Common TCP and UDP port scans that people see against their firewalls.
Since March of 2020 the amounts of Port Scanning and Probes have gone up by the googols – (Googol, Googolplex – & Google. A googol equals 1 followed by 100 zeros. Googol is a mathematical term to describe a huge quantity).
To help people seeing these scans which lead to full on hacking attacks here is a list of Common incoming TCP/UDP hacker scans against your firewall, we hope this helps.
Click the image to visit Adept Secure ®
| 0 |
Commonly used to help determine the operating system. This works because on some systems, port 0 is “invalid” and will generate a different response when you connect to it vs. a normal closed port. One typical scan uses a destination IP address of 0.0.0.0 and sets the ACK bit, with broadcast at the Ethernet layer. |
|
| 1 | tcpmux |
Indicates someone searching for SGI Irix machines. Irix is the only major vendor that has implemented tcpmux, and it is enabled by default on Irix machines. Irix machines ship with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to close these accounts after installation. Therefore, hackers scan the Internet looking first for tcpmux, then these accounts. [ CA-1995-15 RFC 1078 ] |
| 7 | Echo |
You will see lots of these from people looking for fraggle amplifiers sent to addresses of x.x.x.0 and x.x.x.255. A common DoS attack is an echo-loop, where the Another common thing seen is TCP connections to this port by DoubleClick. They Harvest/squid caches will send tbese UDP echoes from port 3130. To quote their document: |
| 11 | sysstat |
This is a UNIX service that will list all the running processes on a machine and who started them. This gives an intruder a huge amount of information that might be used to compromise the machine, such as indicating programs with known vulnerabilities or user accounts. It is similar the contents that can be displayed with the UNIX “ps” command. This service is usually disabled, scans for this don’t expect to actually succeed most of the time. Some people come here looking for ICMP port 11. To repeat: firewall logs are confusing, ICMP doesn’t have |
| 19 | chargen |
This is a service that simply spits out characters for testing purposes. The UDP version will respond with a packet containing garbage characters whenever a UDP packet is received. On a TCP connection, it spits out a stream of garbage characters until the connection is closed. Hackers can take advantage of IP spoofing for denial of service attacks. Forging UDP packets between two chargen servers, or a chargen and echo can overload links as the two servers attempt to infinitely bounce the traffic back and forth. Likewise, the fraggle DoS attack broadcasts a packet destined to this port with a forged victim address, and the victim gets overloaded with all the responses. [CA-96.01] |
| 21 | FTP |
The most common attack you will see are hackers/crackers looking for “open anonymous” FTP servers. These are servers with directories that can be written to and read from. Hackers/crackers use these machines as way-points for transferring warez (pirated programs) and pr0n (intentionally misspelled word to avoid search engines classifying this document). In early 2003, I occasionally see people trying to exploit the FTP server using *2020 – We have seen numerous port scans including Decoy Scans |
| 22 | ssh pcAnywhere |
SSH is a popular way to remotely run a command-prompt on systems, primarily UNIX systems. It provides secure authentication and encryption, so it is especially popular among security professionals. There is a commercial version by the company that originally created it, a popular open-source OpenSSH alternative, and many other compatible versions. In 2002, numerous vulnerabilities in most all versions were discovered, exploited, and routinely scanned for. Also note that the ssh package comes with a program called UDP (rather than TCP) packets directed at this port along with [CA-2002-36] |
| 23 | Telnet |
Telnet is the most popular protocol for getting a remote command line.
The most common use by scanners is to get the banner As of 2002, most attackers are interested in finding network equipment such as switches and routers, especially Historically (and still common as of 2002), hackers look for Unix systems with default |
| 25 | SMTP |
SMTP (Simple Mail Transfer Protocol) is the protocol that transfers virtuall all the world’s e-mail.
Scans against this port are almost certain coming from spammers (and occasionally anti-spammers) Note that there continue to be vulnerabilities in mail servers themselves. |
| 53 | DNS |
DNS (Domain Name Service) is a core Internet protocol; it translates names into Internet addresses (like a phonebook translates names into phone numbers). It is so important that when DNS servers go down, users usually think the Internet itself has gone down. Ways of breaking into DNS servers are frequently discovered, such as the BIND exploit in 2002. DNS information tells the hacker a lot of about the intended victim. Rejected TCP attempts probably Since DNS is such an important protocol to the Internet, firewall administrators often allow |
| 67 and 68 | bootp DHCP |
DHCP (and the older version, BOOTP) are the protocols that assign your desktop computer an IP address. Firewalls will see (and reject) a lot of DHCP requests from your local network. You rarely see attackers from remote parts of the Internet trying to exploit DHCP vulnerabilities. As of 2003, an important exploit has been found in a DHCP service, so remote hackers may |
| 69 | TFTP | (over UDP). Many servers support this protocol in conjunction with BOOTP in order to download boot code to the system. However, they are frequently misconfigured to provide any file from the system, such as password files. They can also be used to write files to the system. |
| 79 | finger |
Hackers are trying to:
|
| 80 | HTTP |
Prior to 2003, I did not include an entry for this port. Presumably, you would know what port 80 meant without this guide having to tell you. However, a enormous number of worms infecting Windows and Unix systems are now using this port, so I am including it for worm discussion. *2020 – We have seen numerous port scans including Decoy Scans |
| 98 | linuxconf |
The utility linuxconf provide easy administration of Linux boxen. It includes a web-enabled interface at port 98 through an integrated HTTP server. It has had a number of security issues. Some versions are setuid root, trust the local network, create world-accessible files in /tmp, and a buffer overflow in the LANG environment variable. Also, because it contains an integrated web server, it may be vulnerable to many of the typical HTTP exploits (buffer overruns, directory traversal using ../.., etc.). |
| 109 | POP2 |
POP2 is not nearly as popular as POP3 (see below), but many servers support both (for backwards compatibility). Many of the holes that can be exploited on POP3 can also be exploited via the POP2 port on the same server. |
| 110 | POP3 |
POP3 is used by clients accessing e-mail on their servers. POP3 services have many well-known vulnerabilities. At least 20 implementations are vulnerable to a buffer overflow in the username or password exchange (meaning that hackers can break in at this stage before really logging in). There are other buffer overflows that can be executed after successfully logging in. *2020 – We have seen numerous port scans including Decoy Scans |
| 111 | sunrpc portmap rpcbind |
Sun RPC PortMapper/RPCBIND. Access to portmapper is the first step in scanning a system looking for all the RPC services enabled, such as rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. If the intruder finds the appropriate service enabled, s/he will then run an exploit against the port where the service is running. Note that by putting a logging daemon, IDS, or sniffer on the wire, |
| 113 | identd auth |
This is a protocol that runs on many machines that identifies the user of a TCP connection. In standard usage this reveals a LOT of information about a machine that hackers can exploit. However, it used by a lot of services by loggers, especially FTP, POP, IMAP, SMTP, and IRC servers. In general, if you have any clients accessing these services through a firewall, you will see incoming connection attempts on this port. Note that if you block this port, clients will perceive slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back a RST on the TCP connection as part of the blocking procedure, which will stop these slow connections. |
| 119 | NNTP news |
Network News Transfer Protocol, carries USENET traffic. Attempts on this port are usually by people hunting for open USENET servers. Most ISPs restrict access to their news servers to only their customers. Open news servers allow posting and reading from anybody, and are used to access newsgroups blocked by someone’s ISP, to post anonymously, or to post spam. |
| 135 | loc-serv MS RPC end-point mapper |
As of 2003, the most common reason you see port 135/udp is because of WinPopup/Messenger spam. This is a feature in Windows that allows system administrators to notify employees of unusual events, such as the network or file servers about to be rebooted. However, spammers have found a way to subvert this and use this mechanism to send popup messages on the victim’s desktop. Microsoft runs its DCE RPC end-point mapper for its DCOM services at this port. This port is often hit in order to scan for services (for example, using No RPC service except the endpoint mapper runs on this port, except that “broadcast” |
| 137 | NetBIOS name service nbtstat |
(UDP) This is the most common item seen by firewall administrators and is perfectly normal. |
| 139 | NetBIOS File and Print Sharing |
Incoming connections to this port are trying to reach NetBIOS/SMB, the protocols used for Windows “File and Print Sharing” as well as SAMBA. People sharing their hard disks on this port are probably the most common vulnerability on the Internet.
|
| 143 | IMAP4 |
Same security idea as POP3 above, numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for awhile, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when RedHat enabled the service by default on its distributions. In fact, this may have been the first widely scanned for exploit since the Morris Worm. This port is also used for IMAP2, Several people have noted attacks from port 0 to port 143, which appears |
| 161 | SNMP |
(UDP) A very common port that intruders probe for. SNMP allows for remote management of devices. All the configuration and performance information is stored in a database that can be retrieved or set via SNMP. Many managers mistakeningly leave this available on the Internet. Crackers will first attempt to use the default passwords “public” and “private” to access the system; they may then attempt to “crack” the password by trying all combinations. SNMP packets may be mistakenly directed at your network. Windows machines running In early 2002, a university in Finland released its “PROTOS” tool that demonstrated many |
| 162 | SNMP trap | Probably a misconfiguration. |
| 177 | xdmcp |
Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed. |
| 443 | HTTPS/SSL |
See port 80 for more information.
This port is used for secure web browser communication. Data transferred across such connections are highly resistant to eavesdropping and interception. Moreover, the identity of the remotely connected server can be verified with significant confidence. Web servers offering to accept and establish secure connections listen on this port for connections from web browsers desiring strong communication security. Once established, web browsers inform their users of these secured connections by displaying an icon — a padlock, an unbroken key, etc. — in the status region of their window * 2020 We have seen numerous port scans including Decoy Scans |
| 445 | NetBIOS File and Print Sharing |
See port 139 for more information.
In Windows 2000, Windows XP, Windows 7, Windows 8, and Windows 10 port 445 is essentially a duplicate of port 139. These ports Whereas many ISPs now filter port 139, many do not filter port 445. As of mid-2002, we are |
| 513 | rwho |
Probably from UNIX machines on your DSL/cable-modem segment broadcasting who is logged into their servers. These people are kindly giving you really interesting information that you can use to hack into their systems. |
| 515 | lp printer |
This is the standard protocol for remote printing on UNIX systems. Virtually every UNIX system from Sun Solaris to Linux will listen on this port. In addition, most laster printers support this protocol as well. There are widespread vulnerabilities on this port, due either to vulnerabilities in the protocol itself, or vulnerabilities in printer-specific drivers behind this port. The RedHat 7 LPRng bug was exploited by the Ramen worm in early 2001. As of late 2002, this is one of the more common ports probed, both because of Linux |
| 535 | CORBA IIOP |
(UDP) If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA is an object-oriented remote procedure call (RPC) system. It is highly likely that when you see these broadcasts, you can use the information to hack back into the systems generating these broadcasts. There are many exploits possible against this port. |
| 600 | pcserver backdoor |
See port 1524 for more info.
Some script kiddies feel they’re contributing substantially |
| 635 | mountd |
Linux mountd bug. This is a popular bug that people are scanning for. Most scans on this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports simultaneously). Note that mountd can run at any port (for which you must first do a portmap lookup at port 111), it’s just that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049. |
| 1024 | —– |
Many people ask the question what this port is used for. The answer is that this is the first port number in the dynamic range of ports. Many applications don’t care what port they use for a network connection, so they ask the operating system to assign the “next freely available port”. In point of fact, they as for port 0, but are assigned one starting with port 1024. This means the first application on your system that requests a dynamic port will be assigned port 1024. You can test this fact by booting your computer, then in one window open a Telnet session, and in another window run “netstat -a”. You will see that the Telnet application has been assigned port 1024 for its end of the connection. As more applications request more and more dynamic ports, the operating system will assign increasingly higher port numbers. Again, you can watch this effect with ‘netstat’ as your browse the Internet with your web browser, as each web-page requires a new connection. |
| 1025 | —– | See port 1024. |
| 1026 | —– | See port 1024. |
| 1027 | —– | See port 1024. |
| 1080 | SOCKS |
This protocol tunnels traffic through firewalls, allowing many people behind the firewall access to the Internet through a single IP address. In theory, it should only tunnel inside traffic out towards the Internet. However, it is frequently misconfigured and allows hackers/crackers to tunnel their attacks inwards, or simply bounce through the system to other Internet machines, masking their attacks as if they were coming from you. WinGate, a popular Windows personal firewall, is frequently misconfigured this way. In the year 2000, much activity on this port was for the purpose of connecting to In the year 2003, most of this activity is now by spammers. They are looking for SOCKS There are several websites that maintain lists of open SOCKS servers. In 2002, most of the scans |
| 1114 | SQL | This is rarely probed by itself, but is almost always seen as part of the sscan script. *We have seen numerous port scans including Decoy Scans |
| 1243 | Sub-7 | Trojan Horse(TCP). |
| 1433 | MS SQL |
Microsoft runs its SQL database server on this port.
In the year 2002, several worms started exploiting this port. 2020 *We have seen numerous port scans including Decoy Scans |
| 1434 | MS SQL Service Discovery Protocol worm |
Microsoft’s SQL server uses this port for discovery of SQL services on the local LAN.
On January 26, 2003, the SQLslammer worm took down parts of the Internet in the early hours of the morning. It took advantage of a buffer overflow on this service. Administrators |
| 1524 | ingreslock backdoor |
Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). If you’ve just installed your firewall and are seeing connection attempts on this port, then this may be the cause. Try telnetting to the attempted machine in order to see if it indeed comes up with a shell. Connections to port 600/pcserver also have this problem. IN-99-04 |
| 2049 | NFS |
The NFS program usually runs at this port. Normally, access to portmapper is needed to find which port this service runs on, but since most installations run NFS on this port, hackers/crackers can bypass portmapper and try this port directly. |
| 2766 | listen npls |
Used by Sun Solaris boxes as a printer service, alternative to the standard printer on port 515. Exploit scripts against Solaris machines will frequently bind a shell to this port, similar to the ingreslock port. In particular, a well-known exploit against the snmpXdmid vulnerability left behind a shell on this port. |
| 3128 | squid |
This is the default port for the “squid” HTTP proxy. An attacker scanning for this port is likely searching for a proxy server they can use to surf the Internet anonymously. You may see scans for other proxies at the same time, such as at port 8000/8001/8080/8888. Another cause of scans at this port, for a similar reason, is when users enter chatrooms. Others users (or the servers themselves) will attempt to check this port to see if the user’s machines supports proxying. |
| 5632 | pcAnywhere | You may see lots of these, depending on the sort of segment you are on. When a user opens pcAnywhere, it scans the local Class C range looking for potential agents. Hackers/crackers also scan looking for open machines, so look at the source address to see which it is. Some scans for pcAnywhere frequently also include a UDP packet to port 22. . |
| 6776 | Sub7 artifact |
This port is used separately from the SubSeven main port to transfer data. One example where you might see this is when a master is controling a slave on a dialup line, then the slave machine hangs up. Therefore, when someone else dials-in at that IP address, they will see a continuous stream of connection attempts at this port. |
| 6970 | RealAudio |
Clients receive incoming audio streams from servers on UDP ports in the range 6970-7170. This is setup by the outgoing control connection on TCP port 7070. |
| 13223 | PowWow | The “PowWow” chat program from Tribal Voice. It allows users to open up private chat connections with each other on this port. The program is very aggressive at trying to establish the connection and will “camp” on the TCP port waiting for a response. This causes a connection attempt at regular intervals like a heartbeat. This can be seen by dial-up users who inherit IP addresses from somebody who was chatting with other people: it will appear as if many different people are probing that port. The protocol uses the letters “OPNG” as the first four bytes of its connection attempt. |
| 17027 | Conducent |
Outbound: This is seen on outbound connections. It is caused by users inside the corporation who have installed shareware programs using the Conducent “adbot” wrapper. This wrapper shows advertisements to users of the shareware. A popular shareware program that uses this is PKware. Bill Royds mentions that in his experience, you can block this outbound connection with no problem, but if you block the IP addresses themselves, then the adbots can overload the link trying to reach the servers by continually connecting many times per second. |
| 27374 | Sub-7 | Trojan Horse (TCP).
Also used as a backdoor port left behind by exploit scripts, such as those |
| 30100 | NetSphere | Trojan Horse (TCP). This is a commonly seen scan looking for systems compromised by this trojan. |
| 31337 | Back Orifice “elite” |
This number means “elite” in hacker/cracker spelling (3=E, 1=L, 7=T). Lots of hacker/cracker backdoors run at this port, but the most important is Back Orifice. At one time, this was by far the most popular scan on the Internet. These days, it’s popularity is waning and other remote access trojans are becoming popular. |
| 31789 | Hack-a-tack |
UDP traffic on this port is currently being seen due to the “Hack-a-tack” RAT (Remote Access Trojan). This trojan includes a built-in scanner that scans from port 31790, so any packets FROM 31789 TO 317890 indicate a possible intrusion. (Port 31789 is the control connection; port 31790 is the file transfer connection). |
| 32770 ~ 32900 | RPC services |
Sun Solaris puts most of its RPC services in this range. In particular, older versions of Solaris (pre-2.5.1) put a portmapper in this range, allowing hackers access to this even when low ports are blocked by a firewall. Probes in this range might either be for this portmapper, or for known RPC services that can be exploited. |
| 33434 – 33600 | traceroute |
If you see a series of UDP packets within this port range (and only within thisrange), then it is probably indicative of traceroute. |
| 41508 | Inoculan |
Inoculan on UDP. Older versions of Inoculan apparently generate huge quantities of UDP traffic directed at subnets in order to discover each other. |
Contact us today toll free 1-888-392-9623 to find out more on how Adept Technologies can save you money by utilizing our services and technology.
