Commonly Exploited Ports List from Pointman.org
Service | Port | Protocol | Hostility | Explanation
reserved | 0 | TCP/UDP | Hi | source port - no good reason for this |
sscan signature | 0-5 | TCP | Hi | source ports - no good reason for this |
ttymux | 1 | TCP | Hi | possibly part of an sscan probe |
echo | 7 | TCP/UDP | Hi | potential UDP attack |
systat | 11 | TCP | Hi | system/user information (ps) |
unassigned | 15 | TCP | Hi | was netstat: open connections, routing tables, etc. |
chargen | 19 | TCP/UDP | Hi | potential UDP attack |
ftp | 21, 20 | TCP | Lo | famous file transfer service |
ssh | 22 | TCP | Med | secure shell service |
ssh | 22 | UDP | Lo | old version of PC Anywhere |
telnet | 23 | TCP | Med | remote login |
smtp | 25 | TCP | Hi | looking for spam relay |
DNS | 53 | TCP | Hi | compromising a DNS server via TCP zone transfers |
dhcpc | 67 | UDP | Lo | probably a mistake |
tftpd | 69 | UDP | Med | very insecure ftp alternative |
finger | 79 | TCP | Lo | user account information |
link | 87 | TCP | Hi | terminal link - commonly used by intruders |
pop | 110, 109 | TCP | Hi | looking for a mail or news spam relay |
sunrpc | 111 | TCP/UDP | Hi | NFS, NIS, any rpc-based service |
nntp | 119 | TCP | Med | free/public news feed or spam relay |
ntp | 123 | UDP | Lo | network time synchronization; ok, but impolite |
netbios-ns | 137 | TCP/UDP | Hi | Windows Name Service |
netbios-dgm | 138 | TCP/UDP | Hi | Windows Datagram Service |
netbios-ssn | 139 | TCP | Hi | Windows Session Service |
imap | 143 | TCP | Hi | famous security hole |
NeWS | 144 | TCP | Hi | Sun windowing management system |
snmp | 161, 162 | UDP | Hi | remote network administration |
xdmcp | 177 | UDP | Hi | xdm: XDMCP, X Display Manager |
rexec | 512 | TCP | Hi | intended for intranet use |
biff | 512 | UDP | Hi | intended for intranet use |
rlogin | 513 | TCP | Med | intended for intranet use |
who | 513 | UDP | Hi | intended for intranet use |
rsh | 514 | TCP | Med | intended for intranet use |
syslog | 514 | UDP | Hi | intended for intranet use |
printer | 515 | TCP | Hi | intended for intranet use |
talk | 517 | UDP | Med | intended for intranet use |
ntalk | 518 | UDP | Med | intended for intranet use |
route | 520 | UDP | Hi | routed |
uucp | 540 | TCP | Med | a "famous" file transfer service |
mount | 635 | UDP | Hi | NFS mount service |
socks | 1080 | TCP | Hi | potential spam relay point |
SQL | 1114 | TCP | Hi | part of an sscan signature |
openwin | 2000 | TCP | Hi | OpenWindows windowing system |
NFS | 2049 | TCP/UDP | Hi | remote filesystem access |
pcanywherestat | 5632 | UDP | Lo | PC Anywhere |
X11 | 6000+n | TCP | Hi | X Windows |
NetBus | 12345, 12346, 20034 | TCP | Hi |
BackOrifice | 31337 | UDP | Hi | Back Orifice trojan horse (system access) |
Hack'a'Tack | 31790, 31789 | UDP | Hi | Windows Hack'a'Tack trojan |
traceroute | 33434-33523 | UDP | Lo | incoming traceroute |
ping | 8 | ICMP | Lo | incoming ping |
redirect | 5 | ICMP | Hi | incoming routing redirect bomb |
traceroute | 11 | ICMP | Lo | outgoing response to traceroute |
OS type probe | 0 | TCP/UDP | Hi | broadcasts to destination address 0.0.0.0/0 |

Hostility ratings are gross estimates. Any probe can be motivated by innocent curiosity. The ratings are guesses based on a combination of their potential danger to the system and their likelihood of being hostile if that port were the only port probed as an isolated incident.