hyperic
+ Reply to Thread
Results 1 to 14 of 14

Thread: Port list needed for trojan research

  1. #1
    Join Date
    Apr 2002
    Posts
    3

    Question Port list needed for trojan research

    Does anyone know a good, current listing for network ports? IANA.org and other sources I have looked at just do not have a comprehensive list, especially since vendors are often using unregistered ports. For example, it took me two weeks to determine that port *80*7 on my machine was active because of Norton Antivirus Corporate Edition. There must be a good port reference out there somewhere...

    Maybe even better would be a utility that identifies which application on your machine is responsible for which active ports. At least you could better understand what is happening when netstat reveals active ports.

  2. #2
    Join Date
    May 2001
    Posts
    218

    Port mapper

    Ah... You need a port mapper. Depends on your OS which mapper you can use. Take a look at TCPView and see if this type of prog is what you had in mind?

    [url]http://www.winternals.com/products/monitoringtools/tcpviewpro.asp[/url]

    Welcome to the BB.
    Blacksheep

  3. #3
    Join Date
    Apr 2002
    Posts
    180

    Re: Port list needed for trojan research

    [QUOTE]Originally posted by Teflon Down Und
    [B]Does anyone know a good, current listing for network ports? .................

    -----------------------------------------------

    It looks that you do not wish to be reached by e-mail, so I cannot send you the requested list:

    I tried to paste it over here, but the system is refusing it and it has been truncated at about *5% of its original size (*7* 486 K), so what do you s***est, how do you wish to receive it.?
    (if ever you still need it)

    regards

  4. #4
    Unregistered Guest

    To Teflon Down Und From Newbietoo

    Hi Teflon: Don't know if this is what you had in mind. I have a list of all ports (* pages long). List updated 6/20/200*. Web site is: [url]http://www.simovits.com/sve/nyhetsarkiv/****/nyheter**02.ht.[/url] The port in your post is not on the list for known exploits. Also, you can use a search engine for: Nyheter ****-02 "Tojanlistan" If you have questions re: actual tojan attacks or ports used by trojans not listed you can contact :Joakim von Braun at <joakim.von.braun@risab.se>. Regards, Newbietoo

  5. #5
    Unregistered Guest

    To Teflon From Newbietoo

    Hi again, could not get to website myself using the address I gave you, but when I went to Google Search Engine and put in :Nyheter ****-02 "Tojanlistan" the site was right there. And I was using a proxy. If you have any difficulty let me know. I think this list is what you want. Regards, Newbietoo

  6. #6
    Join Date
    Apr 2002
    Posts
    180

    Re: To Teflon From Newbietoo

    Originally posted by Unregistered
    Hi again, could not get to website myself using the address I gave you, but when I went to Google Search Engine and put in :Nyheter ****-02 "Tojanlistan" the site was right there. And I was using a proxy. If you have any difficulty let me know. I think this list is what you want. Regards, Newbietoo
    ----------------------------------------------
    The link provided by you "Newbietoo" is absolutely correct.
    unfortunately, it seems that you paste it truncated.
    No pages end with ht, so I tried with html it works great, thank you newbietoo.
    It is very similar to the list that I proposed earlier by e-mail.
    this is the link of Newbietoo "corrected"
    [url]http://www.simovits.com/sve/nyhetsarkiv/****/nyheter**02.html[/url]

  7. #7
    Unregistered Guest

    To Fever from Newbietoo

    Hi, Gosh your post lifted my spirits!!! I knew that ht was incomplete, thought folks would pick up on the html. Hope the list helps everyone. I refer to it all of the time as my firewall is getting slammed every day . Regards, Newbietoo

  8. #8
    Join Date
    May 2001
    Posts
    218

    trojan ports

    Don't count on any trojan port list as being complete. Many trojans don't use *standard* trojan ports. If you wanna know which apps in your computer use which ports - you need a port mapper.
    Blacksheep

  9. #9
    Join Date
    Jun 2001
    Posts
    398
    hi,


    Some one over irc send me this a long time,Its pretty old though,this list.Hope it comes in handy.
    ------------------------------------------------------------------------------

    What port numbers do well-known trojan horses use?
    After seeing several questions about trojan traffic directed at
    ports as ****7 and *2*45 I've put together a list of all trojans
    known to me and the default ports they are using. Of course
    several
    of them could use any port, but I hope this list will maybe give
    you
    a clue of what might be going on.
    If you find probes direct against ports normally not used, it may
    be
    someone trying to connect to a trojan inside your network. I hope

    this list will be of some help for you. The problem with Remote
    Access trojans or trojans trying to steal passwords is a new one.

    Today there are no program, either anti virus or anti trojan
    programmes, who can detect unknown trojan horses. And the
    programmes
    claiming to defend you can only find a fraction of all the
    several

    hundred trojans out there *7 written in ***7, 8* constructed
    the

    following year, and at least *56 new trojans thus far in ****.
    This list was last (at last) updated ******0* and includes more

    than 75 new entries compared with the June list. I am sorry for
    the
    delay, but it is really time consuming digging out all this
    information.
    Default ports used by some known trojan horses:
    port 2* - Back Construction, Blade Runner, Doly Trojan, Fore, FTP

    trojan, Invisible FTP, Larva,
    WebEx, WinCrash
    port 2* - Tiny Telnet Server (= TTS)
    port 25 - Ajan, Antigen, Email Password Sender, Haebu Coceda (=
    Naebi), Happy **, Kuang2,
    ProMail trojan, Shtrilitz, Stealth, Tapiras,
    Terminator, WinPC, WinSpy
    port ** - Agent **, Hackers Paradise, ******s Paradise
    port 4* - DeepThroat
    port 5* - DMSetup
    port 7* - Firehotcker
    port 80 - Executor, RingZero
    port ** - Hidden Port
    port **0 - ProMail trojan
    port *** - Kazimas
    port *** - Happy **
    port *2* - JammerKillah
    port 42* - TCP Wrappers
    port 456 - Hackers Paradise
    port 5** - Rasmin
    port 555 - Ini-Killer, NeTAdmin, Phase Zero, Stealth Spy
    port 666 - Attack FTP, Back Construction, Cain & Abel, Satanz
    Backdoor, ServeU, Shadow Phyre
    port *** - Dark Shadow
    port *** - DeepThroat, WinSatan
    port *00* - Silencer, WebEx
    port *0*0 - Doly Trojan
    port *0** - Doly Trojan
    port *0*2 - Doly Trojan
    port *0*5 - Doly Trojan
    port *024 - NetSpy
    port *042 - Bla
    port *045 - Rasmin
    port *0*0 - Xtreme
    port **70 - Psyber Stream Server, Streaming Audio trojan, Voice
    port *2*4 - Ultors Trojan
    port *24* - BackDoor-G, SubSeven, SubSeven Apocalypse
    port *245 - VooDoo Doll
    port *26* - Mavericks Matrix
    port **4* (UDP) - BO DLL
    port *4*2 - FTP**CMP
    port *50* - Psyber Streaming Server
    port *600 - Shivka-Burka
    port *807 - SpySender
    port **8* - Shockrave
    port **** - BackDoor
    port **** - TransScout
    port 2000 - TransScout
    port 200* - TransScout
    port 200* - Trojan Cow
    port 2002 - TransScout
    port 200* - TransScout
    port 2004 - TransScout
    port 2005 - TransScout
    port 202* - Ripper
    port 2**5 - Bugs
    port 2*40 - Deep Throat, The Invasor
    port 2*55 - Illusion Mailer
    port 228* - HVL Rat5
    port 2565 - Striker
    port 258* - WinCrash
    port 2600 - Digital RootBeer
    port 280* - Phineas Phucker
    port 2*8* (UDP) - RAT
    port *024 - WinCrash
    port **28 - RingZero
    port **2* - ******s Paradise
    port **50 - Deep Throat, The Invasor
    port *45* - Eclipse 2000
    port *700 - Portal of Doom
    port *7** - Eclypse
    port *80* (UDP) - Eclypse
    port 40*2 - WinCrash
    port 4*2* - BoBo
    port 4567 - File Nail
    port 45*0 - ***Trojan
    port 5000 - Bubbel, Back Door Setup, Sockets de Troie
    port 500* - Back Door Setup, Sockets de Troie
    port 50** - One of the Last Trojans (OOTLT)
    port 50** - NetMetro
    port 5*2* - Firehotcker
    port 5400 - Blade Runner, Back Construction
    port 540* - Blade Runner, Back Construction
    port 5402 - Blade Runner, Back Construction
    port 5550 - Xtcp
    port 55*2 - Illusion Mailer
    port 5555 - ServeMe
    port 5556 - BO Facil
    port 5557 - BO Facil
    port 556* - Robo-Hack
    port 5742 - WinCrash
    port 6400 - The Thing
    port 666* - Vampyre
    port 6670 - DeepThroat
    port 677* - DeepThroat
    port 6776 - BackDoor-G, SubSeven
    port 6**2 - Shit Heep (not port 6**2*!)
    port 6*** - Indoctrination
    port 6*6* - GateCrasher, Priority, IRC *
    port 6*70 - GateCrasher
    port 7000 - Remote Grab, Kazimas
    port 7*00 - NetMonitor
    port 7*0* - NetMonitor
    port 7*06 - NetMonitor
    port 7*07 - NetMonitor
    port 7*08 - NetMonitor
    port 778* - Back Door Setup, ICKiller
    port 8080 - RingZero
    port *400 - InCommand
    port *872 - Portal of Doom
    port *87* - Portal of Doom
    port *874 - Portal of Doom
    port *875 - Portal of Doom
    port *876 - Cyber Attacker
    port *878 - TransScout
    port **8* - iNi-Killer
    port *0067 (UDP) - Portal of Doom
    port *0*0* - BrainSpy
    port *0*67 (UDP) - Portal of Doom
    port *0520 - Acid Shivers
    port *0607 - Coma
    port **000 - Senna Spy
    port **22* - Progenic trojan
    port *2076 - Gjamer
    port *222* - Hack** KeyLogger
    port *2*45 - GabanBus, NetBus, Pie Bill Gates, X-bill
    port *2*46 - GabanBus, NetBus, X-bill
    port *2*6* - Whack-a-mole
    port *2*62 - Whack-a-mole
    port *26** - WhackJob
    port **000 - Senna Spy
    port *6*6* - Priority
    port *7*00 - Kuang2 The Virus
    port 20000 - Millennium
    port 2000* - Millennium
    port 200*4 - NetBus 2 Pro
    port 2020* - Logged
    port 2*544 - GirlFriend
    port 22222 - Prosiak
    port 2*456 - Evil FTP, Ugly FTP, Whack Job
    port 2*476 - Donald Dick
    port 2*477 - Donald Dick
    port 26274 (UDP) - Delta Source
    port 2*8** (UDP) - The Unexplained
    port *002* - AOL Trojan
    port *0*00 - NetSphere
    port *0*0* - NetSphere
    port *0*02 - NetSphere
    port *0*0* - Sockets de Troi
    port *0*** - Kuang2
    port ****6 - Bo Whack
    port ****7 - Baron Night, BO client, BO2, Bo Facil
    port ****7 (UDP) - BackFire, Back Orifice, DeepBO
    port ****8 - NetSpy DK
    port ****8 (UDP) - Back Orifice, DeepBO
    port ***** - NetSpy DK
    port **666 - BOWhack
    port **785 - Hack玜玊ack
    port **787 - Hack玜玊ack
    port **788 - Hack玜玊ack
    port **78* (UDP) - Hack玜玊ack
    port **7** (UDP) - Hack玜玊ack
    port **7*2 - Hack玜玊ack
    port ***** - Prosiak
    port ***** - Spirit 200*a
    port *4*24 - BigGluck, TN
    port 404*2 - The Spy
    port 4042* - Agent 4042*, ******s Paradise
    port 40422 - ******s Paradise
    port 4042* - ******s Paradise
    port 40426 - ******s Paradise
    port 47262 (UDP) - Delta Source
    port 50505 - Sockets de Troie
    port 50766 - Fore, Schwindler
    port 5*00* - Remote Windows Shutdown
    port 54*20 - Back Orifice 2000
    port 54*2* - School Bus
    port 54*2* (UDP) - Back Orifice 2000
    port 60000 - Deep Throat
    port 6*466 - Telecommando
    port 65000 - Devil
    In due time we will try to publish lists of known trojan files
    and

    disply them in alphabetical order and by size to help scan
    through

    your computers. At this moment I am reconstructing my database to

    make the work possible. We will also put up a couple of
    programmes

    to help you detect and unmask all those hostile files.
    Do you have information about ports used by trojans not listed
    above, please contact me. And if you have any questions, do not
    hesitate to mail me.
    Joakim von Braun
    [email]joakim.von.braun@risab.se[/email]


    regards Data.

  10. #10
    Unregistered Guest

    From Newbietoo to Data

    What a surprise, Data you are actually .........? Wow. I've had that email addrress for awhile with your list. Regards, Newbietoo

  11. #11
    Join Date
    Apr 2002
    Posts
    3

    Thanks for the info

    I appreciate all the information.

    Blacksheep, I tried the demo version of TCPView and it's a good tool. Something I like better, though, is Vision by Foundstone Tools or the command shell utility - FportNG. I found both of them on a CD in the back of Hacking Exposed, *rd Edition.

    Newbietoo, thanks for the website reference. It definitely deserved a bookmark.

  12. #12
    Join Date
    Jun 2001
    Posts
    398
    HI NEWBIETOO,


    What a surprise, Data you are actually .........? Wow. I've had that email addrress for awhile with your list. Regards, Newbietoo

    I am me,dunno what u r talking about

    > I've had that email addrress for awhile with your list.

    which list?

    U must be misunderstanding me for some one else.

    regards Data.

  13. #13
    Unregistered Guest

    To Data from Newbietoo - Yup misunderstanding

    Hi Data: re your post with the list. At the end it says "email me at--and name is joakim.von.braun, of course the author of the list, not you. From the post, it just seemed as though the list was "yours". Sorry Silly newbie. And here I go again - forum members should never give their email addresses in a public posting. Regards, Newbietoo

  14. #14
    Join Date
    Apr 2002
    Posts
    180

    Re: To Data from Newbietoo - Yup misunderstanding

    Originally posted by Unregistered
    Hi Data: re your post with the list. ............................. - forum members should never give their email addresses in a public posting. Regards, Newbietoo
    ---------------------------------------------------

    Allow me to disagree with you Newbietoo, I do not see any valid reason why not to give the email address in this forum..
    Can somebody explain what kind of high risk am I taking by "exposing myself to this danger" and letting anyone having something to say, to send me a mail to
    [email]www@microsoft.gotdns.com[/email]
    Last edited by fEǚ.法Er; 04-17-2002 at 09:48 PM.

+ Reply to Thread

Similar Threads

  1. Top Social Media Profiles Research
    By lextimmulty in forum General discussion
    Replies: 0
    Last Post: 08-24-2012, 09:07 AM
  2. drop trojan on open port
    By NickSing3 in forum Viruses and Trojans
    Replies: 1
    Last Post: 12-10-2006, 03:27 PM
  3. Port list (somehow complete)
    By fEǚ.法Er in forum Proxies and Firewalls
    Replies: 1
    Last Post: 04-27-2002, 11:24 PM
  4. Port list needed for trojan research
    By Teflon Down Und in forum Viruses and Trojans
    Replies: 1
    Last Post: 04-19-2002, 07:51 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts