Vulnerable Ports
This is a list of TCP/UDP ports currently tested by our Security Scanner, together with descriptions of their corresponding potential security threats.
We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know.
Any feedback and suggestions can also be posted to our Security forum.
| Port(s) | Protocol | Service | Scan level | Description |
|---|---|---|---|---|
| 1 | udp | tcpmux | not scanned | IANA assigned to TCP Port Service Multiplexer.<br>Sockets des Troie remote access trojan uses this port (a.k.a. Backdoor.Sockets23, Lame, Backdoor.Kamikaze, IRC_trojan, TROJ_Backdoor, W32/Cheval.gen, coded in Delphi 3, 06.1998). It might also use ports 1/udp, 5000, 5001, 30303, 50505, 60000 and 65000. |
| 2 | tcp | compressnet | Premium scan | Trojans that use this port: Death remote access trojan (coded in VB, affects Windows 9x); the port can be changed. Files: death.exe, config.cfg<br>Port 2 is also registered with IANA for the compressnet management utility. |
| 7 | tcp | Echo | Members scan | Echo service, largely superseded by ICMP echo. Potential attack vector if probed. |
| 9 | tcp | Discard | Members scan | Discard server |
| 11 | tcp,udp | systat | Premium scan | System / active users information. |
| 13 | tcp,udp | Daytime | Members scan | Daytime service (RFC 867) - responds with the current time of day. Different machines respond with slightly different date/time formats, so the port can be used to fingerprint machines. |
| 19 | tcp,udp | Chargen | Members scan | Generates and replies with characters when queried. Should be disabled if there is no specific need for it. Source of potential attacks. |
| 20 | tcp | FTP - data | Members scan | File Transfer Protocol - Data |
| 20 | udp | ? | Basic scan | |
| 21 | tcp | FTP | Basic scan | File Transfer Protocol.<br>List of some trojan horses/backdoors that also use this port: Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm, W32.Sober.N@mm.<br>W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 21/tcp and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.<br>W32.Loxbot.C (01.11.2006) |
| 21 | udp | FSP | Basic scan | FSP/FTP |
| 22 | udp | PC-Anywhere | Basic scan | Old versions of pcAnywhere use port 22/udp (no relation to SSH and port 22/tcp).<br>The real pcAnywhere port is 5632. The value 0x0016 (hex) is 22 decimal; the value 0x1600 (hex) is 5632 decimal. Some say that pcAnywhere had a byte-swapping bug that led to its incorrect use of port 22. |
| 22 | tcp | SSH | Members scan | Secure Shell - most commonly used for command line access, as a secure replacement for Telnet. Can also be used as an encrypted tunnel for secure communication of virtually any service.<br>Some trojans also use this port: InCommand, Shaft, Skun |
| 23 | tcp | telnet | Basic scan | Telnet is one of the oldest Internet protocols and the most popular program for remote access to Unix machines. It has numerous security vulnerabilities.<br>Trojans that also use this port: ADM worm, Aphex's Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (109.26.2005) |
| 25 | tcp | SMTP | Basic scan | SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not knowingly running a mail server, there is a possibility your system is infected.<br>List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy<br>W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting an NTP server on port 37/tcp.<br>Trojan.Mitglieder.R (07.01.2005) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also start an SMTP spam relay server on port 25/tcp.<br>W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.<br>Backdoor.Rustock (01.12.2006) - backdoor program that allows the compromised computer to be used as a proxy; uses rootkit techniques to hide its files and registry entries. |
| 30 | tcp | trojans | Premium scan | Agent 40421 trojan. Also uses port 40421/tcp |
| 31 | tcp | msg-auth | Members scan | MSG Authentication<br>The following trojans/backdoors also use this port: Agent 31, Agent 40421, Hackers Paradise (ports 31, 456), Masters Paradise, Skun |
| 37 | tcp | worm | Basic scan | W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting an NTP server on port 37/tcp.<br>W32.Sober.J@mm (01.30.2005)<br>W32.Sober.O@mm (05.02.2005)<br>W32.Sober.X@mm (12.12.2005) |
| 41 | | trojans | Members scan | Some trojans use this port: Deep Throat, Foreplay |
| 42 | tcp,udp | WINS | Members scan | Port used by WINS (Windows Internet Naming Service).<br>Worms can exploit a recently announced buffer overflow vulnerability within WINS using this port.<br>See: Microsoft - How to help protect against a WINS security issue; Technical Analysis by Steve Friedl<br>W32.Dasher.D (12.19.2005) - a worm that exploits the following MS vulnerabilities: MS05-051 (on port 53/tcp) and MS04-045 (on port 42/tcp).<br>Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp. |
| 48 | tcp | auditd | Premium scan | DRAT remote access trojan (11-1999) uses ports 48, 50.<br>Port is also IANA assigned for: Digital Audit Daemon |
| 49 | udp | TACACS | Basic scan | Login Host Protocol (TACACS) |
| 50,51 | tcp | re-mail-ck | Premium scan | IPSec (VPN tunneling) uses the following:<br>50 - Encapsulating Security Payload (ESP)<br>51 - Authentication Header (AH)<br>500/udp - Internet Key Exchange (IKE)<br>Note that 50 and 51 are IP protocol numbers (ESP and AH run directly on top of IP), not TCP/UDP ports; a firewall rule for IPSec must pass those IP protocols, not TCP ports 50 and 51.<br>Some trojans that also use this port: DRAT remote access trojan (11-1999). Uses ports 48, 50. |
| 53 | tcp,udp | DNS | Basic scan | DNS (Domain Name System) is used for domain name resolution.<br>There are some attacks that target vulnerabilities within DNS servers. Some trojans also use this port: ADM worm, li0n, MscanWorm, MuSka52, Trojan.Esteem.C (05.12.2005), W32.Spybot.ABDO (12.12.2005).<br>W32.Dasher.B (12.16.2005) - a worm that exploits the MS Distributed Transaction Coordinator remote vulnerability (MS Security Bulletin MS05-051).<br>Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp. |
| 59 | tcp | trojans | Premium scan | Backdoor.Sdbot.AJ (01.10.2005) - network-aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 59/tcp. |
| 67 | udp | bootp server | Basic scan | Bootstrap protocol server. Used by DHCP servers to communicate addressing information to remote DHCP clients. |
| 68 | udp | bootp client | Basic scan | Bootstrap protocol client. Used by client machines to obtain dynamic IP addressing information from a DHCP server. |
| 69 | udp | TFTP | Basic scan | Trivial File Transfer Protocol - a less secure version of FTP (it has no authentication), generally used in maintaining and updating systems, for configuration file transfers between LAN systems, firmware updates on routers, etc.<br>Many trojans also use this port: BackGate Kit, Nimda, Pasana, Storm, Storm worm, Theef...<br>W32.Blaster.Worm is a widely spread worm that exploits the MS DCOM RPC vulnerability described in MS Security Bulletin MS03-026. The worm allows remote access to an infected computer via ports 4444/tcp and 69/udp, and spreads through port 135/tcp. To avoid being infected, consider closing those ports.<br>W32.Welchia.Worm - a widely spread worm that removes W32.Blaster.Worm and installs a TFTP server.<br>W32.Cycle (05.10.2004) - exploits an MS vulnerability on port 445. Listens on ports 3332/tcp and 69/udp.<br>W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads on all current Windows versions, but only infects Windows 2000.<br>The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 69/udp is also used by the W32.Zotob.H variant of the worm. |
| 69,70 | tcp | trojans | Premium scan | W32.Evala.Worm - backdoor trojan, 07.2002. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.<br>Other trojans that use these ports: ADM worm, BackGate Kit, Nimda, Pasana, Storm, Theef<br>Note: port 69/udp is used by TFTP. |
| 79 | tcp,udp | Finger | Members scan | Finger<br>Trojans that also use this port: ADM worm, CDK trojan (ports 79, 15858), Firehotcker (ports 79, 5321) |
| 80 | udp | trojans | Premium scan | W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.<br>W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 21/tcp and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp. |
| 80 | tcp | http | Basic scan | Hypertext Transfer Protocol (HTTP) - port used for web traffic. See also TCP ports 81, 8080, 8081.<br>Some broadband routers (Linksys, etc.) run a web server on port 80 or 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.<br>If you're not running web services, keep in mind that the Code Red and Nimda worms also propagate via TCP port 80 (HTTP). Also, a number of trojans/backdoors use these ports: 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Nerte 7.8.1, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader<br>Trojan.Webus.C<br>W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.<br>Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.<br>Backdoor.Ranky.S (01.30.2005) - runs a proxy on port 80.<br>W32.Crowt.A@mm (01.23.2005) - mass-mailing worm; opens a backdoor, logs keystrokes. Uses ports 80 and 137.<br>Backdoor.Darkmoon.B (10.21.2005) - a backdoor trojan with keylogger capabilities. Opens a backdoor and listens for remote commands on port 80/tcp.<br>W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.<br>Trojan.Lodear.F (12.18.2005) - trojan that attempts to download remote files.<br>W32.Feebs (01.07.2006) |
| 81 | udp | trojans | Premium scan | W32.Beagle.AR@mm (9.29.2004) - mass-mailing worm with backdoor functionality on port 81/tcp & udp. Affects all current Windows versions. |
| 81 | tcp | http | Basic scan | Hypertext Transfer Protocol (HTTP) - ports used for web traffic. See also TCP ports 80, 8080, 8081.<br>Some common uses for port 81/tcp include web administration (cobalt cube), web proxy servers, etc.<br>If you're not running web services on this port, keep in mind it is also used by some trojans:<br>Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default.<br>W32.Beagle.AR@mm (09.29.2004) - port 81. |
| 82 | tcp | trojans | Members scan | W32.Netsky.X@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 82/tcp to receive and execute a file from an attacker.<br>The W32.Netsky.Y@mm variant also opens port 82/tcp. |
| 87 | tcp | terminal link | Members scan | terminal link - commonly used by intruders |
| 88 | udp | Kerberos | Premium scan | KDC (Kerberos key distribution center) server.<br>Related ports: 464, 543, 544, 749 |
| 99 | udp | metagram | Basic scan | metagram relay, gnutella? |
| 110 | udp | pop-or-not | Basic scan | POP3 server traffic (should be TCP only?) |
| 110 | tcp | POP3 | Basic scan | POP3 (Post Office Protocol - Version 3) |
| 111 | udp | SunRPC | Basic scan | Provides information between Unix-based systems. The port is often probed; it can be used to fingerprint the *nix OS and to obtain information about available services. Port used with NFS, NIS, or any RPC-based service.<br>Trojans that use this port: ADM worm, MscanWorm |
| 113 | tcp,udp | IDENT | Basic scan | Port 113 is used for the Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc., that remote server sends back a query to the IDENT port 113 asking for identification from your system...<br>Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all from port 113 queries, the connection to them (which initiated their query in the first place) will be delayed or perhaps even completely abandoned.<br>The simplest solution is to close, rather than filter, port 113 (i.e. answer the query with a TCP reset instead of silently dropping it, so the remote server gives up immediately).<br>Some trojans also use this port: ADM worm, Alicia, Cyn, DataSpy Network X, Dosh, Gibbon, Invisible Identd Deamon, Kazimas, Taskman<br>W32.Bofra.C@mm (11.11.2004) - opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.<br>W32.Linkbot.A (11.05.2004) - worm that exploits the MS Windows LSASS Buffer Overrun vulnerability. It also creates an IRC backdoor and attempts to install adware on the infected machine. It can affect all current Windows versions. Listens on port 113/tcp for remote commands.<br>W32.Spybot.LZI (04.06.2005) - worm that attempts to exploit the MS DCOM RPC vulnerability on ports 135, 445 & 1025. Opens a backdoor on port 113.<br>W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp. |
| 119 | udp | NNTP | Basic scan | NNTP (Network News Transfer Protocol) control messages. |
| 121 | tcp | erpc | Premium scan | Trojans/backdoors that use this port:<br>Attack Bot (files: Sysadmin.exe - 181KB, Mpeg.exe; affects Windows 9x/ME)<br>God Message (ports 80, 121, 7777; a.k.a. BackDoor.AB.gen, JS.Trojan.WindowBomb; affects Windows 9x/ME/NT/2k)<br>JammerKillah (files: Jammerkillah.zip, Jammerkillah.exe, Mswin32.drv; affects Windows 9x/ME)<br>Port is also IANA registered for: Encore Expedited Remote Pro.Call |
| 123 | udp | NTP | Basic scan | Network Time Protocol (NTP) |
| 135 | tcp | loc-srv | Basic scan | Remote Procedure Call (RPC) port 135 is used by client/server applications (which might be on a single machine) such as Exchange clients, the recently exploited Messenger service, and other Windows NT/2K/XP software. If you have remote users who VPN into your network, you might need to open this port on the firewall to allow access to the Exchange server.<br>There is an RPC (RPC Endpoint Mapper component) vulnerability in Windows NT where a malformed request to port 135 could cause denial of service (DoS). RPC contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data. To restore normal functionality the victim has to reboot the system. Alternatively, you can upgrade/patch your OS (there is a patch downloadable from Microsoft), or you can close port 135.<br>MS Security Bulletin MS03-026 outlines another critical buffer overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above-mentioned ports at the firewall level and not allow RPC over an insecure network, such as the Internet.<br>W32.Blaster.Worm is a widely spread worm that exploits the DCOM RPC vulnerability described above (MS Security Bulletin MS03-026). The worm allows remote access to an infected computer via ports 4444/tcp and 69/udp, and spreads through port 135/tcp. To avoid being infected, consider closing those ports.<br>Port is also used by the Messenger Service (not MSN Messenger) and exploited in pop-up "net send" messenger spam: MSKB 330904. To stop the pop-ups you need to filter port 135 at the firewall level or stop the Messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp, 138/udp, 139/tcp, 445/tcp.<br>W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a distributed denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service. |
| 135 | udp | loc-srv | Basic scan | Port used by the Messenger Service (not MSN Messenger) and exploited in pop-up "net send" messenger spam: MSKB 330904. To stop the pop-ups you need to filter port 135 at the firewall level or stop the Messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp, 138/udp, 139/tcp, 445/tcp. |
| 137-139 | tcp,udp | NetBIOS | Basic scan | NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.<br>NetBIOS services:<br>NETBIOS Name Service (TCP/UDP: 137)<br>NETBIOS Datagram Service (TCP/UDP: 138)<br>NETBIOS Session Service (TCP/UDP: 139)<br>By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (the Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:<br>1. Use strong passwords, containing non-alphanumeric characters.<br>2. Append "$" to your share names (the casual snooper using net view might not see them).<br>3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).<br>4. Block ports 135-139 in your router/firewall.<br>Keep in mind that you might still be leaking information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless the ports are filtered by a firewall.<br>There is also a critical Windows RPC vulnerability affecting ports 135, 139 and 445, as detailed here: MS TechNet Security Bulletin MS03-026<br>The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz<br>W32.HLLW.Moega<br>W32.Crowt.A@mm (01.23.2005) - mass-mailing worm; opens a backdoor, logs keystrokes. Uses ports 80 and 137.<br>W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin MS03-026) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444. |
| 143 | tcp,udp | IMAP | Basic scan | IMAP mail server uses this port. See also port 993/tcp.<br>Numerous IMAP servers have buffer overflows that allow compromise during login. Note that for a while there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when Red Hat enabled the service by default on its distributions. This port is also used for IMAP2, but that version wasn't very popular. Several people have noted attacks from port 0 to port 143, which appear to come from some attack script. |
| 146 | tcp | trojans | Premium scan | Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 161,162 | udp | SNMP | Basic scan | Simple Network Management Protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.<br>Typically, SNMP agents listen on UDP port 161; asynchronous traps are received on port 162. |
| 177 | tcp | xdmcp | Premium scan | Numerous hacks may allow access to an X Window console; port 6000 needs to be open as well for them to really succeed. |
| 194 | tcp,udp | IRC | Members scan | Internet Relay Chat Protocol |
| 256 | udp | trojans | not scanned | Trojan.SpBot (04.05.2005) - trojan horse that opens a compromised computer to be used as an email relay. Opens a backdoor on port 256/udp. |
| 321 | tcp | trojans | Members scan | W32.Looksky.A@mm (10.25.2005) - a mass-mailing worm that lowers security settings and logs keystrokes on the compromised computer. It also gathers and sends out personal information. Opens a backdoor and listens for remote commands on port 321/tcp. It also periodically connects to proxy4u.ws on port 8080/tcp to check for updates.<br>Port also used by other variants:<br>W32.Looksky.A@mm<br>W32.Looksky.H@mm (01.17.2006). |
| 389 | tcp | LDAP | Basic scan | LDAP (Lightweight Directory Access Protocol) - an Internet protocol used by MS Active Directory, as well as some email programs, to look up contact information from a server.<br>Both Microsoft Exchange and NetMeeting install an LDAP server on this port. |
| 443 | tcp | HTTPS | Members scan | HTTPS / SSL - encrypted web traffic.<br>Port also used by some trojans:<br>W32.Kelvir.M (04.05.2005) - worm that spreads through MSN Messenger and drops a variant of the W32.Spybot.Worm. Connects to IRC servers on the s.defonic2.net and s.majesticwin.com domains, and listens for commands on port 443/tcp. |
| 445 | tcp | microsoft-ds | Basic scan | TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.<br>Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName value (the value only, not the key) in the Windows Registry.<br>Leaving port 445 open will leave you vulnerable to some worms, such as W32.Deloader and IraqiWorm (aka Iraq_oil.exe), W32.HLLW.Moega, W32.Sasser.Worm, W32.Korgo.AB (09.24.2004), Backdoor.Rtkit.B (10.01.2004), Trojan.Netdepix.B (01.16.2005), as well as the Windows Null Session exploit.<br>MS Security Bulletin MS03-026 outlines a critical RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above-mentioned ports at the firewall level and not allow RPC over an insecure network, such as the Internet.<br>See also: Microsoft Security Bulletin MS03-049 and Microsoft Security Bulletin MS03-043<br>W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.<br>Note: the same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.<br>W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.<br>W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads on all current Windows versions, but only infects Windows 2000.<br>The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 445/tcp is also used by the W32.Zotob.H variant of the worm. |
| 456 | tcp | trojans | Premium scan | Used by the Hackers Paradise trojan (also uses port 31) |
| 464 | tcp,udp | kpasswd | not scanned | Kerberos (v5) password change<br>Related ports: 88, 543, 544, 749 |
| 500 | udp | ipsec | Members scan | IPSec (VPN tunneling) uses the following:<br>50 - Encapsulating Security Payload (ESP)<br>51 - Authentication Header (AH)<br>500/udp - Internet Key Exchange (IKE)<br>4500/udp - NAT traversal<br>Note that 50 and 51 are IP protocol numbers (ESP and AH run directly on top of IP), not TCP/UDP ports.<br>See also:<br>port 1701 (L2TP)<br>port 1723 (PPTP) |
| 511 | tcp | | Premium scan | Part of the t0rn rootkit; a program called "leeto's socket daemon" runs on this port. |
| 514 | tcp | shell | Premium scan | Used by rsh (and also rcp), an interactive shell without any logging.<br>Some backdoors associated with this port: RPC Backdoor, Whacky |
| 515 | tcp | printer | not scanned | Printing services (LPD), listening for incoming connections |
| 520 | udp | router | Premium scan | RIP (Routing Information Protocol). Routers use RIP to advertise routing information to each other and communicate optimal paths.<br>References: RFC 1058 and RFC 2453 |
| 520 | tcp | efs | not scanned | Extended File Name Server |
| 535 | udp | CORBA IIOP | Premium scan | Common Object Request Broker Architecture (CORBA) is an object-oriented remote procedure call (RPC) system. If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA broadcasts send out information that can often be used to hack back into the systems generating these broadcasts. |
| 540 | tcp | uucp | Members scan | UUCP (Unix-to-Unix Copy) - a well-known legacy file transfer service; potential vulnerability. |
| 543 | tcp | klogin | not scanned | Kerberos login<br>Related ports: 88, 464, 544, 749 |
| 544 | tcp | kshell | not scanned | Kerberos remote shell<br>Related ports: 88, 464, 543, 749 |
| 546 | tcp,udp | DHCP | Premium scan | DHCP(v6) Client |
| 547 | tcp,udp | DHCP | Premium scan | DHCP(v6) Server |
| 555 | tcp | dsf | Members scan | Trojans that use this port: 711 trojan (Seven Eleven), Ini-Killer, Net Administrator (NeTadmin), Phase Zero, Stealth Spy |
| 559 | tcp | trojans | Premium scan | Port used by the Domwis remote access trojan. Creates a backdoor and spam proxy on port 559. |