§I€MFKR™
10-03-03, 05:38 PM
I did the SG security test and all my ports came up Filtered?
Port Status Service Description
13/udp filtered? daytime Daytime service (RFC 867) - responds with the current time of day. Different machines respond with slightly different date/time format, so port can be used to fingerprint machines.
19/udp filtered? chargen Generates and replies with a character when queried. Should be disabled if there is no specific need for it. Source for potential attacks.
20/udp filtered? ftp-data
21/udp filtered? ftp FSP/FTP
22/udp filtered? ssh Old version of pcAnywhere uses port 22/udp (no relation to ssh and port 22/tcp).
The real pcAnywhere port is 5632. The value 0x0016 (hex) is 22 decimal; the value of 0x1600 (hex) is 5632 decimal. Some say that pcAnywhere had a byte-swapping bug that led to its incorrect use of port 22.
49/udp filtered? tacacs Login Host Protocol (TACACS)
53/udp filtered? domain DNS (Domain Name Service) is used for domain name resolution.
Some trojans also use this port: ADM worm, li0n, MscanWorm, MuSka52
67/udp filtered? dhcpserver Bootstrap protocol server. Used by DHCP servers to communicate addressing information to remote DHCP clients.
68/udp filtered? dhcpclient Bootstrap protocol client. Used by client machines to obtain dynamic IP addressing information from a DHCP server.
69/udp filtered? tftp Trivial File Transfer Protocol - A less secure version of FTP, generally used in maintaining and updating systems, for configuration file transfers between LAN systems, firmware updates on routers, etc.
Many trojans also use this port: BackGate Kit, Nimda, Pasana, Storm, Storm worm, Theef...
W32.Blaster.Worm is a widely spread worm that exploits the MS DCOM RPC vulnerability described in MS Security Bulletin MS03-026. The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Welchia.Worm - a wildly spread worm that removes the W32.Blaster.Worm and installs a TFTP server.
79/udp filtered? finger Finger
Trojans that also use this port: ADM worm, Firehotcker
88/udp filtered? kerberos-sec KDC (Kerberos key distribution center) server.
99/udp filtered? metagram metagram relay, gnutella?
110/udp filtered? pop-3 POP3 server traffic (should be TCP only?)
111/udp filtered? sunrpc Provides information between Unix based systems. Port is often probed, it can be used to fingerprint the Nix OS, and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service.
Trojans that use this port: ADM worm, MscanWorm
113/udp filtered? auth Port 113 used for Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc. that remote server sends back a query to the IDENT port 113 asking for identification from your system...
Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all from port 113 queries, the connection to them (which initiated their query in the first place) will be delayed or perhaps even completely abandoned.
The simplest solution is to close, rather than filter port 113.
Some trojans also use this port: ADM worm, Alicia, Cyn, DataSpy Network X, Dosh, Gibbon, Invisible Identd Deamon, Kazimas, Taskman
119/udp filtered? nntp NNTP (Network News Transfer Protocol) control messages.
123/udp filtered? ntp Network Time Protocol (NTP)
143/udp filtered? imap2 IMAP
161/udp filtered? snmp Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.
Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162.
162/udp filtered? snmptrap same as port 161/udp
194/udp filtered? irc Internet Relay Chat Protocol
635/udp filtered? mount NFS (remote filesystem access) mount service.
666/udp filtered? doom Used by the game Doom (ID Software), however, because of the cool connotations, this port is also used by numerous trojan horses/backdoors.
Here is a list: Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (the rippers).
Backdoor.FTP_Ana.C - backdoor trojan, 03.2003. Affects all current Windows versions.
Backdoor.Checkesp - backdoor trojan, 06.2003. Affects all current Windows versions.
Backdoor.Private - backdoor trojan, 05.2003. Affects all current Windows versions.
1025/udp filtered? blackjack Ports > 1024 are designated for dynamic allocation by Windows. When programs ask for the "next available" socket, they usually get sequential ports starting at 1025.
1026/udp filtered? unknown same as port 1025/udp
1027/udp filtered? unknown same as port 1025/udp
1028/udp filtered? ms-lsa same as port 1025/udp
1029/udp filtered? unknown same as port 1025/udp
1723/udp filtered? unknown PPTP virtual private network (VPN)
1863/udp filtered? unknown Port used by MSN Messenger
2049/udp filtered? nfs Network File System (NFS) - remote filesystem access. (RFC 1813)
3150/udp filtered? unknown Netmike assessor administrator port.
Some trojans that also use this port: The Invasor (TCP), Deep Throat, Foreplay (UDP), Mini Backlash (UDP).
5000/udp filtered? UPnP Universal Plug and Pray - "Universal Plug and Play (UPnP) is an architecture that supports peer-to-peer Plug and Play functionality for network devices." MSKB - Universal PnP
UPnP discovery/SSDP, is a service that runs by default on WinXP, and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders. Here is a list of some known vulnerabilities with UPnP:
MS Security Bulletin MS01-054
MS Security Bulletin MS01-059
UPnP Vulnerabilities
Also, the following Trojan Horses use port 5000: Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie
5631/udp filtered? unknown PC-Anywhere sends UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one!
If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block.
5632/udp filtered? pcanywherestat same as port 5631/udp
5678/udp filtered? unknown Port used by Linksys (and other) Cable/DSL Routers Remote Administration
Vulnerable systems: Linksys Cable/DSL version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
Immune systems: Linksys Cable/DSL versions prior to 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
6665/udp filtered? unknown IRC (Internet Relay Chat)
Many trojans/backdoors also use these ports: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood.
6666/udp filtered? unknown same as port 6665/udp
6667/udp filtered? unknown same as port 6665/udp
6668/udp filtered? unknown same as port 6665/udp
6669/udp filtered? unknown same as port 6665/udp
27374/udp filtered? unknown SubSeven Trojan horse (TCP). Also used as a backdoor port left behind by exploit scripts, such as those in the Ramen worm. While some scans for this port may be due to SubSeven, others may be looking for a remote shell.
Some other trojan horses/backdoors that use this port: Bad Blood, Ramen, Seeker, SubSeven (many versions), Ttfloader
31337/udp filtered? BackOrifice This port number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T) and because of the special meaning is often used for interesting stuff... Many backdoors/trojans run on this port, the most notable being Back Orifice.
Here are some others that run on the same port: Back Fire, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini
31789/udp filtered? unknown Windows Hack'a'Tack trojan
31790/udp filtered? unknown same as port 31789/udp
Total scanned ports: 125
Open ports: 0
Closed ports: 0
Filtered ports: 125