FAQ: Firewall Forensics (What am I seeing?)
This document explains what you see in firewall logs, especially what port
numbers mean. You can use this information to help figure out what hackers are
up to.
This document is intended for both security-experts maintaining corporate
firewalls as well as home users of personal firewalls.
0. Information about this FAQ
- Version 1.0.1, August, 2002
http://www.robertgraham.com/pubs/firewall-seen.html
Copyright 1998-2002 by Robert Graham (firewall-seen@robertgraham.com).
All rights reserved. This document may only be reproduced (whole or in part)
for non-commercial purposes. All reproductions must contain this copyright
notice and must not be altered, except by permission of the author.
Special thanks to Alan J. Rosenthal (maintainer of FAQs himself) for some
really good input.
1. What does destination port number ZZZZ mean?
   port guide | source ports | many-to-one | trojans | DNS | dial-up | IRC |
   remapping | still can't figure it out
2. What does this ICMP info mean?
   0 (echo reply) | 3 (unreachable) | 4 (source quench) | 8 (ping) |
   11 (ttl exceeded) | 12 (problem)
3. What do these IP addresses indicate?
   source-routing | 255.255.255.255 | track owner | 10.x.x.x |
   known IP addresses | 0.0.0.0 | directed-broadcasts | 169.254.x.x
4. Stuff doesn't work
   slow connections
5. What are some typical signatures of well-known programs?
   traceroute | sscan | proxy scanners | smurf | fraggle
7. What do these other logs mean?
   DNS | HTTP | RPC | SMTP | identd
8. How do I configure filters?
   ICMP filters | split DNS
9. Packet Zen
   IP ID | TTL | Resources
10. What's the deal with NetBIOS (UDP port 137)?
   What? | Why? | But I'm not Win? | Statistics | Signature |
   Get rid of them? | Attacks
A. Appendix
You'll note that some sections are missing. This is an evolving
document; when sections are removed (because the info is moved into other
sections), I don't renumber the document.
1. What does destination port number ZZZZ mean?
Most traffic going through the firewall is part of a connection (or, for UDP,
a flow). A connection is identified by the pair of IP addresses that are talking
to each other together with a pair of port numbers. The destination port number
often indicates the type of service being connected to. When a firewall blocks
a connection, it saves the destination port number to its log file. This section
describes some of the meanings of these port numbers.
Port numbers are divided into three ranges:
- The Well Known Ports are those from 0 through 1023. These are tightly bound
  to services, and traffic on one of these ports usually indicates the protocol
  for that service. For example, port 80 virtually always indicates HTTP
  traffic.
- The Registered Ports are those from 1024 through 49151. These are loosely
  bound to services: while numerous services are "bound" to these ports, the
  same ports are also used for many other purposes. For example, most systems
  start handing out dynamic ports at 1024.
- The Dynamic and/or Private Ports are those from 49152 through 65535. In
  theory, no service should be assigned to these ports.
In reality, machines start assigning "dynamic" ports at 1024. We also see
strangeness, such as Sun starting their RPC ports at 32768.
Where to get a more complete list of port info:
- ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
  The "Assigned Numbers" RFC, the official source for port assignments.
- http://advice.networkice.com/advice/Exploits/Ports/
  Database of port numbers, hyper-linked to various exploits on those port
  numbers.
- /etc/services
  On UNIX systems, the file /etc/services contains a list of commonly used UNIX
  port number assignments. On Windows NT, this file is located in
  %systemroot%\system32\drivers\etc\services.
- http://www.con.wesleyan.edu/~triemer/network/docservs.html
  Links back to the protocol specifications frequently.
- http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html
  Pages describing various ports.
- http://www.tlsecurity.com/trojanh.htm
  TLSecurity's list of Trojans. Rather than a collection of rumors by other
  people, the maintainers of this list claim to verify each and every port
  personally.
- http://www.simovits.com/nyheter9902.html
  Trojan Horse probes page.
1.1 What are some common incoming TCP/UDP probes against
my firewall?
This section contains a list of common TCP and UDP port scans that people
see against their firewalls. Note: there is no such thing as an ICMP port.
If you are interested in interpreting ICMP data, look in
section 2.
Port 0
  Commonly used to help determine the operating system. This works because on
  some systems, port 0 is "invalid" and will generate a different response when
  you connect to it than a normal closed port does. One typical scan uses a
  destination IP address of 0.0.0.0 and sets the ACK bit, with broadcast at the
  Ethernet layer.

Port 1 (tcpmux)
  Indicates someone searching for SGI Irix machines. Irix is the only major
  vendor that has implemented tcpmux, and it is enabled by default on Irix
  machines. Irix machines ship with several default passwordless accounts, such
  as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts.
  Many administrators forget to close these accounts after installation.
  Therefore, hackers scan the Internet looking first for tcpmux, then for these
  accounts. [CA-1995-15, RFC 1078]

Port 7 (echo)
  You will see lots of these from people looking for fraggle amplifiers, sent to
  addresses of the form x.x.x.0 and x.x.x.255.
  A common DoS attack is an echo-loop, where the attacker forges a UDP packet
  from one machine and sends it to the other; both machines then bounce packets
  off each other as fast as they can (see also chargen). [CA-96.01]
  Another common thing seen is TCP connections to this port by DoubleClick. They
  use a product called "Resonate Global Dispatch" that connects to this port on
  DNS servers in order to locate the closest one.
  Harvest/squid caches will send UDP echoes from port 3130. To quote: "If the
  cache is configured with source_ping on, it also bounces a HIT reply off the
  original host's UDP echo port." It can generate a lot of these packets.

Port 11 (sysstat)
  This is a UNIX service that will list all the running processes on a machine
  and who started them. This gives an intruder a huge amount of information that
  might be used to compromise the machine, such as indicating programs with known
  vulnerabilities or user accounts. It is similar to the output of the UNIX "ps"
  command.
  ICMP doesn't have ports; if you see something that says "ICMP port 11", you
  probably want ICMP type 11 (time exceeded).
Port 19 (chargen)
  This is a service that simply spits out characters. The UDP version responds
  with a packet containing garbage characters whenever a UDP packet is received.
  On a TCP connection, it spits out a stream of garbage characters until the
  connection is closed. Hackers can take advantage of IP spoofing for denial of
  service attacks: forging UDP packets between two chargen servers, or between a
  chargen and an echo server, can overload links as the two servers attempt to
  bounce the traffic back and forth forever. Likewise, the "fraggle" DoS attack
  broadcasts a packet destined to this port with a forged victim address, and
  the victim gets overloaded with all the responses. [CA-96.01]

Port 21 (FTP)
  The most common attack you will see is hackers/crackers looking for "open
  anonymous" FTP servers. These are servers with directories that can be both
  written to and read from. Hackers/crackers use these machines as way-points
  for transferring warez (pirated programs) and pr0n (intentionally misspelled
  to avoid search engines classifying this document).

Port 22 (ssh, pcAnywhere)
  TCP connections to this port might indicate a search for ssh, which has a few
  exploitable features. Many versions using the RSAREF library can be exploited
  if they are configured in a certain fashion. (Suggestion: run ssh on some other
  port.)
  Also note that the ssh package comes with a program called
  make-ssh-known-hosts that will scan a domain for ssh hosts. You will sometimes
  be scanned from innocent people running this utility.
  UDP (rather than TCP) packets directed at this port along with port 5632
  indicate a scan for pcAnywhere. The number 5632 is 0x1600 in hex, which
  byte-swapped is 0x0016, which is 22 decimal.

Port 23 (Telnet)
  The intruder is looking for a remote login to UNIX. Most of the time intruders
  scan for this port simply to find out more about what operating system is
  being used. In addition, if the intruder finds passwords using some other
  technique, they will try the passwords here.

Port 25 (SMTP)
  Spammers are looking for SMTP servers that allow them to "relay" spam. Since
  spammers keep getting their accounts shut down, they use dial-ups to connect
  to high bandwidth e-mail servers, and then send a single message to the relay
  with multiple addresses. The relay then forwards it to all the victims. SMTP
  servers (esp. sendmail) are one of the favorite ways to break into systems
  because they must be exposed to the Internet as a whole and e-mail routing is
  complex (complexity + exposure = vulnerability).
Port 53 (DNS)
  Hackers/crackers may be attempting to do zone transfers (TCP), to spoof DNS
  (UDP), or even to hide other traffic, since port 53 is frequently neither
  filtered nor logged by firewalls.
  An important thing to note is that you will frequently see port 53 used as
  the source UDP port. Stateless firewalls frequently allow such traffic on the
  assumption that it is a response to a DNS query. Hackers are increasingly
  exploiting this to pierce firewalls: a packet with source port 53 can be sent
  to any port behind the firewall, whether or not anyone asked a DNS question.
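The three patterns described above (echo/chargen loops between ports 7 and 19, fraggle amplifier probes aimed at x.x.x.0 and x.x.x.255, and "DNS replies" from source port 53 that nobody asked for) are easy to pick out of a log mechanically. The following is an added example, not code from this FAQ: a small classifier over a constructed log format, with the local network assumed to be 192.0.2.0/24. It keeps a table of outstanding DNS queries so that a source-port-53 packet is only accepted as a reply when it matches a query that actually went out, which is exactly the state a stateless filter lacks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed record format (not any real firewall's syntax):
#   "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
udp 203.0.113.5:7 -> 192.0.2.10:19
udp 203.0.113.9:1030 -> 192.0.2.255:7
udp 192.0.2.10:1025 -> 198.51.100.53:53
udp 198.51.100.53:53 -> 192.0.2.10:1025
udp 198.51.100.7:53 -> 192.0.2.10:139
tcp 203.0.113.22:3422 -> 192.0.2.10:80
"""

# Assumed local network behind the firewall (documentation range).
LOCAL_NET = ipaddress.IPv4Network("192.0.2.0/24")
SMALL_UDP_SERVICES = {7, 19}  # echo, chargen


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_line(line):
    proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Packet(proto.lower(), sip, int(sport), dip, int(dport))


def is_broadcast_like(ip):
    """x.x.x.0 and x.x.x.255: the targets the FAQ says fraggle probes use."""
    return (int(ipaddress.IPv4Address(ip)) & 0xFF) in (0, 255)


def classify(packets, local_net=LOCAL_NET):
    """Return [(tag, packet)] for packets matching the FAQ's patterns.

    A query from the local net to port 53 is remembered as (server, client,
    client_port); a later packet from port 53 is a reply only if it matches
    one of those tuples. Anything else from source port 53 is flagged."""
    outstanding = set()
    findings = []
    for p in packets:
        if p.proto != "udp":
            continue
        src_local = ipaddress.IPv4Address(p.src_ip) in local_net

        if p.src_port in SMALL_UDP_SERVICES and p.dst_port in SMALL_UDP_SERVICES:
            findings.append(("echo-chargen-loop", p))
        elif p.dst_port in SMALL_UDP_SERVICES and is_broadcast_like(p.dst_ip):
            findings.append(("fraggle-amplifier-probe", p))

        if src_local and p.dst_port == 53:
            outstanding.add((p.dst_ip, p.src_ip, p.src_port))
        elif not src_local and p.src_port == 53:
            key = (p.src_ip, p.dst_ip, p.dst_port)
            if key in outstanding:
                outstanding.discard(key)  # genuine reply to our query
            else:
                findings.append(("unsolicited-sport-53", p))
    return findings


def classify_log(text):
    return classify(parse_line(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for tag, p in classify_log(SAMPLE_LOG):
        print(f"{tag:26} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
```

On the sample, the first line is a loop attempt, the second a fraggle probe at the .255 address, the fourth is accepted as the reply to the third, and the fifth (source port 53 aimed at port 139, with no query behind it) is the firewall-piercing case.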
Ports 67 and 68 (bootp, DHCP)
  Bootp/DHCP over UDP. Firewalls hooked to DSL and cable-modem lines see a ton
  of these sent to the broadcast address 255.255.255.255. These machines are
  asking for an address assignment from a DHCP server. You could probably hack
  into them by giving them such an assignment and specifying yourself as the
  local router, then execute a wide range of man-in-the-middle attacks. The
  client broadcasts its request from port 68 (bootpc) to port 67 (bootps); the
  server sends the response back to port 68 (bootpc). The response is usually a
  broadcast as well, because the client doesn't yet have an IP address that can
  be sent to.

Port 69 (TFTP)
  (over UDP). Many servers support this protocol in conjunction with BOOTP in
  order to download boot code to the system. However, they are frequently
  misconfigured to provide any file from the system, such as password files.
  They can also be used to write files to the system.

Port 79 (finger)
  Hackers are trying to:

Port 98 (linuxconf)
  The utility "linuxconf" provides easy administration of Linux boxen. It
  includes a web-enabled interface at port 98 through an integrated HTTP server.
  It has had a number of security issues. Some versions are setuid root, trust
  the local network, create world-accessible files in /tmp, and have a buffer
  overflow in the handling of the LANG environment variable. Also, because it
  contains an integrated web server, it may be vulnerable to many of the typical
  HTTP exploits (buffer overruns, directory traversal using ../.., etc.).

Port 109 (POP2)
  POP2 is not nearly as popular as POP3 (see below), but many servers support
  both (for backwards compatibility). Many of the holes that can be exploited on
  POP3 can also be exploited via the POP2 port on the same server.

Port 110 (POP3)
  POP3 is used by clients accessing e-mail on their servers. POP3 services have
  many well-known vulnerabilities. At least 20 implementations are vulnerable to
  a buffer overflow in the username or password exchange (meaning that hackers
  can break in at this stage, before really logging in). There are other buffer
  overflows that can be exploited after successfully logging in.

Port 111 (sunrpc, portmap, rpcbind)
  Sun RPC PortMapper/RPCBIND. Access to portmapper is the first step in scanning
  a system looking for all the RPC services enabled, such as rpc.mountd, NFS,
  rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. If the intruder finds the
  appropriate service enabled, s/he will then run an exploit against the port
  where the service is running.
  Note that by putting a logging daemon, IDS, or sniffer on the wire, you can
  find out which programs the intruder is attempting to access, in order to
  figure out exactly what is going on.
Port 113 (identd, auth)
  This is a protocol that runs on many machines and identifies the user of a TCP
  connection. In standard usage this reveals a LOT of information about a
  machine that hackers can exploit. However, it is used by a lot of servers for
  logging, especially FTP, POP, IMAP, SMTP, and IRC servers. In general, if you
  have any clients accessing these services through a firewall, you will see
  incoming connection attempts on this port. Note that if you silently drop
  this port, clients will perceive slow connections to e-mail servers on the
  other side of the firewall, because the server waits for its ident lookup to
  time out. Many firewalls support sending back a RST on the TCP connection as
  part of the blocking procedure, which will stop these slow connections.

Port 119 (NNTP, news)
  Network News Transfer Protocol, carries USENET traffic. This is the port used
  when you have a URL like news://comp.security.firewalls. Attempts on this port
  are usually by people hunting for open USENET servers. Most ISPs restrict
  access to their news servers to only their customers. Open news servers allow
  posting and reading from anybody, and are used to access newsgroups blocked by
  someone's ISP, to post anonymously, or to post spam.
  Update: @Home has started scanning their subscribers to see if they are
  running USENET servers. They are doing this in order to find these servers and
  close them before spammers can take advantage of them.

Port 135 (loc-serv, MS RPC end-point mapper)
  Microsoft runs its DCE RPC end-point mapper for its DCOM services at this
  port. This has much the same functionality as port 111 for UNIX systems.
  Services that use DCOM and/or RPC register their location with the end-point
  mapper on the machine. When clients remotely connect to the machine, they
  query the end-point mapper to find out where the service is. Likewise, hackers
  can scan the machine on this port in order to find out such things as "is
  Exchange Server running on this machine, and which version?".
  This port is often hit in order to scan for services (for example, using the
  "epdump" utility), but this port may also be attacked directly. Currently,
  there are a few denial-of-service attacks that can be directed at this port.

Port 137 (NetBIOS name service, nbtstat)
  (UDP) This is the most common item seen by firewall administrators and is
  perfectly normal. Please read the NetBIOS section below for more details.

Port 139 (NetBIOS, File and Print Sharing)
  Incoming connections to this port are trying to reach NetBIOS/SMB, the
  protocols used for Windows "File and Print Sharing" as well as SAMBA. People
  sharing their hard disks on this port are probably the most common
  vulnerability on the Internet.
  Attempts on this port were common at the beginning of 1999, but tapered off
  near the end. Now at the start of year 2000, attempts on this port have picked
  up again. Several VBS (IE5 VisualBasic Scripting) worms have appeared that
  attempt to copy themselves via this port. Therefore, it may be worms
  attempting to propagate on this port.
  In late 2001 and early 2002, the Nimda worm would share the C$ drive when it
  infected a machine. Many attempts against this port are from people scanning
  for drives left open by Nimda.

Port 143 (IMAP4)
  Same security idea as POP3 above: numerous IMAP servers have buffer overflows
  that allow compromise during the login. Note that for a while there was a
  Linux worm (admw0rm) that would spread by compromising port 143, so a lot of
  scans on this port are actually from innocent people who have already been
  compromised. IMAP exploits became popular when RedHat enabled the service by
  default on its distributions. In fact, this may have been the first widely
  scanned-for exploit since the Morris Worm. This port is also used for IMAP2,
  but that version wasn't very popular.
  Several people have noted attacks from port 0 to port 143, which appears to be
  from some attack script.
Port 161 (SNMP)
  (UDP) A very common port that intruders probe for. SNMP allows for remote
  management of devices. All the configuration and performance information is
  stored in a database that can be retrieved or set via SNMP. Many managers
  mistakenly leave this available on the Internet. Crackers will first attempt
  to use the default community strings "public" and "private" to access the
  system; they may then attempt to "crack" the community string by trying all
  combinations.
  SNMP packets may be mistakenly directed at your network. Windows machines
  running HP JetDirect remote management software use SNMP, and misconfigured
  machines are frequent. HP OBJECT IDENTIFIERs will be seen in the packets.
  Newer versions of Win98 will use SNMP for name resolution; you will see
  packets broadcast on local subnets (cable modem, DSL) looking up sysName and
  other info.
  In early 2002, a university in Finland (the University of Oulu) released its
  "PROTOS" test suite, which demonstrated many flaws in popular SNMP
  implementations. These flaws had been known for more than a decade, but this
  was the first time security implications were shown for them.

Port 162 (SNMP trap)
  Probably a misconfiguration.

Port 177 (xdmcp)
  Numerous hacks may allow access to an X-Window console; it needs port 6000
  open as well in order to really succeed.

Port 445 (NetBIOS, File and Print Sharing)
  See port 139 for more information.
  In Windows 2000 and Windows XP, port 445 is essentially a duplicate of port
  139. These ports are used for Microsoft's file and printer sharing, remote
  registry access, named pipes services, and many MS-RPC services. The
  difference is that port 139 supports these services on top of NetBIOS, whereas
  port 445 gets rid of this middleman, supporting these services directly over
  TCP/IP.
  Whereas many ISPs now filter port 139, many do not filter port 445. As of
  mid-2002, we are seeing more scans for port 445 as hackers learn to get around
  port 139 filters.

Port 513 (rwho)
  Probably from UNIX machines on your DSL/cable-modem segment broadcasting who
  is logged into their servers. These people are kindly giving you really
  interesting information that you could use to hack into their systems.

Port 515 (lp, printer)
  This is the standard protocol for remote printing on UNIX systems. Virtually
  every UNIX system from Sun Solaris to Linux will listen on this port. In
  addition, most laser printers support this protocol as well. There are
  widespread vulnerabilities on this port, due either to vulnerabilities in the
  protocol itself, or to vulnerabilities in printer-specific drivers behind this
  port. The RedHat 7 LPRng bug was exploited by the Ramen worm; many attempts
  against this port will be from that worm.

Port 535 (CORBA IIOP)
  (UDP) If you are on a cable-modem or DSL VLAN, then you may see broadcasts to
  this port. CORBA is an object-oriented remote procedure call (RPC) system. It
  is highly likely that when you see these broadcasts, you can use the
  information to hack back into the systems generating these broadcasts. There
  are many exploits possible against this port, but as of August 2002, they
  haven't been reported to Bugtraq yet.

Port 600 (pcserver backdoor)
  See port 1524 for more info.
  "Some script kiddies feel they're contributing substantially to the exploit
  programs by making a minor change from ingreslock to pcserver in constant
  text..." -- Alan J. Rosenthal.

Port 635 (mountd)
  Linux mountd bug. This is a popular bug that people are scanning for. Most
  scans on this port are UDP-based, but they are increasingly TCP-based (mountd
  runs on both simultaneously). Note that mountd can run at any port (for which
  you must first do a portmap lookup at port 111); it's just that Linux
  defaulted to port 635, in much the same way that NFS universally runs at port
  2049.
Port 1024
  Many people ask what this port is used for. The answer is that this is the
  first port number in the dynamic range of ports. Many applications don't care
  what port they use for a network connection, so they ask the operating system
  to assign the "next freely available port". In point of fact, they ask for
  port 0, but are assigned one starting with port 1024. This means the first
  application on your system that requests a dynamic port will be assigned port
  1024. You can test this fact by booting your computer, then in one window
  opening a Telnet session, and in another window running "netstat -a". You
  will see that the Telnet application has been assigned port 1024 for its end
  of the connection. As more applications request more and more dynamic ports,
  the operating system will assign increasingly higher port numbers. Again, you
  can watch this effect with 'netstat' as you browse the Internet with your web
  browser, as each web page requires a new connection.
  This describes the systems of the time. More recent operating systems start
  the dynamic range much higher (Linux defaults to 32768-60999, Windows Vista
  and later to 49152-65535) and many randomize the choice within that range
  (RFC 6056), so a source port of exactly 1024 is no longer what a freshly
  booted machine produces.
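To see the "ask for port 0" mechanism directly rather than through netstat, the following added example (not from the original FAQ) binds a few sockets to port 0 and reports the ports the OS actually chose, next to the range the OS says it hands out. The range is read from /proc on Linux; on other systems the RFC 6335 dynamic range 49152-65535 is assumed as a stand-in rather than measured.

```python
import socket
from pathlib import Path


def ephemeral_range():
    """Return the (low, high) dynamic port range.

    Linux exposes the configured range in /proc; elsewhere this falls back
    to the RFC 6335 dynamic range, which is an assumption, not a reading."""
    proc = Path("/proc/sys/net/ipv4/ip_local_port_range")
    if proc.exists():
        low, high = proc.read_text().split()
        return int(low), int(high)
    return 49152, 65535


def allocate_ports(count=5):
    """Bind `count` TCP sockets to port 0 (the 'next free port' request the
    FAQ describes) and return the ports the OS assigned. All sockets stay
    open until the end so the OS cannot hand the same port out twice."""
    socks, ports = [], []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind(("127.0.0.1", 0))          # port 0 = "you pick"
            socks.append(s)
            ports.append(s.getsockname()[1])  # what the OS actually chose
    finally:
        for s in socks:
            s.close()
    return ports


def check_allocation(ports, low, high):
    """True when every assigned port lies inside the reported range."""
    return all(low <= p <= high for p in ports)


if __name__ == "__main__":
    low, high = ephemeral_range()
    got = allocate_ports()
    print(f"dynamic range reported by the OS: {low}-{high}")
    print(f"ports assigned for five port-0 binds: {got}")
    print("all inside the range:", check_allocation(got, low, high))
```

Run it on a machine of the era the FAQ describes and you would see 1024, 1025, 1026 and so on; on a current system the numbers land in the five-digit range and are not necessarily consecutive, which is why a source port near 1024 in a modern log deserves a second look rather than being assumed to be "the first connection after boot".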
Ports 1025, 1026, 1027
  See port 1024.

Port 1080 (SOCKS)
  This protocol tunnels traffic through firewalls, allowing many people behind
  the firewall access to the Internet through a single IP address. In theory,
  it should only tunnel inside traffic out towards the Internet. However, it is
  frequently misconfigured and allows hackers/crackers to tunnel their attacks
  inwards, or simply to bounce through the system to other Internet machines,
  masking their attacks as if they were coming from you. WinGate, a popular
  Windows proxy/gateway product, is frequently misconfigured this way. This is
  often seen when joining IRC chatrooms.

Port 1114 (SQL)
  This is rarely probed by itself, but is almost always seen as part of the
  sscan script.

Port 1243 (Sub-7)
  Trojan Horse (TCP). See the section on SubSeven for more details.

Port 1524 (ingreslock backdoor)
  Many attack scripts install a backdoor shell at this port (especially those
  against Sun systems via holes in sendmail and RPC services like statd,
  ttdbserver, and cmsd). If you've just installed your firewall and are seeing
  connection attempts on this port, then this may be the cause. Try telnetting
  to the targeted machine in order to see if it indeed comes up with a shell.
  Connections to port 600/pcserver have the same explanation. [IN-99-04]

Port 2049 (NFS)
  The NFS program usually runs at this port. Normally, access to portmapper is
  needed to find which port this service runs on, but since most installations
  run NFS on this port, hackers/crackers can bypass portmapper and try this port
  directly.

Port 2766 (listen, npls)
  Used by Sun Solaris boxes as a printer service, an alternative to the standard
  printer on port 515. Exploit scripts against Solaris machines will frequently
  bind a shell to this port, similar to the ingreslock port. In particular, a
  well-known exploit against the snmpXdmid vulnerability left behind a shell on
  this port.

Port 3128 (squid)
  This is the default port for the "squid" HTTP proxy. An attacker scanning for
  this port is likely searching for a proxy server they can use to surf the
  Internet anonymously. You may see scans for other proxies at the same time,
  such as at ports 8000/8001/8080/8888. Another cause of scans at this port, for
  a similar reason, is when users enter chatrooms. Other users (or the servers
  themselves) will attempt to check this port to see if the user's machine
  supports proxying. See section 5.3 for more info.

Port 5632 (pcAnywhere)
  You may see lots of these, depending on the sort of segment you are on. When
  a user opens pcAnywhere, it scans the local Class C range looking for
  potential agents. Hackers/crackers also scan looking for open machines, so
  look at the source address to see which it is. Scans for pcAnywhere frequently
  also include a UDP packet to port 22. See dialup probes for more info.
Port 6776 (Sub7 artifact)
  This port is used separately from the SubSeven main port to transfer data.
  One example where you might see this is when a master is controlling a slave
  on a dialup line, and then the slave machine hangs up. When someone else dials
  in and gets that IP address, they will see a continuous stream of connection
  attempts at this port. (See the section on dialups for more.)

Port 6970 (RealAudio)
  Clients receive incoming audio streams from servers on UDP ports in the range
  6970-7170. This is set up by the outgoing control connection on TCP port 7070.

Port 13223 (PowWow)
  The "PowWow" chat program from Tribal Voice. It allows users to open up
  private chat connections with each other on this port. The program is very
  aggressive at trying to establish the connection and will "camp" on the TCP
  port waiting for a response. This causes a connection attempt at regular
  intervals like a heartbeat. This can be seen by dial-up users who inherit IP
  addresses from somebody who was chatting with other people: it will appear as
  if many different people are probing that port. The protocol uses the letters
  "OPNG" as the first four bytes of its connection attempt.

Port 17027 (Conducent)
  Outbound: This is seen on outbound connections. It is caused by users inside
  the corporation who have installed shareware programs using the Conducent
  "adbot" wrapper. This wrapper shows advertisements to users of the shareware.
  A popular shareware program that uses this is PKware.
  Bill Royds mentions that in his experience, you can block this outbound
  connection with no problem, but if you block the IP addresses themselves, then
  the adbots can overload the link trying to reach the servers by continually
  connecting many times per second.
  The machines will attempt to resolve the DNS name "ads.conducent.com", which
  resolves to the IP addresses 216.33.210.40, 216.33.199.77, 216.33.199.80,
  216.33.199.81 and 216.33.210.41. These addresses are hosted by Exodus.

Port 27374 (Sub-7)
  Trojan Horse (TCP). See the section on SubSeven for more details.
  Also used as a backdoor port left behind by exploit scripts, such as those in
  the Ramen worm. While some scans for this port may be due to SubSeven, others
  may be looking for a remote shell.

Port 30100 (NetSphere)
  Trojan Horse (TCP). This is a commonly seen scan looking for systems
  compromised by this trojan.

Port 31337 (Back Orifice, "elite")
  This number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T). Lots of
  hacker/cracker backdoors run at this port, but the most important is Back
  Orifice. At one time, this was by far the most popular scan on the Internet.
  These days, its popularity is waning and other remote access trojans are
  becoming popular.

Port 31789 (Hack-a-tack)
  UDP traffic on this port is currently being seen due to the "Hack-a-tack" RAT
  (Remote Access Trojan). This trojan includes a built-in scanner that scans
  from port 31790, so UDP packets with source port 31790 and destination port
  31789 indicate a possible intrusion. (Port 31789 is the control connection;
  port 31790 is the file transfer connection.)

Ports 32770 ~ 32900 (RPC services)
  Sun Solaris puts most of its RPC services in this range. In particular, older
  versions of Solaris (pre-2.5.1) put a portmapper in this range, allowing
  hackers access to it even when low ports are blocked by a firewall. Probes in
  this range might be either for this portmapper, or for known RPC services
  that can be exploited.

Ports 33434 - 33600 (traceroute)
  If you see a series of UDP packets within this port range (and only within
  this range), then it is probably indicative of traceroute. See traceroute for
  more info.

Port 41508 (Inoculan)
  Inoculan on UDP. Older versions of Inoculan apparently generate huge
  quantities of UDP traffic directed at subnets in order to discover each other.
  More info can be found at
  http://www.circlemud.org/~jelson/software/udpsend.html and
  http://www.ccd.bnl.gov/nss/tips/inoculan/index.html. Thanks to Jerry Leslie,
  NeoNET <leslie at clio dot rice dot edu>.
1.2 What do the following source ports mean?
Ports below 1024 are reserved for well-known services and almost never appear
as the source port of a connection. There are some exceptions, such as when
connections come from NAT machines. See section 1.9 for some more details.
Ports shortly after 1024 (i.e. 1024-5000) are the ones most commonly seen.
These are the "dynamic" range that is assigned to applications that don't care
what port they use for their connection.
Each entry below gives the server-side (source) port, the client-side port, the
service, and what the traffic usually is.

1-5/tcp (client port dynamic; sscan)
  Source ports 1-5 are indicative of a script called 'sscan'.

20/tcp (client port dynamic; FTP data)
  FTP servers usually transfer files from this port.

53 (client port dynamic; DNS)
  DNS servers will send UDP responses from this port. You may also see TCP
  connections with source and destination ports both 53, such as zone transfers
  or queries from older BIND servers, which send from port 53.

123 (client port dynamic; S/NTP)
  The (Simple) Network Time Protocol (S/NTP) servers run at this port. They will
  also send broadcasts to this port.

27910-27961/udp (client port dynamic; Quake games)
  Quake (and Quake-derived games) usually run servers at these ports.
  Therefore, UDP packets from this range (and to this range) will usually be
  games.

61000+ (client port dynamic; Linux NAT)
  Ports above 61000 might come from machines behind a Linux NAT server called
  "IP Masquerade".
1.3 I'm seeing attempts on the same set of ports from widely varying sources
all over the Internet.
This is due to a "decoy" scan, such as the one in 'nmap'. One of the sources is
the attacker; the others are not.
Forensics and protocol analysis can be used to track down which one it is. For
example, if you ping each of the systems, you can match up the TTL fields in
those responses with the TTLs of the connection attempts. This will at least
point a finger at a decoy scan. (The TTLs should match; if they don't, the
packets are being spoofed.) Newer versions of the scanner randomize the
attacker's own TTL, making it harder to weed the attacker out.
You can also go back further in your logs, looking for all the decoy addresses
or for people from the same subnets. You will often see that the attacker has
actually connected to you recently, while the decoyed addresses haven't.
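The two checks described above (TTL consistency and prior history) can be scripted. The following is an added example, not part of the original FAQ, and works on constructed data: the TTLs a firewall logged for four sources during one decoy scan, the TTLs seen when each source was pinged afterwards (one did not answer), and the set of sources found in older logs. In a decoy scan the decoys' addresses are spoofed but every packet physically leaves the attacker's host, so all probes share one TTL; the source whose own host answers pings with that same TTL, and which has visited before, is the best candidate. When the scanner randomizes its TTL, as noted above, the uniform-TTL signal disappears and only the history check remains.

```python
from collections import Counter

# Constructed data (documentation-range addresses, invented TTLs):
# what the firewall logged for one burst of probes, as (source, TTL of
# the SYN as it arrived)...
SCAN_LOG = [
    ("203.0.113.10", 113),
    ("203.0.113.11", 113),
    ("198.51.100.7", 113),
    ("192.0.2.77", 113),
]
# ...the TTL of the ICMP echo reply when each source was pinged afterwards
# (192.0.2.77 did not answer)...
PING_TTLS = {"203.0.113.10": 113, "203.0.113.11": 120, "198.51.100.7": 49}
# ...and the sources that already appeared in older log files.
EARLIER_SOURCES = {"203.0.113.10", "198.51.100.7"}

INITIAL_TTLS = (64, 128, 255)  # common OS defaults (see Packet Zen / TTL)


def hops_from_ttl(ttl):
    """Hop distance, assuming the sender started at the smallest common
    initial TTL that is >= the observed value."""
    start = next(i for i in INITIAL_TTLS if i >= ttl)
    return start - ttl


def analyse_decoy_scan(scan_log, ping_ttls, earlier_sources):
    """Apply the FAQ's two checks to one decoy scan.

    scan_log:        [(source, ttl_as_logged)]
    ping_ttls:       {source: ttl_of_echo_reply}; missing = no answer
    earlier_sources: set of sources seen in older logs"""
    uniform_ttl = len(Counter(ttl for _, ttl in scan_log)) == 1
    consistent = [src for src, ttl in scan_log if ping_ttls.get(src) == ttl]
    unreachable = [src for src, _ in scan_log if src not in ping_ttls]
    seen_before = [src for src, _ in scan_log if src in earlier_sources]
    # Prefer a TTL-consistent source that also has history; otherwise any
    # TTL-consistent source.
    likely = [s for s in consistent if s in earlier_sources] or consistent
    return {
        "uniform_ttl": uniform_ttl,
        "ttl_consistent": consistent,
        "unreachable": unreachable,
        "seen_before": seen_before,
        "likely_attacker": likely,
        "hops": {src: hops_from_ttl(ttl) for src, ttl in scan_log},
    }


if __name__ == "__main__":
    for key, value in analyse_decoy_scan(SCAN_LOG, PING_TTLS, EARLIER_SOURCES).items():
        print(f"{key}: {value}")
```

On the sample, all four probes arrived with TTL 113 (about 15 hops from a 128-start host); only 203.0.113.10 answers a ping with the same TTL, and it has connected before, so it is the one to look at. 203.0.113.11 is 8 hops away and 198.51.100.7 is 15 hops from a 64-start host, so neither can have sent those packets; 192.0.2.77 cannot be vouched for either way.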
The first stage of a Trojan Horse attack is to get the program onto a user's
machine. Typical techniques are:
- post the program to newsgroups claiming it is some other program
- spam mailing lists with the program attached
- post the program on websites
- send it via instant messenger programs and chat systems (ICQ, AIM, IRC, etc.)
- forge e-mail from the ISP (like AOL) with a hoax message asking somebody to
  run a program (such as a software update)
- copy it to the startup folder via "File and Print Sharing"
The next stage of the attack is to scan the Internet looking for machines that
might be compromised. The problem is that most of the techniques outlined above
don't tell the cracker/hacker where their victim machine is. Therefore, the
cracker/hacker must scan the Internet looking for the machines they might have
compromised.
This leads to the condition where owners of firewalls (including personal
firewalls) regularly see "probes" directed at their machines from
crackers/hackers looking for these machines. However, if the machine hasn't
been compromised, then these probes are not a problem. The probes cannot
compromise the machine by themselves. Administrators can usually ignore these
"attacks".
Typical ports used by these probes are listed below. In order to tell if your
machine might be running one of these trojans, run the program "netstat -an" on
your machine. Look for the ports that are "listening" for incoming connections.
Resources:
http://www.commodon.com/threat/threat-ports.htm
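As an added example (not from the original FAQ), here is a check that parses "netstat -an" output in both the Windows and the Linux/BSD layouts, using a constructed sample, and reports listeners on the default ports of the trojans and backdoors named in this document. The port table is assembled from this FAQ's own entries. A match is a reason to investigate, not proof: trojans can be reconfigured to other ports, and legitimate software can land on these numbers. Note also that on a compromised machine netstat itself may have been replaced to hide ports, so the authoritative check is from outside (a port scan from another host) or from a clean boot.

```python
import re

# Default ports of the remote-access trojans and backdoors named in this FAQ.
TROJAN_PORTS = {
    600: "pcserver backdoor shell",
    1243: "SubSeven (older default)",
    1524: "ingreslock backdoor shell",
    2772: "SubSeven screen capture",
    2773: "SubSeven key logger",
    6711: "SubSeven",
    6776: "SubSeven data / backdoor",
    7215: "SubSeven matrix chat",
    27374: "SubSeven v2.0 default / exploit-script backdoor",
    30100: "NetSphere",
    31337: "Back Orifice",
    31789: "Hack-a-tack control",
    31790: "Hack-a-tack file transfer",
    54283: "SubSeven spy",
}

# Constructed sample of "netstat -an" output: Windows layout first, then a
# Linux/BSD block, so both parsers paths are exercised.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1025        198.51.100.5:80        ESTABLISHED
  UDP    0.0.0.0:31789          *:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
"""

# proto, optional recv/send queue counters (Linux), local addr, local port,
# foreign addr, optional state. The port separator is ':' (Windows/Linux)
# or '.' (BSD/macOS).
LINE_RE = re.compile(
    r"^\s*(tcp|udp)\S*\s+(?:\d+\s+\d+\s+)?(\S+)[.:](\d+)\s+(\S+)(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)


def listening_sockets(netstat_text):
    """Yield (proto, local_port) for sockets that accept input: TCP sockets
    in LISTEN/LISTENING, and every bound UDP socket (UDP has no state)."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything else we do not understand
        proto, _local, port, _foreign, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and not (state or "").upper().startswith("LISTEN"):
            continue
        yield proto, int(port)


def suspicious_listeners(netstat_text, table=TROJAN_PORTS):
    """Return [(proto, port, description)] for listeners on known trojan ports."""
    return [(proto, port, table[port])
            for proto, port in listening_sockets(netstat_text)
            if port in table]


if __name__ == "__main__":
    for proto, port, what in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"{proto}/{port}: {what}")
```

To run it against a live machine, feed the function the captured output of `netstat -an` instead of the sample; the ESTABLISHED client connection on port 1025 and the normal listeners on 135, 22 and 137 are correctly ignored, while the three trojan-default ports are reported.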
Sub7 has become the most popular remote access trojan. At this time, it is the
easiest-to-use and most powerful trojan. The reasons for this are:
- It is actively maintained/updated. Most other Trojans were created once, then
  development stopped except for a couple of bug fixes.
- The program not only includes a scanner, but can also tell a slave machine to
  scan as well.
- The creator holds a contest for cracked sites using Sub7.
- It supports "port redirection", so that any attack can be funneled through a
  victim's machine.
- It contains extensive tricks to play with ICQ, AOL IM, MSN Messenger, and
  Yahoo Messenger, including password sniffing, posting messages, and other
  features.
- Extensive UI tricks, such as flipping the screen, talking through the
  victim's speaker, and spying on the victim's screen.
In short, not only is it an excellent hacking tool, the little "magic" tricks
are designed to scare the <bleep> out of victims.
Sub7 is written by a hacker who calls himself "Mobman". His site can be reached
at http://subseven.slak.org/.
Sub7 might use the following ports:
- 1243: the default connection port for older versions.
- 2772: screen capture port.
- 2773: key logger port.
- 6711: ??? (purpose unknown).
- 6776: I'm not sure what this port is for, but it has been claimed that this can serve as a "backdoor" in some versions. (Yes, a backdoor program with a backdoor to avoid password prompts.)
- 7215: port for the "matrix" chat program.
- 27374: another default port, appearing in v2.0.
- 54283: spy port.
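As an added example (not part of the original FAQ), here is a small Python script that applies the "netstat -an" check above automatically: it parses netstat's text output, keeps only sockets that are waiting for input (TCP entries in LISTEN/LISTENING, plus every bound UDP socket), and flags any whose local port is one of the Sub7 ports listed above or the NetBus default of 12345 mentioned later in this document. The sample netstat output is constructed for the example; the column layouts it understands (Windows and Linux) and the decision to ignore ESTABLISHED entries are assumptions, the latter because a local port such as 1243 can just as well be an ordinary client-side port that the operating system handed out.

```python
"""Flag listening sockets on the Sub7/NetBus default ports named in this FAQ.

Added example: parses the text "netstat -an" prints and reports listeners whose
local port matches one of the trojan defaults. A match is a hint, not proof;
the port numbers can be changed and legitimate software may use the same ones.
"""
import re

# Port-to-description table copied from the FAQ's Sub7 list plus NetBus (12345).
TROJAN_PORTS = {
    1243: "Sub7 default (older versions)",
    2772: "Sub7 screen capture",
    2773: "Sub7 key logger",
    6711: "Sub7 (purpose unknown)",
    6776: "Sub7 (claimed backdoor)",
    7215: "Sub7 matrix chat",
    27374: "Sub7 default (v2.0)",
    54283: "Sub7 spy port",
    12345: "NetBus default",
}

# Constructed sample in the Windows "netstat -an" layout (assumed format).
# The 27374 and 12345 listeners are planted; 1243 appears only as the local
# side of an outbound connection, i.e. a port Windows picked for a client.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1026       192.0.2.10:80          ESTABLISHED
  TCP    192.168.1.5:1243       192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:12345          *:*
"""

_ADDR_PORT = re.compile(r":(\d+)$")   # "0.0.0.0:27374" -> 27374, but not "*:*"


def listening_sockets(netstat_output):
    """Yield (proto, port, state) for sockets waiting for input.

    Works on Windows ("TCP ... LISTENING") and Linux ("tcp ... LISTEN") layouts
    by taking the first whitespace-separated field that ends in ":<digits>" as
    the local address. UDP has no state, so every bound UDP socket counts.
    """
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto = fields[0].lower().rstrip("6")
        ports = [m.group(1) for f in fields for m in [_ADDR_PORT.search(f)] if m]
        if not ports:
            continue
        local_port = int(ports[0])
        if proto == "udp":
            yield proto, local_port, "UDP"
        elif fields[-1].upper() in ("LISTEN", "LISTENING"):
            yield proto, local_port, fields[-1].upper()


def suspicious_listeners(netstat_output, known_ports=TROJAN_PORTS):
    """Return [(proto, port, description)] for listeners on a known trojan port."""
    return [(proto, port, known_ports[port])
            for proto, port, _state in listening_sockets(netstat_output)
            if port in known_ports]


if __name__ == "__main__":
    for proto, port, what in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"{proto.upper()} port {port} is listening: {what}")
```

Feed it real output with something like `netstat -an > ns.txt` and `suspicious_listeners(open("ns.txt").read())`; a hit on 27374 or 12345 deserves a closer look at the process owning the socket, while the ESTABLISHED line on 1243 in the sample is deliberately not reported.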
1.9 DNS packets from low numbered ports
Q: I've seen many DNS requests from many low port numbers below 1024.
Aren't they supposed to be reserved? Aren't they supposed to use 1024-65535
range?
A: These are coming from machines behind NAT firewalls. A NAT doesn't necessarily have the concept of reserved port numbers, so the source port it picks when rewriting an outgoing DNS query can fall below 1024. (Thanks to Ryan Russell, Ryan.Russell at sybase dot com.)
Q: My filters reject incoming packets with source ports below 1024, so
the DNS lookups are failing.
A: Don't filter that way. Lots of firewalls have similar rules, but this is
somewhat "misguided" since hackers/crackers can forge whatever ports they
want.
Q: Are these NAT firewalls doing it incorrectly?
A: Not in theory, but in practice it will result in failures. The "correct" way would be to control DNS traffic more strictly in any case (for example, by essentially "proxying" DNS at the firewall and forcing all queries out through port 53).
Q: I thought DNS lookup was supposed to use a random source port above
1024?
A: In practice, your average DNS client (the resolver on a desktop machine) uses a non-reserved port. However, a lot of name server implementations send their queries from source port 53. In any case, the NAT issue is completely separate: the NAT rewrites the entire "socket" (IP address + port combination) of an outgoing packet, so the source port you see on the outside is whatever the NAT chose, not what the client originally used.
1.10 Immediately upon dialing up to my ISP, my personal firewall starts alarming me about probes against port X.
This is very common. The cause is that somebody hung up just before you
dialed in and your ISP assigned you the same IP address. You are now seeing
the remnants of communication with the previous person.
A typical example is chat
programs. If someone simply hangs up, then everyone who was chatting with that
person will attempt to still send traffic to them. Some programs take a long
time to timeout. Typical programs that show this behavior are PowWow and ICQ.
Another example is on-line multiplayer games. You might see such traffic from gaming providers like MPlayer, or from unknown servers (Quake servers litter the Internet). These games are typically UDP based, so there is no concept of a connection that can be dropped; they are also quite aggressive about maintaining contact with each player in order to give a good user experience. Some game ports that you might see are:
Another example is multimedia audio/visual. For example,
RealAudio uses UDP ports in the range of 6970-7170 for clients to
receive audio streams.
Make sure that you carefully figure out the correct side of the connection.
For example, an ICQ server runs on port 4000, and the client chooses a random
high-numbered port. That means you will see UDP packets from port 4000 going
to the random port. In other words, don't go looking in a port database trying
to figure what that random, high-numbered port means. The significant port is
the source.
The SubSeven trojan has a
similar problem. It uses separate TCP connections for different services. If
the slave agent goes away, it will continue to create connection attempts to
the slave ports, especially at port
6776.
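To make the "which side is significant" rule above mechanical, here is an added example in Python (not from the original FAQ). It parses a few constructed log lines in a generic "PROTO src:port -> dst:port" layout (no real firewall product's format is implied), checks both ports against the services this section names (ICQ on UDP 4000, RealAudio on UDP 6970-7170, SubSeven on TCP 6776) and otherwise falls back to treating the side below 1024 as the service. The sample lines, the addresses (documentation ranges) and the fallback rule are assumptions made for the example.

```python
"""Pick the meaningful port in a logged packet: the service side, not the random one.

Added example. The service table holds only the ports this FAQ section names;
extend it with whatever your own logs show repeatedly.
"""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

# (proto, low, high, description) taken from the text above; ranges are inclusive.
KNOWN_SERVICES = [
    ("udp", 4000, 4000, "ICQ server (client port is random)"),
    ("udp", 6970, 7170, "RealAudio stream to a client"),
    ("tcp", 6776, 6776, "SubSeven slave port (master retrying a vanished slave)"),
]

# Constructed sample; "PROTO src:port -> dst:port" is an assumed layout and the
# addresses come from documentation ranges. 10.0.0.7 plays the dial-up user.
SAMPLE_LOG = """\
UDP 198.51.100.20:4000 -> 10.0.0.7:1034
UDP 203.0.113.9:7001 -> 10.0.0.7:2121
TCP 192.0.2.77:1045 -> 10.0.0.7:6776
TCP 192.0.2.77:3055 -> 10.0.0.7:80
UDP 10.0.0.7:1234 -> 192.0.2.53:53
UDP 192.0.2.8:1500 -> 10.0.0.7:1600
"""

_LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)", re.I)


def parse_line(line):
    """Return a Packet for a log line in the assumed layout, or None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return Packet(m.group(1).lower(), m.group(2), int(m.group(3)),
                  m.group(4), int(m.group(5)))


def known_service(proto, port):
    """Look the port up in KNOWN_SERVICES for this protocol; None if absent."""
    for p, low, high, name in KNOWN_SERVICES:
        if p == proto and low <= port <= high:
            return name
    return None


def significant_side(pkt):
    """Return (side, port, description) where side is "source" or "destination".

    A port the FAQ names wins outright. Otherwise the side below 1024 is taken
    to be the service and the other side is the client's random port; if both
    are high-numbered the packet is reported as undetermined rather than guessed.
    """
    for side, port in (("source", pkt.src_port), ("destination", pkt.dst_port)):
        name = known_service(pkt.proto, port)
        if name:
            return side, port, name
    if pkt.src_port < 1024 <= pkt.dst_port:
        return "source", pkt.src_port, "well-known port"
    if pkt.dst_port < 1024 <= pkt.src_port:
        return "destination", pkt.dst_port, "well-known port"
    return None, None, "undetermined: both ports are high-numbered"


def classify_log(text):
    """Apply significant_side() to every parseable line, in order."""
    return [significant_side(p) for p in map(parse_line, text.splitlines()) if p]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG.splitlines(), classify_log(SAMPLE_LOG)):
        print(f"{line:45} -> {result}")
```

The first sample line is the dial-up case from the text: port 4000 on the far end is the ICQ server and 1034 on your side is noise, so the script names the source. The last line shows the honest answer when neither side is recognisable: report it as undetermined instead of looking 1600 up in a port database.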
1.11 IRC servers are probing me.
One of the most popular applications is "chat", like IRC. One feature of chat programs is that they reveal the IP address of the people you are chatting with. One problem with chatrooms is that people enter the rooms "anonymously" and play around, either by disrupting conversations with off-topic comments and flamebait, or by "flooding" the servers or other clients in an attempt to get them kicked off.
Therefore, both servers and clients are implementing measures to stop
"anonymous" use of chatrooms. In particular, they check people entering
chatrooms in order to see if they are "proxying" through some other
connection. The most popular of such probes is SOCKS. The assumption is that
if the IP address of where you are coming from supports SOCKS, then it is
possible that you have a completely separate machine and are only going
through the indicated machine in order to hide your true identity. Undernet's
policy on this can be found at
http://help.undernet.org/proxyscan.
At the same time, crackers/hackers will scan people's machines in order to
determine if they are running some sort of server that can be bounced through.
Again, by checking for SOCKS, the attacker hopes to find somebody that has
left SOCKS open, such as a home user implementing connection sharing using
SOCKS, but accidentally configured it so that anybody on the Internet has
access to it.
1.12 What are "remapped" ports?
A common technique is to run a service on some port number other than its default. For example, whereas the default port for HTTP is 80, many people remap it to another port, such as 8080 (hence, this document could reside at http://www.robertgraham.com:8080/pubs/firewall-seen.html if I were to remap the port).
Remapping is done under the theory that making the port harder to find will
make it more difficult for a hacker to exploit. Instead of simply exploiting a
well-known service at a well-known port, the hacker will have to port scan the
machine.
Most port remapping is done at some variation of the original port.
Therefore, most HTTP ports are based upon a variation of the theme "80":
81, 88, 8000, 8080, 8888, and so forth. POP, which is originally at port
110 can often be found at port
1100.
There are other statistically significant chosen numbers, like 12345,
23456, 34567, etc. Many people also choose numbers that are well known for
other reasons; 42, 69, 666, 31337, and so on. The recent proliferation of
Remote Access Trojans (RATs) has resulted in hackers/crackers choosing the
same defaults for their programs. For example, NetBus defaults to port 12345.
Blake R. Swopes points out that remapping is also done because on UNIX
machines, your server needs root privileges to listen on ports below 1024. If
you don't have root level access and want to run a web service, you will need
to install it on a high-numbered port. Likewise, some ISPs might firewall
low-numbered ports, forcing you to remap even when you own the entire machine.
1.13 I still can't figure out what somebody is trying to connect to on a port, what can I do?
Use netcat to set up a listening process on that port and capture what the other side sends first. For port '1234', use:
netcat -L -p 1234
The "-L" ("listen harder": go back to listening after each connection closes) option is specific to the Windows port of netcat; on UNIX versions use "-l" instead, and remember that you need root to listen on a port below 1024. Whatever the client sends first (an HTTP request, a trojan's handshake, or nothing at all if the scanner only wants to see whether the port is open) usually identifies the program on the other end. Note that a machine that answers on a trojan port looks compromised to the scanner, so expect more attention, not less.
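For readers without netcat to hand, here is an added Python equivalent of the listener above (not from the original FAQ): it binds the port, accepts the first connection, records whatever the peer sends first, and prints it as a hex dump so that a request line or a trojan's handshake is recognisable. The default port 1234 follows the netcat line; the split into open_listener() and capture_first_bytes() is an assumption made so the port can be chosen at run time and a port of 0 lets the operating system pick one.

```python
"""Listen on a TCP port and record what the first peer sends, like "netcat -L -p PORT".

Added example. Run it as root or choose a port above 1023 on UNIX.
"""
import socket
import sys


def hexdump(data, width=16):
    """Format bytes as offset / hex / printable-ASCII lines."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


def open_listener(host="0.0.0.0", port=1234):
    """Bind and listen on host:port; port 0 asks the OS for any free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def capture_first_bytes(srv, timeout=5.0, limit=1024):
    """Accept one connection on srv and return (peer_address, first_bytes).

    The listening socket is closed afterwards. A peer that connects but sends
    nothing within `timeout` seconds (a scanner only checking whether the port
    is open) yields b"" rather than an exception.
    """
    srv.settimeout(timeout)
    try:
        conn, peer = srv.accept()
    finally:
        srv.close()
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(limit)
        except socket.timeout:
            data = b""
    return peer, data


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1234
    peer, data = capture_first_bytes(open_listener("0.0.0.0", port), timeout=300)
    print(f"connection from {peer[0]}:{peer[1]}, {len(data)} bytes received")
    print(hexdump(data) if data else "(peer sent nothing before closing or timing out)")
```

Start it with `python listener.py 1234`, wait for the next probe, and compare the dump against what you know: a line starting "GET /" is a web client or proxy scanner, printable text followed by a newline is often a chat or trojan protocol, and an empty capture means the scanner only wanted to see the port open.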