Ports
There are thousands of ports. It's important to know some of them by heart, because you will need to recognize them quickly. For the others, if you are looking in your logs and see an odd request, for say port 6667, then you might have a SubSeven or Trinity Trojan on your system. Keep in mind that 6667 is also the default IRC server port, which is exactly why IRC-controlled tools such as Trinity use it, so check which process owns the socket before drawing conclusions. Beware!
Note
Well-known ports are those in the range of 0 through 1023.
The Registered Ports are those from 1024 through 49151.
The Dynamic and/or Private Ports are those from 49152 through 65535.
WELL-KNOWN PORT NUMBERS
The Well-Known Ports are assigned by the IANA, and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
Ports are used in the TCP [RFC793] to name the ends of logical connections that carry long-term conversations. For the purpose of providing services to unknown callers, a service contact port is defined. This list specifies the port used by the server process as its contact port. The contact port is sometimes called the "well-known port".
To the extent possible, these same port assignments are used with the UDP [RFC768].
These ports (of great interest) are not officially assigned to the applications listed; they are simply the ports those tools use by default. If you have any of these open, I strongly suggest that you close them. If your server is acting strangely, check for rootkits and check this list.
Ports used by Backdoor Tools
(Source: garykessler.net/library/bad_ports.html)
Port/proto | Tool(s)
31/tcp | Agent 31, Hackers Paradise, Masters Paradise
1170/tcp | Psyber Stream
1234/tcp | Ultors Trojan
1243/tcp | SubSeven server
1981/tcp | ShockRave
2001/tcp | Trojan Cow
2023/tcp | Ripper Pro
2140/udp | Deep Throat, Invasor
2989/tcp | Rat backdoor
3024/tcp | WinCrash
3150/tcp | Deep Throat, Invasor
3700/tcp | Portal of Doom
4950/tcp | ICQ Trojan
6346/tcp | Gnutella
6400/tcp | The Thing
6667/tcp | Trinity intruder-to-master and master-to-daemon; SubSeven server (default for V2.1 Icqfix and beyond)
6670/tcp | Deep Throat
12345/tcp | NetBus 1.x, GabanBus, Pie Bill Gates, X-Bill
12346/tcp | NetBus 1.x
16660/tcp | Stacheldraht intruder-to-master
18753/udp | Shaft master-to-daemon
20034/tcp | NetBus 2 Pro
20432/tcp | Shaft intruder-to-master
20433/udp | Shaft daemon-to-master
27374/tcp | SubSeven server (default for V2.1-Defcon)
27444/udp | Trinoo master-to-daemon
27665/tcp | Trinoo intruder-to-master
30100/tcp | NetSphere
31335/udp | Trinoo daemon-to-master
31337/tcp | Back Orifice, Baron Night, Bo Facil
33270/tcp | Trinity master-to-daemon
33567/tcp | Backdoor rootshell via inetd (from Lion worm)
33568/tcp | Trojaned version of SSH (from Lion worm)
40421/tcp | Masters Paradise Trojan horse
60008/tcp | Backdoor rootshell via inetd (from Lion worm)
65000/tcp | Stacheldraht master-to-daemon
If you find one of these ports open during a scan or by other means, treat it as a strong indication that the system may have been compromised, but not as proof: first identify the process that owns the listening socket (netstat, ss or lsof on the host itself) and compare it with what should be running there.
Depending on your configuration you can run one of several rootkit-detection tools to attempt detection. Sometimes it may be necessary to start clean and rebuild the server from a known-good install.
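One way to put the table above to work, as an added example that is not part of the original chapter or of garykessler.net: parse the table in its own "port/proto | tools" layout, then run listening-socket output through it and flag anything that matches, while noting the ports that also have a legitimate use. The listener lines below imitate the shape of `ss -tulpn` output and are constructed for the demo, not taken from a real machine; the process names and PIDs in them are assumptions.

```python
import re
from typing import Dict, List, Tuple

# The chapter's backdoor-port table, in its own "port/proto | tools" layout.
BAD_PORT_TABLE = """\
31/tcp | Agent 31, Hackers Paradise, Masters Paradise
1170/tcp | Psyber Stream
1234/tcp | Ultors Trojan
1243/tcp | SubSeven server
1981/tcp | ShockRave
2001/tcp | Trojan Cow
2023/tcp | Ripper Pro
2140/udp | Deep Throat, Invasor
2989/tcp | Rat backdoor
3024/tcp | WinCrash
3150/tcp | Deep Throat, Invasor
3700/tcp | Portal of Doom
4950/tcp | ICQ Trojan
6346/tcp | Gnutella
6400/tcp | The Thing
6667/tcp | Trinity intruder-to-master and master-to-daemon; SubSeven server (V2.1 Icqfix and beyond)
6670/tcp | Deep Throat
12345/tcp | NetBus 1.x, GabanBus, Pie Bill Gates, X-Bill
12346/tcp | NetBus 1.x
16660/tcp | Stacheldraht intruder-to-master
18753/udp | Shaft master-to-daemon
20034/tcp | NetBus 2 Pro
20432/tcp | Shaft intruder-to-master
20433/udp | Shaft daemon-to-master
27374/tcp | SubSeven server (V2.1-Defcon)
27444/udp | Trinoo master-to-daemon
27665/tcp | Trinoo intruder-to-master
30100/tcp | NetSphere
31335/udp | Trinoo daemon-to-master
31337/tcp | Back Orifice, Baron Night, Bo Facil
33270/tcp | Trinity master-to-daemon
33567/tcp | Backdoor rootshell via inetd (Lion worm)
33568/tcp | Trojaned version of SSH (Lion worm)
40421/tcp | Masters Paradise Trojan horse
60008/tcp | Backdoor rootshell via inetd (Lion worm)
65000/tcp | Stacheldraht master-to-daemon
"""

# Ports from the table that also carry ordinary traffic; a hit on these
# needs the owning process checked rather than an automatic verdict.
DUAL_USE = {6667: "IRC (default server port)", 6346: "Gnutella P2P"}


def parse_table(text: str) -> Dict[Tuple[int, str], str]:
    """Turn the 'port/proto | tools' lines into a (port, proto) -> tools map."""
    table: Dict[Tuple[int, str], str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)/(tcp|udp)\s*\|\s*(.+?)\s*$", line)
        if m:
            table[(int(m.group(1)), m.group(2))] = m.group(3)
    return table


BAD_PORTS = parse_table(BAD_PORT_TABLE)


def port_class(port: int) -> str:
    """IANA range the port falls in (well-known, registered, dynamic/private)."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


# Constructed sample in the shape of `ss -tulpn` output (not real host data).
SAMPLE_LISTENERS = """\
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 0.0.0.0:31337 0.0.0.0:* users:(("bo",pid=4521,fd=5))
udp   UNCONN 0 0   0.0.0.0:27444 0.0.0.0:* users:(("ns",pid=4533,fd=4))
tcp   LISTEN 0 50  0.0.0.0:6667  0.0.0.0:* users:(("ircd",pid=1200,fd=6))
tcp   LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=20))
"""

# proto, state, recv-q, send-q, local addr:port, peer, users:(("name",pid=N ...
LISTENER_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def find_suspects(ss_output: str) -> List[dict]:
    """Return one record per listener whose (port, proto) is in the table."""
    hits: List[dict] = []
    for line in ss_output.splitlines():
        m = LISTENER_RE.match(line)
        if not m:
            continue  # header or an unparseable line; skip it
        proto, port, proc, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        tools = BAD_PORTS.get((port, proto))
        if tools is None:
            continue
        hits.append({"port": port, "proto": proto, "process": proc, "pid": pid,
                     "tools": tools, "class": port_class(port),
                     "legit_use": DUAL_USE.get(port)})  # None when no known benign use
    return hits


if __name__ == "__main__":
    for h in find_suspects(SAMPLE_LISTENERS):
        print(f"{h['port']}/{h['proto']} ({h['class']}) pid={h['pid']} {h['process']}: "
              f"{h['tools']}" + (f" [also {h['legit_use']}]" if h["legit_use"] else ""))
```

The match is on the (port, protocol) pair, so 2140/udp is flagged but 2140/tcp is not, mirroring the table. The record carries the owning process and PID precisely because the port alone settles nothing: the 6667 hit above belongs to an IRC daemon and is reported with its legitimate use, whereas a listener named "bo" on 31337 is what you would then go and inspect.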
At the end of this chapter you will find a list of well-known and registered ports and their protocols along with their purpose.