Commonly Exploited Ports List from Pointman.org

| Service | Port | Protocol | Hostility | Explanation |
| reserved | 0 | TCP/UDP | Hi | source port - no good reason for this |
| sscan signature | 0-5 | TCP | Hi | source ports - no good reason for this |
| ttymux | 1 | TCP | Hi | possibly part of an sscan probe |
| echo | 7 | TCP/UDP | Hi | potential UDP attack |
| systat | 11 | TCP | Hi | system/user information (ps) |
| unassigned | 15 | TCP | Hi | was netstat: open connections, routing tables, etc. |
| chargen | 19 | TCP/UDP | Hi | potential UDP attack |
| ftp | 21, 20 | TCP | Lo | famous file transfer service |
| ssh | 22 | TCP | Med | secure shell service |
| ssh | 22 | UDP | Lo | old version of PC Anywhere |
| telnet | 23 | TCP | Med | remote login |
| smtp | 25 | TCP | Hi | looking for spam relay |
| DNS | 53 | TCP | Hi | compromising a DNS server via TCP zone transfers |
| dhcpc | 67 | UDP | Lo | probably a mistake |
| tftpd | 69 | UDP | Med | very insecure ftp alternative |
| finger | 79 | TCP | Lo | user account information |
| link | 87 | TCP | Hi | terminal link - commonly used by intruders |
| pop | 110, 109 | TCP | Hi | looking for a mail or news spam relay |
| sunrpc | 111 | TCP/UDP | Hi | NFS, NIS, any rpc-based service |
| nntp | 119 | TCP | Med | free/public news feed or spam relay |
| ntp | 123 | UDP | Lo | network time synchronization; ok, but impolite |
| netbios-ns | 137 | TCP/UDP | Hi | Windows Name Service |
| netbios-dgm | 138 | TCP/UDP | Hi | Windows Datagram Service |
| netbios-ssn | 139 | TCP | Hi | Windows Session Service |
| imap | 143 | TCP | Hi | famous security hole |
| NeWS | 144 | TCP | Hi | Sun windowing management system |
| snmp | 161, 162 | UDP | Hi | remote network administration |
| xdmcp | 177 | UDP | Hi | xdm: XDMCP, X Display Manager |
| rexec | 512 | TCP | Hi | intended for intranet use |
| biff | 512 | UDP | Hi | intended for intranet use |
| rlogin | 513 | TCP | Med | intended for intranet use |
| who | 513 | UDP | Hi | intended for intranet use |
| rsh | 514 | TCP | Med | intended for intranet use |
| syslog | 514 | UDP | Hi | intended for intranet use |
| printer | 515 | TCP | Hi | intended for intranet use |
| talk | 517 | UDP | Med | intended for intranet use |
| ntalk | 518 | UDP | Med | intended for intranet use |
| route | 520 | UDP | Hi | routed |
| uucp | 540 | TCP | Med | a "famous" file transfer service |
| mount | 635 | UDP | Hi | NFS mount service |
| socks | 1080 | TCP | Hi | potential spam relay point |
| SQL | 1114 | TCP | Hi | part of an sscan signature |
| openwin | 2000 | TCP | Hi | OpenWindows windowing system |
| NFS | 2049 | TCP/UDP | Hi | remote filesystem access |
| pcanywherestat | 5632 | UDP | Lo | PC Anywhere |
| X11 | 6000+n | TCP | Hi | X Windows |
| NetBus | 12345, 12346, 20034 | TCP | Hi | |
| BackOrifice | 31337 | UDP | Hi | Back Orifice trojan horse (system access) |
| Hack'a'Tack | 31790, 31789 | UDP | Hi | Windows Hack'a'Tack trojan |
| traceroute | 33434-33523 | UDP | Lo | incoming traceroute |
| ping | 8 | ICMP | Lo | incoming ping |
| redirect | 5 | ICMP | Hi | incoming routing redirect bomb |
| traceroute | 11 | ICMP | Lo | outgoing response to traceroute |
| OS type probe | 0 | TCP/UDP | Hi | broadcasts to destination address 0.0.0.0/0 |

Hostility ratings are gross estimates. Any probe can be motivated by innocent curiosity. The ratings are guesses based on a combination of their potential danger to the system and their likelihood of being hostile if that port was the only port probed as an isolated incident.