


This page is a companion to my main TCP/IP Ports table. That page lists ports that you might want to open or be aware of in order to use various Internet services.

This page documents DANGEROUS TCP/IP ports: ports used by trojan horse and backdoor programs, or that expose system vulnerabilities, which hackers use to break into your network. These are ports that you definitely want closed, possibly with firewall alarms set on them to detect any external probes or internal compromise.

Please note that unfortunately, trojans can use the same port number as legitimate services; therefore, just because a port shows up, it doesn't necessarily mean that it has been trojanized.

I have found many much better resources for trojan and insecure ports, so instead of trying to list every port here, I am just going to provide links to some sites with good lists, as well as a variety of other security resources. I have placed a particular emphasis on home broadband network security.

Please contact me with any suggestions, corrections, or comments. See below if you have Questions.


FAQ on Port Probes

Firewalls: What am I seeing? is an excellent must-read FAQ on what kind of probes you may be seeing on different ports.

Trojan Port Lists

Additional Resources

Although not specific to trojan ports, you may find the port search resources from my TCP/IP Ports page to be useful.

Trojans in the News and Commonly Probed

As of 2004-07-25, based on news reports and probes I see on my network.

Port  | Trojans                                         | Notes
------|-------------------------------------------------|------
1080  | MyDoom.B, MyDoom.F, MyDoom.G, MyDoom.H          | Registered port for SOCKS.
2283  | Dumaru.Y                                        | Registered port for Lotus Notes LNVSTATUS.
2535  | Beagle.W, Beagle.X, other Beagle/Bagle variants | Registered for MADCAP.
2745  | Beagle.C through Beagle.K                       | Registered port for URBISNET.
3127  | MyDoom.A                                        | Registered port for EMC CTX-Bridge.
3128  | MyDoom.B                                        | Commonly used by the Squid proxy.
3410  | Backdoor.OptixPro.13 and variants               | Registered for NetworkLens SSL Event.
5554  | Sasser through Sasser.C, Sasser.F               | Commonly used by SGI ESP HTTP.
8866  | Beagle.B                                        | Not a registered port; within the range 8800-8900 used by Ultima Online Messenger.
9898  | Dabber.A and Dabber.B                           | Registered for MonkeyCom.
10000 | Dumaru.Y                                        | Registered port for the NDMP network storage backup protocol.
10080 | MyDoom.B                                        | Registered port for the Amanda backup software.
12345 | NetBus                                          | Registered port for the Italk Chat System. Trend Micro OfficeScan antivirus also uses this port.
17300 | Kuang2                                          | Not a registered port.
27374 | SubSeven                                        | Not a registered port.
65506 | various names: PhatBot, Agobot, Gaobot          | In the dynamic/private ports range. More info at "TCP port 65506 proxy scan" and "New Worms scanning on 1025 and others".

MyDoom.A may actually listen on any port in the range 3127 to 3198. Some of these trojans may also use port 80 (the registered HTTP port) and port 8080 (a common alternate HTTP port).

Information mostly from Symantec Security Response (used to be called SARC).
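Here is an added example (mine for this page, not something from Symantec or any other site) of the kind of firewall alarm mentioned at the top of this page: a small shell script that reads firewall log lines and flags any whose destination port appears in the table above. The log lines are constructed in the format OS X's ipfw writes to the system log, not captured from a real machine, and the port-to-name list is copied from the table (names abbreviated). Remember the note above: a hit is a probe worth looking at, not proof that anything is trojanized.

```shell
#!/bin/sh
# Added example: flag firewall log entries whose destination port is in the
# trojan table above. Log lines are constructed in the ipfw log format
# (not taken from a real system); the port list is copied from the table.

# port:name pairs from the table (names abbreviated)
WATCH="1080:MyDoom.B/F/G/H 2745:Beagle.C-K 3127:MyDoom.A 3128:MyDoom.B 5554:Sasser 9898:Dabber 12345:NetBus 27374:SubSeven"

# constructed sample: two probes to watched ports, two to other ports
SAMPLE_LOG='Aug 29 10:58:40 rei ipfw: 65000 Deny TCP 203.0.113.9:3422 192.0.2.10:3127 in via en0
Aug 29 10:58:41 rei ipfw: 65000 Deny TCP 203.0.113.9:3423 192.0.2.10:80 in via en0
Aug 29 10:58:42 rei ipfw: 65000 Deny TCP 198.51.100.7:1040 192.0.2.10:27374 in via en0
Aug 29 10:58:43 rei ipfw: 65000 Deny UDP 198.51.100.7:1034 192.0.2.10:1026 in via en0'

# Reads log lines on stdin and prints "DSTPORT NAME from SRC" for each line
# whose destination port is on the watch list. A hit is a probe to look at,
# not proof that anything on the host is trojanized.
flag_watched_ports() {
    awk -v watch="$WATCH" '
    BEGIN {
        n = split(watch, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); name[kv[1]] = kv[2] }
    }
    / ipfw: / {
        # layout after the "ipfw:" token: RULE ACTION PROTO SRC:PORT DST:PORT DIR via IFACE
        for (f = 1; f <= NF; f++) if ($f == "ipfw:") break
        src = $(f + 4); dst = $(f + 5)
        port = dst; sub(/.*:/, "", port)
        if (port in name) printf "%s %s from %s\n", port, name[port], src
    }'
}

# Number of flagged lines, handy for a threshold alarm in a cron job.
count_watched_probes() {
    flag_watched_ports | grep -c .
}

printf '%s\n' "$SAMPLE_LOG" | flag_watched_ports
```

On a real system you would feed it the firewall log instead of the sample, e.g. `flag_watched_ports < /var/log/system.log` (the log location is an assumption; check where your firewall writes). Note that the line for port 1026 is not flagged because it is not in the trojan table; it belongs to the Messenger Service discussion further down this page.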

Other Dangerous Ports

Please note, the port numbers listed below are not trojans. They are for services that have security vulnerabilities. I have listed these particular ones because you might not recognize them.

These are ports you may want to BLOCK, at least at the edge of your network. (Of course, the best security of all is "default deny", where you block EVERYTHING and then only allow a small number of required services.) An asterisk * in the Notes field indicates that the ports are IANA registered. There is no way I can keep up with all of these, but this is a selection of ones I have noticed. Note that some of these vulnerabilities may be platform-specific.

Service | TCP | UDP | Notes
--------|-----|-----|------
SWAT, RealSecure | 901 | 901 | Samba Web Administration Tool. Also the port that RealSecure IDS listens on for console communications. IANA registered for SMP NAME RES (Simple Messaging Protocol name resolution?). Also used by a trojan.
possible Messenger Service or others | 1026-1029 | 1026-1029 | This low range of the ephemeral ports is a usual place for services to be communicating; however, see the MS Messenger 1026 info.
MS SQL Server | 1433, 1434 | 1433, 1434 | * CERT Advisories CA-2002-22, CA-2003-04.
MS Universal Plug and Play (UPnP) | 1900, 5000, 2869? | 1900, 5000, 2869? | Port 1900 is IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol). Port 5000 is also registered, but not by Microsoft and, I believe, not for this service. Microsoft Security Bulletins: MS01-054, MS01-059. NIPC Advisory 01-030.2, SecurityFocus. Also see the Remote Access Trojan FAQ about port 5000. About 2869 (IANA registered as MS ICSLAP): Microsoft says that starting with Windows XP SP2, the SSDP event notification service will rely on TCP port 2869. Currently this is only a speculative risk.
Remote Desktop Protocol | 3389 | 3389 | Potential for unauthorized use of XP Pro Remote Desktop or XP Remote Assistance.
radmin | 4899 | 4899 | Remote administration of your computer, essentially remote control. See Radmin Default Installation Security Vulnerabilities.
DameWare | 6129 | 6129 | CERT Vulnerability Note VU#909678: DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets.

NET SEND on Windows

There has been a recent (2002-10-11) upsurge in NET SEND spam. This will pop up a window on a Windows machine, using the Messenger Service (note this is different from Windows or MSN Messenger, it's a low-level service built-in to the Windows operating system).

The NET SEND messages are making it past the usual NetBIOS filters (ports 137-139, port 445) because in Windows 2000 and XP, the Messenger Service now works using RPC. A lookup is done on port 135 (epmap, DCE [RPC] endpoint resolution). That tells what high-numbered port the Messenger Service is listening on. The best way to stop this is to permanently disable the Messenger Service. You may also want to block port 135. I have also included information about Microsoft Distributed COM (DCOM), which uses port 135.

You may also want to block port 1026, based on Windows Messenger Popup Spam on UDP Port 1026.

For more information on the NET SEND issue and how to handle it, read:

DCOM info:

Blaster Worm on Windows

The W32 Blaster Worm has gotten a lot of attention recently (2003-08-13). It uses a vulnerability in MS RPC port 135 to compromise a Windows system. For more information, see my page Microsoft RPC and Blaster Worm.

For more information about some of the ports that Windows uses (for legitimate purposes) see the Windows Resources section of my TCP/IP Ports page.

Protecting Yourself

Note that this is not an endorsement or recommendation of any software or services listed.

Security Sites and Guidelines

As a starting point I suggest CERT's Home Network Security. It explains a lot of terminology and technology and gives a comprehensive guide to steps you can take to secure your home network. Their Home Computer Security guide is also good.

I recommend the video Warriors of the Net which gives a good general overview of networking and firewall concepts. It's quite entertaining, really. It is a free download, in MPEG format.

The SANS/FBI list of the Twenty Most Critical Internet Security Vulnerabilities has some useful information, including Appendix A - Common Vulnerable Ports. However be aware that this is quite a technical, detailed report - it's really more targeted at enterprises and organizations rather than home users. As well, in many cases the ports that they list are also the most commonly used ports for normal services, so blocking them may not be practical.

Windows

Microsoft's Protect Your PC site lists the steps you should follow to improve the security of your Windows installation. However note there is more software available than they list, including free versions. See the list in the Windows Security Software section below.

Microsoft's main site for home user security is http://www.microsoft.com/security/home/. The most relevant item for this page is Checklist: Install a Firewall.

I liked the Q&A format in Securing your [Windows] Computer by Marcus Jansson.

The Windows 2000 - Home User Self-Defence guide from UK Security Online is pretty good.

Karl Levinson has a very comprehensive page on microsoft.public.*.security Frequently Asked Questions.

Some relevant USENET groups:

Advanced:

Macintosh

To keep up-to-date with security patches, you should run Software Update and also regularly update your anti-virus signatures (although viruses are in general a fairly minor problem on the Mac platform).

Linux

A good starting point is the comp.os.linux.security FAQ.

Some relevant USENET newsgroups:

Scanning Services

Software to List Open Ports

You may find that you have ports open (e.g. by using the scanning services above) but that doesn't tell you exactly what's going on. It may be a legitimate service is using that port. That's where local software to view what ports are open can come in handy, particularly when it can show what application or process is using each port.

Windows Port Viewer Software

Viewing the process attached to a port is for the most part only supported on NT/2000/XP.

Microsoft Port Reporter (PortRptr.exe). Port Reporter logs TCP and UDP port activity on a local Windows system. Port Reporter is a small application that runs as a service on Windows 2000, Windows XP, and Windows Server 2003. It can only report what app is using the port under XP and 2003.

Macintosh Port Viewer Software

For more advanced network monitoring (more than just viewing ports) some other handy tools are:

Port Viewing on Other Operating Systems

You can also use the netstat -an command on many different operating systems, UNIX/Linux/BSD based in particular (including MacOS X), but also some versions of Windows.

The rather obscurely named lsof (LiSt Open Files) command, with the -i option, will list what program opened a particular port. The command has quite a powerful syntax. It comes with some UNIX and BSD distributions (including MacOS X), and can be downloaded and/or compiled for other distributions. Here are some resources:

I also found an article that said you can get similar information from the Solaris pfiles program and from AIX's pstat, but in both cases, lsof offers more functionality and ease of use.

If you want to capture TCP sessions, you can use tcpflow, which runs on various BSD flavours, including OS X.
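As an added example (mine, not from the lsof project), here is a pair of shell functions that turn `lsof -i -nP` output into a list of listening ports with the program and process ID that owns each, and then mark any port that appears in the trojan table earlier on this page. The sample output is constructed to match lsof's column layout (with -n and -P so addresses and ports are numeric), not captured from a real machine.

```shell
#!/bin/sh
# Added example: list listening ports with their owning process from
# "lsof -i -nP" output, and mark ports that appear in the trojan table.
# The sample lsof output below is constructed, not from a real system.

# port:name pairs from the trojan table (names abbreviated)
WATCH="1080:MyDoom.B/F/G/H 2745:Beagle.C-K 3127:MyDoom.A 3128:MyDoom.B 5554:Sasser 9898:Dabber 12345:NetBus 27374:SubSeven"

SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       312 root    3u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
AppleFileS 340 root    7u  IPv4 0x1a3c      0t0  TCP *:548 (LISTEN)
unknown    812 rick    4u  IPv4 0x1a4d      0t0  TCP *:12345 (LISTEN)
Safari     901 rick   12u  IPv4 0x1a5e      0t0  TCP 192.0.2.10:49200->198.51.100.7:80 (ESTABLISHED)'

# Reads lsof output on stdin; prints "PORT COMMAND PID" for each LISTEN socket.
# The NAME column is the field just before "(LISTEN)"; the port is whatever
# follows the last colon, which also works for IPv6 names like [::1]:22.
listening_ports() {
    awk '$NF == "(LISTEN)" {
        addr = $(NF - 1); port = addr; sub(/.*:/, "", port)
        print port, $1, $2
    }'
}

# Reads listening_ports output and appends "ok" or "CHECK (name)" per line.
# A match means "find out what that program is", not "this is a trojan":
# the table's own notes show legitimate services on several of these ports.
flag_listeners() {
    awk -v watch="$WATCH" '
    BEGIN {
        n = split(watch, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); name[kv[1]] = kv[2] }
    }
    { mark = ($1 in name) ? "CHECK (" name[$1] ")" : "ok"; print $1, $2, $3, mark }'
}

printf '%s\n' "$SAMPLE_LSOF" | listening_ports | flag_listeners
```

On a real machine replace the sample with the live command: `sudo lsof -i -nP | listening_ports | flag_listeners` (sudo so that other users' processes are included).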

Software

Windows Security Software

You may not have the bandwidth to download Microsoft's hundreds of megabytes' worth of patches. Fortunately, they provide many patches and tools on CD.

NOTE: It is always wise to backup your computer before any major new software installation. In Windows XP, you can take a snapshot of the machine's current state by making a Restore Point using the System Restore Wizard. From the MS Help and Support Center:

To access the System Restore Wizard, click Start, and then click Help and Support. Click Performance and Maintenance, click Using System Restore to undo changes, and then click Run the System Restore Wizard. Click Create a restore point, and then click Next.

You can get Windows XP Service Pack 2 free on CD.

In North America, Office Service Packs can be obtained free of charge on CD. Order Office Service Packs on CD-ROMs.


Internet Service Providers - Free Software

Your Internet Service Provider/ISP (the company you get your Internet connection from) may provide free software to protect your Windows computer. Check with your provider. I won't list them all, but here are a few Canadian examples:


More Software

There are many Windows security applications available for download, and often the basic versions are free.

Windows Web Browsers

Web browsers are frequent vectors for attack. No browser is perfect, and you should always keep up-to-date with the latest patches. That being said, Internet Explorer is the most popular browser target for various types of malware, mostly due to its popularity but also partly due to its support for ActiveX.

The Firefox web browser is an alternative.

Microsoft

Microsoft provides some software to add more layers of protection to your computer. Currently (December 2005) these offerings are free and many are in beta. The final business model remains to be seen.

Windows OneCare Live Firewall

Microsoft describes the OneCare Live Firewall as two-way. That means that unlike the built-in Windows XP firewall, which only watches incoming traffic, OneCare looks at both incoming and outgoing traffic.

For more information see:

Built-in Windows Firewalls

There are also some built-in firewall features in recent versions of Windows. In particular, Windows XP Service Pack 2 (XP SP2) has replaced the rather basic Internet Connection Firewall (ICF) with a more advanced one now just called Windows Firewall.

The XP SP2 Windows Firewall is a stateful host firewall that provides protection for computers against incoming traffic. Note that it DOES NOT provide outbound filtering, unlike many of the firewalls in the list above. You can configure it to allow a particular application, or specific ports.

Information about firewalls in previous versions of Windows.

In addition to the free built-in firewall software listed, Microsoft now offers the two-way OneCare Live Firewall.

Mac Security Software

Microsoft updates for Mac software can be found at Mactopia: Downloads. Also see Mactopia: Making sure your version of Office is up to date.

If you're using MacOS X 10.2 Jaguar, you should of course check with the vendor to ensure their application is fully compatible.

The Open Door "Who's There?" Firewall Advisor is a neat product. It takes firewall logs in a number of formats and analyzes them further to give you some more informative reports. The MacOS X version reports directly from the built-in firewall logs.

OS X 10.2

Mac OS X has some built-in firewall features (it uses the BSD ipfw utility) and OS X 10.2 now includes a limited interface to the firewall. The firewall is OFF by default. Logging is also OFF by default, and the interface provides no way to turn it on.

The interface is rather obscurely hidden in System Preferences, under Internet & Network: Sharing, on the middle tab, "Firewall". Unless you have some particularly important reason not to, I recommend you turn it on. If it causes problems, you can always turn it off later. For example, I had a problem doing an FTP upload using SiteMill 2 from Classic - so I just turned the firewall off for the duration of the transfer, and then turned it back on. It does have some really stupid behavior, like interfering with sending email (the email will be sent once you turn the firewall back off).

You can see an image of the OS X 10.2 firewall preferences interface here (image from the Ars Technica review of MacOS X 10.2).

There is some more information in the article Configuring Jaguar's Firewall.

Currently for full control you would either have to write the firewall setup yourself in a text editor, or use one of the configuration utilities.

OS X Firewall Config Utilities

OS X Manual Firewall Configuration

Advanced Users Only

Since MacOS X is based on BSD, it includes the BSD ipfw firewall. To access its full functionality, you will need to use a command line (e.g. the Terminal).

Section 10.7 Firewalls from the FreeBSD Handbook gives a good overview of firewalls and ipfw specifically.

You don't have to worry about any kernel configuration; all the needed features have already been compiled in by Apple (thank goodness).

Writing your own setup in a text file is for advanced users only.

Some basic commands (note that since most of these commands require root access, you will have to preface them with sudo and enter your password to run them):

You can find all of the parameters for ipfw by doing the standard UNIX command

    man ipfw

In order to activate logging, you will need to use the command

    sysctl -w net.inet.ip.fw.verbose=1

This would normally be done as part of a script at startup.

REMINDER If you configure the firewall incorrectly, you can completely screw up your Internet and network connections. Please only try this if you know what you are doing.
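To show what a "default deny" setup (see the Other Dangerous Ports section above) looks like in ipfw terms, here is an added example script of my own, not Apple's or any vendor's configuration. It prints a complete ruleset for the stock ipfw in OS X 10.2 and only runs the commands (through sudo) when you pass --apply, so you can read it before it touches anything. The one service it leaves reachable from outside, ssh on TCP 22, and the rule numbers are assumptions; edit ALLOW_TCP_IN for your own machine.

```shell
#!/bin/sh
# Added example: a default-deny ipfw ruleset for OS X 10.2 (Jaguar).
# Assumptions: the stock ipfw in Jaguar, sudo access, and that ssh (TCP 22)
# is the only service you want reachable from outside. Edit ALLOW_TCP_IN.
ALLOW_TCP_IN="22"

# Print the ipfw commands. Rules are tried in ascending number order and the
# first match wins; anything not explicitly allowed falls through to the
# final deny. Nothing is executed here, only printed.
ipfw_ruleset() {
    echo "ipfw -f flush"
    # loopback traffic is always fine
    echo "ipfw add 00100 allow ip from any to any via lo0"
    # dynamic rules created by keep-state below are checked here
    echo "ipfw add 00200 check-state"
    # this machine may start connections outward; replies come back in via the dynamic rule
    echo "ipfw add 00300 allow tcp from me to any out setup keep-state"
    echo "ipfw add 00310 allow udp from me to any out keep-state"
    # services deliberately exposed to the outside
    for p in $ALLOW_TCP_IN; do
        echo "ipfw add 01000 allow tcp from any to me $p in setup keep-state"
    done
    # probes to ports from the trojan table would hit the final deny anyway;
    # a separate logged rule keeps them easy to spot in the firewall log
    echo "ipfw add 60000 deny log tcp from any to me 3127,3128,5554,12345,27374 in"
    # everything else is denied and logged; do not rely on the kernel's
    # built-in rule 65535, which may be an allow depending on how it was built
    echo "ipfw add 65000 deny log ip from any to any"
    # turn on logging for the "log" rules (the sysctl shown above)
    echo "sysctl -w net.inet.ip.fw.verbose=1"
}

# With --apply, run the ruleset as root; otherwise just show it.
if [ "$1" = "--apply" ]; then
    ipfw_ruleset | sudo sh
else
    ipfw_ruleset
fi
```

Run it once without arguments to review the rules, then with --apply. If you lock yourself out of the network, `sudo ipfw -f flush` from the Terminal removes all rules and you are back to the default (allow everything) state, which is exactly why the REMINDER above applies.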

Here is a report from Macintouch on scanning a default (firewall off) OS X 10.2 install:

For example, here's a scan of an un-firewalled Jaguar box:
[rei:~] rmohns% sudo nmap -v -O -F [hostname]
[...]
The SYN Stealth Scan took 20 seconds to scan 1149 ports.
[...]
Interesting ports on rei.ncipherusa.com (172.24.2.36):
(The 1144 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
427/tcp open svrloc
548/tcp open afpovertcp
Remote OS guesses: FreeBSD 4.4-5 or Mac OS X 10.0.4 (Darwin V. 1.3-1.3.7 or 4P13), FreeBSD 4.4 for i386 (IA-32)
Uptime 5.999 days (since Thu Aug 29 10:58:40 2002)

OS X 10.1 and earlier

Here's some information on firewall configuration for previous versions of Mac OS X. Much of it still applies to Jaguar.

Linux Security Software

Linux has extensive firewall and security features built-in.

Other Security Software

Security Hardware

This page currently lists mostly host-based, software security solutions. As part of a strategy of defence-in-depth, you may also want to add security hardware devices that sit in between your "internal" home network and your connection to the Internet. For the home user, this usually consists of firewall features built-in to a broadband router.

Note that the term "firewall" is bandied about quite freely. Most of the inexpensive boxes only provide NAT (Network Address Translation) and port filtering. This is not the same as a full Stateful Packet Inspection (SPI) firewall.

For this topic in general you should look to other sites on the web for reviews and information, and to the vendor and your ISP for support on how to configure the firewall features of your broadband router.

Some good starting points are:

Another possibility, for advanced users, is to build your own firewall using commodity hardware and free software. There are too many software possibilities for me to list here. I will mention just one that was recommended.

Astaro Security Linux is free for home use. You will still have to register it in order to get a license key. You will of course have to also supply your own hardware to run it on.

Wireless Security

Wireless is becoming a popular technology. Please be aware that there are many security concerns with current wireless implementations. This page does not deal with wireless security, but there are many other good ones that do.

Some starting points:

Free Wi-Fi Security Chapter 8: Unauthorized Access and Privacy (PDF).

Articles on Security

Brian Livingston Window Manager

Brian Livingston's Window Manager columns from InfoWorld on security for "always on" (cable/xDSL) Internet connections.

US National Strategy to Secure Cyberspace

The final version has been released at http://www.securecyberspace.gov/

A lot of the material in the draft has been removed.

For the purposes of this page, the most relevant section is "Level 1: The Home User and Small Business". (Used to be on page 15 of the draft document.) They suggest 5 steps, of which I think 4 are important:

  1. Use a tough password
  2. Maintain an updated anti-virus program
  3. Update patches

And of course, the most relevant one for this page:

  4. Use a firewall

As well, the strategy points to many other (US) network resources on security, including:

The resources they indicate do give useful basic guidelines, but nothing really in the way of detailed technical information. This page tries to provide some of that technical info. Plus I use the term "cyber" a lot less.

Contributing Your Logs For Analysis

Although it may not help you in the short term, one way you can participate in improving Internet security is by contributing your logs for analysis by a third party. Of course, you will have to decide for yourself whether you have any privacy or security concerns about this.

Help I'm Being Hacked

I sometimes get questions from people who are seeing unusual Internet traffic or experiencing other Internet security problems. Unfortunately, the resources available (that I know of) are mainly targeted at helping companies recover from security breaches, rather than individuals. My main advice is: remain calm. Try to determine if it is a serious (i.e. criminal) problem, or just some unusual network traffic. A good place to start is the FAQ way at the top of this document; it has lots of information that will help you identify most common types of port probes. Here are some other resources:

Network Ice has an article Oh my gosh, I'm being HACKED!!! What do I do now?

SANS has a report on Incident Handling Step by Step but it is mainly targeted at corporate networks dealing with Unix trojans and related Denial of Service issues. Network Magazine also has an article on Incident Handling that discusses planning, the law and who to contact, and incident response steps.

Reporting Serious Computer Crime

If the nature of the problem is cyberstalking or other related personally directed attacks, you can try Wired Patrol.

Other resources you can try are your ISP (Internet Service Provider, the company that provides your Internet service), the attacker's ISP, and local law enforcement.

United States

Canada

European Union

You may also be interested in the EU's Internet Action Plan (IAP), of which Safer Internet is a part.

United Kingdom

Australia

I am told to contact your local police; they will then refer it on to your state's computer crimes unit.

Everywhere Else

Sorry, I don't know. I would assume local or national policing authorities.

Spam Scams (including Phishing)

United States

In the US, forward all spam (junk email) to the Federal Trade Commission's collection address for Unsolicited Commercial Email: uce@ftc.gov

Canada

In Canada, the main organization set up to deal with phone / snailmail / email fraud is PhoneBusters.

You can forward "Nigerian scams" (advance fee fraud) to them at the West African Fraud Letter address: wafl@phonebusters.com. For anything else, contact them at info@phonebusters.com.

You can read more in the e-mail section of the Scams FAQ from the RCMP.

More Resources

Google has an overwhelming list of resources for dealing with Internet abuse in its directory Computers > Internet > Abuse


Firewall Books

If you want to understand more advanced concepts and detail about firewalls, there are lots of resources available.

The first edition of the classic Cheswick and Bellovin book Firewalls and Internet Security: Repelling the Wily Hacker is available in its entirety for free online.

Some sample chapters from the second edition are available:

Free chapters from other books:

For a good general overview of computer and network security, I highly recommend the book Secrets and Lies by Bruce Schneier. Go to the library (note for Internet users: large quiet building filled with books - most towns have one) and borrow it. Or even buy it. The book webpage has some excerpts.


Questions

For general suggestions, corrections, or comments please feel free to contact me by email.

For questions specifically about TCP/IP ports visit my QuickTopic: Discuss TCP/IP Ports.

Otherwise I suggest you try


Copyright © 2000-2005 Richard Akerman. All Rights Reserved. No mirroring without prior written consent.

