Firewall logs in depth


This article explains what the entries in your firewall log actually mean, and in particular what the various port numbers signify. With this information you can judge whether you are being attacked by a hacker and what he or she is trying to do. It applies both to security specialists maintaining enterprise-class firewalls and to home users running a personal firewall.

1. What does destination port ZZZZ mean?

All traffic passing through a firewall is part of a connection. A connection consists of a pair of IP addresses that are "talking" to each other and a pair of ports, one for each address. The destination port usually identifies the service being connected to. When the firewall blocks a connection, it records the destination port in its log file. This section describes what these ports mean.

Ports fall into three broad categories:

1) Well Known Ports: 0 to 1023. These are tightly bound to particular services, and traffic to such a port usually clearly identifies the protocol of that service. For example, port 80 is in practice always HTTP.

2) Registered Ports: 1024 to 49151. These are loosely bound to services. Many services are bound to these ports, but the ports are also used for many other purposes; for example, many systems allocate dynamic ports starting at about 1024.

3) Dynamic and/or Private Ports: 49152 to 65535. In theory no service should be assigned one of these ports. In practice machines usually allocate dynamic ports starting at 1024, but there are exceptions: Sun's RPC ports start at 32768.

Where to find more comprehensive port information:

1. ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

The "Assigned Numbers" RFC, the official source of port assignments.

2. http://advice.networkice.com/advice/Exploits/Ports/

A port database that includes the system vulnerabilities associated with each port number.

3. /etc/services

On UNIX systems the file /etc/services contains the list of commonly used UNIX port assignments. On Windows NT the file is %systemroot%\system32\drivers\etc\services.

4. http://www.con.wesleyan.edu/~triemer/network/docservs.html

Specific protocols and ports.

5. http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html

Describes a number of ports.

6. http://www.tlsecurity.com/trojanh.htm

TLSecurity's Trojan port list. Unlike other people's collections, its author has tested every port in it.

7. http://www.simovits.com/nyheter9902.html

Trojan horse detection.

2. What TCP/UDP port scans does a firewall usually see?

This section describes the TCP/UDP port scans usually recorded in firewall logs. Remember: there is no such thing as an ICMP port. If you are interested in interpreting ICMP data, see the end of this article.

0 Port 0 is usually used to fingerprint the operating system. This works because on some systems 0 is an invalid port, and attempting to connect to it produces a different result from connecting to a normally closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.


1 tcpmux This indicates that someone is looking for SGI Irix machines. Irix is the main implementer of tcpmux, and tcpmux is enabled by default on that system. Irix machines shipped with several default accounts without passwords, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox and 4Dgifts. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and use these accounts.

7 Echo You will see lots of people searching for Fraggle amplifiers, sending packets to x.x.x.0 and x.x.x.255 addresses.

A common DoS attack is the echo loop: the attacker sends forged UDP packets so that each of two machines appears to be sending to the other, and the two machines then respond to each other's packets as fast as they can. (See Chargen.)

Another thing you will see on this port is TCP connections established by DoubleClick. A product called "Resonate Global Dispatch" connects to this port on DNS servers to determine the nearest route.

Harvest/squid caches send UDP echo from port 3130: "If the cache's source_ping option is on, it echoes a HIT reply to the origin host's UDP echo port." This generates many such packets.

11 sysstat This is a UNIX service that lists all processes running on a machine and who started them. It gives an intruder a great deal of information that threatens the machine's security, such as exposing programs with known weaknesses or exposing accounts. Its output is similar to that of the UNIX "ps" command.

Once again: ICMP has no ports, and "ICMP port 11" usually means ICMP type 11.

19 chargen This is a service that only sends characters. The UDP version responds to every UDP packet it receives with a packet containing garbage characters. On a TCP connection it sends a stream of garbage characters until the connection is closed. Hackers can use it to launch DoS attacks with IP spoofing: they forge UDP packets between two chargen servers, and because each server tries to respond to the other, the endless traffic between chargen and echo on the two servers overloads them. Similarly, the fraggle DoS attack sends broadcast IP packets to this port with the victim's forged address, and the victim is overloaded by the responses.

21 ftp The most common attacker activity is looking for ftp servers that allow "anonymous" access. These servers have directories that are both readable and writable. Hackers or crackers use them as nodes for distributing warez (pirated programs) and pr0n (deliberately misspelled to avoid classification by search engines).

22 ssh TCP connections to this port may be looking for ssh, or for PcAnywhere. The service has many weaknesses: when configured in a particular mode, and in the many versions that use the RSAREF library, there are numerous holes. (Running ssh on another port is recommended.)

Note also that the ssh kit includes a program called make-ssh-known-hosts, which scans an entire domain for ssh hosts. Sometimes you will be scanned inadvertently by this program.

A UDP (not TCP) connection to this port whose other end is port 5632 implies a search for pcAnywhere. 5632 is 0x1600 in hexadecimal; with its bytes swapped it becomes 0x0016, which is 22 in decimal.

23 Telnet Intruders are looking for a remote UNIX login service. In most cases intruders scan this port to find out which operating system the machine is running. In addition, using other techniques, the intruder will then try to find a password.

25 smtp Attackers (spammers) look for SMTP servers to deliver their spam. Their own accounts are constantly being closed, so they need to dial up to a high-bandwidth mail server and relay a simple message to many different addresses. SMTP servers (especially sendmail) are one of the most common ways into a system, because they must be exposed to the whole Internet and mail routing is complex (complex + exposed = weaknesses).

53 DNS Hackers or crackers may be attempting a zone transfer (TCP), DNS spoofing (UDP), or hiding other traffic. That is why firewalls often filter or log port 53.

Note that you will often see port 53 as a UDP source port. Firewalls commonly allow this traffic (unwisely), on the assumption that it is a reply to a DNS query. Hackers frequently use this method to get through firewalls.

67 and 68 Bootp and DHCP Bootp/DHCP over UDP: firewalls behind DSL and cable modems often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are asking a DHCP server to assign them an address. Hackers often get in here, assign an address and present themselves as the local router, then launch large numbers of "man-in-the-middle" attacks. The client broadcasts its configuration request on port 68 (bootps), and the server broadcasts its response on port 67 (bootpc). The response is broadcast because the client does not yet know which IP address to send it to.

69 TFTP (UDP) Many servers provide this service together with bootp so that boot code can be downloaded easily from the system. But they are often misconfigured so that any file, such as the password file, can be fetched from the system. They can also be used to write files to the system.

79 finger Hackers use it to obtain user information, to identify the operating system, to probe for known buffer overflow bugs, and to make other machines respond to finger scans coming from the hacker's own machine.


98 linuxconf This program provides simple administration of Linux boxes. Through its integrated HTTP server it offers a web-based interface on port 98. Many security problems have been found in it: some versions are setuid root, trust the local network, create Internet-accessible files under /tmp, and have a buffer overflow in the LANG environment variable. In addition, because of the integrated server, it may contain many of the typical HTTP vulnerabilities (buffer overflows, directory traversal, etc.).

109 POP2 Not as well known as POP3, but many servers offer both (for backward compatibility). The same vulnerabilities as in the POP3 server also exist in POP2.

110 POP3 Used by clients to access mail on a server. POP3 services have many recognized weaknesses. There are at least 20 buffer overflow vulnerabilities in the username and password exchange (which means a hacker can really get into the system before even logging in). There are other buffer overflow bugs after a successful login.

111 sunrpc portmap rpcbind Sun RPC PortMapper/RPCBIND. Accessing the portmapper is the first step in scanning a system to see which RPC services it allows. Common RPC services are rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd and so on. An intruder who finds an allowed RPC service will move on to that service's specific port to test for holes.

Remember to record the connection in the daemon, IDS or sniffer, so that you can see which program the intruder is using to access it and discover what is really going on.

113 Ident auth This is a protocol run by many machines, used to identify the user of a TCP connection. This standard service gives out information that is available on many machines (and that hackers will use). But it is used as a logger by many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients access these services through the firewall, you will see many connection requests to this port. Remember, if you block this port, clients will experience slow connections to mail servers on the other side of the firewall. Many firewalls support sending a RST to block the TCP connection, which stops this slow connecting.

119 NNTP news Network News Transfer Protocol, which carries USENET traffic. This port is usually used when you link to an address such as news://comp.security.firewalls/. Connection attempts to this port are usually people looking for USENET servers. Most ISPs restrict access to their news servers to their own customers. An open news server lets anyone post or read, reach restricted news groups, post anonymously, or send spam.

135 oc-serv MS RPC end-point mapper Microsoft runs the DCE RPC end-point mapper for its DCOM services on this port. It is similar in function to UNIX port 111. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When a remote client connects to the machine, it queries the end-point mapper to find the location of the service. Hackers also scan this port to find things such as: is this machine running Exchange Server? Which version?

Besides being used to query services (for example with epdump), this port can also be attacked directly. Some DoS attacks are aimed at it.

137 NetBIOS name service nbtstat (UDP) This is the port firewall administrators see most often; please read the NetBIOS section later in this article.

139 NetBIOS File and Print Sharing Connections to this port are attempts to get at NetBIOS/SMB services. This protocol is used for Windows "File and Printer Sharing" and for SAMBA. Sharing your hard drive on the Internet is probably the most common problem.


Heavy traffic to this port began in 1999 and then gradually declined; in 2000 it bounced back. Some VBS (IE5 VisualBasic Scripting) worms copy themselves to this port and try to spread through it.

143 IMAP Has the same security issues as POP3 above, since many IMAP servers have buffer overflows in the login process. Remember: a Linux worm (admw0rm) spreads through this port, so many scans of this port come from unwitting users who have been infected. These vulnerabilities became popular when RedHat shipped versions of Linux with IMAP enabled by default. It was the first widespread worm since the Morris worm.

This port is also used by IMAP2, but that is not popular.

Some reports have found that some attacks come from scripts that scan ports 0 to 143.

161 SNMP (UDP) A port intruders frequently probe. SNMP allows remote management of devices. All configuration and operational information is stored in a database that can be read through SNMP. Many administrators misconfigure it so that it is exposed to the Internet. Crackers will attempt to access the system with the default passwords "public" and "private". They may test all possible combinations.

SNMP packets may be misdirected to your network. Windows machines often use SNMP because of misconfigured HP JetDirect remote management software. HP OBJECT IDENTIFIER will receive SNMP packets. Newer versions of Win98 use SNMP to resolve domain names, and you will see these packets broadcast on the subnet (cable modem, DSL) querying sysName and other information.

162 SNMP trap Possibly due to misconfiguration.

177 xdmcp Many hackers use it to get at X-Windows consoles; this also requires port 6000 to be open.

513 rwho Possibly broadcast on the subnet by UNIX machines that users log into over cable modem or DSL. This gives hackers very interesting information for getting into those systems.

553 CORBA IIOP (UDP) If you are on a cable modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (remote procedure call) system. Hackers will use this information to get into the system.

600 Pcserver backdoor See port 1524.

Some script kiddies think they can completely break into a system by modifying the ingreslock and pcserver files. - Alan J. Rosenthal.

635 mountd A bug in Linux's mountd. This is a popular bug to scan for. Most scans of this port are UDP-based, but TCP-based mountd scans are increasing (mountd runs on both). Remember, mountd can run on any port (to find which one, you need to query the portmapper on port 111), but Linux defaults to port 635, just as NFS usually runs on port 2049.

1024 Many people ask what this port does. It is the start of the dynamic ports. Many programs do not care which port they connect from, so they ask the operating system to assign them "the next unused port". This allocation starts at port 1024, which means that the first program to request a dynamic port from the system is assigned port 1024. To verify this, reboot the machine, open Telnet, then open another window and run "netstat -a"; you will see that Telnet has been assigned port 1024. The more programs request dynamic ports, the higher the ports the operating system assigns. Try it again while browsing web pages and watch with "netstat": each web page needs a new port.

1025 See 1024

1026 See 1024

1080 SOCKS


This protocol tunnels through the firewall, allowing many people behind the firewall to access the Internet through one IP address. In theory it should only allow internal traffic out to the Internet. However, because of misconfiguration, it lets hackers/crackers located outside the firewall attack through the firewall, or simply respond to computers on the Internet in order to cover up their direct attack on you. WinGate is a popular Windows personal firewall in which this misconfiguration often occurs. You will often see this when joining IRC chat rooms.

1114 SQL

Systems themselves rarely scan this port, but it is often part of the sscan script.

1243 Sub-7 Trojan (TCP)

See the SubSeven section.

1524 ingreslock backdoor

Many attack scripts install a backdoor shell on this port (especially those exploiting vulnerabilities in Sun RPC services such as statd, ttdbserver and cmsd, and in Sendmail). If you have just installed your firewall and see connection attempts to this port, that may be the reason. You can try to Telnet to your own machine on this port and see whether it gives you a shell. Port 600/pcserver has the same problem.

2049 NFS

NFS programs usually run on this port. Normally you need to query the portmapper to find which port the service runs on, but most NFS installations run on this port, so hackers/crackers can bypass the portmapper and directly test whether this port is open.

3128 squid

This is the default port of the Squid HTTP proxy server. Attackers scan this port to find proxy servers for anonymous Internet access. You will also see searches for the other proxy server ports: 8000/8001/8080/8888. Another reason for scanning this port is that users are entering a chat room: other users (or the server itself) test the port to determine whether the user's machine supports a proxy. Please see section 5.3.

5632 pcAnywhere

You will see many scans of this port, depending on your location. When a user opens pcAnywhere, it automatically scans the class C network of the LAN it is on, looking for agents (translator: agents, not proxies). Hackers/crackers look for machines with this service open, so you should look at the source address of such scans. Some pcAnywhere scans also contain packets to UDP port 22. See the dial-up scan section.

6776 Sub-7 artifact

This is a port separated from the Sub-7 main port for transferring data. For example, you will see it when a controller is controlling another machine over the telephone line and the controlled machine hangs up: when someone else dials up and gets that IP address, they will see continuing connection attempts to this port. (Translator: a firewall reporting connection attempts to this port does not mean you are being controlled by Sub-7.)

6970 RealAudio

RealAudio clients receive the audio data stream from the server on UDP ports 6970-7170. This is set up by an outgoing TCP connection on port 7070.

13223 PowWow

PowWow is Tribal Voice's chat program. It lets users open a private chat by connecting to this port. This program is "aggressive" about connecting: it "camps" on this TCP port waiting for a response, which results in connection attempts at heartbeat-like intervals. If you are a dial-up user who has "inherited" an IP address from another chat user, this will happen: many different people will test this port. This protocol uses "OPNG" as the first four bytes of a connection attempt.

17027 Conducent


This is an outgoing connection, made because shareware bundled with the Conducent "adbot" has been installed. Conducent "adbot" is an advertising service for shareware; a popular program using this service is Pkware. Some tests: blocking the outgoing connection causes no problems, but blocking the IP addresses themselves makes the adbot keep trying to connect several times per second, causing connection overload:
the machine continually tries to resolve the DNS name ads.conducent.com, whose IP addresses are 216.33.210.40, 216.33.199.77, 216.33.199.80, 216.33.199.81 and 216.33.210.41. (Translator: I do not know whether NetAnts Radiate shows the same phenomenon.)

27374 Sub-7 Trojan (TCP)

See the SubSeven section.

30100 NetSphere Trojan (TCP)

Scans of this port are usually looking for the NetSphere Trojan.

31337 Back Orifice "elite"

Hackers pronounce 31337 as "elite" /ei'li:t/ (translator: from the French, meaning the best or the cream; 3 = E, 1 = L, 7 = T). Consequently many backdoor programs run on this port. The most famous is Back Orifice. For a period this was the most common scan on the Internet. Now it is less and less popular as other Trojans become more popular.

31789 Hack-a-tack

UDP traffic on this port is usually due to the "Hack-a-tack" Remote Access Trojan (RAT). This Trojan contains a built-in port 31790 scanner, so any connection from port 31789 to port 31790 means the machine has been compromised. (Port 31789 is the control connection; port 31790 is the file transfer connection.)

32770 ~ 32900 RPC services

Sun Solaris runs its RPC services in this range. More specifically, early versions of Solaris (before 2.5.1) placed the portmapper in this range, which allowed hackers/crackers to reach it even when the low port was closed by the firewall. Scans of this port range are not looking for the portmapper but for RPC services with known exploits.

33434 ~ 33600 traceroute

If you see UDP packets within this port range (and only within this range), they may be caused by traceroute. See the traceroute section.

41508 Inoculan

Early versions of Inoculan produce large amounts of UDP traffic on the subnet, used by the installations to identify each other. See
http://www.circlemud.org/~jelson/software/udpsend.html
http://www.ccd.bnl.gov/nss/tips/inoculan/index.html

What do source ports mean?

Ports 1 to 1024 are reserved ports, so they are almost never used as source ports. But there are exceptions, such as connections from NAT machines. See 1.9.

Ports above 1024 are seen often; they are "dynamic ports" that the system assigns to applications which do not care which port they connect from.

Server           Client   Service  Description
1-5/tcp          dynamic  FTP      Source ports 1 to 5 indicate the sscan script.
20/tcp           dynamic  FTP      The FTP server transfers files from this port.
53               dynamic  DNS      UDP responses are sent from this port. You may also see it as the source or destination port of TCP connections.
123              dynamic  S/NTP    Simple Network Time Protocol (S/NTP) servers run on this port. They also broadcast to this port.
27910~27961/udp  dynamic  Quake    Quake, or game servers driven by the Quake engine, run on these ports. UDP packets sent from or to this port range are therefore usually a game.
61000+           dynamic  FTP      Ports above 61000 may come from a Linux NAT server (IP Masquerade).

3. I see the same port scan coming from a whole series of different Internet source addresses. This is usually a "decoy" scan, such as the one nmap performs: one of the addresses is the attacker, the others are not.

Can we use firewall rules and protocol analysis to track down who they are? For example, if you ping each system you can obtain its TTL and match it against the connection attempts. That way you can at least tell which ones are "decoys" (the TTL should match; if it does not, that address is being used as a decoy). However, newer versions of the scanner randomize the attacker's own TTL, which makes it harder to find them.

You can go further and search your firewall logs for addresses (people) on the same subnet that are being used as decoys. Usually the attacker you are looking for is the one who really tries to connect to you; the decoys do not.
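The TTL check described above, as an added example that is not from the original article. The scan records, the ping TTLs and the tolerance value are constructed assumptions; in practice the observed TTLs come from your firewall log and the reference TTLs from pinging each source address yourself.

```python
"""Separate the real scanner from decoy addresses by comparing TTLs.

Added example, not from the original article. All inputs below are
constructed: SCAN_ENTRIES stands in for what a firewall logged during one
scan, PING_TTLS for the TTLs you observed when pinging each source back.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed firewall records for one scan: (source address, TTL seen in the packet).
SCAN_ENTRIES = [
    ("203.0.113.5", 52), ("203.0.113.5", 52), ("203.0.113.5", 52),
    ("198.51.100.20", 52),   # decoy: the TTL is the attacker's, not this host's
    ("198.51.100.21", 52),   # decoy in the same subnet as the one above
    ("192.0.2.77", 52),      # decoy
]

# Constructed: TTL observed when you ping each address yourself.
PING_TTLS = {
    "203.0.113.5": 52,     # matches the scan packets: likely the real scanner
    "198.51.100.20": 115,  # does not match: the address was used as a decoy
    "198.51.100.21": 115,
    "192.0.2.77": 244,
}


def classify_sources(entries, ping_ttls, tolerance=2):
    """Return {addr: 'real' | 'decoy' | 'unknown'} by comparing observed and pinged TTLs.

    A small tolerance allows for routing changes between the scan and your ping.
    A source you could not ping (absent from ping_ttls) cannot be judged.
    """
    seen = defaultdict(set)
    for addr, ttl in entries:
        seen[addr].add(ttl)
    verdicts = {}
    for addr, ttls in seen.items():
        if addr not in ping_ttls:
            verdicts[addr] = "unknown"
        elif all(abs(t - ping_ttls[addr]) <= tolerance for t in ttls):
            verdicts[addr] = "real"
        else:
            verdicts[addr] = "decoy"
    return verdicts


def likely_attackers(verdicts):
    """Sources whose TTL matched. Empty if every TTL mismatched, which is what
    you see when the scanner randomizes its own TTL, as the article notes."""
    return sorted(a for a, v in verdicts.items() if v == "real")


def decoy_subnets(verdicts, prefix=24):
    """Group decoy addresses by /prefix, the 'same subnet' check the article suggests."""
    groups = defaultdict(list)
    for addr, v in verdicts.items():
        if v == "decoy":
            net = ip_network(f"{addr}/{prefix}", strict=False)
            groups[str(net)].append(addr)
    return dict(groups)


if __name__ == "__main__":
    verdicts = classify_sources(SCAN_ENTRIES, PING_TTLS)
    print("likely attacker(s):", likely_attackers(verdicts) or "none (TTL randomized?)")
    for net, addrs in decoy_subnets(verdicts).items():
        print("decoys in", net, "->", ", ".join(addrs))
```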


4. What is a Trojan scan?

The first step of a Trojan horse attack is to get the Trojan onto the user's machine. Common tricks are:

1) Distributing the Trojan in newsgroups, claiming it is some other program.
2) Mass e-mail with the Trojan as an attachment.
3) Posting the Trojan on a web site.
4) Distributing the Trojan through instant messaging or chat systems (ICQ, AIM, IRC, etc.).
5) Forging e-mail from an ISP (such as AOL) to trick the user into running a program (for example a "software upgrade").
6) Copying the program into the Startup group through "File and Print Sharing".

The next step is to find the machines that can be controlled. The big problem is that the methods above do not tell the hacker/cracker where the victim's machine is. So the hacker/cracker scans the Internet.

This is why firewall users (including personal firewall users) so often see scans aimed at their machines. Their machines have not been attacked; the scan itself does no harm, and the scan itself will not cause the machine to be compromised. A real administrator ignores this kind of "attack".

The following are the common scans of this kind. To find out whether your machine is carrying one of these Trojans, run "netstat -an" and check whether there are connections on any of the following ports.

Port   Trojan
555    phAse zero
1243   Sub-7, SubSeven
3129   Masters Paradise
6670   DeepThroat
6711   Sub-7, SubSeven
6969   GateCrasher
21544  GirlFriend
12345  NetBus
23456  EvilFtp
27374  Sub-7, SubSeven
30100  NetSphere
31789  Hack'a'Tack
31337  BackOrifice, and many others
50505  Sockets de Troie

For more information see: http://www.commodon.com/threat/threat-ports.htm
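As an added example (not part of the original article), here is a small Python triage script that applies the rules above to blocked-connection log lines: the port categories from section 1, the 5632/22 byte-swap and the Sun RPC and traceroute ranges from section 2, the caveat that an ICMP entry's number is a type and not a port, and the Trojan port table just above. The log line format and the sample lines are constructed for this example; adapt the regex to your own firewall's format.

```python
"""Triage blocked-connection log lines using the article's rules of thumb.

Added example, not from the original article. The log format below is
constructed for this example; real firewalls each have their own format.
"""
import re
from dataclasses import dataclass

# Trojan default ports from the article's section 4 table.
TROJAN_PORTS = {
    555: "phAse zero", 1243: "Sub-7/SubSeven", 3129: "Masters Paradise",
    6670: "DeepThroat", 6711: "Sub-7/SubSeven", 6969: "GateCrasher",
    21544: "GirlFriend", 12345: "NetBus", 23456: "EvilFtp",
    27374: "Sub-7/SubSeven", 30100: "NetSphere", 31789: "Hack'a'Tack",
    31337: "BackOrifice and many others", 50505: "Sockets de Troie",
}

# Constructed format: "<date> <time> DROP <proto> <src>:<sport> -> <dst>:<dport>"
# For ICMP the firewall writes the ICMP type in the "port" column (the
# mislabelling the article warns about), so the same regex captures it.
LINE_RE = re.compile(
    r"^\S+ \S+ DROP (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    proto: str
    src: str
    sport: int
    dport: int
    port_class: str
    verdict: str


def port_class(port: int) -> str:
    """IANA categories as given in section 1 of the article."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a port: {port}")


def byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value, e.g. 0x1600 (5632) -> 0x0016 (22)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def judge(proto: str, sport: int, dport: int) -> str:
    """Apply the article's rules of thumb to one blocked connection."""
    if proto == "ICMP":
        # Section 2: there is no ICMP port; the number logged is the ICMP type.
        return f"ICMP type {dport}, not a port"
    if dport in TROJAN_PORTS:
        return f"scan for Trojan default port ({TROJAN_PORTS[dport]})"
    if proto == "UDP" and sport == 5632 and byteswap16(sport) == dport:
        return "pcAnywhere search (5632 byte-swapped is 22)"
    if 32770 <= dport <= 32900:
        return "probe of Sun Solaris RPC range"
    if proto == "UDP" and 33434 <= dport <= 33600:
        return "probably traceroute"
    if 1024 <= dport <= 1026:
        return "first dynamic ports; see the entry for 1024"
    return "no specific rule matched"


def triage(log_text: str) -> list[Finding]:
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown format: skip rather than guess
        proto = m["proto"]
        sport, dport = int(m["sport"]), int(m["dport"])
        pc = "n/a (ICMP has no ports)" if proto == "ICMP" else port_class(dport)
        findings.append(Finding(proto, m["src"], sport, dport, pc,
                                judge(proto, sport, dport)))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2000-03-01 10:01:02 DROP TCP 203.0.113.5:4021 -> 192.0.2.10:27374
2000-03-01 10:01:03 DROP UDP 198.51.100.7:5632 -> 192.0.2.10:22
2000-03-01 10:01:04 DROP UDP 203.0.113.9:53 -> 192.0.2.10:1025
2000-03-01 10:01:05 DROP TCP 198.51.100.7:2048 -> 192.0.2.10:32771
2000-03-01 10:01:06 DROP ICMP 203.0.113.5:0 -> 192.0.2.10:11
2000-03-01 10:01:07 DROP TCP 203.0.113.5:4022 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.proto:4} {f.src}:{f.sport} -> {f.dport} [{f.port_class}] {f.verdict}")
```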

What is SUBSEVEN (Sub-7)?

Sub-7 is one of the most famous remote control Trojans. It has become an easy-to-use, powerful Trojan. The reasons are:

1) It is easy to get hold of and is upgraded quickly. Development of most other Trojans grinds to a halt after a few bug fixes and changes.
2) The program not only includes a scanner, it can also use the controlled machines to scan.
3) Game makers have used Sub-7 to control sites.
4) It supports "port redirection", so any attacker can use it to control the victim's machine.
5) It has a large number of features related to ICQ, AOL IM, MSN Messenger and Yahoo Messenger, including password sniffing, sending messages and so on.

6) It has many UI-related features, such as flipping the victim's screen upside down, amplifying sound on the victim's machine, and peeping at the victim's screen.

In short, it is not only a hacking tool but a toy, a toy for intimidating victims.

Sub-7 is said to have been written by someone called "Mobman", whose site is http://subseven.slak.org/.
Sub-7 may use the following ports:
1243 default port of older versions
2772 screenshot port
2773 keyboard logging port
6711
6776 I do not know what this port is used for, but in a number of versions it is a backdoor (which can be connected to without a password).
7215 "matrix" chat program
27374 default port of v2.0
54283 spy port


5. DNS packets from low ports

Q: I see many DNS requests coming from ports below 1024. Aren't these ports "reserved"? Shouldn't they be using ports 1024-65535?

A: They come from machines behind a NAT firewall. NAT does not need to preserve the port. (Ryan Russell, http://www.sybase.com/)

Q: My firewall discards packets with source ports lower than 1024, so DNS queries fail.

A: Do not filter in this way. Many firewalls have similar rules, but they are misguided, because a hacker/cracker can forge any port.

Q: Is the NAT firewall not working properly?

A: In theory no, but in practice it leads to failures. The proper approach is to make absolutely sure DNS traffic works in any case (especially with those "proxy" DNS servers and firewalls that force DNS through port 53).

Q: I thought DNS queries should use random ports above 1024?

A: Actually, ordinary DNS clients use non-reserved ports, but many programs use port 53. In any case NAT is completely different, because it changes the whole SOCKET (the IP + port combination).

6. As soon as I dial up to my ISP, my personal firewall starts warning me that "someone is probing your port xxxx".

This is very common. You are using an IP address assigned to you by the ISP, but someone else was using it just before you. What you see is the "residual" traffic of that user.

A common example is chat programs. If someone has just hung up, the people who were chatting with him will keep trying to connect. Some programs have very long "timeout" settings, such as POWWOW or ICQ.

Another example is multiplayer online games. You will see traffic from game providers (such as MPlayer) or from other unknown game servers. These games are usually UDP-based and cannot establish a connection, but to give users a better experience they all keep connecting very "stubbornly". Here are some game ports:

7777 Unreal, Klingon Honor Guard
7778 Unreal Tournament
22450 Sin
26000 Quake
26900 Hexen 2
26950 HexenWorld
27015 Half-life, Team Fortress Classic (TFC)
27500 QuakeWorld
27910 Quake 2
28000-28008 Starsiege TRIBES (TRIBES.DYNAMIX.COM)
28910 Heretic 2

Another example is multimedia radio and television, such as RealAudio clients, which receive audio data on ports 6970-7170.

You need to look at the source of the connection. For example, the ICQ server runs on port 4000 and its clients use fairly random ports, which means you will see UDP packets from port 4000 to high random ports. In other words, do not try to look up the random high port in a port list; it is the source port that matters.

Sub-7 has a similar issue. It uses different TCP connections for different services. If the victim's machine goes offline, the controller keeps trying to connect to the victim machine's ports, especially port 6776.


7. An IRC server is probing me

IRC is one of the most popular chat systems. One feature of this chat program is that it can tell you the IP address of the person you are talking to. One of the problems in chat rooms is people who log in anonymously and roam around wreaking havoc: they interrupt conversations with off-topic comments and rude words, and get "flushed" by the server or kicked off by other clients.

Therefore servers and clients forbid the default anonymous login in chat rooms. In particular, when people enter a chat room they are checked for whether they are connected through a proxy server. The most common such scan is for SOCKS. If the address you come from supports SOCKS, then very likely you have a completely separate machine and are using a visible proxy server to hide your true identity in the shadows. For Undernet's policy on this, see http://help.undernet.org/proxyscan.

At the same time, crackers/hackers scan people's machines to determine whether they are running a service that can be used as a springboard. Likewise, by checking for SOCKS, the attacker hopes to find someone with an open SOCKS server, for example a household sharing one connection through a personal SOCKS proxy that is misconfigured to let every user on the Internet through it.

8. What is port "redirection"?

A common technique is to redirect a port to another address. For example, the default HTTP port is 80, but many people redirect it to a port such as 8080 (so to visit the site you must write http://www.robertgraham.com:8080/pubs/firewall-seen.html).

Redirecting a port makes it harder to find, and therefore harder for a hacker to attack. A hacker cannot assume the default port and must port-scan in order to attack.

Most redirected ports resemble the original port. So the most common changes of HTTP port 80 are to 81, 88, 8000, 8080 and 8888. Similarly, the original POP port 110 is often redirected to 1100.

In many cases numbers with special significance are chosen, such as 1234, 23456, 34567. Many people choose odd numbers for other reasons: 42, 69, 666, 31337. Recently more and more remote control Trojans (Remote Access Trojans, RATs) use the same default ports, for example NetBus, whose default port is 12345.

Blake R. Swopes points out another reason for redirecting ports: on UNIX systems, listening on a port below 1024 requires root privileges. If you do not have root privileges and want to run a web service, you have to put it on a high port. Also, some ISPs' firewalls block traffic to low ports, so even if you own the machine you still have to redirect the port.


9. I still do not understand what someone attempting to connect to one of my ports is trying to do. What can I do?

You can use Netcat to set up a listener. For example, to listen on port 1234:
nc -L -p 1234

Many protocols start sending data as soon as the connection opens. When you listen on a port with Netcat, you can try to figure out which protocol is in use. If you are lucky you will find it is HTTP, which gives you a wealth of information for tracking down what is going on.

"-L" parameter is to continue listening Netcat. Under normal circumstances Netcat will accept a connection, copy its contents, and exit. With this parameter, it can continue to run in order to listen for multiple connections.

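As an added example (not part of the original article), here is a small Python stand-in for the netcat listener above: it keeps accepting connections the way "-L" does, records the first bytes each client sends, and makes a first guess at the protocol from them. The protocol signatures and the two loopback clients in demo_loopback() are constructed for illustration.

```python
import socket
import threading

# First bytes that "client speaks first" protocols send on connect. Banner-first
# protocols (SMTP, FTP, POP3) send nothing until the server talks, so an empty
# first read is itself a clue. These signatures are illustrative assumptions.
CLIENT_FIRST_SIGNATURES = [
    (b"GET ", "HTTP"), (b"POST ", "HTTP"), (b"HEAD ", "HTTP"),
    (b"CONNECT ", "HTTP proxy request"),
    (b"SSH-", "SSH identification string"),
    (b"\x16\x03", "TLS ClientHello"),
    (b"\x05", "SOCKS5 greeting"),
    (b"\x04", "SOCKS4 request"),
]


def guess_protocol(first_bytes: bytes) -> str:
    """Classify the opening bytes of a connection."""
    if not first_bytes:
        return "no data: banner-first protocol (SMTP/FTP/POP3?) or a bare connect scan"
    for prefix, name in CLIENT_FIRST_SIGNATURES:
        if first_bytes.startswith(prefix):
            return name
    if all(32 <= b < 127 or b in b"\r\n\t" for b in first_bytes):
        return "unknown text protocol"
    return "unknown binary protocol"


def listen_and_log(host="0.0.0.0", port=1234, max_connections=0, timeout=5.0, on_ready=None):
    """Accept connections like 'nc -L -p PORT' and log each client's first bytes.

    Returns a list of (peer_ip, first_bytes, guess). max_connections=0 runs forever.
    on_ready(port) is called once the socket is listening (used by the demo below).
    """
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        if on_ready:
            on_ready(srv.getsockname()[1])
        while max_connections == 0 or len(records) < max_connections:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(timeout)
                try:
                    first = conn.recv(1024)   # b"" if the client hangs up without sending
                except socket.timeout:
                    first = b""               # client connected but stayed silent
            guess = guess_protocol(first)
            print(f"{peer[0]}:{peer[1]} -> {guess}: {first[:60]!r}")
            records.append((peer[0], first, guess))
    return records


def demo_loopback():
    """Run the listener on loopback against two constructed clients."""
    ready = threading.Event()
    bound = {}
    results = {}

    def on_ready(port):
        bound["port"] = port
        ready.set()

    def serve():
        results["records"] = listen_and_log("127.0.0.1", 0, max_connections=2,
                                            timeout=2.0, on_ready=on_ready)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    ready.wait(5)
    with socket.create_connection(("127.0.0.1", bound["port"])) as c:
        c.sendall(b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n")   # a web client
    with socket.create_connection(("127.0.0.1", bound["port"])):
        pass                                                         # connect, say nothing, hang up
    t.join(10)
    return results["records"]


if __name__ == "__main__":
    for peer, first, guess in demo_loopback():
        print(peer, guess, first)
```

Run it as a script to see the two loopback connections classified; to use it in place of netcat, call listen_and_log() with the port the firewall log shows. A silent connection that closes immediately is exactly what a connect scan looks like, which is why the empty case is reported rather than ignored.
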
ICMP

TCP and UDP carry data; ICMP carries only control information. ICMP messages therefore cannot by themselves be used to break into another machine. What hackers normally use ICMP for is scanning networks, launching DoS attacks, and redirecting network traffic. (Translator's note: this view appears to be incorrect; refer to the shotgun article on Trojans.)

Firewalls often mislabel ICMP type numbers as ports. Remember that ICMP does not have ports the way TCP and UDP do, but it does carry two fields, type and code. Their role is completely different from that of ports, but perhaps because there are two of them, firewalls frequently label them wrongly. For more on ICMP, see the Infosec Lexicon entry on ICMP.
For the official meaning of the ICMP types and codes see http://www.isi.edu/in-notes/iana/assignments/icmp-parameters. The official document describes what they mean; this article instead tries to describe what hackers do with them, as follows.

Type  Code  Name                                   Meaning
0           Echo Reply                             Reply to a ping
3           Destination Unreachable                A host or router reports that a packet did not reach its destination:
      0     Net Unreachable                        Router misconfiguration or a wrongly specified IP address
      1     Host Unreachable                       The last router could not reach the host by ARP
      3     Port Unreachable                       The server tells the client that no process is listening on the port it tried to contact
      4     Fragmentation Needed but DF Set        Important: if you find these in your firewall's drop log, let them through; otherwise your clients will see TCP connections hang for no apparent reason
4           Source Quench                          Internet congestion
5           Redirect                               Someone is trying to redirect your default router; a hacker may be attempting a "man-in-the-middle" attack so that your machine routes through theirs
8           Echo Request                           ping
9           Router Advertisement                   A hacker may DoS your Win9x or Solaris box by redirecting your default router; a nearby hacker can also mount a man-in-the-middle attack
11          Time Exceeded In Transit               The packet did not reach its destination because of a timeout:
      0     TTL Exceeded                           A router dropped the packet because of a routing loop or because someone is running traceroute
      1     Fragment Reassembly Timeout            The host dropped the packet because not all fragments arrived
12          Parameter Problem                      Something abnormal happened; you may be under attack

(1) Type = 0 (Echo Reply)

The sender is replying to a ping sent from your address. Possible reasons:


Someone is pinging that host: someone behind your firewall pinged the target.

Automatic pings: many programs use ping for various purposes, such as testing whether the other party is online or measuring response time. A likely cause is software like VitalSigns' Net.Medic, which sends pings of different sizes to determine the connection speed.

Decoy ping scan: someone is running a ping sweep with your IP address as the source, so you see the replies.

Shifted communication channel: many networks block incoming pings (type=8) but allow ping replies (type=0). Hackers have therefore begun to use ping replies to get through firewalls. For example, in DDoS attacks on Internet sites the commands may be embedded in ping replies, and the flood of replies is then aimed at those sites, while other Internet connections simply ignore them.
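To put the table above and the four echo-reply cases to work, here is an added Python example (not from the original article) that triages the ICMP entries of a firewall log. It remembers which hosts we pinged (outbound type 8) so that an inbound type 0 can be separated into "reply to our own ping" and "unsolicited reply" (decoy scan or shifted channel), and it flags the types the table singles out. The log format and the sample lines are constructed for this example; adapt LINE_RE to your firewall's format.

```python
import re
from datetime import datetime, timedelta

# Constructed log format: "<iso time> <ALLOW|DROP> <IN|OUT> ICMP <src> <dst> type=N code=N".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+(?P<dir>IN|OUT)\s+ICMP\s+"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+type=(?P<type>\d+)\s+code=(?P<code>\d+)"
)

REPLY_WINDOW = timedelta(seconds=5)   # how long after our ping a reply still counts as ours

SAMPLE_LOG = [  # constructed sample; 10.0.1.11 is our host
    "2024-03-01T10:00:00 ALLOW OUT ICMP 10.0.1.11 203.0.113.5 type=8 code=0",
    "2024-03-01T10:00:00 ALLOW IN ICMP 203.0.113.5 10.0.1.11 type=0 code=0",
    "2024-03-01T10:00:07 DROP IN ICMP 198.51.100.9 10.0.1.11 type=0 code=0",
    "2024-03-01T10:00:09 DROP IN ICMP 192.0.2.1 10.0.1.11 type=3 code=4",
    "2024-03-01T10:00:12 ALLOW IN ICMP 192.0.2.77 10.0.1.11 type=5 code=1",
    "2024-03-01T10:00:15 ALLOW IN ICMP 192.0.2.78 10.0.1.11 type=4 code=0",
]


def parse_line(line):
    """Parse one log line into a dict, or None if it is not an ICMP entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "action": d["action"], "dir": d["dir"],
            "src": d["src"], "dst": d["dst"], "type": int(d["type"]), "code": int(d["code"])}


def triage_icmp(lines):
    """Return (line_no, remote_ip, verdict) for every inbound ICMP entry."""
    outbound_pings = {}   # (our_ip, peer_ip) -> time of our last echo request to that peer
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        t, c = rec["type"], rec["code"]
        if rec["dir"] == "OUT":
            if t == 8:
                outbound_pings[(rec["src"], rec["dst"])] = rec["ts"]
            continue
        if t == 0:
            sent = outbound_pings.get((rec["dst"], rec["src"]))
            if sent is not None and timedelta(0) <= rec["ts"] - sent <= REPLY_WINDOW:
                verdict = "echo reply to our own ping"
            else:
                verdict = "unsolicited echo reply: decoy ping scan using our address, or a shifted channel"
        elif t == 3 and c == 4:
            verdict = ("fragmentation-needed DROPPED: path MTU discovery will black-hole, allow it"
                       if rec["action"] == "DROP" else "fragmentation-needed (path MTU discovery, expected)")
        elif t == 4:
            verdict = ("source quench ALLOWED: slows our stack, filter it (source address is likely forged)"
                       if rec["action"] == "ALLOW" else "source quench dropped (correct)")
        elif t == 5:
            verdict = "redirect: someone is trying to change our default route, possible man-in-the-middle"
        elif t == 9:
            verdict = "router advertisement: possible man-in-the-middle or DoS against Win9x/Solaris"
        elif t == 8:
            verdict = "echo request: ping, possibly a scan"
        elif t == 11:
            verdict = "time exceeded: traceroute or a routing loop"
        elif t == 12:
            verdict = "parameter problem: possible footprinting"
        else:
            verdict = f"ICMP type {t} code {c}"
        findings.append((n, rec["src"], verdict))
    return findings


if __name__ == "__main__":
    for n, ip, verdict in triage_icmp(SAMPLE_LOG):
        print(f"line {n}: {ip}: {verdict}")
```

The stateful part is the point: without the record of our own outbound echo requests, the reply from 203.0.113.5 and the one from 198.51.100.9 look identical in the log, yet only the second is worth a second look.
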

(2) Type = 3 (Destination Unreachable)

The code carried in an unreachable message is important. Remember that these messages can be used to defeat a "SYN flood attack"; that is, if a host you are talking to is under a SYN flood and you block incoming ICMP type 3, you will be unable to connect to it.

Sometimes you will receive ICMP type 3 packets from hosts you have never heard of. This usually means a "decoy scan": the attacker sends forged packets to the target from many source addresses, only one of which is real. The hacker's theory is that the victim will not bother to hunt through the many fake addresses for the real one.

The best way to deal with this is to check whether the pattern you see is consistent with a decoy scan, for example by looking at the ports in the TCP or UDP header embedded in the ICMP packet.

1) Type = 3, Code = 0 (Destination Net Unreachable)

"No route to host": a router is telling the host or client, "I have no idea how to route to that network, including the host you are connecting to." This means either the client chose the wrong IP address or a routing table somewhere is misconfigured. Remember that you see a "no route to host" message when you mess up the routing table on your own UNIX machine; this commonly happens when configuring point-to-point links.

2) Type = 3, Code = 3 (Destination Port Unreachable)

This is sent by a server when a client tries to reach a UDP port on which nothing is listening. For example, if you send an SNMP packet to port 161 of a machine that does not run SNMP, you get back an ICMP Destination Port Unreachable.

Decoding the packet

The first thing to do is to check the ports inside the packet. You will probably need a sniffer, because firewalls usually do not log this information. The technique relies on the fact that the ICMP message quotes the original IP and UDP headers. Here is a copy of an ICMP unreachable packet:

  00 00 BA 5E BA 11 00 60 97 07 C0 FF 08 00 45 00
  00 38 6F DF 00 00 80 01 B4 12 0A 00 01 0B 0A 00
  01 C9 03 03 C2 D2 00 00 00 00 45 00 00 47 07 F0
  00 00 80 11 1B E3 0A 00 01 C9 0A 00 01 0B 08 A7
  79 19 00 33 B8 36

The bytes 03 03 are the ICMP type and code. The last 8 bytes are the original UDP header, which decodes as:

08A7  UDP source port        port=2215, probably an ephemeral port and not very important
7919  UDP destination port   port=31001, important: the user was presumably trying to reach a service on port 31001
0033  UDP length             length=51, the length of the original UDP datagram, possibly important
B836  UDP checksum           checksum=0xB836, probably unimportant

Why do you see these?

"Decoy UDP scan": someone is scanning the machine that sent you the ICMP. They forge the source addresses, one of which is your IP; in fact they forge many different source addresses so the victim cannot tell who the attacker is. If you receive a lot of these packets from the same address in a short time, this is the likely explanation. Check the UDP source port: if it keeps changing, it is very probably this scenario.

"Stale DNS": a client sends a DNS request to a server, and the lookup takes a long time to resolve. By the time your DNS server answers, the client may have forgotten about you and closed the UDP port on which it expected your reply. If the UDP port you see is 53, this is probably what happened. How does it come about? The server may be resolving a recursive query whose own packets were lost, so it has to time out and retry; when the answer finally gets back to the client, the client has already given up. Many client programs (especially Windows programs) do their own DNS resolution, i.e. they open their own socket for the lookup; if they handed the request to the operating system, the OS would keep the port open.

"Multiple DNS replies": another case is that the client receives several replies to one request. After the first reply the port is closed, so the later ones cannot be delivered. For instance, a Sun machine with several NICs on the same Ethernet assigns the same MAC address to both NICs, so it receives two copies of every frame and sends multiple replies. Likewise, a badly written client (particularly one that boasts of multithreaded DNS resolution but is not actually thread-safe) sometimes sends multiple requests and closes the socket after the first reply. But this can also be DNS spoofing, where the attacker sends both the request and the reply, attempting to poison the resolver's cache.

"NetBIOS resolution": if a Windows machine receives these ICMP packets, check whether the UDP destination port is 137. If so, the Windows machine was calling gethostbyaddr(), which resolves an IP address using both DNS and NetBIOS at the same time. The DNS query goes to a DNS server somewhere, but the NetBIOS query goes directly to the target machine; if the target does not support NetBIOS, it sends back an ICMP unreachable.

"Traceroute": most traceroute programs (except Windows' tracert.exe) send UDP packets to closed ports. This causes a series of back-to-back ICMP Port Unreachable packets to come back. So if you see these ICMP packets at your firewall, someone behind the firewall may be running traceroute. You will also see TTL Exceeded messages.
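Here is the decode above done in code, as an added example that is not part of the original article: it walks the Ethernet, IP, ICMP and quoted IP/UDP headers of the dump, verifies the three Internet checksums (a forged or truncated quote fails here), and then applies the explanations just listed to the inner ports. The sample is a copy of the dump shown above; the classic UNIX traceroute base port (33434) is an assumption added for the traceroute case.

```python
import struct
from ipaddress import IPv4Address

# Copy of the ICMP unreachable frame quoted in the article
# (Ethernet + IP + ICMP header + quoted IP header + first 8 bytes of UDP).
SAMPLE_FRAME_HEX = """
00 00 BA 5E BA 11 00 60 97 07 C0 FF 08 00 45 00
00 38 6F DF 00 00 80 01 B4 12 0A 00 01 0B 0A 00
01 C9 03 03 C2 D2 00 00 00 00 45 00 00 47 07 F0
00 00 80 11 1B E3 0A 00 01 C9 0A 00 01 0B 08 A7
79 19 00 33 B8 36
"""

TRACEROUTE_UDP_BASE = 33434   # assumption: where classic UNIX traceroute starts its UDP probes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when run over data that already contains a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes):
    """Parse an IPv4 header; return (fields, bytes after the header)."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl,
              "proto": proto, "total_len": total_len, "ihl": ihl,
              "checksum_ok": inet_checksum(buf[:ihl]) == 0}
    return fields, buf[ihl:]


def parse_icmp_unreachable(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying ICMP; for type 3 also decode the quoted IP + L4 header."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip, payload = parse_ipv4(frame[14:])
    if ip["proto"] != 1:
        raise ValueError("not ICMP")
    icmp = payload[: ip["total_len"] - ip["ihl"]]          # trim any Ethernet padding
    icmp_type, icmp_code, _csum = struct.unpack("!BBH", icmp[:4])
    out = {"outer_src": ip["src"], "outer_dst": ip["dst"], "outer_ip_checksum_ok": ip["checksum_ok"],
           "icmp_type": icmp_type, "icmp_code": icmp_code, "icmp_checksum_ok": inet_checksum(icmp) == 0}
    if icmp_type != 3:
        return out
    inner, inner_payload = parse_ipv4(icmp[8:])              # the datagram that provoked the error
    out.update({"inner_src": inner["src"], "inner_dst": inner["dst"], "inner_proto": inner["proto"],
                "inner_ip_checksum_ok": inner["checksum_ok"]})
    if inner["proto"] == 17 and len(inner_payload) >= 8:     # UDP: ports, length, checksum
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", inner_payload[:8])
        out.update({"src_port": sport, "dst_port": dport, "udp_length": ulen})
    elif inner["proto"] == 6 and len(inner_payload) >= 4:    # TCP: only the ports are guaranteed to be quoted
        sport, dport = struct.unpack("!HH", inner_payload[:4])
        out.update({"src_port": sport, "dst_port": dport})
    return out


def explain_port_unreachable(d: dict) -> str:
    """Apply the 'why do you see these' cases to a decoded type 3 / code 3 message."""
    if (d.get("icmp_type"), d.get("icmp_code")) != (3, 3):
        return "not a port-unreachable message"
    if not (d["outer_ip_checksum_ok"] and d["icmp_checksum_ok"] and d["inner_ip_checksum_ok"]):
        return "checksum failure: corrupted or forged message"
    if d.get("inner_proto") != 17:
        return "quoted datagram is not UDP"
    if d["src_port"] == 53:
        return "stale DNS: our reply arrived after the client closed its port"
    if d["dst_port"] == 137:
        return "NetBIOS name resolution (gethostbyaddr) against a host without NetBIOS"
    if TRACEROUTE_UDP_BASE <= d["dst_port"] < TRACEROUTE_UDP_BASE + 256:
        return "traceroute probe from %s to a closed port" % d["inner_src"]
    return ("%s sent UDP to %s:%d and was refused by %s; if many of these arrive from one host "
            "with changing source ports, suspect a decoy UDP scan spoofing the source address"
            % (d["inner_src"], d["inner_dst"], d["dst_port"], d["outer_src"]))


if __name__ == "__main__":
    decoded = parse_icmp_unreachable(bytes.fromhex("".join(SAMPLE_FRAME_HEX.split())))
    for k, v in decoded.items():
        print(f"{k:24} {v}")
    print(explain_port_unreachable(decoded))
```

On the sample all three checksums verify, the quoted IP total length (0x47 = 71) agrees with the UDP length 51 plus a 20-byte header, and the inner ports come out as 2215 and 31001, matching the manual decode above. Checking the quoted header against the datagrams you actually sent is what separates a refused connection of your own from a decoy scan that borrowed your address.
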

3) Type = 3, Code = 4 (Fragmentation Needed and Don't Fragment was Set)

This is caused by a router being asked to forward an IP packet marked DF (Don't Fragment) that is too large for the next link. Why? Both IP and TCP can split data into pieces, and TCP is much better at managing segmentation than IP fragmentation is, so the stack tries to discover the "Path MTU" (the largest transmission unit the whole route can carry). These ICMP messages are generated during that process.

Suppose Alice and Bob are talking. Both are on Ethernet (max frame size = 1500 bytes), but a link in between limits IP packets to 600 bytes. That means every full-size packet they send would have to be cut by the router into 3 fragments, so it is more efficient to segment at the TCP layer. The TCP layer tries to find the MTU: it sets the DF bit on all packets, and as soon as such a packet hits a router that cannot forward something that large, the router sends back an ICMP error. From that, the TCP layer can work out how to segment correctly.

You should probably allow these packets through your firewall. Otherwise, small packets get through and establish the connection, but large packets mysteriously vanish and the connection hangs. The usual symptom is that people see only half of a web page.

Path MTU discovery is becoming more and more integrated into communications; IPsec, for example, requires it.
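The Alice/Bob exchange as an added example (not from the original article): a small Python model of a sender probing with DF set across a path of link MTUs. Each ICMP type 3 / code 4 carries the MTU of the link that could not take the packet and the sender shrinks to it; the second function shows the black hole you get when a firewall discards those messages, where the small request still arrives but the large response never does. The path and packet sizes are constructed.

```python
def discover_path_mtu(path_mtus, initial_size, firewall_passes_frag_needed=True, max_rounds=16):
    """Model a sender that sets DF and shrinks on every 'fragmentation needed' message.

    path_mtus: MTU of each link from sender to receiver, in order.
    Returns {"pmtu": size that finally got through (None if black-holed),
             "events": what happened on each round, "black_hole": bool}.
    """
    size = initial_size
    events = []
    for _ in range(max_rounds):
        too_small = next((mtu for mtu in path_mtus if size > mtu), None)   # first link that can't carry it
        if too_small is None:
            events.append(("delivered", size))
            return {"pmtu": size, "events": events, "black_hole": False}
        # The router drops the DF packet and reports the MTU of the next hop.
        events.append(("icmp type=3 code=4, next-hop MTU", too_small))
        if not firewall_passes_frag_needed:
            events.append(("icmp dropped by our firewall; sender keeps retransmitting", size))
            return {"pmtu": None, "events": events, "black_hole": True}
        size = too_small                                                    # TCP re-segments to the reported MTU
    return {"pmtu": None, "events": events, "black_hole": True}


def fetch_page(path_mtus, request_size, response_size, firewall_passes_frag_needed=True):
    """The half-loaded web page: the small request gets through, the large response may not."""
    req = discover_path_mtu(path_mtus, request_size, firewall_passes_frag_needed)
    resp = discover_path_mtu(path_mtus, response_size, firewall_passes_frag_needed)
    return {"request_delivered": not req["black_hole"],
            "response_delivered": not resp["black_hole"],
            "path_mtu_learned": resp["pmtu"]}


if __name__ == "__main__":
    path = [1500, 600, 1500]   # Alice's Ethernet, a 600-byte link in between, Bob's Ethernet
    print(discover_path_mtu(path, 1500))
    print(fetch_page(path, 200, 1500, firewall_passes_frag_needed=False))
```

With the message allowed, one round trip is enough to settle on 600 bytes; with it blocked, the 200-byte request completes the handshake while the 1500-byte response is retransmitted into the void, which is the connection that "mysteriously hangs".
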

(3) Type = 4 (Source Quench)

These packets may be sent by a router or by the destination host when traffic exceeds its limits. Many systems today do not generate them, because simple packet loss is now believed to be the better signal of congestion (the cause of packet loss is usually congestion anyway).

The current rules for source quench are (RFC 1122):
routers must not generate them
hosts may generate them
hosts should not generate them casually
firewalls should drop them

However, a host that receives a source quench still slows down its traffic, so it can be used for DoS. Firewalls should filter them. If you suspect a DoS, the source address in the packet is meaningless, since it is certainly forged.

Some SMTP servers are known to send source quench.

(4) Type = 8 (Echo, aka PING)

This is the ping request packet. It is used in many situations: it may mean someone is maliciously scanning your machine, but it may also be part of normal network operation. See Type = 0 (Echo Reply).

Many network management scanners generate distinctive ping packets, including the ISS scanner and the WhatsUp monitor. This is visible in the scanner's payload. Many firewalls do not log the payload, so you need a sniffer to capture it or an intrusion detection system (IDS) to flag it.

Remember that blocking incoming pings does not mean hackers cannot scan your network; there are many alternatives. TCP ACK scans, for instance, are increasingly popular: they usually pass through firewalls and provoke an abnormal response from the target system.

Pings sent to broadcast addresses (such as x.x.x.0 or x.x.x.255) may be used to turn your network into a smurf amplifier.

(5) Type = 11 (Time Exceeded In Transit)

This is generally not a hacker or cracker attack.

1) Type = 11, Code = 0 (TTL Exceeded In Transit)

This can be caused by many things. If someone on your site runs traceroute to the Internet, you will see many TTL exceeded packets coming back from routers. That is how traceroute works: it forces the routers to generate TTL exceeded messages in order to discover them.

Another reason a firewall administrator sees these is a routing loop on the Internet. Route flapping (routes that keep changing) is a common problem and often causes loops: as an IP packet heads toward its destination, a router mistakenly sends it back to a router it has already passed through. Since every router decrements the TTL as the packet passes, the packet keeps circling until the TTL reaches 0 and it is dropped.

Another cause is distance. Many machines (Windows) have a default TTL of 127 or lower, and routers often decrement the TTL by more than 1 to reflect slow links such as dial-up or trans-oceanic connections. So a site may be unreachable simply because the initial TTL is too small. Some hackers/crackers also use this technique to make a site unreachable.

2) Type = 11, Code = 1 (Fragment Reassembly Time Exceeded)

When an IP packet is sent in fragments, the receiver may not get all of the fragments. Normally most TCP/IP traffic is not fragmented at all, so if you see this, fragmentation is in use and there is congestion (packet loss) between you and the destination.

(6) Type = 12 (Parameter Problem)

This may indicate an attack: many footprinting techniques generate these packets.