
View Full Version : Port list needed for trojan research



Teflon Down Und
04-14-2002, 09:44 PM
Does anyone know a good, current listing for network ports? IANA.org and other sources I have looked at just do not have a comprehensive list, especially since vendors are often using unregistered ports. For example, it took me two weeks to determine that port *80*7 on my machine was active because of Norton Antivirus Corporate Edition. There must be a good port reference out there somewhere...

Maybe even better would be a utility that identifies which application on your machine is responsible for which active ports. At least you could better understand what is happening when netstat reveals active ports.

Blacksheep
04-14-2002, 10:44 PM
Ah... You need a port mapper. Depends on your OS which mapper you can use. Take a look at TCPView and see if this type of prog is what you had in mind?

http://www.winternals.com/products/monitoringtools/tcpviewpro.asp

Welcome to the BB. :)

fE¨·.·¨Er
04-15-2002, 09:47 AM
Originally posted by Teflon Down Und
Does anyone know a good, current listing for network ports? .................

-----------------------------------------------

It looks like you do not wish to be reached by e-mail, so I cannot send you the requested list.

I tried to paste it over here, but the system is refusing it and it has been truncated at about *5% of its original size (*7* 486 K), so what do you suggest? How do you wish to receive it?
(if ever you still need it)

regards

Unregistered
04-15-2002, 12:34 PM
Hi Teflon: Don't know if this is what you had in mind. I have a list of all ports (* pages long). List updated 6/20/200*. Web site is: http://www.simovits.com/sve/nyhetsarkiv/****/nyheter**02.ht. The port in your post is not on the list for known exploits. Also, you can use a search engine for: Nyheter ****-02 "Tojanlistan". If you have questions re: actual trojan attacks or ports used by trojans not listed, you can contact Joakim von Braun at <joakim.von.braun@risab.se>. Regards, Newbietoo :)

Unregistered
04-15-2002, 12:48 PM
Hi again, could not get to website myself using the address I gave you, but when I went to Google Search Engine and put in :Nyheter ****-02 "Tojanlistan" the site was right there. And I was using a proxy. If you have any difficulty let me know. I think this list is what you want. Regards, Newbietoo

fE¨·.·¨Er
04-15-2002, 02:11 PM
Originally posted by Unregistered
Hi again, could not get to website myself using the address I gave you, but when I went to Google Search Engine and put in :Nyheter ****-02 "Tojanlistan" the site was right there. And I was using a proxy. If you have any difficulty let me know. I think this list is what you want. Regards, Newbietoo
----------------------------------------------
The link provided by you, "Newbietoo", is absolutely correct.
Unfortunately, it seems that you pasted it truncated.
No pages end with ht, so I tried with html and it works great, thank you Newbietoo.
It is very similar to the list that I proposed earlier by e-mail.
This is the link of Newbietoo, "corrected":
http://www.simovits.com/sve/nyhetsarkiv/****/nyheter**02.html

Unregistered
04-15-2002, 08:05 PM
Hi, Gosh your post lifted my spirits!!! I knew that ht was incomplete, thought folks would pick up on the html. Hope the list helps everyone. I refer to it all of the time as my firewall is getting slammed every day :). Regards, Newbietoo

Blacksheep
04-15-2002, 10:50 PM
Don't count on any trojan port list as being complete. Many trojans don't use *standard* trojan ports. If you wanna know which apps in your computer use which ports - you need a port mapper.
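
Blacksheep's point above, as an added example that is not part of the original thread: Python that joins constructed `netstat -ano` and `tasklist /fo csv /nh` output so each listening port is judged by its owning process rather than by a port list. The allowlist `EXPECTED`, the image name `updater32.exe` and all sample data are assumptions made for illustration.

```python
import csv, io
# Constructed sample of Windows `netstat -ano` output (not from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:49200          0.0.0.0:0              LISTENING       2216
  TCP    192.168.1.10:1067      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    680
"""
# Constructed sample of `tasklist /fo csv /nh` output; updater32.exe is made up.
TASKLIST = '''\
"System","4","Console","0","216 K"
"lsass.exe","680","Console","0","1,120 K"
"svchost.exe","892","Console","0","3,400 K"
"svchost.exe","1044","Console","0","4,812 K"
"updater32.exe","2216","Console","0","2,048 K"
'''
# Three unmasked entries copied from the list posted in this thread.
LISTED = {5000: "Bubbel, Back Door Setup, Sockets de Troie",
          8080: "RingZero", 22222: "Prosiak"}
# Hypothetical allowlist of images this host is expected to run as listeners.
EXPECTED = {"System", "lsass.exe", "svchost.exe"}

def pid_names(tasklist_csv):
    rows = csv.reader(io.StringIO(tasklist_csv))  # Image Name, PID, ...
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def listeners(netstat_text):
    """Yield (proto, port, pid) for TCP listeners and bound UDP sockets."""
    for line in netstat_text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # established connections are not listeners
        yield f[0], int(f[1].rsplit(":", 1)[1]), int(f[-1])

def review(netstat_text, tasklist_csv):
    """Judge each listener by its owning process, noting any port-list hit."""
    names = pid_names(tasklist_csv)
    return [{"proto": proto, "port": port, "pid": pid,
             "image": names.get(pid, "<unknown>"),
             "on_list": LISTED.get(port),
             "unexpected": names.get(pid, "<unknown>") not in EXPECTED}
            for proto, port, pid in listeners(netstat_text)]

if __name__ == "__main__":
    print(*review(NETSTAT, TASKLIST), sep="\n")
```

In the sample, port 5000 matches the list yet belongs to an expected image, while the unlisted port 49200 belongs to an unexpected one. An image name can be chosen freely by whoever installs a program, so a real check should also compare the executable's path or hash against what is expected.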

DATA
04-16-2002, 10:22 AM
hi,


Someone over IRC sent me this a long time ago. It's pretty old though, this list. Hope it comes in handy.
------------------------------------------------------------------------------

What port numbers do well-known trojan horses use?

After seeing several questions about trojan traffic directed at ports such as ****7 and *2*45 I've put together a list of all trojans known to me and the default ports they are using. Of course several of them could use any port, but I hope this list will maybe give you a clue of what might be going on.

If you find probes directed against ports normally not used, it may be someone trying to connect to a trojan inside your network. I hope this list will be of some help for you. The problem with Remote Access trojans or trojans trying to steal passwords is a new one.

Today there are no programs, either anti-virus or anti-trojan programmes, that can detect unknown trojan horses. And the programmes claiming to defend you can only find a fraction of all the several hundred trojans out there – *7 written in ***7, 8* constructed the following year, and at least *56 new trojans thus far in ****.

This list was last (at last) updated ****–**–0* and includes more than 75 new entries compared with the June list. I am sorry for the delay, but it is really time consuming digging out all this information.

Default ports used by some known trojan horses:
port 2* - Back Construction, Blade Runner, Doly Trojan, Fore, FTP trojan, Invisible FTP, Larva, WebEx, WinCrash
port 2* - Tiny Telnet Server (= TTS)
port 25 - Ajan, Antigen, Email Password Sender, Haebu Coceda (= Naebi), Happy **, Kuang2, ProMail trojan, Shtrilitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
port ** - Agent **, Hackers Paradise, ******s Paradise
port 4* - DeepThroat
port 5* - DMSetup
port 7* - Firehotcker
port 80 - Executor, RingZero
port ** - Hidden Port
port **0 - ProMail trojan
port *** - Kazimas
port *** - Happy **
port *2* - JammerKillah
port 42* - TCP Wrappers
port 456 - Hackers Paradise
port 5** - Rasmin
port 555 - Ini-Killer, NeTAdmin, Phase Zero, Stealth Spy
port 666 - Attack FTP, Back Construction, Cain & Abel, Satanz Backdoor, ServeU, Shadow Phyre
port *** - Dark Shadow
port *** - DeepThroat, WinSatan
port *00* - Silencer, WebEx
port *0*0 - Doly Trojan
port *0** - Doly Trojan
port *0*2 - Doly Trojan
port *0*5 - Doly Trojan
port *024 - NetSpy
port *042 - Bla
port *045 - Rasmin
port *0*0 - Xtreme
port **70 - Psyber Stream Server, Streaming Audio trojan, Voice
port *2*4 - Ultors Trojan
port *24* - BackDoor-G, SubSeven, SubSeven Apocalypse
port *245 - VooDoo Doll
port *26* - Mavericks Matrix
port **4* (UDP) - BO DLL
port *4*2 - FTP**CMP
port *50* - Psyber Streaming Server
port *600 - Shivka-Burka
port *807 - SpySender
port **8* - Shockrave
port **** - BackDoor
port **** - TransScout
port 2000 - TransScout
port 200* - TransScout
port 200* - Trojan Cow
port 2002 - TransScout
port 200* - TransScout
port 2004 - TransScout
port 2005 - TransScout
port 202* - Ripper
port 2**5 - Bugs
port 2*40 - Deep Throat, The Invasor
port 2*55 - Illusion Mailer
port 228* - HVL Rat5
port 2565 - Striker
port 258* - WinCrash
port 2600 - Digital RootBeer
port 280* - Phineas Phucker
port 2*8* (UDP) - RAT
port *024 - WinCrash
port **28 - RingZero
port **2* - ******s Paradise
port **50 - Deep Throat, The Invasor
port *45* - Eclipse 2000
port *700 - Portal of Doom
port *7** - Eclypse
port *80* (UDP) - Eclypse
port 40*2 - WinCrash
port 4*2* - BoBo
port 4567 - File Nail
port 45*0 - ***Trojan
port 5000 - Bubbel, Back Door Setup, Sockets de Troie
port 500* - Back Door Setup, Sockets de Troie
port 50** - One of the Last Trojans (OOTLT)
port 50** - NetMetro
port 5*2* - Firehotcker
port 5400 - Blade Runner, Back Construction
port 540* - Blade Runner, Back Construction
port 5402 - Blade Runner, Back Construction
port 5550 - Xtcp
port 55*2 - Illusion Mailer
port 5555 - ServeMe
port 5556 - BO Facil
port 5557 - BO Facil
port 556* - Robo-Hack
port 5742 - WinCrash
port 6400 - The Thing
port 666* - Vampyre
port 6670 - DeepThroat
port 677* - DeepThroat
port 6776 - BackDoor-G, SubSeven
port 6**2 - Shit Heep (not port 6**2*!)
port 6*** - Indoctrination
port 6*6* - GateCrasher, Priority, IRC *
port 6*70 - GateCrasher
port 7000 - Remote Grab, Kazimas
port 7*00 - NetMonitor
port 7*0* - NetMonitor
port 7*06 - NetMonitor
port 7*07 - NetMonitor
port 7*08 - NetMonitor
port 778* - Back Door Setup, ICKiller
port 8080 - RingZero
port *400 - InCommand
port *872 - Portal of Doom
port *87* - Portal of Doom
port *874 - Portal of Doom
port *875 - Portal of Doom
port *876 - Cyber Attacker
port *878 - TransScout
port **8* - iNi-Killer
port *0067 (UDP) - Portal of Doom
port *0*0* - BrainSpy
port *0*67 (UDP) - Portal of Doom
port *0520 - Acid Shivers
port *0607 - Coma
port **000 - Senna Spy
port **22* - Progenic trojan
port *2076 - Gjamer
port *222* - Hack'** KeyLogger
port *2*45 - GabanBus, NetBus, Pie Bill Gates, X-bill
port *2*46 - GabanBus, NetBus, X-bill
port *2*6* - Whack-a-mole
port *2*62 - Whack-a-mole
port *26** - WhackJob
port **000 - Senna Spy
port *6*6* - Priority
port *7*00 - Kuang2 The Virus
port 20000 - Millennium
port 2000* - Millennium
port 200*4 - NetBus 2 Pro
port 2020* - Logged
port 2*544 - GirlFriend
port 22222 - Prosiak
port 2*456 - Evil FTP, Ugly FTP, Whack Job
port 2*476 - Donald Dick
port 2*477 - Donald Dick
port 26274 (UDP) - Delta Source
port 2*8** (UDP) - The Unexplained
port *002* - AOL Trojan
port *0*00 - NetSphere
port *0*0* - NetSphere
port *0*02 - NetSphere
port *0*0* - Sockets de Troie
port *0*** - Kuang2
port ****6 - Bo Whack
port ****7 - Baron Night, BO client, BO2, Bo Facil
port ****7 (UDP) - BackFire, Back Orifice, DeepBO
port ****8 - NetSpy DK
port ****8 (UDP) - Back Orifice, DeepBO
port ***** - NetSpy DK
port **666 - BOWhack
port **785 - Hack'a'Tack
port **787 - Hack'a'Tack
port **788 - Hack'a'Tack
port **78* (UDP) - Hack'a'Tack
port **7** (UDP) - Hack'a'Tack
port **7*2 - Hack'a'Tack
port ***** - Prosiak
port ***** - Spirit 200*a
port *4*24 - BigGluck, TN
port 404*2 - The Spy
port 4042* - Agent 4042*, ******s Paradise
port 40422 - ******s Paradise
port 4042* - ******s Paradise
port 40426 - ******s Paradise
port 47262 (UDP) - Delta Source
port 50505 - Sockets de Troie
port 50766 - Fore, Schwindler
port 5*00* - Remote Windows Shutdown
port 54*20 - Back Orifice 2000
port 54*2* - School Bus
port 54*2* (UDP) - Back Orifice 2000
port 60000 - Deep Throat
port 6*466 - Telecommando
port 65000 - Devil

In due time we will try to publish lists of known trojan files and display them in alphabetical order and by size to help scan through your computers. At this moment I am reconstructing my database to make the work possible. We will also put up a couple of programmes to help you detect and unmask all those hostile files.

If you have information about ports used by trojans not listed above, please contact me. And if you have any questions, do not hesitate to mail me.

Joakim von Braun
joakim.von.braun@risab.se


regards Data.

Unregistered
04-16-2002, 11:50 AM
What a surprise, Data you are actually .........? Wow. I've had that email address for awhile with your list. Regards, Newbietoo

Teflon Down Und
04-16-2002, 11:51 PM
I appreciate all the information.

Blacksheep, I tried the demo version of TCPView and it's a good tool. Something I like better, though, is Vision by Foundstone Tools or the command shell utility - FportNG. I found both of them on a CD in the back of Hacking Exposed, *rd Edition.

Newbietoo, thanks for the website reference. It definitely deserved a bookmark.

DATA
04-17-2002, 03:41 AM
HI NEWBIETOO,


> What a surprise, Data you are actually .........? Wow. I've had that email address for awhile with your list. Regards, Newbietoo

I am me, dunno what u r talking about :)

> I've had that email address for awhile with your list.

Which list?

U must be misunderstanding me for someone else.

regards Data.

Unregistered
04-17-2002, 11:50 AM
Hi Data: re your post with the list. At the end it says "email me at--and name is joakim.von.braun, of course the author of the list, not you. From the post, it just seemed as though the list was "yours". Sorry :) Silly newbie. And here I go again - forum members should never give their email addresses in a public posting. Regards, Newbietoo

fE¨·.·¨Er
04-17-2002, 08:45 PM
Originally posted by Unregistered
Hi Data: re your post with the list. ............................. - forum members should never give their email addresses in a public posting. Regards, Newbietoo

---------------------------------------------------

Allow me to disagree with you, Newbietoo. I do not see any valid reason why not to give the email address in this forum.
Can somebody explain what kind of high risk am I taking by "exposing myself to this danger" and letting anyone having something to say, to send me a mail to
www@microsoft.gotdns.com