant of the worm.
W32.Evala.Worm - backdoor trojan, 07.2002. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70. |
| 70 |
tcp |
trojans |
Members scan |
W32.Evala.Worm - backdoor trojan, 07.2002. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.
Other trojans that use these ports: ADM worm, BackGate Kit, Nimda, Pasana, Storm, Theef
Note: port 69/udp is used by TFTP. |
| 73 |
udp |
games |
not scanned |
Dungeon Siege II |
| 77 |
tcp,udp |
priv-rje |
not scanned |
IANA assigned for any private RJE service, netjrs.
The error message "TK_SPACE undeclared" turns up in searches for "port 77", but it appears to come from FreeBSD ports-collection builds failing on sqlite3, not from anything listening on TCP/UDP port 77. |
| 79 |
tcp,udp |
Finger |
Members scan |
Finger
Finger security concerns: provides key host information to an attacker. A fingered host can be DoS'd by a recursive finger script until its memory and swap space fill. Finger clients can be DoS'd if they finger a maliciously configured host (data overload, output that makes the terminal beep continually, etc.). If the client terminal allows programmable keys, a maliciously configured host can return a finger response that maps a key to rm -rf /. Disable on all hosts unless the finger service is stubbed to return only scripted data (e.g. system administrator contact info).
Trojans that also use this port: ADM worm, Back Orifice 2000 (BO2K), CDK trojan (ports 79, 15858), Firehotcker (ports 79, 5321) |
| 80 |
udp |
trojans |
Members scan |
W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.
W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play buffer overflow vulnerability (MS Security Bulletin MS05-039) on port 21/tcp and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
Port 80 udp is also used by some games, like Alien vs Predator (Activision). |
| 80 |
tcp,sctp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - port used for web traffic. See also TCP ports 81, 8080, 8081.
Some broadband routers (Linksys, etc.) run a web server on port 80 or 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.
If you're not running web services, keep in mind that Code Red and Nimda worms also propagate via TCP port 80 (HTTP). Also, a number of trojans/backdoors use these ports: 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Nerte 7.8.1, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader
Trojan.Webus.C
W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
Backdoor.Ranky.S (01.30.2005) - runs proxy on port 80.
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
Backdoor.Darkmoon.B (10.21.2005) - a backdoor trojan with keylogger capabilities. Opens a backdoor and listens for remote commands on port 80/tcp.
W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Trojan.Lodear.F (12.18.2005) - trojan that attempts to download remote files.
W32.Feebs (01.07.2006)
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp.
Some Apple applications also use port 80 (TCP): MobileMe, Sherlock, QuickTime Installer, iTunes Store and Radio, Software Update, RAID Admin, Backup, iCal calendar publishing, iWeb, MobileMe Web Gallery Publishing, WebDAV (iDisk), Final Cut Server. |
| 81 |
udp |
trojans |
Premium scan |
W32.Beagle.AR@mm (9.29.2004) - mass mailing worm with backdoor functionality on port 81/tcp & udp. Affects all current Windows versions. |
| 81 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - ports used for web traffic. See also TCP ports 80, 8080, 8081.
Some common uses for port 81/tcp include web administration (Cobalt Cube), web proxy servers, etc.
If you're not running web services on this port, keep in mind it is also used by some trojans:
Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default.
W32.Beagle.AR@mm (09.29.2004) - port 81.
RemoConChubo trojan also uses this port. |
| 82 |
tcp |
trojans |
Members scan |
W32.Netsky.X@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 82/tcp to receive and execute a file from an attacker.
The W32.Netsky.Y@mm variant also opens port 82/tcp.
ET TROJAN LD Pinch Checkin uses port 82/udp. |
| 85 |
tcp |
trojan |
Premium scan |
Common Port for phishing scam sites |
| 87 |
tcp |
terminal link |
Members scan |
terminal link - a talk/chat style protocol. Port commonly used by intruders |
| 88 |
udp |
Kerberos |
Premium scan |
KDC (Kerberos key distribution center) server.
Related ports: 464,543,544,749,751
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp. |
| 88 |
tcp |
trojan |
Premium scan |
Pwsteal.likmet.a, BackDoor-AXC |
| 90 |
tcp |
trojan |
Premium scan |
Hidden Port 2.0 |
| 96 |
tcp,udp |
applications |
not scanned |
Express Invoice |
| 97 |
tcp,udp |
applications |
not scanned |
Inventoria Stock Manager |
| 99 |
udp |
metagram |
Members scan |
Metagram Relay, gnutella |
| 99 |
tcp |
trojans |
Premium scan |
Hidden Port, Mandragore, NCX trojans |
| 101 |
tcp,udp |
hostname |
not scanned |
Hostnames NIC Host Name Server. [RFC953] [RFC811]
Skun trojan also uses this port (TCP). |
| 102 |
tcp,udp |
iso-tsap |
Members scan |
Port used by X.400, X.500, ITOT, ISO-TSAP (Transport Service Access Point) protocol.
Microsoft Exchange uses this port for X.400 mail messaging traffic. No known vulnerabilities, but similar to data-driven attacks common to smtp plus possible direct attacks, such as with sendmail. Always static route inbound mail to a protected/hardened email server.
X.500 Directory Service - Used to distribute user names, user info and public keys.
Security Concerns: Depending on vendor implementation probes can reveal valuable user info for follow-on attacks. On poorly configured servers attackers can replace public keys for data capture or DOS purposes.
[RFC1006] [RFC2126]
Delf, Skun trojans also use this port (TCP). |
| 103 |
tcp,udp |
gppitnp |
not scanned |
Port IANA registered for Genesis Point-to-Point Trans Net
Also sometimes used with MS Exchange X.400 mail messaging traffic.
Known trojans that use this port: Skun |
| 105 |
tcp,udp |
ccso |
not scanned |
IANA assigned to CCSO name server protocol (mailbox name nameserver). [RFC2378]
Backdoor.Nerte also uses this port (TCP). |
| 106 |
tcp |
poppassd |
not scanned |
(TCP) poppassd (aka epass) allows passwords to be changed on POP servers. Traditionally, users had to have shell (Telnet) accounts on the server in order to change their passwords; poppassd lets users with only POP access change them. Note that the whole exchange, including both the current and the new password, is sent in cleartext.
The exchange looks something like:
S: 200 Hello
C: user robert
S: 300 Please send current password
C: pass mypassword
S: 200 send New Pass Word
C: newpass newpassword
S: 200 successful
C: quit
The protocol was originally developed for Eudora. Eudora Internet Mail Server versions 1.2, 2.0 and 2.01 have a DoS: connecting to the server and sending the command "USER xxxxxx" with more than 1000 characters crashes the service.
Apple Mac OS X Password Server and City of Heroes also use this port. |
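The poppassd exchange shown above, worked through as an added example (not code from the page, from Eudora, or from any poppassd implementation). Both sides are modelled: a small server state machine with a constructed in-memory user table, and a client that drives the user/pass/newpass/quit sequence and records the transcript. The reply codes (200 OK, 300 continue, 500 error) follow the dialogue on the page; the 1000-character argument cap and its "500 Argument too long" reply are this example's own defensive choice, added because of the EIMS crash noted above, not part of the protocol.

```python
# Cap on a single command argument. Assumption of this example, prompted by the
# EIMS crash on USER lines over 1000 characters; real poppassd servers differ.
MAX_FIELD = 1000


class PoppassdServer:
    """Server side of the poppassd dialogue. `users` is a constructed
    {username: password} dict standing in for the POP server's credential store."""

    def __init__(self, users):
        self.users = dict(users)
        self.state = "need_user"
        self.user = None

    def greeting(self):
        return "200 Hello"

    def handle(self, line):
        parts = line.strip().split(" ", 1)
        cmd = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if len(arg) > MAX_FIELD:
            # Reject oversized input up front instead of copying it into a fixed buffer.
            return "500 Argument too long"
        if cmd == "quit":
            self.state = "closed"
            return "200 Bye"
        if self.state == "need_user" and cmd == "user":
            self.user = arg
            self.state = "need_pass"
            return "300 Please send current password"
        if self.state == "need_pass" and cmd == "pass":
            if self.users.get(self.user) == arg:
                self.state = "need_newpass"
                return "200 send New Pass Word"
            # Wrong password: drop back to the start so the client must resend USER.
            self.state, self.user = "need_user", None
            return "500 Old password is incorrect"
        if self.state == "need_newpass" and cmd == "newpass":
            self.users[self.user] = arg
            self.state = "need_user"
            return "200 successful"
        return "500 Bad command or sequence"


def change_password(server, user, old, new):
    """Client side: send the four commands in order and return the transcript.
    Stops at the first reply that is not a 200/300, as a real client would."""
    transcript = ["S: " + server.greeting()]
    for line in (f"user {user}", f"pass {old}", f"newpass {new}", "quit"):
        transcript.append("C: " + line)
        reply = server.handle(line)
        transcript.append("S: " + reply)
        if not reply.startswith(("200", "300")):
            break
    return transcript


if __name__ == "__main__":
    server = PoppassdServer({"robert": "mypassword"})
    for entry in change_password(server, "robert", "mypassword", "newpassword"):
        print(entry)
    print("stored password is now:", server.users["robert"])
```

The transcript printed by the block reproduces the page's exchange line for line. Everything in it, including both passwords, would cross the wire in the clear, which is the practical reason to expose poppassd only behind TLS or on a management network.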
| 107 |
tcp |
trojan |
Premium scan |
Backdoor.Skun |
| 109 |
tcp,udp |
pop2 |
not scanned |
Post Office Protocol 2 (obsolete). While POP2 has largely been replaced by POP3, hackers still scan for this port because many older POP servers have vulnerabilities associated with them. [RFC937]
ADM trojan also uses this port (TCP). |
| 110 |
udp |
pop-or-not |
Basic scan |
POP3 server traffic. POP3 itself runs over TCP only; IANA lists udp/110 alongside the TCP assignment, but nothing legitimate listens there, so unsolicited traffic to this port deserves a look.
Final Fantasy XI also uses this port. |
| 110 |
tcp |
POP3 |
Basic scan |
POP3 (Post Office Protocol - Version 3)
Security concerns: reusable cleartext password (unless APOP or TLS is used) and no auditing of connections and attempts, so it is subject to password grinding (brute force). Some POP3 server versions have had buffer overflow problems. CERT Advisories: CA-97.09
ADM, ProMail trojans also use port 110 (TCP). |
| 111 |
tcp,udp |
SunRPC |
Basic scan |
Provides information between Unix-based systems. The port is often probed; it can be used to fingerprint the Unix OS and to obtain information about available services. Used with NFS, NIS, or any RPC-based service.
Port 111 was designed by Sun Microsystems as a component of its Network File System. It is also known as Open Network Computing Remote Procedure Call (ONC RPC). Port 111 is a port mapper with similar functions to Microsoft's port 135 (DCE/RPC endpoint mapper).
Security concerns: provides the RPC port map without authentication and has no filtering or logging, so rpcinfo probes can quickly find your Unix hosts and the RPC services they run. Shut down portmapper on any hosts not requiring RPC services, and ensure it is blocked at network perimeters.
Trojans that use this port: ADM worm, MscanWorm, Sadmind/IIS Worm |
| 113 |
tcp,udp |
IDENT |
Basic scan |
Port 113 is used for the Identification (IDENT) service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC or FTP, that remote server may send a query back to port 113 on your system asking which user owns the connection.
Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all, the connection that triggered the query in the first place will be delayed or perhaps even abandoned while the remote server waits for the timeout.
The simplest solution is to close port 113 (so the remote host gets an immediate reset), rather than silently filter it.
Some trojans also use this port: ADM worm, Alicia, Cyn, DataSpy Network X, Dosh, Gibbon, Invisible Identd Daemon, Kazimas, Taskman, W32.Korgo.F
W32.Bofra.C@mm (11.11.2004) - It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Linkbot.A (11.05.2004) - worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability. It also creates an IRC backdoor and attempts to install adware on the infected machine. It can affect all current Windows versions. Listens on port 113/tcp for remote commands.
W32.Spybot.LZI (04.06.2005) - worm that attempts to exploit the MS DCOM RPC vulnerability on ports 135, 445 & 1025. Opens a backdoor on port 113.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp. |
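The point above about port 113 is that the remote server wants an answer, not a user name. An ident responder that replies to every well-formed query with an error achieves the same thing as closing the port while giving you control over the message. The following is an added example, not code from the page or from any identd; it implements the RFC 1413 request/response formats (`<server-port>, <client-port>` in, `USERID` or `ERROR` out) as pure functions so it runs offline. The `table_lookup` function and its connection table are constructed for illustration; in a real daemon it would be a query against the kernel's connection table. The 1024-byte line cap is this example's defensive choice, not an RFC requirement.

```python
import re

# RFC 1413 request: two decimal port numbers separated by a comma, optional whitespace.
REQUEST = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
MAX_LINE = 1024  # defensive cap on request length (this example's choice)


def parse_ident_request(line):
    """Return (server_port, client_port) for a valid request, else None."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_LINE:
        return None
    m = REQUEST.match(line)
    if not m:
        return None
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return None
    return server_port, client_port


def ident_response(line, lookup=None):
    """Build the single reply line for one ident query.

    lookup(server_port, client_port) -> user name owning that connection, or None.
    With lookup=None the responder is a privacy stub: every well-formed query gets
    'ERROR : HIDDEN-USER' at once, so the remote server's check completes immediately
    instead of waiting out a timeout against a silently filtered port.
    """
    parsed = parse_ident_request(line)
    if parsed is None:
        m = REQUEST.match(line.rstrip("\r\n")[:MAX_LINE])
        # Echo the ports when they parsed but were out of range; "0, 0" is this
        # example's placeholder when the line could not be parsed at all.
        ports = f"{int(m.group(1))}, {int(m.group(2))}" if m else "0, 0"
        return f"{ports} : ERROR : INVALID-PORT\r\n"
    server_port, client_port = parsed
    user = lookup(server_port, client_port) if lookup else None
    if user is None:
        error = "NO-USER" if lookup else "HIDDEN-USER"
        return f"{server_port}, {client_port} : ERROR : {error}\r\n"
    # USERID replies disclose a local account name to whoever asks: the reason the
    # page recommends closing the port rather than running a full identd.
    return f"{server_port}, {client_port} : USERID : UNIX : {user}\r\n"


# Constructed connection table: (local port of the remote service, our local port) -> user.
CONNECTIONS = {(6667, 51234): "alice", (25, 40001): "bob"}


def table_lookup(server_port, client_port):
    return CONNECTIONS.get((server_port, client_port))


if __name__ == "__main__":
    for query in ("6667, 51234\r\n", "6193, 23\r\n", "6193, 70000\r\n", "garbage\r\n"):
        print(repr(query), "-> privacy stub:", ident_response(query).strip())
        print(" " * len(repr(query)), "-> full identd :", ident_response(query, table_lookup).strip())
```

Running the block shows the same IRC-style query (`6667, 51234`) answered two ways: the stub returns `ERROR : HIDDEN-USER`, the full daemon returns `USERID : UNIX : alice`. Both are instant; only the second leaks anything.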
| 118 |
udp |
trojan |
not scanned |
Infector 1.4.2 trojan horse |
| 119 |
udp |
NNTP |
Basic scan |
NNTP (Network News Transfer Protocol) control messages. |
| 119 |
tcp |
trojan |
Premium scan |
Happy99/Ska trojan |
| 120 |
tcp |
trojan |
Premium scan |
Backdoor.Skun |
| 121 |
tcp |
erpc |
Premium scan |
trojans/backdoors that use this port:
Attack Bot (files: Sysadmin.exe-181KB, Mpeg.exe, affects Windows 9x/ME)
God Message (ports 80,121,7777, a.k.a. BackDoor.AB.gen, JS.Trojan.WindowBomb, affects Windows 9x/ME/NT/2k)
JammerKillah (files: Jammerkillah.zip, Jammerkillah.exe, Mswin32.drv, affects Windows 9x/ME)
Port is also IANA registered for: Encore Expedited Remote Pro.Call |
| 123 |
udp |
NTP |
Basic scan |
Network Time Protocol (NTP) - used for time synchronization
Security Concerns:
It provides both information and a possible avenue of attack for intruders. Information gathered can include system uptime, time since reset, time server packets, I/O and memory statistics and the NTP peer list. If a host's clock can be altered via NTP, an attacker can possibly:
1) Run replay attacks using captured OTP and Kerberos tickets before they expire.
2) Stop security-related cron jobs from running or cause them to run at incorrect times.
3) Make system and audit logs unreliable since time is alterable. |
| 123 |
tcp |
trojan |
Premium scan |
Net Controller trojan |
| 125 |
tcp |
misc |
not scanned |
Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP block on port 25. |
| 127 |
udp |
games |
not scanned |
Command and Conquer Generals |
| 133 |
tcp |
trojan |
Premium scan |
Farnaz |
| 135 |
tcp,udp |
loc-srv |
Basic scan |
Remote Procedure Call (RPC) port 135 is used in client/server applications (might be on a single machine) such as Exchange clients, the recently exploited messenger service, as well as other Windows NT/2K/XP software. If you have remote users who VPN into your network, you might need to open this port on the firewall to allow access to the Exchange server.
There is an RPC vulnerability (in the RPC Endpoint Mapper component) in Windows NT where a malformed request to port 135 could cause denial of service (DoS). RPC contains a flaw that causes it to fail upon receipt of a request containing a particular type of malformed data. To restore normal functionality the victim has to reboot the system. Alternatively, you can upgrade/patch your OS (there is a patch downloadable from Microsoft), or you can close port 135.
Port 135 is used by Messenger Service (not MSN Messenger) and exploited in popup net send messenger spam: MSKB 330904. To stop the popups you'd need to filter port 135 at the firewall level or stop the messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp 138/udp, 139/tcp, 445/tcp.
MS Security Bulletin MS03-026 outlines another critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
W32.Blaster.Worm is a widely spread worm that exploits the DCOM RPC vulnerability described above (MS Security Bulletin MS03-026). The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service. |
| 137 |
tcp,udp |
netbios-ns |
Basic scan |
NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.
NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (the Internet protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 (and 445, used for SMB directly over TCP) completely. If you must enable it, use the following guidelines:
1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 and 445 in your router/firewall.
Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
There is also a Critical Windows RPC vulnerability affecting ports 135,139 and 445, as detailed here: MS Technet Security Bulletin MS03-026
The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin MS03-026) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.
Windows Internet Naming Service (WINS) also uses this port (UDP). |
Vulnerabilities listed: 100 (some use multiple ports)