This page is a companion to my main TCP/IP Ports table. That page lists ports that you might want to open or be aware of in order to use various Internet services.
This page documents DANGEROUS TCP/IP ports: ports used by trojan horse and backdoor programs, or belonging to services with known vulnerabilities, which attackers use to break into your network. These are ports that you definitely want closed, ideally with firewall alarms set on them to detect external probes or an internal compromise.
Please note that, unfortunately, a trojan can use the same port number as a legitimate service, so an open port does not by itself mean the machine has been trojanized. To tell the difference you need to find out which program is actually bound to the port; see the local port-viewing tools further down this page.
I have found many much better resources for trojan and insecure ports, so instead of trying to list every port here, I am just going to provide links to some sites with good lists, as well as a variety of other security resources. I have placed a particular emphasis on home broadband network security.
Please contact me with any suggestions, corrections, or comments. See below if you have Questions.
Firewalls: What am I seeing? is an excellent must-read FAQ on what kind of probes you may be seeing on different ports.
Although not specific to trojan ports, you may find the port search resources from my TCP/IP Ports page to be useful.
As of 2004-07-25, based on news reports and probes I see on my network.
Port | Trojans | Notes |
---|---|---|
1080 | MyDoom.B, MyDoom.F, MyDoom.G, MyDoom.H | registered port for SOCKS |
2283 | Dumaru.Y | registered port for Lotus Notes LNVSTATUS |
2535 | Beagle.W, Beagle.X, other Beagle/Bagle variants | registered for MADCAP |
2745 | Beagle.C through Beagle.K | registered port for URBISNET |
3127 | MyDoom.A | registered port for EMC CTX-Bridge |
3128 | MyDoom.B | This port is commonly used by the squid proxy. |
3410 | Backdoor.OptixPro.13 and variants | This port is registered for NetworkLens SSL Event. |
5554 | Sasser through Sasser.C, Sasser.F | This port is commonly used by SGI ESP HTTP. |
8866 | Beagle.B | not a registered port. within a range 8800-8900 used by Ultima Online Messenger. |
9898 | Dabber.A and Dabber.B | This port is registered for MonkeyCom. |
10000 | Dumaru.Y | This is the registered port for the NDMP network storage backup protocol. |
10080 | MyDoom.B | This is the registered port for the Amanda backup software. |
12345 | NetBus | This is the registered port for the Italk Chat System. TrendMicro OfficeScan antivirus also uses this port. |
17300 | Kuang2 | not a registered port. |
27374 | SubSeven | not a registered port. |
65506 | various names: PhatBot, Agobot, Gaobot | in the dynamic/private ports range. More info at TCP port 65506 proxy scan and New Worms scanning on 1025 and others |
MyDoom.A opens its backdoor on port 3127, but if that port is already in use it moves up to the next free one, so it may actually use any port from 3127 to 3198. Some of these trojans may also use port 80 (the registered HTTP port) and 8080 (a common alternative HTTP port).
Information mostly from Symantec Security Response (used to be called SARC).
Please note, the port numbers listed below are not trojans. They are for services that have security vulnerabilities. I have listed these particular ones because you might not recognize them.
These are ports you may want to BLOCK, at least at the edge of your network. (Of course, the best security of all is "default deny": block EVERYTHING inbound and then allow only the small number of services you actually require.) An asterisk * in the Notes field indicates that the port is IANA registered. There is no way I can keep up with all of these, but this is a selection of ones I have noticed. Note that some of these vulnerabilities may be platform-specific.
Service | TCP | UDP | Notes |
---|---|---|---|
SWAT, RealSecure | 901 | 901 | Samba Web Administration Tool. Also port that RealSecure IDS listens on for console communications. IANA registered for SMP NAME RES (Simple Messaging Protocol name resolution?). Also used by a Trojan. |
possible Messenger Service or others | 1026-1029 | 1026-1029 | This low range of the ephemeral ports is where dynamically assigned Windows RPC services (the Messenger Service among them) usually end up listening; see the MS Messenger port 1026 information below |
MS SQL Server | 1433, 1434 | 1433, 1434 | * CERT Advisories CA-2002-22, CA-2003-04 |
MS Universal Plug and Play (UPnP) | 1900, 5000, 2869? | 1900, 5000, 2869? | Port 1900 is IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol). Port 5000 is also registered, but not by Microsoft, and not for this service I don't think. Microsoft Security Bulletins: MS01-054, MS01-059. NIPC Advisory 01-030.2, SecurityFocus. Also see the Remote Access Trojan FAQ about port 5000. About 2869 (which is IANA registered as MS ICSLAP), Microsoft says starting with Windows XP SP2, SSDP event notification service will rely on TCP port 2869. Currently this is only a speculative risk. |
Remote Desktop Protocol | 3389 | 3389 | potential for unauthorized use of XP Pro Remote Desktop or XP Remote Assistance |
radmin | 4899 | 4899 | remote administration of your computer, essentially remote control. See Radmin Default Installation Security Vulnerabilities. |
DameWare | 6129 | 6129 | CERT Vulnerability Note VU#909678 DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets |
There has been a recent (2002-10-11) upsurge in NET SEND spam. This pops up a window on a Windows machine via the Messenger Service (note this is different from Windows Messenger or MSN Messenger; it's a low-level service built in to the Windows operating system).
The NET SEND messages get past the usual NetBIOS filters (ports 137-139 and 445) because in Windows 2000 and XP the Messenger Service is reached over RPC rather than NetBIOS. The sender first queries port 135 (epmap, the DCE RPC endpoint mapper) to learn which high-numbered dynamic port the Messenger Service is listening on, then delivers the message to that port. The best way to stop this is to permanently disable the Messenger Service. Blocking port 135 at your firewall helps too, but it does not stop senders who skip the lookup and send straight to the dynamic port (see the note on UDP 1026 below). I have also included information about Microsoft Distributed COM (DCOM), which also uses port 135.
You may also want to block port 1026, based on Windows Messenger Popup Spam on UDP Port 1026.
For more information on the NET SEND issue and how to handle it, read:
DCOM info:
The W32 Blaster Worm has gotten a lot of attention recently (2003-08-13). It uses a vulnerability in MS RPC port 135 to compromise a Windows system. For more information, see my page Microsoft RPC and Blaster Worm.
For more information about some of the ports that Windows uses (for legitimate purposes) see the Windows Resources section of my TCP/IP Ports page.
Note that this is not an endorsement or recommendation of any software or services listed.
As a starting point I suggest CERT's Home Network Security. It explains a lot of terminology and technology and gives a comprehensive guide to steps you can take to secure your home network. Their Home Computer Security guide is also good.
I recommend the video Warriors of the Net which gives a good general overview of networking and firewall concepts. It's quite entertaining, really. It is a free download, in MPEG format.
The SANS/FBI list of the Twenty Most Critical Internet Security Vulnerabilities has some useful information, including Appendix A - Common Vulnerable Ports. However be aware that this is quite a technical, detailed report - it's really more targeted at enterprises and organizations rather than home users. As well, in many cases the ports that they list are also the most commonly used ports for normal services, so blocking them may not be practical.
Microsoft's Protect Your PC site lists the steps you should follow to improve the security of your Windows installation. However note there is more software available than they list, including free versions. See the list in the Windows Security Software section below.
Microsoft's main site for home user security is http://www.microsoft.com/security/home/. The most relevant item for this page is Checklist: Install a Firewall.
I liked the Q&A format in Securing your [Windows] Computer by Marcus Jansson.
The Windows 2000 - Home User Self-Defence guide from UK Security Online is pretty good.
Karl Levinson has a very comprehensive page on microsoft.public.*.security Frequently Asked Questions.
Some relevant USENET groups:
Advanced:
To keep up to date with security patches, you should run Software Update regularly and also keep your anti-virus signatures current (although viruses are in general a fairly minor problem on the Mac platform).
A good starting point is the comp.os.linux.security FAQ.
Some relevant USENET newsgroups:
You may find that you have ports open (e.g. by using the scanning services above), but that doesn't tell you exactly what's going on: a legitimate service may be using the port. That's where local software to view what ports are open comes in handy, particularly when it can show which application or process is using each port.
On Windows, viewing the process attached to a port is for the most part only supported on NT/2000/XP.
Microsoft Port Reporter (PortRptr.exe).
Port Reporter logs TCP and UDP port activity on a local Windows system.
Port Reporter is a small application that runs as a service on Windows 2000, Windows XP, and Windows Server 2003.
It can only report what app is using the port under XP and 2003.
For more advanced network monitoring (more than just viewing ports) some other handy tools are:
You can also use the netstat -an command on many operating systems, UNIX/Linux/BSD based in particular (including MacOS X), but also most versions of Windows. To see which program owns each port as well, add -p on Linux (netstat -anp, run as root), or -o (process ID) on Windows XP and -b (program name) on XP SP2 and later (netstat -anob).
The rather obscurely named lsof (LiSt Open Files) command will, with the -i option, list which program has opened each network port; add -n and -P to skip host and service name lookups so the raw addresses and port numbers are shown. The command has quite a powerful syntax. It comes with some UNIX and BSD distributions (including MacOS X), and can be downloaded and/or compiled for others. Here are some resources:
I also found an article that said you can get similar information from the Solaris pfiles program and from AIX's pstat, but in both cases lsof offers more functionality and ease of use.
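A worked example, added to this page and not part of the original text, that ties the trojan table near the top of the page to the port-viewing tools just described: a Python script that parses netstat -an output in the Linux, BSD/Mac OS X or Windows column layouts and, optionally, lsof -i -n -P output, then flags listening ports that appear in the trojan table and names the process bound to each one when lsof data is available. The netstat and lsof output it embeds, including the process name "kdaemon", is constructed for the example; the port table is copied from this page (as of 2004-07-25). Run it as-is to see the sample, or call suspicious_ports() with the captured text of your own commands.

```python
"""Flag listening ports that appear in the trojan table on this page and,
when lsof output is available, name the process bound to each one.
Added example for this page; the sample command output below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Port table from earlier on this page (as of 2004-07-25).  A match is a
# reason to look closer, not proof of compromise: several of these are also
# legitimate registered ports (SOCKS, squid, NDMP, Amanda, ...).
TROJAN_PORTS: Dict[int, str] = {
    1080: "MyDoom.B/F/G/H (also the SOCKS port)",
    2283: "Dumaru.Y",
    2535: "Beagle.W/X and other Beagle/Bagle variants",
    2745: "Beagle.C through Beagle.K",
    3127: "MyDoom.A",
    3128: "MyDoom.B (also the usual squid proxy port)",
    3410: "Backdoor.OptixPro.13 and variants",
    5554: "Sasser through Sasser.C, Sasser.F",
    8866: "Beagle.B",
    9898: "Dabber.A/B",
    10000: "Dumaru.Y (also NDMP)",
    10080: "MyDoom.B (also Amanda)",
    12345: "NetBus (also Italk and OfficeScan)",
    17300: "Kuang2",
    27374: "SubSeven",
    65506: "PhatBot/Agobot/Gaobot",
}
# MyDoom.A moves to the next free port when 3127 is busy, up to 3198.
for _p in range(3127, 3199):
    TROJAN_PORTS.setdefault(_p, "MyDoom.A (fallback from 3127, up to 3198)")


def trojan_note(port: int) -> Optional[str]:
    """Return the trojan associated with a port, or None if it is not listed."""
    return TROJAN_PORTS.get(port)


def parse_netstat(text: str) -> List[Tuple[str, int, str]]:
    """Parse `netstat -an` output (Linux, BSD/Mac OS X or Windows column
    layout) into (proto, local_port, state) for sockets that accept traffic:
    TCP listeners and bound UDP ports.  Client-side connections are skipped,
    since their local port is just an ephemeral number."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].lower().startswith(("tcp", "udp")):
            continue
        proto = f[0].lower()[:3]
        if len(f) >= 4 and f[1].isdigit() and f[2].isdigit():
            # Unix: Proto Recv-Q Send-Q Local Foreign [State]
            local, state = f[3], (f[5] if len(f) > 5 else "")
        else:
            # Windows: Proto Local Foreign [State]
            local, state = f[1], (f[3] if len(f) > 3 else "")
        m = re.search(r"[.:](\d+)$", local)   # "0.0.0.0:3127", "*.3127", ":::3127"
        if not m:
            continue
        if proto == "tcp" and not state.upper().startswith("LISTEN"):
            continue
        found.append((proto, int(m.group(1)), state or "bound"))
    return found


def parse_lsof(text: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Parse `lsof -i -n -P` output into {(proto, port): (command, pid)} for
    listening sockets; NAME entries containing "->" are connections, not listeners."""
    owners: Dict[Tuple[str, int], Tuple[str, int]] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] == "COMMAND":
            continue
        proto, name = f[7].lower(), f[8]
        m = re.search(r":(\d+)$", name)
        if m and "->" not in name:
            owners[(proto, int(m.group(1)))] = (f[0], int(f[1]))
    return owners


def suspicious_ports(netstat_text: str, lsof_text: str = "") -> List[dict]:
    """Join the two views and return one record per port in the trojan table."""
    owners = parse_lsof(lsof_text)
    hits = []
    for proto, port, state in parse_netstat(netstat_text):
        note = trojan_note(port)
        if note:
            cmd, pid = owners.get((proto, port), ("unknown", 0))
            hits.append({"proto": proto, "port": port, "state": state,
                         "trojan": note, "command": cmd, "pid": pid})
    return hits


# Constructed sample output (Linux netstat layout); not from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27374           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:3127        10.0.0.9:80             ESTABLISHED
udp        0      0 0.0.0.0:1026            0.0.0.0:*
"""
# Constructed `lsof -i -n -P` output; "kdaemon" is a made-up process name.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      512 root    3u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
squid     730 proxy   9u  IPv4 0x1a2c      0t0  TCP *:3128 (LISTEN)
kdaemon  4242 bob     5u  IPv4 0x1a2d      0t0  TCP *:27374 (LISTEN)
"""

if __name__ == "__main__":
    for hit in suspicious_ports(SAMPLE_NETSTAT, SAMPLE_LSOF):
        print(f"{hit['proto']}/{hit['port']} {hit['state']}: {hit['trojan']} "
              f"-- bound by {hit['command']} (pid {hit['pid']})")
```

Because the table is only a list of numbers, the script deliberately ignores established client connections: in the sample, the outbound connection whose local port happens to be 3127 is just an ephemeral port and is not reported, while the listener on 3128 is reported together with its process name, so you can see it is squid rather than MyDoom.B.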
If you want to capture TCP sessions, you can use tcpflow, which runs on various BSD flavours, including OS X.
You may not have the bandwidth to download Microsoft's hundreds of megs worth of patches. Fortunately, they provide many patches and tools on CD.
NOTE: It is always wise to backup your computer before any major new software installation. In Windows XP, you can take a snapshot of the machine's current state by making a Restore Point using the System Restore Wizard. From the MS Help and Support Center:
To access the System Restore Wizard, click Start, and then click Help and Support. Click Performance and Maintenance, click Using System Restore to undo changes, and then click Run the System Restore Wizard. Click Create a restore point, and then click Next.
You can get Windows XP Service Pack 2 free on CD.
In North America, Office Service Packs can be obtained free of charge on CD.
Order Office Service Packs on CD-ROMs.
Your Internet Service Provider/ISP (the company you get your Internet connection from) may provide free software to protect your Windows computer. Check with your provider. I won't list them all, but here are a few Canadian examples:
There are many Windows security applications available for download, and often the basic versions are free.
Free 12-month software subscription to CA's eTrust EZ Armor-LE Antivirus and Firewall security suite. Valid for new users only. Limit 1 per household.
Web browsers are frequent vectors for attack. No browser is perfect, and you should always keep up to date with the latest patches. That being said, Internet Explorer is the browser most often targeted by malware, mostly because of its market share but also partly because of its support for ActiveX.
The Firefox web browser is an alternative.
Microsoft provides some software to add more layers of protection to your computer. Currently (December 2005) these offerings are free and many are in beta. The final business model remains to be seen.
Runs quietly in the background, providing anti-virus and firewall protection.
The beta version of Windows OneCare Live is free, though the final service will be a paid subscription.
Microsoft describes the OneCare Live Firewall as two-way. That means that unlike the built-in Windows XP firewall, which only watches incoming traffic, OneCare looks at both incoming and outgoing traffic.
For more information see:
There are also some built-in firewall features in recent versions of Windows. In particular, Windows XP Service Pack 2 (XP SP2) has replaced the rather basic Internet Connection Firewall (ICF) with a more advanced one now just called Windows Firewall.
The XP SP2 Windows Firewall is a stateful host firewall that protects the computer against unwanted incoming traffic. Note that it DOES NOT provide outbound filtering, unlike many of the firewalls in the list above. You can configure it to allow a particular application, or specific ports.
Information about firewalls in previous versions of Windows.
In addition to the free built-in firewall software listed, Microsoft now offers the two-way OneCare Live Firewall.
Microsoft updates for Mac software can be found at Mactopia: Downloads. Also see Mactopia: Making sure your version of Office is up to date.
If you're using MacOS X 10.2 Jaguar, you should of course check with the vendor to ensure their application is fully compatible.
The Open Door "Who's There?" Firewall Advisor is a neat product. It takes firewall logs in a number of formats and analyzes them further to give you some more informative reports. The MacOS X version reports directly from the built-in firewall logs.
Mac OS X has some built-in firewall features (it uses the BSD ipfw packet filter), and OS X 10.2 now includes a limited interface to it. The firewall is OFF by default. Logging is also OFF by default, and the interface provides no way to turn it on.
The interface is rather obscurely hidden in System Preferences... Internet and Network: Sharing, the middle tab "Firewall". Unless you have some particularly important reason not to, I recommend you turn it on. If it causes problems, you can always turn it off later. For example, I had a problem doing an FTP upload using SiteMill 2 from Classic - so I just turned the firewall off for the duration of the transfer, and then turned it back on. It does have some really stupid behavior, like interfering with sending email (the email will be sent once you turn the firewall back off).
You can see an image of the OS X 10.2 firewall preferences interface here (image from the Ars Technica review of MacOS X 10.2).
There is some more information in the article Configuring Jaguar's Firewall.
Currently for full control you would either have to write the firewall setup yourself in a text editor, or use one of the configuration utilities.
Advanced Users Only
Since MacOS X is based on BSD, it includes the BSD ipfw firewall. To access its full functionality, you will need to use a command line (e.g. the Terminal).
Section 10.7 Firewalls from the FreeBSD Handbook gives a good overview of firewalls and ipfw specifically.
You don't have to worry about any kernel configuration stuff, all the needed features have already been compiled in by Apple (thank goodness:)
Writing your own setup in a text file is for advanced users only.
Some basic commands (note that since most of these commands require root access, you will have to preface them with sudo and enter your password to run them):
You can find all of the parameters for ipfw by doing the standard UNIX command
man ipfw
In order to activate logging, you will need to use the command
sysctl -w net.inet.ip.fw.verbose=1
This would normally be done as part of a script at startup.
REMINDER If you configure the firewall incorrectly, you can completely screw up your Internet and network connections. Please only try this if you know what you are doing.
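As an added example (not from this page, Apple, or the FreeBSD Handbook), here is a Python script that generates a default-deny ipfw ruleset for a single Mac OS X or BSD host and audits a ruleset for the usual mistakes: an allow-everything rule, no final deny, and logging left off. It prints the commands rather than running them, so you can read them first and then apply them with sudo (for example, python ipfw_rules.py | sudo sh). The inbound service it allows (SSH on TCP 22) and the script file name are assumptions for the example; the sysctl line is the logging command given above.

```python
"""Generate and audit a default-deny ipfw ruleset for one Mac OS X / BSD host.
Added example for this page; review the output before piping it to `sudo sh`."""
from typing import Iterable, List, Optional, Tuple

ALLOW_WORDS = {"allow", "accept", "pass", "permit"}   # ipfw synonyms
DENY_WORDS = {"deny", "drop"}
LOG_SYSCTL = "sysctl -w net.inet.ip.fw.verbose=1"    # switch on rule logging


def build_ruleset(allow_tcp: Iterable[int] = (), allow_udp: Iterable[int] = (),
                  log_denied: bool = True) -> List[str]:
    """Return ipfw shell commands, in order: loopback, stateful outbound,
    the inbound services you explicitly allow, then deny everything else."""
    rules = [
        "ipfw -f flush",                                  # start from an empty table
        LOG_SYSCTL,
        "ipfw add 100 allow ip from any to any via lo0",  # local processes talk freely
        "ipfw add 200 check-state",                       # replies to flows we opened
        "ipfw add 300 allow tcp from me to any out setup keep-state",
        "ipfw add 310 allow udp from me to any out keep-state",
        "ipfw add 320 allow icmp from any to any icmptypes 0,3,8,11",  # ping, unreachable, ttl
    ]
    num = 1000
    for port in sorted(set(allow_tcp)):   # example assumption: SSH on 22
        rules.append(f"ipfw add {num} allow tcp from any to me {port} in setup keep-state")
        num += 10
    for port in sorted(set(allow_udp)):
        rules.append(f"ipfw add {num} allow udp from any to me {port} in keep-state")
        num += 10
    # Anything not matched above is dropped (and logged, so probes show up).
    rules.append("ipfw add 65000 deny %sip from any to any" % ("log " if log_denied else ""))
    return rules


def _parse_add(cmd: str) -> Optional[Tuple[int, str, str]]:
    """Split 'ipfw add <number> <action> <body>'.  Rules without an explicit
    number are not audited, because ipfw then chooses their position."""
    parts = cmd.split()
    if len(parts) < 5 or parts[:2] != ["ipfw", "add"] or not parts[2].isdigit():
        return None
    return int(parts[2]), parts[3], " ".join(parts[4:])


def audit_ruleset(rules: Iterable[str]) -> List[str]:
    """Report the classic mistakes: an allow-everything rule, no final
    deny-all (Apple's built-in rule 65535 is an allow, so without your own
    final deny nothing is blocked), and logging never switched on."""
    rules = list(rules)
    parsed = sorted(p for p in map(_parse_add, rules) if p)
    problems = []
    for num, action, body in parsed:
        if (action in ALLOW_WORDS and body.startswith("ip from any to any")
                and "via lo0" not in body):
            problems.append(f"rule {num} allows all traffic: {body}")
    if (not parsed or parsed[-1][1] not in DENY_WORDS
            or not parsed[-1][2].endswith("ip from any to any")):
        problems.append("no final deny-all rule")
    if not any(r.strip() == LOG_SYSCTL for r in rules):
        problems.append("logging not enabled (" + LOG_SYSCTL + ")")
    return problems


if __name__ == "__main__":
    ruleset = build_ruleset(allow_tcp=[22])   # allow inbound SSH only
    print("\n".join(ruleset))
    for problem in audit_ruleset(ruleset):
        print("# WARNING:", problem)
```

ipfw evaluates rules in number order and stops at the first match, so the order is the whole point: loopback first, then check-state so replies to connections you opened are accepted, then the few inbound services you really need, and the logged deny at 65000 last. Run the audit on any ruleset you write by hand as well; a single "allow ip from any to any" placed early silently turns the rest of the file into decoration.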
Here is a report from Macintouch on scanning a default (firewall off) OS X 10.2 install:
For example, here's a scan of an un-firewalled Jaguar box:
[rei:~] rmohns% sudo nmap -v -O -F [hostname]
[...]
The SYN Stealth Scan took 20 seconds to scan 1149 ports.
[...]
Interesting ports on rei.ncipherusa.com (172.24.2.36):
(The 1144 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
139/tcp    open        netbios-ssn
427/tcp    open        svrloc
548/tcp    open        afpovertcp
Remote OS guesses: FreeBSD 4.4-5 or Mac OS X 10.0.4 (Darwin V. 1.3-1.3.7 or 4P13), FreeBSD 4.4 for i386 (IA-32)
Uptime 5.999 days (since Thu Aug 29 10:58:40 2002)
Here's some information on firewall configuration for previous versions of Mac OS X. Much of it still applies to Jaguar.
Linux has extensive firewall and security features built-in.
This page currently lists mostly host-based, software security solutions. As part of a strategy of defence-in-depth, you may also want to add security hardware devices that sit in between your "internal" home network and your connection to the Internet. For the home user, this usually consists of firewall features built-in to a broadband router.
Note that the term "firewall" is bandied about quite freely. Most of the inexpensive boxes only provide NAT (Network Address Translation) and port filtering. NAT does block unsolicited inbound connections as a side effect of address translation, but this is not the same as a full Stateful Packet Inspection (SPI) firewall.
For this topic in general you should look to other sites on the web for reviews and information, and to the vendor and your ISP for support on how to configure the firewall features of your broadband router.
Some good starting points are:
Another possibility, for advanced users, is to build your own firewall using commodity hardware and free software. There are too many software possibilities for me to list here, so I will mention just one that was recommended to me.
Astaro Security Linux is free for home use. You will still have to register it in order to get a license key. You will of course have to also supply your own hardware to run it on.
Wireless is becoming a popular technology. Please be aware that there are many security concerns with current wireless implementations. This page does not deal with wireless security, but there are many other good ones that do.
Some starting points:
Free Wi-Fi Security Chapter 8: Unauthorized Access and Privacy (PDF).
Brian Livingston's Window Manager columns from InfoWorld on security for "always on" (cable/xDSL) Internet connections.
The final version of the (US) National Strategy to Secure Cyberspace has been released at http://www.securecyberspace.gov/
A lot of the material in the draft has been removed.
For the purposes of this page, the most relevant section is "Level 1: The Home User and Small Business". (Used to be on page 15 of the draft document.) They suggest 5 steps, of which I think 4 are important:
And of course, the most relevant one for this page
As well, the strategy points to many other (US) network resources on security, including:
The resources they indicate do give useful basic guidelines, but nothing really in the way of detailed technical information. This page tries to provide some of that technical info. Plus I use the term "cyber" a lot less.
Although it may not help you in the short term, one way you can participate in improving Internet security is by contributing your logs for analysis by a third party. Of course, you will have to decide for yourself whether you have any privacy or security concerns about this.
I sometimes get questions from people who are seeing unusual Internet traffic or experiencing other Internet security problems. Unfortunately, the resources available (that I know of) are mainly targeted at helping companies recover from security breaches, rather than individuals. My main advice is: remain calm. Try to determine if it is a serious (i.e. criminal) problem, or just some unusual network traffic. A good place to start is the FAQ way at the top of this document; it has lots of information that will help you identify the most common types of port probes. Here are some other resources:
Network Ice has an article Oh my gosh, I'm being HACKED!!! What do I do now?
SANS has a report on Incident Handling Step by Step, but it is mainly targeted at corporate networks dealing with Unix trojans and related Denial of Service issues. Network Magazine also has an article on Incident Handling that discusses planning, the law and who to contact, and incident response steps.
If the nature of the problem is cyberstalking or other related personally directed attacks, you can try Wired Patrol.
Other resources you can try are your ISP (Internet Service Provider, the company that provides your Internet connection), the attacker's ISP, and local law enforcement.
You may also be interested in the EU's Internet Action Plan (IAP), of which Safer Internet is a part.
I am told: contact your local police - they will then refer it on to your state's computer crimes unit.
Sorry, I don't know. I would assume local or national policing authorities.
In the US, forward all spam (junk email) to the Federal Trade Commission's collection address for Unsolicited Commercial Email: uce@ftc.gov
In Canada, the main organization set up to deal with phone / snailmail / email fraud is PhoneBusters.
You can forward "Nigerian scams" (advance fee fraud) to them at the West African Fraud Letter address: wafl@phonebusters.com. For anything else, contact them at info@phonebusters.com.
You can read more in the e-mail section of the Scams FAQ from the RCMP.
Google has an overwhelming list of resources for dealing with Internet abuse in its directory Computers > Internet > Abuse
If you want to understand more advanced concepts and detail about firewalls, there are lots of resources available.
The first edition of the classic Cheswick and Bellovin book Firewalls and Internet Security: Repelling the Wily Hacker is available in its entirety for free online.
Some sample chapters from the second edition are available:
Free chapters from other books:
For a good general overview of computer and network security, I highly recommend the book Secrets and Lies by Bruce Schneier. Go to the library (note for Internet users: large quiet building filled with books - most towns have one) and borrow it. Or even buy it. The book webpage has some excerpts.
For general suggestions, corrections, or comments please feel free to contact me by email.
For questions specifically about TCP/IP ports visit my QuickTopic: Discuss TCP/IP Ports.
Otherwise I suggest you try
Copyright © 2000-2005 Richard Akerman. All Rights Reserved. No mirroring without prior written consent.