Common Internet Ports & Descriptions
Port 0 - Commonly used to help determine the operating system. This works because on some systems, port 0 is "invalid" and will generate a different response when you connect to it vs. a normal closed port.
Port 1 (tcpmux) - Indicates someone searching for SGI Irix machines. Irix is the only major vendor that has implemented tcpmux, and it is enabled by default on Irix machines.
Port 7 (echo) - You will see lots of these from people looking for fraggle amplifiers, sent to addresses of the form x.x.x.0 and x.x.x.255. A common DoS attack is an echo-loop, where the attacker forges a UDP packet from one machine and sends it to the other; both machines then bounce packets off each other as fast as they can.
Port 11 (sysstat) - This is a UNIX service that will list all the running processes on a machine and who started them. This gives an intruder a huge amount of information that might be used to compromise the machine, such as indicating programs with known vulnerabilities or user accounts. It is similar to the contents that can be displayed with the UNIX "ps" command. ICMP doesn't have ports; if you see something that says "ICMP port 11", you probably want.
Port 19 (chargen) - This is a service that simply spits out characters. The UDP version responds with a packet containing garbage characters whenever a UDP packet is received. On a TCP connection, it spits out a stream of garbage characters until the connection is closed. Hackers can take advantage of IP spoofing to use it in denial-of-service attacks.
Port 21 (FTP) - The most common attack you will see is hackers/crackers looking for "open anonymous" FTP servers. These are servers with directories that can be both written to and read from.
Port 22 (ssh PC Anywhere) - Used by PC Anywhere. You will sometimes be scanned from innocent people running this utility.
Port 23 (telnet) - The intruder is looking for a remote login to UNIX. Most of the time intruders scan for this port simply to find out more about what operating system is being used.
Port 25 (smtp) - Spammers are looking for SMTP servers that allow them to "relay" spam. Since spammers keep getting their accounts shut down, they use dial-ups to connect to high bandwidth e-mail servers, and then send a single message to the relay with multiple addresses.
Port 53 (DNS) - DNS. Hackers/crackers may be attempting to do zone transfers (TCP), to spoof DNS (UDP), or even hide other traffic since port 53 is frequently neither filtered nor logged by firewalls.
Port 67, 68 (bootp DHCP) - Bootp/DHCP over UDP. Firewalls hooked to DSL and cable-modem lines see a ton of these sent to the broadcast address 255.255.255.255. These machines are asking for an address assignment from a DHCP server.
Port 69 (TFTP) - (over UDP). Many servers support this protocol in conjunction with BOOTP in order to download boot code to the system. However, they are sometimes misconfigured to provide any file from the system, such as password files. They can also be used to write files to the system.
Port 79 (finger) - I know the name sounds shocking, but it is rather dangerous. Hackers use this port to discover user information, fingerprint the OS, exploit known buffer-overflow bugs, and bounce finger scans through your machine to other machines.
Port 98 (linuxconf) - The utility "linuxconf" provides easy administration of Linux boxen. It includes a web-enabled interface at port 98 through an integrated HTTP server. It has had a number of security issues.
Port 109 (pop2) - POP2 is not nearly as popular as POP3 (see below), but many servers support both (for backwards compatibility). Many of the holes that can be exploited on POP3 can also be exploited via the POP2 port on the same server.
Port 110 (pop3) - POP3 is used by clients accessing e-mail on their servers. POP3 services have many well-known vulnerabilities.
Port 111 - Sun RPC PortMapper/RPCBIND.
Port 113 (identd auth) - This is a protocol that runs on many machines and identifies the user of a TCP connection. In standard usage this reveals a LOT of information about a machine that hackers can exploit. However, it is used for logging by a lot of services, especially FTP, POP, IMAP, SMTP, and IRC servers.
Port 119 (NNTP news) - Network News Transfer Protocol, carries USENET traffic. This is the port used when you have a URL like news://comp.security.firewalls.
Port 135 (local serv MS RPC end point mapper) - Microsoft runs its DCE RPC end-point mapper for its DCOM services at this port.
Port 137 (netbios name server) - (UDP) This is the most common item seen by firewall administrators and is perfectly normal.
Port 139 (netbios file and print sharing) - Incoming connections to this port are trying to reach NetBIOS/SMB, the protocols used for Windows "File and Print Sharing" as well as SAMBA. People sharing their hard disks on this port are in danger.
Port 161 (SNMP) - (UDP) A very common port that intruders probe for. SNMP allows for remote management of devices.
Port 177 (xdmcp) - Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well.
Port 535 (CORBA IIOP) - (UDP) If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port.
Port 1024-1027 - Many people ask what these ports are used for. The answer is that 1024 is the first port number in the dynamic range of ports. Many applications don't care what port they use for a network connection, so they ask the operating system to assign the "next freely available port".
Port 1080 (Socks) - This protocol tunnels traffic through firewalls, allowing many people behind the firewall access to the Internet through a single IP address. In theory, it should only tunnel inside traffic out towards the Internet.
Port 1243 (Sub-7) - Trojan Horse (TCP).
Port 1524 (ingreslock backdoor) - Many attack scripts install a backdoor shell at this port.
Port 3128 (squid) - This is the default port for the "squid" HTTP proxy. An attacker scanning for this port is likely searching for a proxy server they can use to surf the Internet anonymously. You may see scans for other proxies at the same time, such as at port 8000/8001/8080/8888.
Port 5632 (pcAnywhere) - You may see lots of these, depending on the sort of segment you are on. When a user opens pcAnywhere, it scans the local Class C range looking for potential agents. Hackers/crackers also scan looking for open machines, so look at the source address to see which it is.
Port 6776 (sub-7 artifact) - This port is used separately from the SubSeven main port to transfer data.
Port 6970 (RealAudio) - Clients receive incoming audio streams from servers on UDP ports in the range 6970-7170.
Port 13223 (pow wow) - The "PowWow" chat program from Tribal Voice. It allows users to open up private chat connections with each other on this port. The program is very aggressive at trying to establish the connection and will "camp" on the TCP port waiting for a response. This causes a connection attempt at regular intervals like a heartbeat.
Port 17027 (conducent) - Outbound: This is seen on outbound connections. It is caused by users inside the corporation who have installed shareware programs using the Conducent "adbot" wrapper. This wrapper shows advertisements to users of the shareware.
Port 27374 (sub-7) - Trojan Horse (TCP).
Port 30100 (net sphere) - Trojan Horse (TCP).
Port 31337 (back orifice) - This number means "elite" in hacker/cracker spelling. Lots of hacker/cracker backdoors run at this port, but the most important is Back Orifice. At one time, this was by far the most popular scan on the Internet.
Port 31789 (hack-a-track) - This trojan includes a built-in scanner that scans from port 31790, so any packets FROM 31789 TO 31790 indicate a possible intrusion.
Port 33434 - 33600 (traceroute) - Used by traceroute to map the route from one endpoint to another. If you see this, then someone is probably tracing the route from their connection to your IP address.
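The list above doubles as a set of triage heuristics for firewall logs: which hits are background noise (DHCP broadcasts, NetBIOS name queries, traceroute) and which deserve a look (echo/chargen probes to broadcast addresses, known backdoor ports, the 31789 to 31790 hack-a-track signature). The following Python is an added example, not part of the original page; the log line format, the sample lines and the labels are constructed for illustration.

```python
import ipaddress
import re
from typing import Optional

# Port knowledge taken from the list above (names are the page's labels).
BACKDOOR_PORTS = {1243: "Sub-7", 1524: "ingreslock backdoor", 6776: "Sub-7 artifact",
                  27374: "Sub-7", 30100: "NetSphere", 31337: "Back Orifice"}
AMPLIFIER_PORTS = {7: "echo", 19: "chargen"}
TRACEROUTE_RANGE = range(33434, 33601)

# Constructed log format: "<PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$")


def is_broadcast_like(ip: str) -> bool:
    """True for x.x.x.0 / x.x.x.255, the addresses fraggle amplifier probes target."""
    return (int(ipaddress.ip_address(ip)) & 0xFF) in (0, 255)


def classify(line: str) -> Optional[str]:
    """Return a triage label for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, dip = m["proto"], m["dip"]
    sport, dport = int(m["sport"]), int(m["dport"])
    # Benign background traffic first, so it is never mislabelled below.
    if proto == "UDP" and dport in (67, 68) and dip == "255.255.255.255":
        return "benign: DHCP/bootp broadcast"
    if proto == "UDP" and dport == 137:
        return "benign: NetBIOS name-service noise"
    if proto == "UDP" and dport in AMPLIFIER_PORTS and is_broadcast_like(dip):
        return f"suspicious: {AMPLIFIER_PORTS[dport]} probe to broadcast (fraggle amplifier search)"
    if sport == 31789 and dport == 31790:
        return "intrusion: hack-a-track built-in scanner"
    if dport in BACKDOOR_PORTS:
        return f"suspicious: backdoor/trojan port scan ({BACKDOOR_PORTS[dport]})"
    if proto == "UDP" and dport in TRACEROUTE_RANGE:
        return "info: traceroute probe"
    return "unclassified"


def triage(lines):
    """Label every parseable line; unparseable lines are dropped."""
    labelled = [(line, classify(line)) for line in lines]
    return [(line, label) for line, label in labelled if label is not None]
```

Feeding real firewall output only requires adapting LINE_RE to the device's format; the heuristics themselves are the ones the list describes.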