View Full Version : Port list needed for trojan research



Teflon Down Und
04-14-2002, 09:44 PM
Does anyone know a good, current listing for network ports? IANA.org and other sources I have looked at just do not have a comprehensive list, especially since vendors are often using unregistered ports. For example, it took me two weeks to determine that port 38037 on my machine was active because of Norton Antivirus Corporate Edition. There must be a good port reference out there somewhere...

Maybe even better would be a utility that identifies which application on your machine is responsible for which active ports. At least you could better understand what is happening when netstat reveals active ports.

Blacksheep
04-14-2002, 10:44 PM
Ah... You need a port mapper. Depends on your OS which mapper you can use. Take a look at TCPView and see if this type of prog is what you had in mind?

http://www.winternals.com/products/monitoringtools/tcpviewpro.asp

Welcome to the BB. :)

fE¨·.·¨Er
04-15-2002, 09:47 AM
Originally posted by Teflon Down Und
Does anyone know a good, current listing for network ports? .................

-----------------------------------------------

It looks like you do not wish to be reached by e-mail, so I cannot send you the requested list.

I tried to paste it over here, but the system is refusing it and it has been truncated at about 15% of its original size (171 486 K), so what do you suggest? How do you wish to receive it?
(if ever you still need it)

regards

Unregistered
04-15-2002, 12:34 PM
Hi Teflon: Don't know if this is what you had in mind. I have a list of all ports (9 pages long). List updated 6/20/2001. Web site is: http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.ht. The port in your post is not on the list for known exploits. Also, you can use a search engine for: Nyheter 1999-02 "Tojanlistan". If you have questions re: actual trojan attacks or ports used by trojans not listed you can contact Joakim von Braun at <joakim.von.braun@risab.se>. Regards, Newbietoo :)

Unregistered
04-15-2002, 12:48 PM
Hi again, could not get to website myself using the address I gave you, but when I went to Google Search Engine and put in :Nyheter 1999-02 "Tojanlistan" the site was right there. And I was using a proxy. If you have any difficulty let me know. I think this list is what you want. Regards, Newbietoo

fE¨·.·¨Er
04-15-2002, 02:11 PM
Originally posted by Unregistered
Hi again, could not get to website myself using the address I gave you, but when I went to Google Search Engine and put in :Nyheter 1999-02 "Tojanlistan" the site was right there. And I was using a proxy. If you have any difficulty let me know. I think this list is what you want. Regards, Newbietoo
----------------------------------------------
The link provided by you "Newbietoo" is absolutely correct.
Unfortunately, it seems that you pasted it truncated.
No pages end with ht, so I tried with html and it works great, thank you newbietoo.
It is very similar to the list that I proposed earlier by e-mail.
This is the link of Newbietoo "corrected":
http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html

Unregistered
04-15-2002, 08:05 PM
Hi, Gosh your post lifted my spirits!!! I knew that ht was incomplete, thought folks would pick up on the html. Hope the list helps everyone. I refer to it all of the time as my firewall is getting slammed every day :). Regards, Newbietoo

Blacksheep
04-15-2002, 10:50 PM
Don't count on any trojan port list as being complete. Many trojans don't use *standard* trojan ports. If you wanna know which apps in your computer use which ports - you need a port mapper.

DATA
04-16-2002, 10:22 AM
hi,


Someone over IRC sent me this a long time ago. It's pretty old though, this list. Hope it comes in handy.
------------------------------------------------------------------------------

What port numbers do well-known trojan horses use?
After seeing several questions about trojan traffic directed at ports as 31337 and 12345 I've put together a list of all trojans known to me and the default ports they are using. Of course several of them could use any port, but I hope this list will maybe give you a clue of what might be going on.
If you find probes direct against ports normally not used, it may be someone trying to connect to a trojan inside your network. I hope this list will be of some help for you. The problem with Remote Access trojans or trojans trying to steal passwords is a new one.
Today there are no program, either anti virus or anti trojan programmes, who can detect unknown trojan horses. And the programmes claiming to defend you can only find a fraction of all the several hundred trojans out there – 17 written in 1997, 81 constructed the following year, and at least 156 new trojans thus far in 1999.
This list was last (at last) updated 1999–11–01 and includes more than 75 new entries compared with the June list. I am sorry for the delay, but it is really time consuming digging out all this information.
Default ports used by some known trojan horses:
port 21 - Back Construction, Blade Runner, Doly Trojan, Fore, FTP trojan, Invisible FTP, Larva, WebEx, WinCrash
port 23 - Tiny Telnet Server (= TTS)
port 25 - Ajan, Antigen, Email Password Sender, Haebu Coceda (= Naebi), Happy 99, Kuang2, ProMail trojan, Shtrilitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
port 31 - Agent 31, Hackers Paradise, Masters Paradise
port 41 - DeepThroat
port 59 - DMSetup
port 79 - Firehotcker
port 80 - Executor, RingZero
port 99 - Hidden Port
port 110 - ProMail trojan
port 113 - Kazimas
port 119 - Happy 99
port 121 - JammerKillah
port 421 - TCP Wrappers
port 456 - Hackers Paradise
port 531 - Rasmin
port 555 - Ini-Killer, NeTAdmin, Phase Zero, Stealth Spy
port 666 - Attack FTP, Back Construction, Cain & Abel, Satanz Backdoor, ServeU, Shadow Phyre
port 911 - Dark Shadow
port 999 - DeepThroat, WinSatan
port 1001 - Silencer, WebEx
port 1010 - Doly Trojan
port 1011 - Doly Trojan
port 1012 - Doly Trojan
port 1015 - Doly Trojan
port 1024 - NetSpy
port 1042 - Bla
port 1045 - Rasmin
port 1090 - Xtreme
port 1170 - Psyber Stream Server, Streaming Audio trojan, Voice
port 1234 - Ultors Trojan
port 1243 - BackDoor-G, SubSeven, SubSeven Apocalypse
port 1245 - VooDoo Doll
port 1269 - Mavericks Matrix
port 1349 (UDP) - BO DLL
port 1492 - FTP99CMP
port 1509 - Psyber Streaming Server
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1981 - Shockrave
port 1999 - BackDoor
port 1999 - TransScout
port 2000 - TransScout
port 2001 - TransScout
port 2001 - Trojan Cow
port 2002 - TransScout
port 2003 - TransScout
port 2004 - TransScout
port 2005 - TransScout
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2155 - Illusion Mailer
port 2283 - HVL Rat5
port 2565 - Striker
port 2583 - WinCrash
port 2600 - Digital RootBeer
port 2801 - Phineas Phucker
port 2989 (UDP) - RAT
port 3024 - WinCrash
port 3128 - RingZero
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3459 - Eclipse 2000
port 3700 - Portal of Doom
port 3791 - Eclypse
port 3801 (UDP) - Eclypse
port 4092 - WinCrash
port 4321 - BoBo
port 4567 - File Nail
port 4590 - ICQTrojan
port 5000 - Bubbel, Back Door Setup, Sockets de Troie
port 5001 - Back Door Setup, Sockets de Troie
port 5011 - One of the Last Trojans (OOTLT)
port 5031 - NetMetro
port 5321 - Firehotcker
port 5400 - Blade Runner, Back Construction
port 5401 - Blade Runner, Back Construction
port 5402 - Blade Runner, Back Construction
port 5550 - Xtcp
port 5512 - Illusion Mailer
port 5555 - ServeMe
port 5556 - BO Facil
port 5557 - BO Facil
port 5569 - Robo-Hack
port 5742 - WinCrash
port 6400 - The Thing
port 6669 - Vampyre
port 6670 - DeepThroat
port 6771 - DeepThroat
port 6776 - BackDoor-G, SubSeven
port 6912 - Shit Heep (not port 69123!)
port 6939 - Indoctrination
port 6969 - GateCrasher, Priority, IRC 3
port 6970 - GateCrasher
port 7000 - Remote Grab, Kazimas
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - Back Door Setup, ICKiller
port 8080 - RingZero
port 9400 - InCommand
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9876 - Cyber Attacker
port 9878 - TransScout
port 9989 - iNi-Killer
port 10067 (UDP) - Portal of Doom
port 10101 - BrainSpy
port 10167 (UDP) - Portal of Doom
port 10520 - Acid Shivers
port 10607 - Coma
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12076 - Gjamer
port 12223 - Hack'99 KeyLogger
port 12345 - GabanBus, NetBus, Pie Bill Gates, X-bill
port 12346 - GabanBus, NetBus, X-bill
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 12631 - WhackJob
port 13000 - Senna Spy
port 16969 - Priority
port 17300 - Kuang2 The Virus
port 20000 - Millennium
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 20203 - Logged
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP, Whack Job
port 23476 - Donald Dick
port 23477 - Donald Dick
port 26274 (UDP) - Delta Source
port 29891 (UDP) - The Unexplained
port 30029 - AOL Trojan
port 30100 - NetSphere
port 30101 - NetSphere
port 30102 - NetSphere
port 30303 - Sockets de Troie
port 30999 - Kuang2
port 31336 - Bo Whack
port 31337 - Baron Night, BO client, BO2, Bo Facil
port 31337 (UDP) - BackFire, Back Orifice, DeepBO
port 31338 - NetSpy DK
port 31338 (UDP) - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 31785 - Hack'a'Tack
port 31787 - Hack'a'Tack
port 31788 - Hack'a'Tack
port 31789 (UDP) - Hack'a'Tack
port 31791 (UDP) - Hack'a'Tack
port 31792 - Hack'a'Tack
port 33333 - Prosiak
port 33911 - Spirit 2001a
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Agent 40421, Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 (UDP) - Delta Source
port 50505 - Sockets de Troie
port 50766 - Fore, Schwindler
port 53001 - Remote Windows Shutdown
port 54320 - Back Orifice 2000
port 54321 - School Bus
port 54321 (UDP) - Back Orifice 2000
port 60000 - Deep Throat
port 61466 - Telecommando
port 65000 - Devil
In due time we will try to publish lists of known trojan files and display them in alphabetical order and by size to help scan through your computers. At this moment I am reconstructing my database to make the work possible. We will also put up a couple of programmes to help you detect and unmask all those hostile files.
Do you have information about ports used by trojans not listed above, please contact me. And if you have any questions, do not hesitate to mail me.
Joakim von Braun
joakim.von.braun@risab.se


regards Data.

Unregistered
04-16-2002, 11:50 AM
What a surprise, Data you are actually .........? Wow. I've had that email address for awhile with your list. Regards, Newbietoo

Teflon Down Und
04-16-2002, 11:51 PM
I appreciate all the information.

Blacksheep, I tried the demo version of TCPView and it's a good tool. Something I like better, though, is Vision by Foundstone Tools or the command shell utility - FportNG. I found both of them on a CD in the back of Hacking Exposed, 3rd Edition.

Newbietoo, thanks for the website reference. It definitely deserved a bookmark.
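
Added example, not part of any post in this thread: the port-to-process triage that the port mappers named above automate, sketched in Python over `netstat -ano` style text. Only listening sockets are classified, so an outbound connection whose local port happens to be on the trojan list (1045 here) is not flagged, and a listener missing from the list is still reported as unknown. Assumptions: the netstat text, the PID-to-name table and the baseline are constructed samples; the trojan entries are copied from the list quoted earlier in the thread.

```python
# Default ports copied from the list quoted in this thread (small subset).
TROJAN_DEFAULTS = {
    ("tcp", 1045): "Rasmin",
    ("tcp", 12345): "GabanBus, NetBus, Pie Bill Gates, X-bill",
    ("udp", 31337): "BackFire, Back Orifice, DeepBO",
    ("tcp", 54320): "Back Orifice 2000",
}

# Constructed sample in the layout of Windows `netstat -ano` (not a real capture).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2216
  TCP    0.0.0.0:38037          0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     3020
  UDP    0.0.0.0:31337          *:*                                    2216
"""
# Constructed PID table (what a process listing would supply) and known-good baseline.
PID_NAMES = {884: "svchost.exe", 1432: "av-service.exe", 2216: "helper.exe"}
EXPECTED = {("tcp", 135, "svchost.exe")}

def listeners(netstat_text):
    """Yield (proto, port, pid) for sockets that accept inbound traffic."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        # UDP rows have no State column; for TCP only LISTENING rows are servers.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        yield f[0].lower(), int(f[1].rsplit(":", 1)[1]), int(f[-1])

def triage(netstat_text, pid_names, expected):
    """Label each listener 'listed: <names>', 'expected' or 'unknown'."""
    report = []
    for proto, port, pid in listeners(netstat_text):
        owner = pid_names.get(pid, "?")
        if (proto, port) in TROJAN_DEFAULTS:
            verdict = "listed: " + TROJAN_DEFAULTS[(proto, port)]
        elif (proto, port, owner) in expected:
            verdict = "expected"
        else:
            verdict = "unknown"  # on no list, but still needs an explanation
        report.append((proto, port, owner, verdict))
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE, PID_NAMES, EXPECTED):
        print("%s/%d  %-16s %s" % (row[0], row[1], row[2], row[3]))
```

A "listed" verdict is a lead rather than a diagnosis, since legitimate software can bind the same port; the owning process is what settles it.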

DATA
04-17-2002, 03:41 AM
HI NEWBIETOO,


What a surprise, Data you are actually .........? Wow. I've had that email address for awhile with your list. Regards, Newbietoo

I am me, dunno what u r talking about :)

> I've had that email address for awhile with your list.

which list?

U must be misunderstanding me for someone else.

regards Data.

Unregistered
04-17-2002, 11:50 AM
Hi Data: re your post with the list. At the end it says "email me at--and name is joakim.von.braun, of course the author of the list, not you. From the post, it just seemed as though the list was "yours". Sorry :) Silly newbie. And here I go again - forum members should never give their email addresses in a public posting. Regards, Newbietoo

fE¨·.·¨Er
04-17-2002, 08:45 PM
Originally posted by Unregistered
Hi Data: re your post with the list. ............................. - forum members should never give their email addresses in a public posting. Regards, Newbietoo

---------------------------------------------------

Allow me to disagree with you Newbietoo, I do not see any valid reason why not to give the email address in this forum.
Can somebody explain what kind of high risk am I taking by "exposing myself to this danger" and letting anyone having something to say, to send me a mail to
www@microsoft.gotdns.com