Full Version: Ultimate Port Reference List !
Moore
=================================
------------------------------------------------
PORTS REFERENCE LIST ---------------
------------------------------------------------
=================================


This is the most up to date port and process list from Diamondcs.com.au:

New Port REF updates available from here:
http://tds.diamondcs.com.au/portref.txt


-------------------------------------------------------------------------------

Download this great port lookup file below to your desktop!

- ONLINE PORT SEARCH - Updated 1/27/2004 -
http://lists.gpick.com/portlist/lookup.asp

Port Reference is available for download as a Windows HTML Help (.chm) file.
The help file is available in two formats, double page, like the web site, and single page,
with the lookup at the top of the port list.

---------------------------------------------------------------------------------


Read this review of the top PORT monitoring tools available:

QUOTE
One of the most frequently fielded questions among security analysts is,
"Do I have a Trojan-horse program if I've found a port open on my computer?"
Variations of this question litter security mailing lists, but the answer is always the same: Trace the port number to the program that's opening the port, and investigate the program.
The process of tracing an open port to its causative agent is called port enumeration (or port mapping).
Of course, the answer assumes that you have an adequate understanding of port numbers, a good port-enumeration tool, and the ability to research whether the found program is malicious.
Let's take a look at port enumeration in general, then review 11 Windows port enumerators.


http://www.winnetmag.com/WindowsSecurity/A...rity_40313.html

------------------------------------------------------------------------------------
Don't forget to read the Anti-Trojan guide:
http://www.bluetack.co.uk/forums/index.php...p?showtopic=770
-------------------------------------------------------------------------------------

Tried and tested PORT TOOLS : (port to process mappers)

free tools -
TCPView - (Window$ 98/ME/XP) - {TCPView Pro is not compatible with Norton Antivirus; TCPView free is, though.}
http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Netstat Viewer - Window$ (98-ME-XP) - simple, easy-to-use netstat GUI.
http://www.misec.net/freeware/

F-PORT - fport supports Window$ NT4/2000/XP - command-line program.
http://www.foundstone.com/index.htm?subnav...ddesc/fport.htm

the best- $$$
Port Explorer-
http://www.diamondcs.com.au/portexplorer/

------------------------------------------------------------------------------------

One of the best PORT information security pages:
http://www.chebucto.ns.ca/~rakerman/trojan...port-table.html

This page documents DANGEROUS TCP/IP ports, that are used by trojan horse and backdoor programs or that expose system vulnerabilities, that hackers use to break into your network.

These are ports that you definitely want closed, possibly with firewall alarms set on them to detect any external probes or internal compromise.

Please note that trojans can use the same port number as legitimate services; therefore, just because a port shows up, it doesn't necessarily mean that it has been trojanized.



This search page is also worth a look for TCP/UDP trojan info and more:
http://www.emsisoft.com/en/kb/portlist/Default.aspx

Commonly used ports:
http://www.vtestaconsultants.com/commonports.htm

Port scans:
http://www.by-users.co.uk/faqs/security/portscans/

===============================================

DELIMITER=":"
0:(Reserved)
1:TCP-MUX - TCP Port Service Multiplexer. Common start for port-scans
2:COMPRESSNET - Management Utility, RAT: Death
3:COMPRESSNET - Compression Process
4:SFSSD - Self-Certifying File System Daemon
5:RJE - Remote Job Entry (RFC 725)
7:Echo Protocol (RFC 862), RAT: GForce
9:Discard Protocol (RFC 863)
11:SYSSTAT - System Status, Active Users, RAT: NetSlayer
12:RAT: Red Horse
13:Daytime Protocol (RFC 867)
15:NETSTAT - Network Status
17:QOTD - Quote of the Day Protocol (RFC 865)
18:MSP - Message Send Protocol (RFC 1312)
19:CHARGEN - Character Generator (RFC 864), RAT: Infector
20:FTP-DATA - File Transfer Protocol [Data] (RFC 354), RAT: Senna Spy FTP server
21:FTP - File Transfer Protocol [Control] (RFC 354), RAT: Back Construction, Blade Runner, Doly Trojan, Fore, Invisible FTP, Juggernaut, Reverse Trojan, Larva, MotIv FTP, Net Administrator, Senna Spy FTP server, Traitor 21, WebEx, WinCrash, NerTe, LittleWitch FTP, NMKB, MaLPaYo, FTP.Owned FTP, Diems Mutter, TrojMax, FreddyK, LMR, PaSzCzuS
22:SSH - SSH (Secure Shell) Remote Login Protocol, RAT: Shaft, Shadow Remote, Bingle
23:Telnet Protocol (RFC 854), WinGate, RAT: Fire HacKer, Tiny Telnet Server - TTS, Truva Atl, RTB666, TelnetPro 1.0, Swarm, Baron Night, AlphaDog, MMX, Net Coach, PEST, Manipulator Lite, Mind Control
24:PMS - Private Mail System
25:SMTP - Simple Mail Transfer Protocol (RFC 913), RAT: Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy, Under7 Pro
27:NSW-FE - NSW User System FE
28:RAT: Googs, FTP.Rewind
29:MSG-ICP - Message ICP
31:MSG Authentication, RAT: Agent 31, Hackers Paradise, Masters Paradise
33:DSP - Display Support Protocol
35:PPS - Private Printer Server
36:RAT: Dizer
37:Time Protocol (RFC 868)
38:RAP - Internet Route Access Protocol (RFC 1476)
39:RLP - Resource Location Protocol (RFC 887)
41:Graphics Protocol (RFC 493), RAT: Deep Throat, Foreplay or Reduced Foreplay
42:NAMESERVER - Host Name Server (RFC 953)
43:WHOIS - Who Is (RFC 812)
44:MPM-FLAGS - MPM FLAGS Protocol
45:MPM - Message Processing Module (Receive)
46:MPM-SND - Message Processing Module (Send)
47:NI-FTP - NI FTP (File Transfer Protocol)
48:AUDITD - Digital Audit Daemon, RAT: DRAT
49:BBN-LOGIN - Login Host Protocol (TACACS) (RFC 1492)
50:RE-MAIL-CK - Remote Mail Checking Protocol (RFC 1339), RAT: DRAT
51:LA-MAINT - IMP Logical Address Maintenance, RAT: FLB
52:XNS-TIME - XNS Time Protocol, RAT: Muska52
53:DOMAIN - Domain Name Server, RAT: Muska52
54:XNS-CH - XNS Clearinghouse, RAT: Muska52
55:ISI-GL - ISI Graphics Language, RAT: Muska52
56:XNS-AUTH - XNS Authentication
57:MTP - Private terminal access
58:XNS-MAIL - XNS Mail, RAT: DMSetup
59:PFS - Private File System, RAT: DMSetup
61:NI-MAIL
62:ACAS - ACA Services
63:WHOIS++ - whois++ (RFC 1834)
64:COVIA - Communications Integrator (CI)
65:TACACS-DS - TACACS-Database Service
66:SQL*NET - Oracle SQL*NET, RAT: Albareki, Storm, Dark Sill
67:BOOTPS - Bootstrap Protocol Server (RFC 951)
68:BOOTPC - Bootstrap Protocol Client (RFC 951)
69:TFTP - Trivial File Transfer Protocol (RFC 1986), RAT: Pasana
70:GOPHER - Gopher (RFC 1436)
71:NETRJS-1 - Remote Job Service
72:NETRJS-2 - Remote Job Service
73:NETRJS-3 - Remote Job Service
74:NETRJS-4 - Remote Job Service
75:PDOS - Private dial out service
76:DEOS - Distributed External Object Store
77:RJE - Private RJE (Remote Job Entry) service
78:VETTCP
79:Name/Finger Protocol (RFC 742), RAT: CDK, Firehotcker
80:WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol) (RFC 1945), RAT: AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero, RTB666, NerTe, 23, Keylog.ev0, m invisible webserver lite, IIEx, Haan, ItAdEm, Task-X, HTTP, Back Attack
81:HOSTS2-NS - HOSTS2 Name Server, RAT: RemoConChubo, 23
82:XFER Utility
83:MIT-ML-DEV
84:CTF - Common Trace Facility
85:MIT-ML-DEV - MIT ML Device
86:MFCOBOL - Micro Focus Cobol
87:LINK - Private terminal link
88:KERBEROS, RAT: Deaths Corner
89:SU-MIT-TG - SU/MIT Telnet Gateway
90:DNSIX - DNSIX Security Attribute Token Map, RAT: NetGod
91:MIT Dover Spooler, RAT: Delf.cc
92:NPP - Network Printing Protocol, RAT: Delf.cc
93:DCP - Device Control Protocol
94:OBJCALL - Tivoli Object Dispatcher
95:SUPDUP
96:DIXIE - DIXIE Protocol Specification (RFC 1249)
97:SWIFT-RVF - Swift Remote Virtual File Protocol
98:TAC News, RAT: Delf.cc
99:Metagram Relay, RAT: Hidden port, Delf.cc
100:NEWACCT - [unauthorized use], RAT: Manipulator, Googs, Back Atack
101:HOSTNAMES - NIC Host Name Server, RAT: Udps, Back Atack
102:ISO-TSAP Class 0, RAT: Carved, Back Atack
103:Genesis Point-to-Point Trans Net, Webster Dictionary / x400, RAT: Back Atack
104:X400-SND - x400-snd, ACR-NEMA Digital Imag. & Comm. 300, RAT: Back Atack
105:CSNET-NS - Mailbox Name Nameserver
106:3COM-TSMUX
107:RTELNET - Remote Telnet Service
108:SNAGAS - SNA Gateway Access Server
109:POP - Post Office Protocol - Version 2 (RFC 937)
110:POP3 - Post Office Protocol - Version 3 (RFC 1081), RAT: ProMail trojan, Latinus or variant, Vagr
111:SUNRPC - SUN Remote Procedure Call (RFC 1050)
112:MCIDAS - McIDAS Data Transmission Protocol, RAT: Keylog.PEST
113:IDENT - Identification/Authentication Service (RFC 1413), RAT: Invisible Identd Deamon, Kazimas, Cyn
114:AUDIONEWS - Audio News Multicast
115:SFTP - Simple File Transfer Protocol (RFC 913)
116:ANSANOTIFY - ANSA REX Notify
117:UUCP-PATH - UUCP Path Service
118:SQL Services
119:NNTP - Network News Transfer Protocol (RFC 977), RAT: Happy99
120:CFDPTKT
121:ERPC - Encore Expedited Remote Pro.Call, RAT: BO JammerkillahV, HAW
122:SMAKYNET, RAT: Skun
123:NTP - Network Time Protocol (RFC 958), RAT: Net Controller, Gift, Wintrix, Freeze, Propel, ZUD, Ass4ss1n, Peeper, Madfind
124:ANSATRADER - ANSA REX Trader
125:LOCUS-MAP - Locus PC-Interface Net Map Ser
126:UNITARY - Unisys Unitary Login
127:LOCUS-CON - Locus PC-Interface Conn Server
128:GSS-XLICEN - GSS X License Verification
129:PWDGEN - Password Generator Protocol
130:Cisco FNATIVE
131:Cisco TNATIVE, RAT: Delf.cc
132:Cisco SYSMAINT
133:STATSRV - Statistics Service, RAT: Farnaz
134:INGRES-NET - INGRES-NET Service
135:DCE endpoint resolution, RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
136:PROFILE - PROFILE Naming System
137:NBNS - NETBIOS Name Service
138:NBDGM - NETBIOS Datagram Service, RAT: LazyAdmin
139:NBSSN - NETBIOS Session Service
140:EMFIS-DATA - EMFIS Data Service
141:EMFIS-CNTL - EMFIS Control Service
142:BL-IDM - Britton-Lee IDM, RAT: NetTaxi
143:IMAP - Interactive Mail Access Protocol v2 (RFC 1064), RAT: Back Atack
144:NEWS
145:UAAC Protocol
146:ISO-IP0, RAT: Infector
147:ISO-IP
148:CRONUS - CRONUS-SUPPORT, Jargon
149:AED-512 - AED 512 Emulation Service
150:SQL-NET
151:HEMS
152:BFTP - Background File Transfer Program
153:SGMP
154:NETSC-PROD - NETSC
155:NETSC-DEV - NETSC
156:SQLSRV - SQL Service
157:KNET-CMP - KNET/VM Command/Message Protocol
158:PCMAIL-SRV - PCMail Server
159:NSS-ROUTING - NSS-Routing
160:SGMP-TRAPS - SGMP-TRAPS, RAT: Infector II
161:SNMP - Simple Network Management Protocol (RFC 1067)
162:SNMPTRAP - SNMPTRAP (Simple Network Management Protocol) (RFC 1067)
163:CMIP-MAN - CMIP/TCP Manager
164:CMIP-AGENT - CMIP/TCP Agent
165:XNS-COURIER - Xerox
166:S-NET - Sirius Systems
167:NAMP
168:RSVD
169:SEND
170:PRINT-SRV - Network PostScript, RAT: A-trojan
171:MULTIPLEX - Network Innovations Multiplex
172:CL/1 - Network Innovations CL/1
173:XYPLEX-MUX - Xyplex
174:MAILQ
175:VMNET
176:GENRAD-MUX - GENRAD-MUX
177:XDMCP - X Display Manager Control Protocol
178:NEXTSTEP - NextStep Window Server
179:BGP - Border Gateway Protocol (RFC 1105), RAT: Delf.cc
180:RIS - Intergraph
181:UNIFY - Unify
182:AUDIT - Unisys Audit SITP
183:OCBINDER - OCBinder
184:OCSERVER - OCServer
185:REMOTE-KIS - Remote-KIS
186:KIS - KIS Protocol
187:ACI - Application Communication Interface
188:MUMPS - Plus Five's MUMPS
189:QFT - Queued File Transport
190:GACP - Gateway Access Control Protocol
191:PROSPERO - Prospero Directory Service
192:OSU-NMS - OSU Network Monitoring System
193:SRMP - Spider Remote Monitoring Protocol
194:IRC - Internet Relay Chat Protocol (RFC 1459)
195:DN6-NLM-AUD - DNSIX Network Level Module Audit
196:DN6-SMM-RED - DNSIX Session Mgt Module Audit Redir
197:DLS - Directory Location Service
198:DLS-MON - Directory Location Service Monitor
199:SMUX
200:SRC - IBM System Resource Controller, RAT: Cyberspy, Rebate
201:AT-RTMP - AppleTalk Routing Maintenance, RAT: One, Kernel32
202:AT-NBP - AppleTalk Name Binding
203:AT-3 - AppleTalk Unused
204:AT-ECHO - AppleTalk Echo
205:AT-5 - AppleTalk Unused
206:AT-ZIS - AppleTalk Zone Information
207:AT-7 - AppleTalk Unused
208:AT-8 - AppleTalk Unused
209:QMTP - The Quick Mail Transfer Protocol
210:Z39.50 - ANSI Z39.50, RAT: FTP.Anal FTP
211:914C/G - Texas Instruments 914C/G Terminal, RAT: One
212:ANET - ATEXSSTR
213:IPX
214:VMPWSCS - VM PWSCS
215:SOFTPC - Insignia Solutions
216:CAILIC - Computer Associates Int'l License Server
217:DBASE - dBASE Unix
218:MPP - Netix Message Posting Protocol (RFC 1204)
219:UARPS - Unisys ARPs
220:IMAP3 - Interactive Mail Access Protocol v3
221:FLN-SPX - Berkeley rlogind with SPX auth, RAT: Snape
222:RSH-SPX - Berkeley rshd with SPX auth, RAT: NeuroticKat, Snape
223:CDC - Certificate Distribution Center
242:Direct
243:SUR-MEAS - Survey Measurement
244:Dayna
245:LINK - LINK
246:DSP3270 - Display Systems Protocol
256:RAP
257:Secure Electronic Transaction
258:Yak Winsock Personal Chat
259:Efficient Short Remote Operations
260:Openport
261:IIOP Name Service over TLS/SSL
262:ARCISDMS - Arcisdms
263:HDAP
280:HTTP-MGMT - http-mgmt
281:Personal Link
282:CABLEPORT-AX - Cable Port A/X
285:RAT: Webcam Trojan
299:RAT: One
303:RAT: Nova
304:RAT: Nova
305:RAT: Nova
306:RAT: Nova
309:ENTRUSTTIME - EntrustTime
314:RAT: Blaire
333:RAT: NeoPets
334:RAT: Backage
344:PDAP - Prospero Data Access Protocol
345:PAWSERV - Perf Analysis Workbench, RAT: Cang, XZ
346:ZSERV - Zebra server
347:FATSERV - Fatmen Server
348:CSI-SGWP - Cabletron Management Protocol
350:MATIP Type A
351:MATIP Type B
352:DTG-STE-SB - DTAG
370:RAT: NeuroticKat
371:CLEAR - Clearcase
372:ULISTSERV - Unix Listserv
373:LEGENT-1 - Legent Corporation
374:LEGENT-2 - Legent Corporation
375:HASSLE
376:NIP - Amiga Envoy Network Inquiry Proto
377:TNETOS - NEC Corporation
378:DSETOS - NEC Corporation
379:IS99C - TIA/EIA/IS-99 modem client
380:IS99S - TIA/EIA/IS-99 modem server
381:HP-COLLECTOR - HP Performance Data Collector
382:HP-MANAGED-NODE - HP Performance Data Managed Node
383:HP-ALARM-MGR - HP Performance Data Alarm Manager
384:ARNS - A Remote Network Server System
385:IBM-APP - IBM Application
386:ASA - ASA Message Router Object Def.
387:AURP - Appletalk Update-Based Routing Pro.
388:UNIDATA-LDM - Unidata LDM Version 4
389:LDAP - Lightweight Directory Access Protocol (RFC 1777)
390:UIS
391:SYNOTICS-RELAY - SynOptics SNMP Relay Port
392:SYNOTICS-BROKER - SynOptics Port Broker Port
393:DIS - Data Interpretation System
394:EMBL-NDT - EMBL Nucleic Data Transfer
395:NETCP - NETscout Control Protocol
396:NETWARE-IP - Novell Netware over IP
397:MPTN - Multi Protocol Trans. Net.
398:KRYPTOLAN
399:ISO-TSAP-C2 - ISO Transport Class 2 Non-Control over TCP
400:WORK-SOL - Workstation Solutions
401:UPS - Uninterruptible Power Supply, RAT: One
402:Genie Protocol
403:DECAP
404:NCED, RAT: Orbit
405:NCLD
406:IMSP - Interactive Mail Support Protocol
407:TIMBUKTU - Timbuktu
408:PRM-SM - Prospero Resource Manager Sys. Man.
409:PRM-NM - Prospero Resource Manager Node Man.
410:DECLADEBUG - DECLadebug Remote Debug Protocol
411:RMT - Remote MT Protocol
412:SYNOPTICS-TRAP - Trap Convention Port, Direct Connect Peer-2-Peer File Sharing
413:SMSP - SMSP
414:INFOSEEK - InfoSeek
415:BNET - BNet
416:Silverplatter, RAT: Monator
417:Onmux
418:Hyper-G
419:ARIEL1
420:SMPTE - SMPTE, RAT: Breach, Exploiter, Freddy K, Girlfriend
421:ARIEL2, RAT: TCP Wrappers trojan
422:ARIEL3
423:OPC-JOB-START - IBM Operations Planning and Control Start
424:OPC-JOB-TRACK - IBM Operations Planning and Control Track
425:ICAD-EL
426:SMARTSDP - smartsdp
427:SVRLOC - Server Location
428:OCS_CMU
429:OCS_AMU
430:UTMPSD
431:UTMPCD
432:IASD
433:NNSP
434:MobileIP-Agent
435:MOBILIP-MN
436:DNA-CML
437:COMSCM
438:DSFGW
439:DASP
440:SGCP
441:DECVMS-SYSMGT
442:CVC_HOSTD
443:HTTPS - HTTPS (Hyper Text Transfer Protocol Secure) - SSL (Secure Socket Layer)
444:SNPP - Simple Network Paging Protocol (RFC 1568)
445:MICROSOFT-DS
446:DDM-RDB
447:DDM-DFM
448:DDM-BYTE
449:AS Server Mapper
450:TSERVER
451:SFS-SMP-NET - Cray Network Semaphore server
452:SFS-CONFIG - Cray SFS config server, RAT: OMPN Flash, OMPN Magic
453:CREATIVESERVER - CreativeServer
454:CONTENTSERVER - ContentServer, RAT: DTCold
455:CREATIVEPARTNR - CreativePartnr, RAT: Hackers Paradise, Fatal Connections
456:MACON-TCP - macon-tcp, RAT: Hackers Paradise, Daniel, Keylog.Clandestine 2
457:SCOHELP
458:APPLEQTC - Apple Quick Time
459:AMPR-RCMD
460:SKRONK
461:DATASURFSRV
462:DATASURFSRVSEC
463:ALPES
464:KPASSWD
465:SSMTP - SMTP Protocol over TLS/SSL (was ssmtp)
466:DIGITAL-VRC
467:MYLEX-MAPD
468:PHOTURIS
469:RCP - Radio Control Protocol
470:SCX-PROXY
471:MONDEX
472:LJK-LOGIN
473:HYBRID-POP
474:TN-TL-W1
475:TCPNETHASPSRV
476:TN-TL-FD1
477:SS7NS
478:SPSC
479:IAFSERVER
480:IAFDBASE
481:PH - Ph service
482:BGS-NSI
483:ULPNET
484:INTEGRA-SME - Integra Software Management Environment
485:POWERBURST - Air Soft Power Burst
486:AVIAN
487:SAFT
488:GSS-HTTP
489:NEST-PROTOCOL
490:MICOM-PFS
491:GO-LOGIN
492:TICF-1 - Transport Independent Convergence for FNA
493:TICF-2 - Transport Independent Convergence for FNA
494:POV-RAY
495:INTECOURIER
496:PIM-RP-DISC
497:DANTZ
498:SIAM
499:ISO ILL Protocol
500:ISAKMP, RAT: Optix Pro
501:STMF
502:ASA-APPL-PROTO, RAT: Optix Pro
503:INTRINSA, RAT: Optix Pro
504:CITADEL
505:MAILBOX-LM
506:OHIMSRV
507:CRS
508:XVTTP
509:SNARE
510:FCP - FirstClass Protocol
511:MYNET
512:EXEC - Remote Process Execution
513:LOGIN - Remote Login via Telnet, RAT: Grlogin
514:SHELL - Automatic Remote Process Execution, cmd, RAT: RPC Backdoor, Whacky
515:PRINTER - Printer Spooler
516:videotex
517:TALK - like tenex link, but across
518:NTALK
519:UTIME - Unix Time
520:EFS - Extended File Server, RIP
521:RIPNG
522:ULP
523:IBM-DB2
524:NCP
525:TIMED - Time Server
526:TEMPO - newdate
527:Stock IXChange
528:Customer IXChange
529:IRC-SERV
530:COURIER - rpc
531:CONFERENCE - chat, RAT: Trojan.SemiSoft, Net.666, Rasmin
532:NETNEWS - readnews
533:NETWALL - Emergency Broadcasts
534:MM-ADMIN - MegaMedia Admin
535:IIOP
536:OPALIS-RDV
537:NMSP - Networked Media Streaming Protocol
538:GDOMAP
539:APERTUS-LDP - Apertus Technologies Load Determination
540:UUCP - UUCP Daemon
541:UUCP - UUCP-RLOGIN - uucp (Unix to Unix Copy) - rlogin (Remote Login)
542:COMMERCE
543:KLOGIN - Kerberos Authenticated Login, RAT: Cang
544:KSHELL - krcmd
545:APPLEQTCSRVR - Apple qtcsrvr
546:DHCP-CLIENT - DHCP (Dynamic Host Configuration Protocol) Client
547:DHCP-SERVER - DHCP (Dynamic Host Configuration Protocol) Server
548:AFPOVERTCP - AFP over TCP
549:IDFP
550:NEW-RWHO
551:CYBERCASH
552:DEVICESHARE
553:PIRP
554:RTSP - Real Time Stream Control Protocol
555:DSF - DSF, RAT: Net Administrator, Phase Zero, Phase-0, Stealth Spy
556:REMOTEFS - rfs (Remote File System) server
557:OPENVMS-SYSIPC - openvms-sysipc
558:SDNSKMP
559:TEEDTAP
560:RMONITOR
561:MONITOR
562:CHSHELL
563:NNTPS - NNTP Protocol over TLS/SSL (was snntp)
564:9PFS - plan 9 file service, RAT: Oracle
565:WHOAMI
566:STREETTALK
567:BANYAN-RPC, RAT: hRat
568:Microsoft Shuttle
569:Microsoft Rome
570:demon
571:udemon
572:sonar
573:Banyan-VIP
574:FTP-AGENT - FTP Software Agent System
575:VEMMI
576:IPCD
577:VNAS
578:IPDD
579:DECBSRV
580:SNTP-HEARTBEAT
581:BDP - Bundle Discovery Protocol (RFC 2701)
582:SCC-Security
583:Philips-VC - Philips Video-Conferencing
584:KeyServer
585:IMAP4-SSL
586:PASSWORD-CHG - Password Change
587:SUBMISSION
600:IPCSERVER - Sun IPC server
605:RAT: Secret Service
606:URM - Cray Unified Resource Manager
607:NQS
608:SIFT-UFT - Sender-Initiated/Unsolicited File Transfer
609:NPMP-TRAP
610:NPMP-LOCAL
611:NPMP-GUI
612:HMMP-IND
613:HMMP-OP
614:SSLSHELL
615:SCO-INETMGR - Internet Configuration Manager
616:SCO-SYSMGR - SCO System Administration Server
617:SCO-DTMGR - SCO Desktop Administration Server
618:DEI-ICDA
619:DIGITAL-EVM
620:SCO-WEBSRVRMGR - SCO WebServer Manager
621:ESCP-IP
623:RAT: RTB666
633:SERVSTAT - Service Status update (Sterling Software)
634:GINAD
635:RLZDBASE - RLZ DBase
636:LDAPS - ldap Protocol over TLS/SSL (was sldap)
637:LANSERVER
650:RAT: Assasin
654:RAT: HoaVeLu
660:RAT: Zaratustra
661:RAT: NokNok
665:RAT: Cyn
666:Doom (Id Software), RAT: Peur de Rien FTP, Attack FTP, Back Construction, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, F-BackDoor, Worm.Grifin Remote Control, Uprising, Dimbus, TiVedo, MAD, Storm, Ulysses, Beast, Plateau, MaLPaYo, Dracula, Cyn, Dark Sill, InetWatch, DXM SMTP, Slawek
667:DISCLOSURE - campaign contribution disclosures, RAT: SniperNet, Slawek
668:MECOMM
669:MEREGISTER - MeRegister, RAT: DP trojan
670:VACDSM-SWS
671:VACDSM-APP
672:VPPS-QUA
673:CIMPLEX, RAT: Hornet
674:ACAP
680:RAT: RTB666
692:RAT: GayOL, Lightning
693:RAT: Lightning
704:ELCSD - errlog copy/server daemon
705:AGENTX - AgentX
709:ENTRUST-KMSH - EntrustManager
710:ENTRUST-ASH - Entrust Administration Service Handler
715:RAT: Anal Rape
717:RAT: DDoS.RAT.HLHSI
729:NETVIEWDM1 - IBM NetView DM/6000 Server/Client
730:NETVIEWDM2 - IBM NetView DM/6000 send/tcp, RAT: Keylog.typ0
731:NETVIEWDM3 - IBM NetView DM/6000 receive/tcp
741:NETGW
742:NETRCS - Network based Rev. Cont. Sys.
744:FLEXLM - Flexible License Manager
747:FUJITSU-DEV - Fujitsu Device Control
748:RIS-CM - Russell Info Sci Calendar Manager
749:KERBEROS-ADM - kerberos administration
750:RFILE - RFILE
751:PUMP - PUMP
752:QRH - QRH
753:RRH - RRH
754:TELL - SEND, RAT: DTCold
758:NLOGIN - NLOGIN
759:CON - CON
760:NS - NS
761:RXE - RXE
762:QUOTAD - QUOTAD
763:CYCLESERV - CYCLESERV
764:OMSERV - OMSERV
765:WEBSTER - WEBSTER
767:PHONEBOOK - phone
769:VID - VID
770:CADLOCK - CADLOCK
771:RTIP - RTIP
772:CYCLESERV2 - CYCLESERV2
773:SUBMIT - SUBMIT
774:RPASSWD - RPASSWD
775:ENTOMB - ENTOMB
776:WPAGES - WPAGES
777:RAT: AimSpy, Undetected, Tiny, CS Trojan
780:WPGS - WPGS
786:CONCERT - Concert
789:RAT: AIM Robber
798:RAT: Oracle
800:MDBS_DAEMON - MDBS_DAEMON, RAT: NeuroticKitten, Pilot
801:DEVICE - DEVICE
808:RAT: WinHole
831:RAT: NeuroticKat
886:ICLCNET-LOCATE - ICL coNETion locate server
887:ICLCNET_SVINFO - ICL coNETion server info
888:ACCESSBUILDER - AccessBuilder, CDDATABASE - CDDataBase, RAT: LANfiltrator
890:RAT: DSK Lite
891:RAT: DSK Lite
901:RAT: Net-Devil
902:RAT: Net-Devil
903:RAT: Net-Devil
910:RAT: DTCold
911:XACT-BACKUP - xact-backup, RAT: Dark Shadow, NetCrack, Keylog.Dreamscape, Dua ti choi, Mind Control
912:RAT: NetCrack
929:RAT: Avone
939:RAT: Avone
954:RAT: Hydroleak
963:RAT: Splitter
989:FTPS-DATA - FTP Protocol, data, over TLS/SSL
990:FTPS - FTP Protocol, control, over TLS/SSL
991:NAS - Netnews Administration System, RAT: Snape
992:TELNETS - telnet Protocol over TLS/SSL, RAT: Snape
993:IMAPS - Imap4 Protocol over TLS/SSL
994:IRCS - irc Protocol over TLS/SSL
995:POP3S - Pop3 (Post Office Protocol) over TLS/SSL
996:VSINET - vsinet
997:MAITRD - MAITRD, RAT: Matrix
998:BUSBOY - BUSBOY
999:PUPROUTER - PUPROUTER, RAT: Deep Throat, Foreplay or Reduced Foreplay, WinSatan, LANfiltrator
1000:CADLOCK - CADLOCK, RAT: Der Spaeher 3, Theef, U321, Destruktor, Nucker
1001:RAT: Der Spaeher 3, Le Guardien, Silencer, WebEx, Theef, One, Priority, Lula, Eljefe, Havoc, Darkscan, RFM, Winsock Commander, Keylog.RemoteCon, Jinmozhe, Yello, Adele
1002:RAT: XQDoor
1003:RAT: Darkscan, FTP.Avanzado, Jinmozhe
1005:RAT: Theef
1010:RAT: Doly Trojan
1011:RAT: Doly Trojan, Arturik, Inclined
1012:RAT: Doly Trojan
1015:RAT: Doly Trojan, JoTroj
1016:RAT: Doly Trojan
1020:RAT: Vampire
1023:RESERVED - Reserved
1024:OLD_FINGER - old_finger, RAT: Psyber Streaming Server, NetSpy, R.A.T, Alex
1025:BLACKJACK - network blackjack, LISTEN - listen, RAT: Gaura
1026:NTERM - nterm
1027:RAT: Latinus, FTS
1028:RAT: HacKErZ
1029:ICQ Instant Messenger, RAT: Latinus
1030:IAD1 - BBN IAD, RAT: Clandestine, Igloo
1031:IAD2 - BBN IAD, RAT: UltimateRAT
1032:IAD3 - BBN IAD, RAT: G.R.O.B
1033:RAT: Netspy
1036:RAT: Way 2002
1037:RAT: MoSucker
1039:RAT: Happy
1040:RAT: Infiltration
1042:RAT: Bla, Rasmin
1045:RAT: Rasmin
1046:RAT: Quetnek
1047:NEOD1 - Sun's NEO Object Request Broker
1048:NEOD2 - Sun's NEO Object Request Broker
1049:/sbin/initd, RAT: NewFuture
1050:RAT: MiniCommand
1052:RAT: NK
1054:RAT: AckCmd
1058:NIM - nim
1059:NIMREG - nimreg
1062:RAT: Newon
1067:INSTL_BOOTS - Installation Bootstrap Proto. Serv.
1068:INSTL_BOOTC - Installation Bootstrap Proto. Cli.
1080:SOCKS - Proxy, RAT: WinHole, Broser
1081:RAT: WinHole
1082:RAT: WinHole
1083:ANSOFT-LM-1 - Anasoft License Manager, RAT: WinHole
1084:ANSOFT-LM-2 - Anasoft License Manager
1090:RAT: Xtreme
1095:RAT: RAT
1097:RAT: RAT
1098:RAT: RAT
1099:RAT: Blood Fest Evolution, RAT
1101:RAT: Rths
1102:RAT: Rths
1103:RAT: Rths
1104:RAT: Rths
1105:RAT: Rths
1106:RAT: Rths
1107:RAT: Rths
1108:RAT: Rths
1109:KPOP - kpop, RAT: Rths
1110:NFSD-STATUS - Cluster status info, RAT: Rths
1111:LMSOCIALSERVER - LM Social Server, RAT: RemoteXS, Nemesis, X-Filer, NetSpy II, Way, Rths, Dzyckz
1112:RAT: Rths
1113:RAT: Rths
1114:RAT: TransScout, Way, Rths
1115:RAT: TransScout, Lurker, Rths
1116:RAT: TransScout, Lurker
1117:RAT: TransScout
1119:RAT: CNGhost
1122:RAT: Last2000
1123:MURRAY - Murray
1130:RAT: NokNok
1133:RAT: Dindang
1134:RAT: Dindang
1155:NFA - Network File Access
1158:RAT: Stang
1170:RAT: Psyber Stream Server - PSS, Streaming Audio Server, Voice
1180:MC-CLIENT - Millicent Client Proxy
1182:RAT: Dobol
1183:RAT: GirlBoy, PSW.Remote Fake Login
1190:RAT: Ojo
1200:RAT: NoBackO, TMS
1201:RAT: NoBackO
1207:RAT: SoftWar
1212:LUPA - lupa, RAT: Kaos, NeoPets, Red-Spy
1214:KaZaA - KaZaA P2P File Sharing, RAT: RemoteControl, Muniu, Hawk
1215:RAT: Force, RemoteControl, Muniu
1216:RAT: RemoteControl, Muniu, Hawk
1217:RAT: RemoteControl, Muniu, Hawk
1218:RAT: Schneckenkorn
1219:RAT: Schneckenkorn, x2a
1221:RAT: Spy, FLB, RVC
1222:NERV - SNI R&D network, FLB
1234:RAT: Ultors Trojan, HackIT (Holzpferd), Kilo, Fade, Remote Operations, NetAmine, NuclearScan, FeRAT, PWD
1243:RAT: BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles, Mainline, HackWorld
1245:RAT: VooDoo Doll, Ultors Trojan
1248:HERMES - hermes
1254:RAT: Monk
1255:RAT: Scarab, Happy, Global Killer
1256:RAT: Project nEXT, RexxRave
1257:RAT: Sub Seven 2.1, Frenzy
1263:RAT: Rewind
1266:RAT: Global Killer, Rewind
1269:RAT: Mavericks Matrix
1274:RAT: Mavericks Matrix
1275:RAT: Fredisoft
1276:RAT: Mavericks Matrix
1309:RAT: Jittar
1313:BMC_PATROLDB - BMC_PATROLDB, RAT: NETrojan
1314:PDPS - Photoscript Distributed Printing System
1324:RAT: Shador
1337:RAT: Joker DDoS, rSocks
1338:RAT: Millenium Worm
1342:VMOTELNET - VMODEM telnet redirect
1345:VPJP - VPJP
1346:ALTA-ANA-LM - Alta Analytics License Manager
1347:BBN-MMC - Multi Media Conferencing
1348:BBN-MMX - Multi Media Conferencing
1349:SBOOK - Registration Network Protocol, RAT: Back Orifice DLL
1350:EDITBENCH - Registration Network Protocol
1351:EQUATIONBUILDER - Digital Tool Works (MIT)
1352:LOTUSNOTE - Lotus Note
1353:RELIEF - Relief Consulting
1354:RIGHTBRAIN - RightBrain Software, RAT: SkullBurrow Proxy
1355:INTUITIVE EDGE - Intuitive Edge
1356:CUILLAMARTIN - CuillaMartin Company
1357:PEGBOARD - Electronic PegBoard
1358:CONNLCLI - CONNLCLI
1359:FTSRV - FTSRV
1360:MIMER - MIMER
1361:LINX - LinX
1362:TIMEFLIES - TimeFlies
1363:NDM-REQUESTER - Network DataMover Requester
1364:NDM-SERVER - Network DataMover Server
1365:ADAPT-SNA - Network Software Associates
1366:NETWARE-CSP - Novell NetWare Comm Service Platform
1367:DCS - DCS
1368:SCREENCAST - ScreenCast
1369:GV-US - GlobalView to Unix Shell
1370:US-GV - Unix Shell to GlobalView
1371:FC-CLI - Fujitsu Config Protocol
1372:FC-SER - Fujitsu Config Protocol
1373:CHROMAGRAFX - Chromagrafx
1374:MOLLY - EPI Software Systems
1375:BYTEX - Bytex
1376:IBM-PPS - IBM Person to Person Software
1377:CICHLID - Cichlid License Manager
1378:ELAN - Elan License Manager
1379:DBREPORTER - Integrity Solutions
1380:TELESIS-LICMAN - Telesis Network License Manager
1381:APPLE-LICMAN - Apple Network License Manager
1382:UDT_OS - UDT_OS
1383:GWHA - GW Hannaway Network License Manager
1384:OS-LICMAN - Objective Solutions License Manager
1385:ATEX_ELMD - Atex Publishing License Manager
1386:CHECKSUM - CheckSum License Manager
1387:CADSI-LM - Computer Aided Design Software Inc LM
1388:OBJECTIVE-DBC - Objective Solutions DataBase Cache
1389:ICLPV-DM - Document Manager
1390:ICLPV-SC - Storage Controller
1391:ICLPV-SAS - Storage Access Server
1392:ICLPV-PM - Print Manager
1393:ICLPV-NLS - Network Log Server
1394:ICLPV-NLC - Network Log Client, RAT: Gofriller, BackDoor
1395:ICLPV-WSM - PC Workstation Manager software
1396:DVL-ACTIVEMAIL - DVL Active Mail
1397:AUDIO-ACTIVMAIL - Audio Active Mail
1398:VIDEO-ACTIVMAIL - Video Active Mail
1399:CADKEY-LICMAN - Cadkey License Manager
1400:CADKEY-TABLET - Cadkey Tablet Daemon, RAT: Remote Hack
1401:GOLDLEAF-LICMAN - Goldleaf License Manager
1402:PRM-SM-NP - Prospero Resource Manager
1403:PRM-NM-NP - Prospero Resource Manager
1404:IGI-LM - Infinite Graphics License Manager
1405:IBM-RES - IBM Remote Execution Starter
1406:NETLABS-LM - NetLabs License Manager
1407:DBSA-LM - DBSA License Manager
1408:SOPHIA-LM - Sophia License Manager
1409:HERE-LM - Here License Manager
1410:HIQ - HiQ License Manager, RAT: Destruktor
1411:AF - AudioFile
1412:INNOSYS - InnoSys, RAT: RemoteControl, Hawk
1413:INNOSYS-ACL - Innosys-ACL
1414:IBM-MQSERIES - IBM MQSeries
1415:DBSTAR - DBStar
1416:NOVELL-LU6.2 - Novell LU6.2
1417:TIMBUKTU-SRV1 - Timbuktu Service 1 Port
1418:TIMBUKTU-SRV2 - Timbuktu Service 2 Port
1419:TIMBUKTU-SRV3 - Timbuktu Service 3 Port
1420:TIMBUKTU-SRV4 - Timbuktu Service 4 Port, RAT: SubRoot
1421:GANDALF-LM - Gandalf License Manager
1422:AUTODESK-LM - Autodesk License Manager
1423:ESSBASE - Essbase Arbor Software
1424:HYBRID - Hybrid Encryption Protocol
1425:ZION-LM - Zion Software License Manager
1426:SAIS - Satellite-data Acquisition System 1
1427:MLOADD - mloadd monitoring tool
1428:INFORMATIK-LM - Informatik License Manager
1429:NMS - Hypercom NMS
1430:TPDU - Hypercom TPDU
1431:RGTP - Reverse Gossip Transport
1432:BLUEBERRY-LM - Blueberry Software License Manager
1433:MS-SQL-S - Microsoft-SQL-Server
1434:MS-SQL-M - Microsoft-SQL-Monitor
1435:IBM-CICS - IBM CICS
1436:SAISM - Satellite-data Acquisition System 2
1437:TABULA - Tabula
1438:EICON-SERVER - Eicon Security Agent/Server
1439:EICON-X25 - Eicon X25/SNA Gateway
1440:EICON-SLP - Eicon Service Location Protocol (RFC 2165)
1441:CADIS-1 - Cadis License Management
1442:CADIS-2 - Cadis License Management
1443:IES-LM - Integrated Engineering Software
1444:MARCAM-LM - Marcam License Management
1445:PROXIMA-LM - Proxima License Manager
1446:ORA-LM - Optical Research Associates License Manager
1447:APRI-LM - Applied Parallel Research LM
1448:OC-LM - OpenConnect License Manager
1449:PEPORT - PEport
1450:DWF - Tandem Distributed Workbench Facility
1451:INFOMAN - IBM Information Management
1452:GTEGSC-LM - GTE Government Systems License Manager
1453:GENIE-LM - Genie License Manager
1454:INTERHDL_ELMD - interHDL License Manager
1455:ESL-LM - ESL License Manager
1456:DCA - DCA
1457:VALISYS-LM - Valisys License Manager
1458:NRCABQ-LM - Nichols Research Corp.
1459:PROSHARE1 - Proshare Notebook Application
1460:PROSHARE2 - Proshare Notebook Application
1461:IBM_WRLESS_LAN - IBM Wireless LAN
1462:WORLD-LM - World License Manager
1463:NUCLEUS - Nucleus
1464:MSL_LMD - MSL License Manager
1465:PIPES - Pipes Platform
1466:OCEANSOFT-LM - Ocean Software License Manager
1467:CSDMBASE - CSDMBASE
1468:CSDM - CSDM
1469:AAL-LM - Active Analysis Limited License Manager, RAT: VC
1470:UAIACT - Universal Analytics
1471:CSDMBASE - csdmbase
1472:CSDM - csdm
1473:OPENMATH - OpenMath
1474:TELEFINDER - Telefinder
1475:TALIGENT-LM - Taligent License Manager
1476:CLVM-CFG - clvm-cfg
1477:MS-SNA-SERVER - ms-sna-server
1478:MS-SNA-BASE - ms-sna-base
1479:DBEREGISTER - dberegister
1480:PACERFORUM - PacerForum
1481:AIRS - AIRS
1482:MITEKSYS-LM - Miteksys License Manager, RAT: Syskbot
1483:AFS - AFS License Manager, RAT: Syskbot
1484:CONFLUENT - Confluent License Manager, RAT: Syskbot
1485:LANSOURCE - LANSource, RAT: Syskbot
1486:NMS_TOPO_SERV - nms_topo_serv
1487:LOCALINFOSRVR - LocalInfoSrvr
1488:DOCSTOR - DocStor
1489:DMDOCBROKER - dmdocbroker
1490:INSITU-CONF - insitu-conf
1491:ANYNETGATEWAY - anynetgateway
1492:STONE-DESIGN-1 - stone-design-1, RAT: FTP99CMP
1493:NETMAP_LM - netmap_lm
1494:ICA - ica
1495:CVC - cvc
1496:LIBERTY-LM - liberty-lm
1497:RFX-LM - rfx-lm
1498:WATCOM-SQL - Watcom-SQL
1499:FHC - Federico Heinz Consultora
1500:VLSI-LM - VLSI License Manager
1501:SAISCM - Satellite-data Acquisition System 3
1502:SHIVADISCOVERY - Shiva
1503:IMTC-MCS - Databeam
1504:EVB-ELM - EVB Software Engineering License Manager
1505:FUNKPROXY - Funk Software Inc.
1506:UTCD - Universal Time daemon (utcd)
1507:SYMPLEX - symplex
1508:DIAGMOND - diagmond
1509:ROBCAD-LM - Robcad Ltd. License Manager, RAT: Psyber Streaming Server
1510:MVX-LM - Midland Valley Exploration Ltd. Lic. Man.
1511:3L-L1 - 3l-l1
1512:WINS - Microsoft's Windows Internet Name Service
1513:FUJITSU-DTC - Fujitsu Systems Business of America Inc
1514:FUJITSU-DTCNS - Fujitsu Systems Business of America Inc
1515:IFOR-PROTOCOL - ifor-Protocol
1516:VPAD - Virtual Places Audio data
1517:VPAC - Virtual Places Audio control
1518:VPVD - Virtual Places Video data
1519:VPVC - Virtual Places Video control
1520:ATM-ZIP-OFFICE - atm zip office
1521:NCUBE-LM - nCube License Manager
1522:RNA-LM - Ricardo North America License Manager
1523:CICHILD-LM - cichild
1524:INGRESLOCK - ingres, RAT: Trinoo
1525:ORASRV - Oracle, PROSPERO-NP - Prospero Directory Service
1526:PDAP-NP - Prospero Data Access Prot non-priv
1527:TLISRV - Oracle
1528:MCIAUTOREG
1529:COAUTHOR - Oracle, RAT: Sky Rat
1530:RAP-SERVICE
1531:RAP-LISTEN
1532:MIROCONNECT
1533:Virtual Places Software, RAT: Back Atack
1534:MICROMUSE-LM
1535:AMPR-INFO
1536:AMPR-INTER
1537:SDSC-LM
1538:3DS-LM
1539:Intellistor License Manager
1540:RDS
1541:RDS2
1542:GRIDGEN-ELMD
1543:SIMBA-CS
1544:ASPECLMD
1545:VISTIUM-SHARE
1546:ABBACCURAY
1547:LAPLINK
1548:Axon License Manager
1549:Shiva Hose
1550:3M-IMAGE-LM - Image Storage license manager 3M Company
1551:HECMTL-DB
1552:PCIARRAY, RAT: Uprising
1553:SNA-CS
1554:CACI-LM - CACI Products Company License Manager
1555:LIVELAN
1556:ASHWIN - AshWin CI Tecnologies
1557:ARBORTEXT-LM - ArborText License Manager
1558:XINGMPEG
1559:WEB2HOST
1560:ASCI-VAL - asci-val, RAT: Duddie
1561:FACILITYVIEW
1562:PCONNECTMGR
1563:CADABRA-LM - Cadabra License Manager
1564:PAY-PER-VIEW
1565:WINDDLB
1566:CORELVIDEO
1567:JLICELMD
1568:TSSPMAP
1569:ETS
1570:ORBIXD
1571:RDB-DBS-DISP - Oracle Remote Data Base
1572:Chipcom License Manager
1573:ITSCOMM-NS
1574:MVEL-LM
1575:ORACLENAMES
1576:MOLDFLOW-LM
1577:HYPERCUBE-LM
1578:Jacobus License Manager, RAT: Shadow Phyre
1579:IOC-SEA-LM
1580:TN-TL-R1
1581:VMF-MSG-PORT
1582:MSIMS, TAMS-LM - Toshiba America Medical Systems
1583:SIMBAEXPRESS
1584:TN-TL-FD2
1585:INTV
1586:IBM-ABTACT
1587:PRA_ELMD
1588:TRIQUEST-LM
1589:VQP
1590:GEMINI-LM
1591:NCPM-PM
1592:COMMONSPACE
1593:MAINSOFT-LM
1594:SIXTRAK
1595:RADIO
1596:RADIO-SM
1597:ORBPLUS-IIOP
1598:PICKNFS
1599:SIMBASERVICES
1600:ISSD, RAT: Shivka-Burka, Direct Connection
1601:AAS, RAT: Direct Connection
1602:INSPECT, RAT: Direct Connection
1603:PICODBC
1604:ICABROWSER
1605:SLP - Salutation Manager (Salutation Protocol)
1606:SLM-API - Salutation Manager (SLM-API)
1607:STT
1608:SMART-LM - Smart Corp. License Manager
1609:ISYSG-LM
1610:TAURUS-WH
1611:ILL - Inter Library Loan
1612:NETBILL-TRANS - NetBill Transaction Server
1613:NETBILL-KEYREP - NetBill Key Repository
1614:NETBILL-CRED - NetBill Credential Server
1615:NETBILL-AUTH - NetBill Authorization Server
1616:NETBILL-PROD - NetBill Product Server
1617:NIMROD-AGENT - Nimrod Inter-Agent Communication
1618:SKYTELNET - skyt
1619:XS-OPENSTORAGE - xs-openstorage
1620:FAXPORTWINPORT - faxportwinport
1621:SOFTDATAPORT - softdataphone
1622:ONTIME - ontime
1623:JALEOSND - jaleosnd
1624:UDP-SR-PORT - udp-sr-port
1625:SVS-OMAGENT - svs-omagent
1634:RAT: NetCrack
1636:CNCP - CableNet Control Protocol
1637:CNAP - CableNet Admin Protocol
1638:CNIP - CableNet Info Protocol
1639:CERT-INITIATOR - cert-initiator
1640:CERT-RESPONDER - cert-responder
1641:INVISION
1642:ISIS-AM
1643:ISIS-AMBC
1644:SAISEH - Satellite-data Acquisition System 4
1645:DATAMETRICS
1646:SA-MSG-PORT
1647:RSAP
1648:CONCURRENT-LM
1649:INSPECT
1650:NDK
1651:SHIVA_CONFSRVR
1652:XNMP
1653:ALPHATECH - alphatech-lm
1654:STARGATEALERTS - stargatealerts
1655:DEC-MBADMIN - dec-mbadmin
1656:DEC-MBADMIN-H - dec-mbadmin-h
1657:FUJITSU-MMPDC - fujitsu-mmpdc
1658:SIXNETUDR - sixnetudr
1659:SM-LG - Silicon Grail License Manager
1660:SKIP-MC-GIKREQ - skip-mc-gikreq
1661:NETVIEW-AIX-1, RAT: d0ped
1662:NETVIEW-AIX-2
1663:NETVIEW-AIX-3
1664:NETVIEW-AIX-4
1665:NETVIEW-AIX-5
1666:NETVIEW-AIX-6
1667:NETVIEW-AIX-7, RAT: Jerwin
1668:NETVIEW-AIX-8, RAT: Jerwin
1669:NETVIEW-AIX-9
1670:NETVIEW-AIX-10
1671:NETVIEW-AIX-11
1672:NETVIEW-AIX-12
1673:PROSHARE-MC-1 - Intel Proshare Multicast
1674:PROSHARE-MC-2 - Intel Proshare Multicast
1675:PDP - Pacific Data Products
1676:NETCOMM1
1677:GROUPWISE
1678:PROLINK
1679:DARCORP-LM
1680:MICROCOM-SBP
1681:SD-ELMD
1682:LANYON-LANTERN
1683:NCMP-HIP
1684:SNARESECURE
1685:N2NREMOTE
1686:CVMON
1687:NSJTP-CTRL
1688:NSJTP-DATA
1689:FIREFOX
1690:NG-UMDS
1691:EMPIRE-EMPUMA - empire-empuma
1692:SSTSYS-LM - sstsys-lm
1693:RRITR
1694:RRIMWM
1695:RRILWM
1696:RRIFMM
1697:RRISAT
1698:RSVP-ENCAP-1 - RSVP-ENCAPSULATION-1
1699:RSVP-ENCAP-2 - RSVP-ENCAPSULATION-2
1700:MPS-RAFT, RAT: Udps, SubRoot
1701:L2F
1702:DESKSHARE
1703:HB-ENGINE
1704:BCS-BROKER
1705:SLINGSHOT
1706:JETFORM
1707:VDMPLAY
1708:GAT-LMD
1709:CENTRA
1710:IMPERA
1711:PPTCONFERENCE - pptconference
1712:REGISTRAR - resource monitoring service
1713:ConferenceTalk
1714:SESI-LM
1715:HOUDINI-LM
1716:XMSG
1717:FJ-HDNET
1718:H323GATEDISC - h323gatedisc
1719:H323GATESTAT - h323gatestat
1720:H323HOSTCALL - h323hostcall
1721:CAICCI
1722:HKS-LM - HKS License Manager
1723:PPTP
1724:CSBPHONEMASTER - csbphonemaster
1725:IDEN-RALP - iden-ralp
1726:IBERIAGAMES - IBERIAGAMES
1727:WINDDX - winddx
1728:TELINDUS - TELINDUS
1729:CITYNL - CityNL License Management
1730:ROKETZ - roketz
1731:MSICCP - MSICCP
1732:PROXIM - proxim
1733:SIPAT - sipat
1734:CAMBERTX-LM - Camber Corporation License Management
1735:PRIVATECHAT - PrivateChat
1736:STREETSTREAM - street-stream
1737:ULTIMAD - ultimad
1738:GAMEGEN1 - GameGen1
1739:WEBACCESS - webaccess
1740:ENCORE - encore
1741:CISCO-NET-MGMT - cisco-net-mgmt
1742:3COM-NSD - 3Com-nsd
1743:CINEGRFX-LM - Cinema Graphics License Manager
1744:NCPM-FT - ncpm-ft
1745:REMOTE-WINSOCK - remote-winsock
1746:FTRAPID-1 - ftrapid-1
1747:FTRAPID-2 - ftrapid-2
1748:ORACLE-EM1 - Oracle-em1
1749:ASPEN-SERVICES - aspen-services
1750:SSLP - Simple Socket Library's PortMaster
1751:SWIFTNET - SwiftNet
1752:LOFR-LM - Leap of Faith Research License Manager
1753:TRANSLOGIC-LM - Translogic License Manager
1754:ORACLE-EM2 - Oracle-em2
1755:MS-STREAMING - ms-streaming
1756:CAPFAST-LMD - capfast-lmd
1757:CNHRP - cnhrp
1758:TFTP-MCAST - tftp-mcast
1759:SPSS-LM - SPSS License Manager
1760:WWW-LDAP-GW - www-ldap-gw
1761:CFT-0 - cft-0
1762:CFT-1 - cft-1
1763:CFT-2 - cft-2
1764:CFT-3 - cft-3
1765:CFT-4 - cft-4
1766:CFT-5 - cft-5
1767:CFT-6 - cft-6
1768:CFT-7 - cft-7
1769:BMC-NET-ADM - bmc-net-adm
1770:BMC-NET-SVC - bmc-net-svc
1771:VAULTBASE - vaultbase
1772:ESSWEB-GW - EssWeb Gateway
1773:KMSCONTROL - KMSControl
1774:GLOBAL-DTSERV - global-dtserv
1776:FEMIS - Federal Emergency Management Information System
1777:POWERGUARDIAN - powerguardian, RAT: Scarab
1778:PRODIGY-INTERNET - prodigy-internet
1779:PHARMASOFT - pharmasoft
1780:DPKEYSERV - dpkeyserv
1781:ANSWERSOFT-LM - answersoft-lm
1782:HP-HCIP - hp-hcip
1783:FJRIS - Fujitsu Remote Install Service
1784:FINLE-LM - Finle License Manager
1785:WINDLM - Wind River Systems License Manager
1786:FUNK-LOGGER - funk-logger
1787:FUNK-LICENSE - funk-license
1788:PSMOND - psmond
1789:HELLO - hello
1790:NMSP - Narrative Media Streaming Protocol
1791:EA1 - EA1
1792:IBM-DT-2 - ibm-dt-2
1793:RSC-ROBOT - rsc-robot
1794:CERA-BCM - cera-bcm
1795:DPI-PROXY - dpi-proxy
1796:VOCALTEC-ADMIN - Vocaltec Server Administration
1797:UMA - UMA
1798:ETP - Event Transfer Protocol
1799:NETRISK - NETRISK
1800:ANSYS-LM - ANSYS-License manager
1801:MSMQ - Microsoft Message Que
1802:CONCOMP1 - ConComp1
1803:HP-HCIP-GWY - HP-HCIP-GWY
1804:ENL - ENL
1805:ENL-NAME - ENL-Name
1806:MUSICONLINE - Musiconline
1807:FHSP - Fujitsu Hot Standby Protocol, RAT: SpySender, Sysroot
1808:ORACLE-VP2 - Oracle-VP2
1809:ORACLE-VP1 - Oracle-VP1
1810:JERAND-LM - Jerand License Manager
1811:SCIENTIA-SDB - Scientia-SDB
1812:RADIUS - RADIUS
1813:RADIUS-ACCT - RADIUS Accounting
1814:TDP-SUITE - TDP Suite
1815:MMPFT - MMPFT
1818:ETFTP - Enhanced Trivial File Transfer Protocol
1819:PLATO-LM - Plato License Manager
1820:MCAGENT - mcagent
1821:DONNYWORLD - donnyworld
1822:ES-ELMD - es-elmd
1823:UNISYS-LM - Unisys Natural Language License Manager
1824:METRICS-PAS - metrics-pas
1833:RAT: Tcc
1834:RAT: Tcc
1835:RAT: Tcc
1836:RAT: Tcc
1837:RAT: Tcc
1850:RAT: Black Angel
1863:MSN Messenger - MSN Messenger Application
1871:RAT: Serpa, SerialPager
1900:SSDP - SSDP (UDP)
1901:FJICL-TEP-A - Fujitsu ICL Terminal Emulator Program A
1902:FJICL-TEP-B - Fujitsu ICL Terminal Emulator Program B, RAT: XQDoor
1903:LINKNAME - Local Link Name Resolution
1904:FJICL-TEP-C - Fujitsu ICL Terminal Emulator Program C
1905:SUGP - Secure UP.Link Gateway Protocol
1906:TPMD - TPortMapperReq
1907:INTRASTAR - IntraSTAR, RAT: hRat
1908:DAWN - Dawn
1909:GLOBAL-WLINK - Global World Link
1911:MTP - Starlight Networks Multimedia Transport Protocol, RAT: AWD
1913:ARMADP - armadp
1914:ELM-MOMENTUM - Elm-Momentum
1915:FACELINK - FACELINK
1916:PERSOFT - Persoft Persona
1917:NOAGENT - nOAgent
1918:CAN-NDS - Candle Directory Service - NDS
1919:CAN-DCH - Candle Directory Service - DCH
1920:CAN-FERRET - Candle Directory Service - FERRET
1941:RAT: Hanky Panky
1944:CLOSE-COMBAT - close-combat
1945:DIALOGIC-ELMD - dialogic-elmd
1946:TEKPLS - tekpls
1947:HLSERVER - hlserver
1948:EYE2EYE - eye2eye
1949:ISMAEASDAQLIVE - ISMA Easdaq Live
1950:ISMAEASDAQTEST - ISMA Easdaq Test
1951:BCS-LMSERVER - bcs-lmserver
1966:RAT: Fake FTP
1967:RAT: FYEO, WM FTP
1969:RAT: OpC BO
1973:DLSRAP - Data Link Switching Remote Access Protocol
1978:RAT: HideDoor, Feri, Deadcow
1979:RAT: ZSpyII, Mima, HideDoor, SpyServer
1980:RAT: ZSpyII
1981:RAT: Bowl, Shockrave, Ullysse, Habibti, Infinaeon
1983:RAT: Q-taz, Leszcz, T.O.D
1984:RAT: Q-taz, BDMania
1985:FOLIOCORP - Folio Remote Server, HSRP - Cisco Hot Standby Router Protocol (RFC 2281), RAT: Skun
1986:LICENSEDAEMON - cisco license management, RAT: Muska52, Akosch, Prosty, Snurzi
1987:TR-RSRB-P1 - cisco RSRB Priority 1 port, RAT: DNS
1988:TR-RSRB-P2 - cisco RSRB Priority 2 port
1989:TR-RSRB-P3 - cisco RSRB Priority 3 port
1989:MHSNET - MHSnet system
1990:STUN-P1 - cisco STUN Priority 1 port
1991:STUN-P2 - cisco STUN Priority 2 port
1992:STUN-P3 - cisco STUN Priority 3 port
1992:IPSENDMSG - IPsendmsg
1993:SNMP-TCP-PORT - cisco SNMP TCP port, RAT: TrojanProxy.Win32.WinProxy
1994:STUN-PORT - cisco serial tunnel port
1995:PERF-PORT - cisco perf port
1996:TR-RSRB-PORT - cisco Remote SRB port
1997:GDP-PORT - cisco Gateway Discovery Protocol
1998:X25-SVC-PORT - cisco X.25 service (XOT)
1999:TCP-ID-PORT - cisco identification port, RAT: BackDoor (Default), Transcout
2000:CALLBROOK - callbook, SEAGATE - Seagate Crystal Reports, RAT: Der Spaeher 3, Insane Network, Transscout, Froggys Trojan, Last2000, HAW, RE2000, Fear, Force, Evoloution, Winsock Commander, CS, Amitis, Adele
2001:DC - dc, SEAGATE - Seagate Crystal Reports, RAT: Der Spaeher 3, TrojanCow, TransScout, Senna Spy 2001 Trojan, Protoss, XQDoor, Codex Data Systems D.I.R.T., OIcqsearch
2002:GLOBE - globe, RAT: TransScout, Duddie, Sensive
2003:RAT: TransScout, Tech
2004:MAILBOX - mailbox, RAT: TransScout, OIcqsearch
2005:BERKNET - berknet, RAT: TransScout, Sequel, OIcqsearch
2006:INVOKATOR - invokator
2007:DECTALK - dectalk, RAT: OIcqsearch
2008:CONF - conf, RAT: OIcqsearch
2009:News, RAT: OIcqsearch
2010:Search, RAT: OIcqsearch
2011:RAID-CC, RAT: OIcqsearch
2012:TTYINFO, RAT: Net Control, OIcqsearch
2013:RAID-AM
2014:TROFF
2015:CYPRESS
2016:BOOTSERVER
2017:CYPRESS-STAT - cypress-stat
2018:TERMINALDB
2019:WHOSOCKAMI
2020:XINUPAGESERVER - xinupageserver, RAT: WRS
2021:SERVEXEC
2022:DOWN - down
2023:XINUEXPANSION3 - xinuexpansion3, RAT: Pass Ripper, Hack City Ripper Pro
2024:XINUEXPANSION4 - xinuexpansion4
2025:ELLPACK - ell pack, RAT: Shadow Phyre, KS Rain
2026:SCRABBLE - scrabble
2027:SHADOWSERVER - shadow server
2028:SUBMITSERVER - submit server
2030:DEVICE2 - device2
2032:BLACKBOARD - blackboard
2033:GLOGGER - glogger
2034:SCOREMANAGER - score manager
2035:IMSLDOC - imsldoc
2038:OBJECTMANAGER - object manager
2040:LAM - lab, RAT: Inferno Uploader, JackTrojan
2041:INTERBASE
2042:ISIS
2043:ISIS-BCAST
2044:RIMSL
2045:CDFUNC
2046:SDFUNC
2047:DLS
2048:DLS-MONITOR - dls-monitor
2049:SHILP, NFS - Sun Microsystems Network File System Protocol (RFC 1813)
2060:RAT: Protoss
2065:DLSRPN - Data Link Switch Read Port Number
2067:DLSWPN - Data Link Switch Write Port Number
2078:RAT: ZalivatoR
2080:RAT: WinHole
2086:Netscape/Corba Exploit
2102:ZEPHYR-SRV - Zephyr server
2103:ZEPHYR-CLT - Zephyr serv-hm connection
2104:ZEPHYR-HM - Zephyr hostmanager
2105:MINIPAY - MiniPay
2115:RAT: Bugs, Feap
2121:RAT: Burbulatorheads
2140:RAT: Deep Throat, The Invasor, Foreplay or Reduced Foreplay
2155:RAT: Illusion Mailer, Nirvana
2172:RAT: SubSeven
2177:RAT: Phantom FTP
2180:MC-GT-SRV - Millicent Vendor Gateway Server
2189:RAT: Mowang
2201:ATS - Advanced Training System Program
2202:IMTC-MAP - Int. Multimedia Teleconferencing Consortium
2208:RAT: Screen Control
2213:KALI - Kali, RAT: Screen Control
2214:RAT: Screen Control
2215:RAT: Screen Control
2216:RAT: Screen Control
2221:UNREG-AB1 - Allen-Bradley unregistered port
2222:UNREG-AB2 - Allen-Bradley unregistered port
2223:UNREG-AB3 - Allen-Bradley unregistered port
2232:IVS-VIDEO - IVS Video default
2233:INFOCRYPT - INFOCRYPT
2234:DIRECTPLAY - DirectPlay
2235:SERCOMM-WLINK - Sercomm-WLink
2236:NANI
2237:OPTECH-PORT1-LM - Optech Port1 License Manager
2238:AVIVA-SNA - AVIVA SNA SERVER
2239:IMAGEQUERY - Image Query
2241:IVSD - IVS Daemon
2255:RAT: Nirvana
2279:XMQUERY
2280:LNVPOLLER
2281:LNVCONSOLE
2282:LNVALARM
2283:LNVSTATUS, RAT: HVL Rat5
2284:LNVMAPS
2285:LNVMAILMON
2286:NAS-METERING
2287:DNA
2288:NETML
2299:RAT: Back Atack
2300:RAT: Xplorer
2307:PEHELP - pehelp
2308:SDHELP - sdhelp
2312:RAT: Izram
2332:RAT: Silent Spy
2337:RAT: Hobbit
2339:NOTE!!! the names have swapped places, RAT: Voice Spy
2345:RAT: Doly Trojan
2376:RAT: Remote Control
2400:RAT: PortD
2401:CVSPSERVER - cvspserver
2421:RAT: x2a
2425:RAT: Madfind
2444:RAT: Earthquake
2500:RTSSERV - Resource Tracking system server
2501:RTSCLIENT - Resource Tracking system client
2525:RAT: RemoteKit
2527:RAT: BLHouse
2564:HP-3000-TELNET - HP 3000 NS/VT block mode telnet
2565:RAT: Striker
2583:RAT: Wincrash 2
2584:RAT: Spie
2585:RAT: Nethack
2592:NETREK - netrek
2600:RAT: Digital RootBeer
2610:RAT: IP+
2684:RAT: Red-Spy, Slawek
2685:RAT: Red-Spy, Slawek
2699:RAT: Jittar
2700:TQDATA - tqdata
2702:SMS-XFER - SMS XFER, RAT: Black Diver
2707:RAT: Bigfoot
2716:RAT: The Prayer
2721:RAT: Phase Zero
2727:RAT: Hackers Heaven
2773:RAT: SubSeven, SubSeven 2.1 Gold
2784:WWW-DEV - world wide web - development
2785:AIC-NP - aic-np
2786:AIC-ONCRPC - Destiny MCD database
2787:PICCOLO - Cornerstone Software
2788:FRYESERV - NetWare Loadable Module - Seagate Software
2789:MEDIA-AGENT - Media Agent
2801:RAT: Phineas Phucker
2864:RAT: Denial
2904:RAT: VB Troyen
2908:MAO - mao
2909:FUNK-DIALOUT - Funk Dialout
2910:TDACCESS - TDAccess
2911:BLOCKADE - Blockade
2912:EPICON - Epicon
2945:RAT: Majesty
2968:RAT: Theef
2989:RAT: RAT
3000:HBCI - HBCI, RAT: Remote Shut, Theef, Xuegi, Izram
3001:REDWOOD-BROKER - Redwood Broker
3002:EXLM-AGENT - EXLM Agent
3010:GW - Telerate Workstation
3011:TRUSTED-WEB - Trusted Web
3024:RAT: WinCrash
3030:RAT: Tomato
3031:RAT: MicroSpy
3047:HLSERVER - Fast Security HL Server
3048:PCTRADER - Sierra Net PC Trader
3049:NSWS - NSWS
3065:RAT: Ice Storm Killerz
3082:RAT: Amoeba
3100:RAT: Brain Wiper
3128:Proxy, RAT: RingZero, Command Center
3129:RAT: Masters Paradise
3131:RAT: Subsari
3133:RAT: Yet Another
3134:RAT: Yet Another
3141:VMODEM - VMODEM
3142:RDC-WH-EOS - RDC WH EOS
3143:SEAVIEW - Sea View
3144:TARANTELLA - Tarantella
3145:CSI-LFAP - CSI-LFAP
3150:RAT: Deep Throat, The Invasor
3169:RAT: Turkojan
3180:MS-BRK-SRV - Millicent Broker Server
3215:RAT: XHX
3256:RAT: Worm.Dax
3264:CCMAIL - cc:mail/lotus
3265:ALTAV-TUNNEL - Altav Tunnel
3266:NS-CFG-SERVER - NS CFG Server
3267:IBM-DIAL-OUT - IBM Dial Out
3268:MSFT-GC - Microsoft Global Catalog
3269:MSFT-GC-SSL - Microsoft Global Catalog with LDAP/SSL
3270:VERISMART - Verismart
3271:CSOFT-PREV - CSoft Prev Port
3272:USER-MANAGER - Fujitsu User Manager
3273:SXMP - Simple Experimental Multiplexed Protocol
3274:ORDINOX-SERVER - Ordinox Server
3275:SAMD - SAMD
3276:MAXIM-ASICS - Maxim ASICs
3306:SQL Server
3330:RAT: Worm.Randex
3331:RAT: Delf, Worm.Randex
3332:RAT: Delf, Worm.Randex
3333:EGGDROP - Common for eggdrop bot, DEC-NOTES - DEC Notes, RAT: Delf, Hanuman, Laodai
3344:RAT: Matrix
3347:RAT: Control-it!
3355:RAT: Matrix, Hogle
3359:RAT: URCS
3410:RAT: Optix Pro
3416:RAT: SpySender
3417:RAT: SpySender
3418:RAT: XPosure
3421:BMAP - Bull Apprise portmapper
3427:RAT: FireBird
3454:MIRA - Apple Remote Access Protocol
3455:PRSVP - RSVP Port
3456:VAT - VAT default data, RAT: Terror trojan, Fear, Evoloution, Force
3457:VAT-CONTROL - VAT default control
3458:D3WINOSFI - D3WinOsfi
3459:INTEGRAL - Integral, RAT: Eclipse 2000, Sanctuary
3465:RAT: FireBird
3500:RAT: Servidor.e
3505:RAT: AutoSpY
3527:RAT: BLHouse
3547:RAT: Amitis
3587:RAT: ****Head trojan
3627:RAT: Delta Remote Access
3700:RAT: Portal of Doom
3721:RAT: Whirlpool
3723:RAT: Mantis
3737:RAT: HelioS
3791:RAT: Total Eclypse 1.0
3800:RAT: TrojanProxy.Win32.Small.a
3801:RAT: Total Solar Eclypse, TrojanProxy.Win32.Small.a
3802:RAT: TrojanProxy.Win32.Small.a
3900:UDT_OS - Unidata UDT OS
3984:MAPPER-NODEMGR - MAPPER network node manager
3985:MAPPER-MAPETHD - MAPPER TCP/IP server
3986:MAPPER-WS_ETHD - MAPPER workstation server
4000:TERABASE - Terabase, iChat Communications Hub, RAT: Psyber Streaming Server, SkyDance, Remote Anything, Zzmm, Silent Trigger
4001:iChat Rooms
4004:RAT: KBL FWB
4008:NETCHEQUE - NetCheque accounting
4009:CHIMERA-HWM - Chimera HWM
4010:SAMSUNG-UNIDEX - Samsung Unidex, RAT: Fearless Lite
4011:ALTSERVICEBOOT - Alternate Service Boot
4012:PDA-GATE - PDA Gate
4013:ACL-MANAGER - ACL Manager
4080:iChat Webserver
4092:RAT: WinCrash
4128:RAT: Infector II, Shadow Remote, RedShad
4132:NUTS_DEM - NUTS Daemon
4133:NUTS_BOOTP - NUTS Bootp Server
4134:NIFTY-HMI - NIFTY-Serve HMI Protocol
4141:OIRTGSVC - Workflow Server, RAT: rada-tat-RAT
4142:OIDOCSVC - Document Server
4143:OIDSR - Document Replication
4201:RAT: War Trojan
4210:RAT: Muska52, NetKey
4220:RAT: G-Hack
4225:RAT: Silent Spy
4242:RAT: Virtual Hacking Machine - VHM
4288:RAT: MoSucker
4300:RAT: Smokodoor
4321:RWHOIS - Remote Who Is, RAT: BoBo, Schoolbus 1.0
4343:UNICALL - UNICALL
4344:VINAINSTALL - VinaInstall
4369:RAT: Boiling
4420:RAT: G-Hack
4429:RAT: WINSF
4430:RAT: WINSF
4431:RAT: WINSF
4432:RAT: WINSF
4423:RAT: WINSF
4432:RAT: Acid, Black Dream
4433:RAT: Acid, Black Dream
4442:RAT: Oracle
4444:EGGDROP - Common for eggdrop bot, KRB524 - KRB524, NV-VIDEO - NV Video default, ADSUBTRACT - Ad-Subtract Pro, RAT: Prosiak, Swift Remote, AlexMessoMalex, Avone, Oracle, Controlmachine, Snake
4445:UPNOTIFYP - UPNOTIFYP, RAT: Oracle
4446:N1-FWP - N1-FWP
4447:N1-RMGMT - N1-RMGMT, RAT: Oracle
4448:ASC-SLMD - ASC Licence Manager
4449:ARCRYPTOIP - ARCrypto IP, RAT: Oracle
4450:CAMP - Camp
4451:CTISYSTEMMSG - CTI System Msg, RAT: Oracle
4452:CTIPROGRAMLOAD - CTI Program Load
4453:NSSALERTMGR - NSS Alert Manager
4454:NSSAGENTMGR - NSS Agent Manager
4481:RAT: Backstabb LITE
4500:SAE-URN - sae-urn
4501:URN-X-CDCHOICE - urn-x-cdchoice
4523:RAT: Celine
4527:RAT: BLHouse
4545:RAT: Remote Revise
4563:RAT: Clandestine
4567:RAT: FileNail, J4Y
4590:RAT: ICQ Trojan
4625:RAT: NiuNio-bek
4666:RAT: Mneah
4672:RFA - remote file access server
4714:RAT: Muska52
4747:RAT: Fosen, Symes
4748:RAT: Symes
4836:RAT: Buttman
4837:RAT: Buttman
4865:RAT: Backfire
4881:RAT: AIMVision
4950:RAT: ICQ Trojan(Lm)
4999:RAT: MaLPaYo, Ripjac, Remote Access
5000:COMMPLEX-MAIN - Complex Main, SSDP - Web-XML Parser for Universal Plug & Play, RAT: Back Door Setup, Blazer5, Bubbel, ICKiller, Sockets des Troie, Bionet Lite, Raid, Angel
5001:COMMPLEX-LINK - Complex Link, RAT: Back Door Setup, Sockets des Troie, Pinkle
5002:RFE - radio free ethernet, RAT: cd00r, Shaft
5003:CLARIS-FMPRO - Claris FileMaker Pro
5004:AVT-PROFILE-1 - avt-profile-1
5005:AVT-PROFILE-1 - avt-profile-2, RAT: Aladino
5010:TELELPATHSTART - TelepathStart, RAT: Solo
5011:TELELPATHATTACK - TelepathAttack, RAT: OOTLT, OOTLT modified
5020:ZENGINKYO-1 - zenginkyo-1
5021:ZENGINKYO-2 - zenginkyo-2
5025:RAT: WM Remote KeyLogger
5028:RAT: Shadow Phyre
5031:RAT: NetMetropolitan
5032:RAT: NetMetropolitan
5050:MMCC - multimedia conference control tool, RAT: R0xR4t
5051:RAT: Minicli
5060:SIP - Session Initiation Protocol (RFC 2543)
5145:RMONITOR_SECURE - rmonitor secure
5150:ATMP - Ascend Tunnel Management Protocol
5151:RAT: Optix Lite
5152:RAT: Institution
5155:RAT: Oracle
5180:RAT: Peeper
5190:AOL - America-Online, ICQ
5191:AOL-1 - AmericaOnline1
5192:AOL-2 - AmericaOnline2
5193:AOL-3 - AmericaOnline3
5236:PADL2SIM
5277:RAT: Winshell
5295:RAT: Gate Hell
5296:RAT: Gate Hell
5297:RAT: Gate Hell
5298:RAT: Gate Hell
5299:RAT: Gate Hell
5300:HA cluster heartbeat, RAT: Gate Hell
5301:HA cluster general services, RAT: Gate Hell
5302:HA cluster configuration
5303:HA cluster probing
5304:HA Cluster Commands
5305:HA Cluster Test
5306:Sun MC Group
5307:SCO AIP
5308:CFengine
5309:J Printer
5310:OUTLAWS - Outlaws
5311:TM Login
5321:RAT: Firehotcker
5328:RAT: Snow, Fx
5343:RAT: wCrat - WC Remote Administration Tool
5377:RAT: Iani
5400:EXCERPT - Excerpt Search, RAT: Blade Runner, Back Construction, Digital Spy
5401:EXCERPTS - Excerpt Search Secure, RAT: Blade Runner, Back Construction, Mneah, Digital Spy
5402:MFTP, RAT: Blade Runner, Back Construction, Mneah, Digital Spy
5403:HPOMS-CI-LSTN
5404:HPOMS-DPS-LSTN
5405:NetSupport
5406:Systemics Sox
5407:Foresyte-Clear
5408:Foresyte-Sec
5409:Salient Data Server
5410:Salient User Manager
5411:ACTNET - ActNet
5412:CONTINUUS
5413:WWIOTALK
5414:STATUSD
5415:NS Server
5416:SNS Gateway
5417:SNS Agent
5418:MCNTP - MCNTP, RAT: Darksky
5419:DJ-ICE - DJ-ICE, RAT: Darksky, Eagle Boy
5420:CYLINK-C - Cylink-C
5430:RAT: NetAdvance
5432:RAT: Gate Hell
5512:RAT: Illusion Mailer, Xtcp
5521:RAT: Illusion Mailer
5535:RAT: DarkNova
5550:RAT: Xtcp
5553:RAT: Keylog.XLog
5555:EGGDROP - Common for eggdrop bot, PERSONAL-AGENT - Personal Agent, RAT: ServeMe, NoXcape, ReMod, Sonitro, Stinky, Jeemp, Hale, Optix Pro, Sysbug
5556:RAT: BO Facil
5557:RAT: BO Facil
5558:RAT: easyServ, WildThing
5569:RAT: Robo-Hack
5597:RAT: Shadow Phyre
5600:ESMMANAGER - Enterprise Security Manager
5601:ESMAGENT - Enterprise Security Agent
5602:A1-MSC
5603:A1-BS
5604:A3-SDUNODE - A3-SDUNode
5605:A4-SDUNODEODE - A4-SDUNode
5631:PCANYWHEREDATA
5632:PCANYWHERESTAT
5637:RAT: PC Crasher
5638:RAT: PC Crasher
5639:RAT: PC Crasher
5651:RAT: Jeemp
5666:RAT: PC Crasher
5678:RRAC - Remote Replication Agent Connection
5679:DCCM - Direct Cable Connect Manager
5695:RAT: Assasin
5696:RAT: Assasin
5697:RAT: Assasin
5713:PROSHAREAUDIO - proshare conf audio
5714:PROSHAREVIDEO - proshare conf video, RAT: WinCrash
5715:PROSHAREDATA - proshare conf data
5716:PROSHAREREQUEST - proshare conf request
5717:PROSHARENOTIFY - proshare conf notify
5725:RAT: Stang
5729:OPENMAIL - Openmail User Agent Layer
5741:RAT: WinCrash
5742:RAT: WinCrash
5745:FCOPY-SERVER - fcopy-server
5755:OPENMAILG - OpenMail Desk Gateway server
5757:X500MS - OpenMail X.500 Directory Server
5760:RAT: Portmap Remote Root Linux Exploit
5766:OPENMAILNS - OpenMail NewMail Server
5767:S-OPENMAIL - OpenMail User Agent Layer (Secure)
5800:VNC - Virtual Network Computing
5802:RAT: Y3K RAT
5803:RAT: Y3K RAT
5838:RAT: Y3K RAT
5880:RAT: Y3K RAT
5882:RAT: Y3K RAT
5884:RAT: Y3K RAT
5885:RAT: AIMVision
5888:RAT: Y3K RAT, CIA
5889:RAT: Y3K RAT
5890:RAT: Y3K RAT
5902:RAT: XQDoor
5933:RAT: NOSecure
6000:X11 - X Window System, RAT: The tHing 1.6, RServer, Divux
6001:X11 - X Window System, RAT: Trojan Killer 2.2
6002:X11 - X Window System
6003:X11 - X Window System
6004:X11 - X Window System
6005:X11 - X Window System
6006:X11 - X Window System, RAT: Bad Blood
6007:X11 - X Window System
6008:X11 - X Window System
6009:X11 - X Window System
6010:X11 - X Window System
6011:X11 - X Window System
6012:X11 - X Window System
6013:X11 - X Window System
6014:X11 - X Window System
6015:X11 - X Window System
6016:X11 - X Window System, RAT: Shadow Phyre
6017:X11 - X Window System
6018:X11 - X Window System
6019:X11 - X Window System
6020:X11 - X Window System
6021:X11 - X Window System
6022:X11 - X Window System
6023:X11 - X Window System
6024:X11 - X Window System
6025:X11 - X Window System
6026:X11 - X Window System
6027:X11 - X Window System
6028:X11 - X Window System
6029:X11 - X Window System
6030:X11 - X Window System
6031:X11 - X Window System
6032:X11 - X Window System
6033:X11 - X Window System
6034:X11 - X Window System
6035:X11 - X Window System
6036:X11 - X Window System
6037:X11 - X Window System
6038:X11 - X Window System
6039:X11 - X Window System
6040:X11 - X Window System
6041:X11 - X Window System
6042:X11 - X Window System
6043:X11 - X Window System
6044:X11 - X Window System
6045:X11 - X Window System
6046:X11 - X Window System
6046:X11 - X Window System
6048:X11 - X Window System
6049:X11 - X Window System
6050:X11 - X Window System
6051:X11 - X Window System, RAT: Z-dem0n
6052:X11 - X Window System
6053:X11 - X Window System
6054:X11 - X Window System
6055:X11 - X Window System
6056:X11 - X Window Syst
Moore
6942:RAT: FTP.Alicia
6966:RAT: Sinister
6968:RAT: Piper
6969:ACMSODA - acmsoda, RAT: GateCrasher, IRC 3, Net Controller, Priority, Danton, Vagr, Cookie Monster, Bigorna, SpArTa, BlueAdeptz, UPIN
6970:RealPlayer Time Protocol, RAT: Gatecrasher, BlueAdeptz
6971:RAT: BlueAdeptz, UPIN
6974:RAT: Danton
7000:AFS3-FILESERVER - file server itself, RAT: Exploit Translation Server, Kazimas, Remote Grab, SubSeven 2.1 Gold, MiniCommand, Theef, Grab
7001:AFS3-CALLBACK - callbacks to cache managers, RAT: Freak88
7002:AFS3-PRSERVER - users & groups database
7003:AFS3-VLSERVER - volume location database
7004:AFS3-KASERVER - AFS/Kerberos authentication service
7005:AFS3-VOLSER - volume management server
7006:AFS3-ERRORS - error interpretation service
7007:AFS3-BOS - basic overseer process, RAT: Silent Spy
7008:AFS3-UPDATE - server-to-server updater
7009:AFS3-RMTSYS - remote cache manager service
7010:UPS-ONLINET - onlinet uninterruptible power supplies
7016:RAT: Cheng
7020:RAT: Hoaxer
7028:RAT: Unknown Trojan
7030:RAT: Hoaxer
7070:ARCP
7099:LAZY-PTOP
7100:FONT-SERVICE - X Font Service, RAT: MATRIX Chat
7119:RAT: Massaker
7121:VIRPROT - Virtual Prototypes License Manager
7134:RAT: Remote Operations
7158:RAT: Lohoboyshik
7174:CLUTILD
7200:FODMS FLIP
7201:DLIP
7215:RAT: SubSeven, SubSeven 2.1 Gold
7253:RAT: Jinmozhe, GlobalPatrol
7273:RAT: XLBH
7300:RAT: NetMonitor
7301:RAT: NetMonitor
7302:RAT: NetMonitor
7303:RAT: NetMonitor
7304:RAT: NetMonitor
7305:RAT: NetMonitor
7306:RAT: NetMonitor
7307:RAT: NetMonitor
7308:RAT: NetMonitor, X Spy
7309:RAT: NetMonitor
7312:RAT: Yajing
7323:RAT: Sygate Backdoor
7332:RAT: J3
7395:WINQEDIT
7410:RAT: Phoenix II
7413:RAT: Medusa
7424:RAT: Host Control
7426:PMDMGR - OpenView DM Postmaster Manager
7427:OVEADMGR - OpenView DM Event Agent Manager
7428:OVLADMGR - OpenView DM Log Agent Manager
7429:OPI-SOCK - OpenView DM rqt communication
7430:XMPV7 - OpenView DM xmpv7 api pipe
7431:PMD - OpenView DM ovc/xmpv3 api pipe
7441:RAT: MeteorShell
7491:TELOPS-LMD
7509:RAT: School
7511:PAFEC-LM - pafec-lm, RAT: Genue
7597:RAT: QAZ
7614:RAT: Wolff, Galaxy
7626:RAT: Glacier
7648:Video Conferencing, RAT: XHX
7649:Video Conferencing
7673:RAT: Neoturk
7677:RAT: Neoturk
7700:RAT: Sub-Mariner
7714:RAT: TrojanProxy.Win32.Webber
7721:RAT: Cabronator
7724:RAT: Cabronator
7776:RAT: RemoteCtrol, Iniquity
7777:EGGDROP - Common for eggdrop bot, CBT - cbt, RAT: Tini, Snoopy, Jodeitor, Hak0r
7781:ACCU-LMGR
7788:RAT: Last2000
7789:RAT: Back Door Setup, ICKiller, Mozilla, Muska52
7800:RAT: Ai
7810:RAT: Spook
7811:RAT: RemoteSOB
7823:RAT: Amitis
7826:RAT: Oblivion, MiniOblivion
7839:RAT: GreekHackers
7850:RAT: Ai
7878:RAT: Ai, My Socket
7879:RAT: Ai
7888:RAT: CIA
7891:RAT: LaMeRi, David
7980:QUEST-VISTA
7983:RAT: Mstream
7999:IRDMI2 - iRDMI2
8000:IRDMI - iRDMI - Proxy, RAT: NeuroticKat, Seqrat
8011:RAT: Way
8012:RAT: PtAkkS
8023:RAT: Xel
8032:PRO-ED
8059:RAT: Shadow Phyre
8088:Proxy
8080:Proxy, RAT: Brown Orifice, RemoConChubo, RingZero, HacKErZ, C.A.N.C.E.R
8081:RAT: HacKErZ
8083:RAT: NeoNet
8089:FTGATE - FTGate Web Admin, tinc Virtual Private Network daemon
8090:RAT: Remote Packet Sniffer
8108:RAT: LYB
8110:RAT: LoseLove
8111:RAT: LoseLove
8127:RAT: Simply Hack
8130:RAT: Simply Hack
8210:RAT: China
8225:RAT: Way 2002
8255:RAT: Pilot
8301:RAT: LoseLove
8302:RAT: LoseLove
8311:RAT: GirlBoy, Sweetheart
8372:RAT: Netboy
8450:NPMP
8489:RAT: Kilo
8502:RAT: The[X]
8508:RAT: The[X]
8509:RAT: Jeemp
8536:RAT: DDoS.RAT.Autocrat
8546:RAT: TrojanProxy.Win32.Webber
8623:RAT: HeiYing
8663:RAT: Shadow Phyre
8681:RAT: Psycho Derek
8682:RAT: Psycho Derek
8683:RAT: Psycho Derek
8684:RAT: Psycho Derek
8686:RAT: Freak
8787:RAT: Back Orifice 2000, Freak
8794:RAT: Shadow Phyre
8798:RAT: RACS
8799:RAT: FunFactory
8811:RAT: Sphere Trojan, Fear, Force
8812:RAT: Fraggle Rock Lite, Fear
8813:RAT: Fraggle Rock Lite
8820:RAT: ZKT
8821:RAT: FTP.Alicia
8879:RAT: Hack Office Armageddon
8888:DDI-TCP-1 - NewsEDGE server TCP (TCP 1), RAT: RMF, DDoS.RAT.DarkIRC
8889:DDI-TCP-2 - Desktop Data TCP 1, RAT: Luzak
8890:DDI-TCP-3 - Desktop Data TCP 2
8891:DDI-TCP-4 - Desktop Data TCP 3: NESS application
8892:DDI-TCP-5 - Desktop Data TCP 4: FARM product
8893:DDI-TCP-6 - Desktop Data TCP 5: NewsEDGE/Web application
8894:DDI-TCP-7 - Desktop Data TCP 6: COAL application
8943:RAT: iSpyNow
8976:RAT: Connect4
8988:RAT: BacHack
8989:RAT: Rcon, Recon, Xcon
9000:CLISTENER - CSlistener, RAT: Netministrator, NeuroticKat, Glacier, Way, Predator, Inderpal, Spy.Stealth Eye
9001:RAT: NeuroticKat
9002:RAT: NeuroticKat
9005:RAT: Spy.Stealth Eye
9090:WEBSM - IBM Web Based Systems Manager, VQSERVER - Free Web Server, SUN - Sun Java Web Administrator, RAT: Spy.Remote Packet Sniffer, MiniCommand
9301:RAT: LoseLove
9325:RAT: Mstream
9400:RAT: InCommand
9408:RAT: Shang Quan
9414:RAT: NTHacker, Dujian
9535:MAN - man
9536:RAT: Lula, StealthPort
9561:RAT: CRAT Pro
9563:RAT: CRAT Pro
9580:RAT: TheefLE
9696:RAT: Ghost
9697:RAT: Ghost
9777:RAT: Spy.Stealth Eye
9778:RAT: Spy.Stealth Eye
9846:RAT: Shador
9870:RAT: R3C
9872:RAT: Portal of Doom
9873:RAT: Portal of Doom
9874:RAT: Portal of Doom
9875:RAT: Portal of Doom
9876:SD - Session Director, RAT: Cyber Attacker, Rux
9878:RAT: TransScout
9889:RAT: Snakdos
9898:RAT: CrashCool
9932:RAT: Dude
9933:RAT: Dude
9989:RAT: iNi-Killer
9992:PALACE - Palace
9993:PALACE - Palace
9994:PALACE - Palace
9995:PALACE - Palace
9996:PALACE - Palace
9997:PALACE - Palace
9998:PIRC - Possible for IRCD, DISTINCT32 - Distinct32
9999:DISTINCT - distinct, RAT: The Prayer, Infra, NetControl, Sub-Mariner, Spadeace, Oracle, Vagr
10000:NDMP - Network Data Management Protocol, RAT: Oracle, Ojo
10001:RAT: Lula, Eljefe, DTr
10002:RAT: Lula, Eljefe
10003:RAT: Lula, Eljefe, Network Controler
10008:LiveGate Web Server, Apache Web Server, /bin/sh, BIND
10067:RAT: Portal of Doom
10085:RAT: Syphillis
10086:RAT: Syphillis
10100:RAT: Gift
10101:RAT: BrainSpy, Mini Gift
10111:RAT: Mini Gift
10150:RAT: Laodai
10167:RAT: Portal of Doom
10168:RAT: Worm.Lovgate
10203:RAT: Jinmozhe
10240:RAT: Digital Hand
10520:RAT: Acid Shivers
10528:RAT: Host Control
10539:RAT: Back Attack
10564:RAT: MiniCommand
10607:RAT: Coma Danny
10666:RAT: Ambush, R0xR4t
11000:RAT: Senna Spy Trojan Generator, Datarape, Comando
11050:RAT: Host Control
11051:RAT: Host Control
11171:RAT: DDoS.RAT.Zombot
11223:RAT: Progenic trojan, Secret Agent
11225:RAT: Cyn
11228:RAT: DarkSky
11264:RAT: Remote Control
11306:RAT: NokNok
11568:RAT: Remote Hack
11666:RAT: H04x3r Telnet
11777:RAT: Delf.cc
11831:RAT: Latinus (or variant), Backlash
12000:RAT: Reverse Trojan
12001:RAT: Poltergeist
12002:RAT: Poltergeist
12003:RAT: Poltergeist
12004:RAT: Poltergeist
12005:RAT: Poltergeist
12007:RAT: Poltergeist
12008:RAT: Poltergeist
12010:RAT: Poltergeist
12016:RAT: Poltergeist
12076:RAT: Gjamer, MSH
12122:RAT: HellzAddiction
12129:RAT: VisualBackdoor
12223:RAT: Hack'99 KeyLogger
12310:RAT: Precursor
12321:RAT: Protoss, Cyber-Hazard
12333:RAT: GMF
12345:cron / crontab, RAT: Fat Bitch trojan, GabanBus, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill, Q-taz, Snape, Fade, Musdie, Vagr, Neoturk, Sequel
12346:RAT: Fat Bitch trojan, GabanBus, NetBus, X-bill
12349:RAT: BioNet
12361:RAT: Whack-a-mole
12362:RAT: Whack-a-mole
12369:RAT: Prior
12378:RAT: Gibe Worm
12389:RAT: Khe Sanh
12471:RAT: Back Attack
12486:RAT: Muska52
12504:RAT: Back Attack
12550:RAT: Back Orifice 2000
12560:RAT: Alo
12575:RAT: Mainline
12623:RAT: DUN Control, ButtMan
12624:RAT: ButtMan
12625:RAT: ButtMan
12631:RAT: Whack Job
12701:RAT: Eclypse 2000
12753:TSAF
12754:RAT: Mstream
12764:RAT: Remote Control
12884:RAT: Anthena
13000:RAT: Senna Spy Trojan Generator, wh-crew Spy
13010:RAT: Hacker Brasil - HBR, Bitch Controller
13013:RAT: Psychward, P_Spy
13014:RAT: FTP.ftppw
13128:RAT: Sinique
13173:RAT: Amitis
13254:RAT: Injector
13401:RAT: Spy Program
13700:RAT: Kuang2 The Virus
13753:RAT: Anal FTP
13818:DSMCC-CONFIG - DSMCC Config
13819:DSMCC-SESSION - DSMCC Session Messages
13820:DSMCC-PASSTHRU - DSMCC Pass-Thru Messages
13821:DSMCC - DOWNLOAD - DSMCC Download Protocol
13822:DSMCC-CCP - DSMCC Channel Change Protocol
13830:This portlist by www.DiamondCS.com.au
14194:RAT: CyberSpy
14285:RAT: Hell-Driver, Laocoon
14286:RAT: Hell-Driver, Laocoon
14287:RAT: Laocoon
14500:RAT: PC Invader
14501:RAT: PC Invader
14502:RAT: PC Invader
14503:RAT: PC Invader
14504:RAT: PC Invader
14728:RAT: Zinx
15000:RAT: Lookspy, IRTTH
15092:RAT: Host Control
15104:RAT: Mstream
15333:RAT: Nethero, Screen Thief
15368:RAT: Bionet
15432:RAT: Cyn
15485:RAT: Kilo
15500:RAT: IRTTH
15512:RAT: Iani
15551:RAT: IRTTH
15555:RAT: ICMIBS
15858:RAT: CDK
15888:RAT: Delf.cc
15963:RAT: XZone
16322:RAT: Last Door
16484:RAT: Mosucker
16514:RAT: Kilo
16660:RAT: Stacheldraht
16661:RAT: NetGrisch, DFchGrisch, A-311 Death
16772:RAT: ICQ Revenge
16780:RAT: Vector
16959:RAT: SubSeven
16969:RAT: Priority
16999:RAT: MSN Log Thief
17007:ISODE-DUA
17012:RAT: Back Orifice 2000
17166:RAT: Mosaic
17171:RAT: RemoteCmd
17300:RAT: Kuang2 The Virus
17449:RAT: Kid Terror
17499:RAT: CrazzyNet
17569:RAT: Infector
17777:RAT: Nephron
18000:BIIMENU - Beckman Instruments, Inc.
18713:RAT: Hatred-Fiend
18714:RAT: Hatred-Fiend
18753:RAT: Shaft
19116:RAT: Parasite
19191:RAT: Bluefire
19604:RAT: Metal Trojan
19605:RAT: Metal Trojan
19730:RAT: Muniu
19864:RAT: ICQ Revenge
19949:RAT: Avone
19991:RAT: DFchGrisch
20000:RAT: Millenium, Predator, Brouser, SystemSecure, Spook
20001:RAT: Millennium, Millennium(Lm), Insect, Psychofiles
20002:RAT: AcidkoR, Psychofiles, NinjaSpy
20003:RAT: NinjaSpy
20005:RAT: MoSucker
20023:RAT: VP Killer
20034:RAT: NetBus 2.0 Pro, NetRex, Whack Job
20226:RAT: NAT
20203:RAT: Chupacabra, Logged!
20331:RAT: Bla
20432:RAT: Shaft
20433:RAT: Shaft
20480:RAT: Adnap
21000:RAT: FTP.c400s FTP Server
21163:RAT: Back Attack
21183:RAT: R.A.D
21212:RAT: Sensive
21300:RAT: Diego
21544:RAT: Girlfriend, Kid Terror, Katux Girlfriend
21554:RAT: Exploiter, GirlFriend, Kid Terror, Schwindler, Winsp00fer, Sensive
21579:RAT: Breach 2001
21584:RAT: Breach 2001
21845:WEBPHONE
21846:NETSPEAK-IS - NetSpeak Corp. Directory Services
21847:NETSPEAK-CS - NetSpeak Corp. Connection Services
21848:NETSPEAK-ACD - NetSpeak Corp. Automatic Call Distribution
21849:NETSPEAK-CPS - NetSpeak Corp. Credit Processing System
22076:RAT: Back Attack
22115:RAT: Cyn
22179:RAT: Diomedes
22180:RAT: Diomedes
22181:RAT: Diomedes
22200:RAT: RuX The TIcK
22220:RAT: RuX The TIcK
22222:RAT: Donald Dick, Prosiak, RuX The TIcK, G.R.O.B
22223:RAT: Rux The TIcK
22273:WNN6
22311:RAT: ProRat
22365:RAT: Back Attack
22554:RAT: Anthena
22555:VOCALTEC-WCONF - Vocaltec Web Conference
22784:RAT: Intruzzo 2002
22800:AWS-BRF - Telerate Information Platform LAN
22951:BRF-GW - Telerate Information Platform WAN
23000:RAT: RWins
23001:RAT: RWins
23002:RAT: RWins
23005:RAT: NetTrash, Sky Rat, Oxon, Winrat, Scorpina
23006:RAT: NetTrash, EZ KiLLA, Scorpina
23023:RAT: Logged
23032:RAT: Amanda
23145:RAT: REA2
23232:RAT: Psychward
23321:RAT: Konik
23432:RAT: Asylum, Psychward
23433:RAT: ASD
23435:RAT: Frango, Framar
23456:RAT: Evil FTP, Ugly FTP, Whack Job, Vagr, Keylog.Clandestine
23476:RAT: Donald Dick
23477:RAT: Donald Dick
23812:RAT: Back Attack
24000:RAT: Infector
24032:RTP Audio/Video
24307:RAT: Wildek
24464:RAT: FTP.Resoil
24759:RAT: Zinx
25000:ICL-TWOBASE1
25001:ICL-TWOBASE2
25002:ICL-TWOBASE3, RAT: CRS-Gate, MOTD
25003:ICL-TWOBASE4
25004:ICL-TWOBASE5
25005:ICL-TWOBASE6
25006:ICL-TWOBASE7
25007:ICL-TWOBASE8
25008:ICL-TWOBASE9
25009:ICL-TWOBASE10
25025:RAT: Kodalo
25026:RAT: Kodalo
25044:RAT: Kodalo
25226:RAT: LMR
25386:RAT: Moonpie
25486:RAT: Moonpie
25555:RAT: FreddyK
25678:RAT: TLPilon
25680:RAT: TLPilon
25685:RAT: Moonpie
25686:RAT: Moonpie
25758:RAT: Dewin
25793:VOCALTEC-HOS - Vocaltec Address Server
25885:RAT: CRS-Gate, MOTD
26000:QUAKE - quake
26208:WNN6-DS
26274:RAT: Delta Source
26681:RAT: Voice Spy - NOTE!!! the names have switched places
26744:RAT: PaSzCzuS
26745:RAT: PaSzCzuS
26746:RAT: PaSzCzuS
26747:RAT: PaSzCzuS
26969:RAT: Mini-Glitch
27015:3D Internet Game Servers
27016:3D Internet Game Servers
27017:3D Internet Game Servers
27184:RAT: Alvgus (UDP)
27374:RAT: BadBlood, SubSeven 2.1+, Diems Mutter
27444:RAT: WinTrinoo
27499:RAT: Pornu, Sinf
27500:RAT: Rulezadmin
27551:RAT: Amitis
27573:RAT: SubSeven
27665:RAT: WinTrinoo
27878:RAT: KPSULE
27910:QUAKE - Quake 2
28000:RAT: Infector
28034:RAT: Invisible Hunter
28072:RAT: JustJoke Pro
28218:RAT: Oracle
28384:RAT: EZ KiLLA
28428:RAT: Hack'A'Tack
28429:RAT: Hack'A'Tack
28431:RAT: Hack'A'Tack
28433:RAT: Hack'A'Tack
28500:RAT: Remote Saucer
28678:RAT: Exploiter 1.4
29104:RAT: NetTrojan
29559:RAT: Latinus (or variant), Sky Rat [Show], Cyber-Hazard, Ducktoy, Anti-Lamer, Backlash
29589:RAT: Kilo
29891:RAT: The Unexplained
29976:RAT: Trojan Spirit 2001a
29980:RAT: Trojan Spirit 2001a
29984:RAT: Trojan Spirit 2001a
29999:RAT: Anti-Lamer
30000:RAT: Infector, Datarape, Motalases
30001:RAT: ErrOr32, AntiPC
30002:RAT: DDoS.RAT.Litmus
30003:RAT: Lamers Death
30029:RAT: AOLTrojan
30072:RAT: Tasks
30100:RAT: NetSphere
30101:RAT: NetSphere
30102:RAT: NetSphere
30104:RAT: BlueAdeptz
30133:RAT: Trojan Spirit 2001a, Netsphere Final
30201:RAT: DDoS.RAT.TankEd
30303:RAT: Sockets de Troie 25, Socket23, Rulezadmin
30700:RAT: Mantis
30947:RAT: Intruse
30999:RAT: Kuang, MoSucker
31027:RAT: MDM
31145:RAT: Frapes
31163:RAT: Back Attack
31320:RAT: LittleWitch, LittleWitch Mini
31332:RAT: G.R.O.B
31335:RAT: WinTrinoo
31336:RAT: Bo Whack, Butt Funnel
31337:PIRC - Possible for IRCD, RAT: Back Fire, Back Orifice, Deep BO, Back Orifice (Lm), Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, icmp_pipe.c, Sockdmini, Igloo
31338:RAT: Back Orifice, Butt Funnel, DK32 NetSpy, DeepBO
31339:RAT: DK32 NetSpy, LittleWitch, Kiss
31340:RAT: LittleWitch
31341:RAT: Igloo
31415:RAT: Lithium
31416:RAT: Lithium
31556:RAT: Z-dem0n
31631:RAT: Cleptomania
31666:RAT: BOWhack
31693:RAT: Turkojan
31745:RAT: Buschtrommel
31785:RAT: Hack'a'tack
31787:RAT: Hack'a'tack
31788:RAT: Hack'a'tack
31789:RAT: Hack'a'tack
31790:RAT: Hack'a'tack
31791:RAT: Hack'a'tack
31792:RAT: Hack'a'tack
31887:RAT: BDDT
31900:RAT: Afonso
31979:RAT: Mima
32001:RAT: Donald Dick
32076:RAT: Back Attack
32100:RAT: Peanut Brittle, Project nEXT
32123:RAT: Huy
32222:RAT: Remoter
32365:RAT: Back Attack
32418:RAT: Acid Battery 1.0
32456:RAT: Clandestine Screen Capture
32791:RAT: Acropolis
33156:RAT: Poltergeist
33229:RAT: Amitis
33270:RAT: Trinity
33291:RAT: RemoteHAK
33333:RAT: Blakharaz, Prosiak, Psyber Streaming Server
33545:RAT: G.R.O.B
33555:RAT: G.R.O.B
33577:RAT: Psychward
33600:RAT: LazyAdmin
33777:RAT: Psychward
33812:RAT: Back Attack
33911:RAT: Trojan Spirit 2000, Trojan Spirit 2001
34031:RAT: Remote Control System
34033:RAT: Remote Control System
34324:RAT: Tiny Telnet Server, BigGluck, TN
34444:RAT: Donald Dick
34462:RAT: Delf.cc
34555:RAT: Win Trinoo Server
34567:RAT: Mill, Back Orifice
34763:RAT: Infector
35000:RAT: Infector
35555:RAT: Win Trinoo Client
36663:RAT: Rathead
36665:RAT: Rathead
36794:RAT: Worm.Tanatos
36926:RAT: Remscan
37237:RAT: The Mantis
37418:RAT: Taladrator
37546:RAT: Taladrator
37651:RAT: Yet Another Trojan - YAT
38742:RAT: CyberSpy
39122:RAT: UpF
39398:RAT: BirdSpy
39529:RAT: Taladrator
39872:RAT: Taladrator, Inferno
40000:RAT: Infector
40123:RAT: MoSucker
40412:RAT: The Spy
40421:RAT: Masters Paradise (Primary), Agent 40421
40422:RAT: Masters Paradise (Data)
40423:RAT: Masters Paradise
40426:RAT: Masters Paradise
40999:RAT: Diems Mutter
41666:RAT: Remote Boot Tool - RBT
41934:RAT: Ranck
42012:RAT: Net Control
43192:RAT: Invisible Socks4
43210:RAT: Schoolbus 1.6 & 2.0
44280:RAT: Amitis
44333:Winroute
44334:Kerio Firewall (Tiny Firewall)
44390:RAT: Amitis
44444:RAT: Prosiak
45632:RAT: LittleWitch
45654:RAT: Little Busters
45672:RAT: LMR
45673:RAT: Acropolis
45836:RAT: Worm.Graps
47221:RAT: 3x
47262:RAT: Delta Source
47387:RAT: Amitis
47557:DBBROWSE - Databeam Corporation
47806:AP - ALC Protocol
47808:BACNET - Building Automation and Control Networks
47878:RAT: BirdSpy
47891:RAT: Anti-Lamer
47899:RAT: Anti-Lamer
48512:RAT: Arctic
48522:RAT: Hale
49301:RAT: Online Keylogger
49683:RAT: HackIT (Holzpferd)
49684:RAT: HackIT (Holzpferd)
50000:RAT: Infector, Starline
50005:RAT: FLB
50505:RAT: Sockets de Troie
50766:RAT: Fore, Schwindler
50829:RAT: BirdSpy
51234:RAT: MoSucker, Cyn, Fearless Lite
51966:RAT: Cafeini
51985:RAT: Remote Hack
52317:RAT: Acid Battery 2000
52371:RAT: Alcatraz
52978:RAT: G-Spot Tight
53001:RAT: Remote Windows Shutdown
53201:RAT: Ranck
53559:RAT: NAT
54283:RAT: SubSeven, SubSeven 2.1 Gold
54312:RAT: Nova
54320:RAT: Back Orifice 2000, MasterU
54321:RAT: Back Orifice 2000, Schoolbus, MasterU
54541:RAT: CCCP
54896:RAT: Omega
55165:RAT: Poltergeist
55166:RAT: Poltergeist
55555:RAT: Delf.cc
55665:RAT: Pinochet
55666:RAT: Pinochet
56309:RAT: NK
56565:RAT: Osiris
57123:RAT: Mprox
57319:RAT: Nullbnc
57341:RAT: NetRaider
57785:RAT: G.R.O.B
58339:RAT: Butt Funnel
58343:RAT: ProRat
58666:RAT: Redkod
59090:RAT: Mantice
59211:RAT: Ducktoy
60000:RAT: DeepThroat 2.0 & 3.0, Foreplay or Reduced Foreplay, Sockets des Troie
60006:RAT: FLB
60014:RAT: Igloo
60068:RAT: Xzip 6000068
60101:RAT: MSN Log Thief
60411:RAT: Connection
60551:RAT: R0xR4t
60606:RAT: Cucum
60666:RAT: BasicHell
60757:RAT: UPIN
61337:RAT: Nota
61348:RAT: Bunker-Hill
61440:RAT: Dynod
61466:RAT: Telecommando
61603:RAT: Bunker-Hill
61822:RAT: LMR
62011:RAT: Ducktoy
62488:RAT: gosocks
62616:RAT: UPIN
62884:RAT: R.A.S 2002
63485:RAT: Bunker-Hill
63536:RAT: Insane Network 5
63878:RAT: Aphex FTP
63879:RAT: Aphex FTP
64000:RAT: Pitbul
64101:RAT: Taskman / Task Manager
64241:RAT: LANfiltrator
64275:RAT: Parasite
64666:RAT: RSM
65000:RAT: Devil, Sockets des Troie, Stacheldraht, R0xR4t
65008:RAT: Lanbyte
65010:RAT: R0xR4t
65124:RAT: LAN Hacker
65301:pcAnywhere
65390:RAT: Eclypse
65420:RAT: ZKT
65421:RAT: FTP.Alicia
65422:RAT: FTP.Alicia
65432:RAT: The Traitor (= th3tr41t0r)
65534:/sbin/initd
65535:HIPORT: up port telnet, RAT: RC1 trojan, Shit Heep, Peeper, Iddono
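A match in the list above is a lead, not a verdict: the listening port still has to be traced to the program that owns it. The following added example (not part of the original post or of DiamondCS's tooling) parses the `port:SERVICE - description, RAT: name, name` line format used above and ranks a set of listeners for investigation; the listener ports and process names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the list above, plus one malformed line.
SAMPLE_LIST = """\
8888:DDI-TCP-1 - NewsEDGE server TCP (TCP 1), RAT: RMF, DDoS.RAT.DarkIRC
8891:DDI-TCP-4 - Desktop Data TCP 3: NESS application
9090:WEBSM - IBM Web Based Systems Manager, VQSERVER - Free Web Server, SUN - Sun Java Web Administrator, RAT: Spy.Remote Packet Sniffer, MiniCommand
10000:NDMP - Network Data Management Protocol, RAT: Oracle, Ojo
22115:RAT:Cyn
27374:RAT: BadBlood, SubSeven 2.1+, Diems Mutter
65301:pcAnywhere
not a port line
"""

# Constructed (port, owning process) pairs, as a port enumerator would report them.
SAMPLE_LISTENERS = [
    (9090, "webadmin.exe"),
    (27374, "unknown_a.exe"),
    (65301, "remote_support.exe"),
    (5000, "svc.exe"),
]

# "port:rest" - only the first colon separates the port; descriptions may contain colons.
LINE = re.compile(r"^(\d{1,5}):(.*)$", re.ASCII)
# The "RAT:" marker starts the trojan names; it is not matched inside "DDoS.RAT.x".
RAT_MARKER = re.compile(r"(?:^|,\s*)RAT:\s*")


@dataclass
class PortEntry:
    port: int
    services: list = field(default_factory=list)  # legitimate uses named by the list
    rats: list = field(default_factory=list)      # trojan/RAT names named by the list


def parse_port_list(text):
    """Return {port: PortEntry}; lines that are not 'port:...' are skipped."""
    entries = {}
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue
        port = int(match.group(1))
        if port > 65535:
            continue
        parts = RAT_MARKER.split(match.group(2), maxsplit=1)
        # Comma splitting is a heuristic: a description containing a comma
        # would be split into two service names.
        services = [s.strip() for s in parts[0].split(",") if s.strip()]
        rats = []
        if len(parts) == 2:
            rats = [r.strip() for r in parts[1].split(",") if r.strip()]
        entry = entries.setdefault(port, PortEntry(port))
        entry.services += services
        entry.rats += rats
    return entries


def triage(listeners, entries):
    """Rank listeners: RAT-only ports first, then ambiguous, unlisted, known service."""
    order = {"rat-only": 0, "ambiguous": 1, "unlisted": 2, "service": 3}
    findings = []
    for port, process in listeners:
        entry = entries.get(port)
        if entry is None:
            verdict, names = "unlisted", []
        elif entry.rats and entry.services:
            verdict, names = "ambiguous", entry.services + entry.rats
        elif entry.rats:
            verdict, names = "rat-only", entry.rats
        else:
            verdict, names = "service", entry.services
        findings.append(
            {"port": port, "process": process, "verdict": verdict, "names": names}
        )
    findings.sort(key=lambda f: (order[f["verdict"]], f["port"]))
    return findings


if __name__ == "__main__":
    table = parse_port_list(SAMPLE_LIST)
    for f in triage(SAMPLE_LISTENERS, table):
        listed = ", ".join(f["names"]) or "-"
        print(f'{f["port"]:>5}  {f["verdict"]:<9}  {f["process"]:<20}  {listed}')
```

The verdict only orders the work; the next step for each row is to check the owning process's path, signature and start-up entry.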
Moore
#############################################################################

Main TCP/UDP ports
0
Commonly used to help determine the operating system. This works because on some systems, port 0 is "invalid" and will generate a different response when you connect to it vs. a normal closed port. One typical scan uses a destination IP address of 0.0.0.0 and sets the ACK bit, with broadcast at the Ethernet layer.

1
tcpmux Indicates someone searching for SGI Irix machines. Irix is the only major vendor that has implemented tcpmux, and it is enabled by default on Irix machines. Irix machines ship with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to close these accounts after installation. Therefore, hackers scan the Internet looking first for tcpmux, then these accounts. [ CA-1995-15 RFC 1078 ]

7
Echo You will see lots of these from people looking for fraggle amplifiers sent to addresses of x.x.x.0 and x.x.x.255.
A common DoS attack is an echo-loop, where the attacker forges a UDP from one machine and sends it to the other, then both machines bounce packets off each other as fast as they can (see also chargen). [CA-96.01]

Another common thing seen is TCP connections to this port by DoubleClick. They use a product called "Resonate Global Dispatch" that connects to this port on DNS servers in order to locate the closest one.

Harvest/squid caches will send these UDP echoes from port 3130. To quote their document: If the cache is configured with source_ping on, it also bounces a HIT reply off the original host's UDP echo port. It can generate a lot of these packets.

11
sysstat This is a UNIX service that will list all the running processes on a machine and who started them. This gives an intruder a huge amount of information that might be used to compromise the machine, such as indicating programs with known vulnerabilities or user accounts. It is similar to the contents that can be displayed with the UNIX "ps" command. This service is usually disabled; scans for this don't expect to actually succeed most of the time.
Some people come here looking for ICMP port 11. To repeat: firewall logs are confusing, ICMP doesn't have ports; if you see something that says "ICMP port 11", you probably want ICMP type=11.

19
chargen This is a service that simply spits out characters for testing purposes. The UDP version will respond with a packet containing garbage characters whenever a UDP packet is received. On a TCP connection, it spits out a stream of garbage characters until the connection is closed. Hackers can take advantage of IP spoofing for denial of service attacks. Forging UDP packets between two chargen servers, or a chargen and echo can overload links as the two servers attempt to infinitely bounce the traffic back and forth. Likewise, the "fraggle" DoS attack broadcasts a packet destined to this port with a forged victim address, and the victim gets overloaded with all the responses. [CA-96.01]

21
FTP The most common attack you will see are hackers/crackers looking for "open anonymous" FTP servers. These are servers with directories that can be written to and read from. Hackers/crackers use these machines as way-points for transferring warez (pirated programs) and pr0n (intentionally misspelled word to avoid search engines classifying this document).
In early 2003, I occasionally see people trying to exploit the FTP server using a wide spectrum of vulnerabilities. For example, I see them try several kinds of buffer-overflows.

22 ssh
pcAnywhere SSH is a popular way to remotely run a command-prompt on systems, primarily UNIX systems. It provides secure authentication and encryption, so it is especially popular among security professionals. There is a commercial version by the company that originally created it, a popular open-source OpenSSH alternative, and many other compatible versions.
In 2002, numerous vulnerabilities in most all versions were discovered, exploited, and routinely scanned for. Many security professionals had their boxes compromised through SSH -- in many cases, SSH was the only service they had remotely reachable.

Also note that the ssh package comes with a program called make-ssh-known-hosts that will scan a domain for ssh hosts. You will sometimes be scanned from innocent people running this utility.

UDP (rather than TCP) packets directed at this port along with port 5632 indicate a scan for pcAnywhere.
The number 5632 is (hex) 0x1600, which byte-swapped is 0x0016, which is 22 decimal.

[CA-2002-36] [CA-2002-18] [CA-2001-35] [CA-1999-15]

23 Telnet
Telnet is the most popular protocol for getting a remote command line.
The most common use by scanners is to get the "banner" that prompts the user for a login name. The banner tells a lot about the system -- often the attacker isn't so much interested in actually exploiting Telnet as in figuring out more about the system when attacking other ports.

As of 2002, most attackers are interested in finding network equipment such as switches and routers, especially Cisco equipment. When my honeypot gives them a command prompt, they spend more time trying out Cisco commands than they do things like "uname" to figure out what system they are running on.

Historically (and still common as of 2002), hackers look for Unix systems with default accounts. They will try a series of logon names and empty passwords. Since Unix systems have largely fixed this problem of default accounts, this has become a less popular attack.

25 SMTP
SMTP (Simple Mail Transfer Protocol) is the protocol that transfers virtually all the world's e-mail.
Scans against this port are almost certainly coming from spammers (and occasionally anti-spammers) looking for "open relays". An open relay is a mail server that will accept e-mail from anyone and forward it on. This allows the spammer to hide behind the relay, as well as take advantage of the fact that they can submit one e-mail with 20 recipients -- and the relay will do the job of sending copies to each recipient. This lowers the spammer's bandwidth costs.

Note that there continue to be vulnerabilities in mail servers themselves.

53 DNS
DNS (Domain Name Service) is a core Internet protocol; it translates names into Internet addresses (like a phonebook translates names into phone numbers). It is so important that when DNS servers go down, users usually think the Internet itself has gone down.
Ways of breaking into DNS servers are frequently discovered, such as the BIND exploit in 2002. The BIND (Berkeley Internet Name Daemon) is the most popular DNS server. Many UDP packets you see rejected by the firewall are looking for the name "version.bind", which will tell the hacker what version of BIND you are (hopefully) running, and therefore which exploits they can run to break into your service. If you put a vulnerable version of BIND on the Internet, it will likely be compromised in a few days.

DNS information tells the hacker a lot about the intended victim. Rejected TCP attempts probably reflect a desire by the hacker to do a "zone transfer", which will list all the computers in your domain. Victims often name systems in ways that help hackers figure out what is going on, such as "cisco-rtr.example.com" or "payroll.example.com".

Since DNS is such an important protocol to the Internet, firewall administrators often allow port 53 when they shouldn't. They sacrifice security in order to get ease-of-use and reliability. This allows hackers to use port 53 for protocols other than DNS. An important thing to note is that you will frequently see port 53 used as the source UDP port. Stateless firewalls frequently allow such traffic on the assumption that it is a response to a DNS query. Hackers are increasingly exploiting this to pierce firewalls.

67 and 68 bootp DHCP
DHCP (and the older version, BOOTP) are the protocols that assign your desktop computer an IP address.
Firewalls will see (and reject) a lot of DHCP requests from your local network. This is an interesting problem with cable and DSL modems, because they create "virtual" local networks including people in your nearby physical neighborhood. You can identify these local requests because they are not sent to you, but are instead sent to what's called the "local broadcast" address: 255.255.255.255. These machines are asking for an address assignment from a DHCP server. You could probably hack into them by giving them such an assignment and specifying yourself as the local router, then execute a wide range of man-in-the-middle attacks. The client requests configuration on a broadcast to port 68 (bootps). The server broadcasts back the response to port 67 (bootpc). The response uses some type of broadcast because the client doesn't yet have an IP address that can be sent to.

You rarely see attackers from remote parts of the Internet trying to exploit DHCP vulnerabilities.

As of 2003, an important exploit has been found in a DHCP service, so remote hackers may start scanning for this. [CA-2003-01]

69 TFTP (over UDP). Many servers support this protocol in conjunction with BOOTP in order to download boot code to the system. However, they are frequently misconfigured to provide any file from the system, such as password files. They can also be used to write files to the system.
79 finger Hackers are trying to:
discover user information
fingerprint the operating system
exploit known buffer-overflow bugs
bounce finger scans through your machine to other machines.

80 http Prior to 2003, I did not include an entry for this port. Presumably, you would know what port 80 meant without this guide having to tell you. However, an enormous number of worms infecting Windows and Unix systems are now using this port, so I am including it for worm discussion.
98 linuxconf The utility "linuxconf" provides easy administration of Linux boxen. It includes a web-enabled interface at port 98 through an integrated HTTP server. It has had a number of security issues. Some versions are setuid root, trust the local network, create world-accessible files in /tmp, and have a buffer overflow in the LANG environment variable. Also, because it contains an integrated web server, it may be vulnerable to many of the typical HTTP exploits (buffer overruns, directory traversal using ../.., etc.).
109 POP2 POP2 is not nearly as popular as POP3 (see below), but many servers support both (for backwards compatibility). Many of the holes that can be exploited on POP3 can also be exploited via the POP2 port on the same server.
110 POP3 POP3 is used by clients accessing e-mail on their servers. POP3 services have many well-known vulnerabilities. At least 20 implementations are vulnerable to a buffer overflow in the username or password exchange (meaning that hackers can break in at this stage before really logging in). There are other buffer overflows that can be executed after successfully logging in.
111 sunrpc
portmap
rpcbind Sun RPC PortMapper/RPCBIND. Access to portmapper is the first step in scanning a system looking for all the RPC services enabled, such as rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. If the intruder finds the appropriate service enabled, s/he will then run an exploit against the port where the service is running.
Note that by putting a logging daemon, IDS, or sniffer on the wire, you can find out what programs the intruder is attempting to access in order to figure out exactly what is going on.

113 identd
auth This is a protocol that runs on many machines that identifies the user of a TCP connection. In standard usage this reveals a LOT of information about a machine that hackers can exploit. However, it is used by a lot of services by loggers, especially FTP, POP, IMAP, SMTP, and IRC servers. In general, if you have any clients accessing these services through a firewall, you will see incoming connection attempts on this port. Note that if you block this port, clients will perceive slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back a RST on the TCP connection as part of the blocking procedure, which will stop these slow connections.
119 NNTP
news Network News Transfer Protocol, carries USENET traffic. This is the port used when you have a URL like news://comp.security.firewalls. Attempts on this port are usually by people hunting for open USENET servers. Most ISPs restrict access to their news servers to only their customers. Open news servers allow posting and reading from anybody, and are used to access newsgroups blocked by someone's ISP, to post anonymously, or to post spam.
Update: @Home has started scanning their subscribers to see if they are running USENET servers. They are doing this in order to find these servers and close them before spammers can take advantage of them.

135 loc-serv
MS RPC end-point mapper As of 2003, the most common reason you see port 135/udp is because of WinPopup/Messenger spam. This is a feature in Windows that allows system administrators to notify employees of unusual events, such as the network or file servers about to be rebooted. However, spammers have found a way to subvert this and use this mechanism to send popup messages on the victim's desktop.
Microsoft runs its DCE RPC end-point mapper for its DCOM services at this port. This has much the same functionality as port 111 for UNIX systems. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When clients remotely connect to the machine, they query the end-point mapper to find out where the service is. Likewise, hackers can scan the machine on this port in order to find out such things as "is Exchange Server running on this machine, and which version?".

This port is often hit in order to scan for services (for example, using the "epdump" utility), but this port may also be attacked directly. Currently, there are a few denial-of-service attacks that can be directed at this port.

No RPC service except the endpoint mapper runs on this port, except that "broadcast" messages intended for other RPC services can be forwarded through this port.

137 NetBIOS
name service
nbtstat (UDP) This is the most common item seen by firewall administrators and is perfectly normal. Please read the NetBIOS section below for more details.
139 NetBIOS
File and Print Sharing Incoming connections to this port are trying to reach NetBIOS/SMB, the protocols used for Windows "File and Print Sharing" as well as SAMBA. People sharing their hard disks on this port are probably the most common vulnerability on the Internet.
2000
Attempts on this port were common at the beginning of 1999, but tapered off near the end. Now at the start of year 2000, attempts on this port have picked up again. Several VBS (IE5 VisualBasic Scripting) worms have appeared that attempt to copy themselves on this port. Therefore, it may be worms attempting to propagate on this port.
2001
In late 2001 and early 2002, the Nimda worm would share the C$ drive when it infected a machine. Many attempts against this port are from people scanning for drives left open by Nimda.
2002
In late 2002, the ALEVIR worm is propagating heavily throughout the Internet infecting Win95/Win98/WinMe machines. These have a bug that allows a hacker to connect to a password-protected share by using only the first character of a password, which is easy to guess. Most connection attempts to port 139 are from this worm.
future
WinXP is moving away from using port 139, more and more ISPs are blocking it.
143 IMAP4 Same security idea as POP3 above, numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for a while, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when RedHat enabled the service by default on its distributions. In fact, this may have been the first widely scanned for exploit since the Morris Worm.
This port is also used for IMAP2, but that version wasn't very popular.

Several people have noted attacks from port 0 to port 143, which appears to be from some attack script.

161 SNMP (UDP) A very common port that intruders probe for. SNMP allows for remote management of devices. All the configuration and performance information is stored in a database that can be retrieved or set via SNMP. Many managers mistakenly leave this available on the Internet. Crackers will first attempt to use the default passwords "public" and "private" to access the system; they may then attempt to "crack" the password by trying all combinations.
SNMP packets may be mistakenly directed at your network. Windows machines running HP JetDirect remote management software use SNMP, and misconfigured machines are frequent. HP OBJECT IDENTIFIERs will be seen in the packets. Newer versions of Win98 will use SNMP for name resolution; you will see packets broadcast on local subnets (cable modem, DSL) looking up sysName and other info.

In early 2002, a university in Finland released its "PROTOS" tool that demonstrated many flaws in popular SNMP implementations. These flaws had been known for more than a decade, but this was the first time security implications were shown for these flaws.

162 SNMP trap Probably a misconfiguration.
177 xdmcp Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed.
445 NetBIOS
File and Print Sharing See port 139 for more information.
In Windows 2000 and Windows XP, port 445 is essentially a duplicate of port 139. These ports are used for Microsoft's file and printer sharing, remote registry access, named pipes services, and many MS-RPC services. The difference is that port 139 supports these services on top of NetBIOS, whereas port 445 gets rid of this middleman, supporting these services directly over TCP/IP.

Whereas many ISPs now filter port 139, many do not filter port 445. As of mid-2002, we are seeing more scans for port 445 as hackers learn to get around port 139 filters. In late 2002, we are seeing worms propagate via this port.

513 rwho Probably from UNIX machines on your DSL/cable-modem segment broadcasting who is logged into their servers. These people are kindly giving you really interesting information that you can use to hack into their systems.
515 lp
printer This is the standard protocol for remote printing on UNIX systems. Virtually every UNIX system from Sun Solaris to Linux will listen on this port. In addition, most laser printers support this protocol as well. There are widespread vulnerabilities on this port, due either to vulnerabilities in the protocol itself, or vulnerabilities in printer-specific drivers behind this port. The RedHat 7 LPRng bug was exploited by the Ramen worm in early 2001.
As of late 2002, this is one of the more common ports probed, both because of Linux worms propagating, but also from hackers looking for well-known vulnerabilities.

535 CORBA
IIOP (UDP) If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA is an object-oriented remote procedure call (RPC) system. It is highly likely that when you see these broadcasts, you can use the information to hack back into the systems generating these broadcasts. There are many exploits possible against this port, but as of August 2002, they haven't been reported to Bugtraq yet.
600 pcserver
backdoor See port 1524 for more info.
Some script kiddies feel they're contributing substantially to the exploit programs by making a minor change from ingreslock to pcserver in constant text... -- Alan J. Rosenthal.

635 mountd Linux mountd bug. This is a popular bug that people are scanning for. Most scans on this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports simultaneously). Note that mountd can run at any port (for which you must first do a portmap lookup at port 111), it's just that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049.
1024 ----- Many people ask the question what this port is used for. The answer is that this is the first port number in the dynamic range of ports. Many applications don't care what port they use for a network connection, so they ask the operating system to assign the "next freely available port". In point of fact, they ask for port 0, but are assigned one starting with port 1024. This means the first application on your system that requests a dynamic port will be assigned port 1024. You can test this fact by booting your computer, then in one window open a Telnet session, and in another window run "netstat -a". You will see that the Telnet application has been assigned port 1024 for its end of the connection. As more applications request more and more dynamic ports, the operating system will assign increasingly higher port numbers. Again, you can watch this effect with 'netstat' as you browse the Internet with your web browser, as each web-page requires a new connection.
1025 ----- See port 1024.
1026 ----- See port 1024.
1027 ----- See port 1024.
1080 SOCKS This protocol tunnels traffic through firewalls, allowing many people behind the firewall access to the Internet through a single IP address. In theory, it should only tunnel inside traffic out towards the Internet. However, it is frequently misconfigured and allows hackers/crackers to tunnel their attacks inwards, or simply bounce through the system to other Internet machines, masking their attacks as if they were coming from you. WinGate, a popular Windows personal firewall, is frequently misconfigured this way.
In the year 2000, much activity on this port was for the purpose of connecting to IRC chatrooms. Usually the goal was to DoS the chatroom. For this reason, most IRC servers will now scan your machine for SOCKS out of self-defense: they want to make sure that you are a legitimate user and not somebody who left the SOCKS service running that a hacker is tunneling through.

In the year 2003, most of this activity is now by spammers. They are looking for SOCKS servers in order to funnel spam through. This hides the original source of the spam.

There are several websites that maintain lists of open SOCKS servers. In 2002, most of the scans I see were from people who maintain these lists.

1114 SQL This is rarely probed by itself, but is almost always seen as part of the sscan script.
1243 Sub-7 Trojan Horse (TCP). See the section on SubSeven for more details.
1433 MS SQL Microsoft runs its SQL database server on this port.
In the year 2002, several worms started exploiting this port. See section 11.2 for more information.

1434 MS SQL Service Discovery Protocol worm Microsoft's SQL server uses this port for discovery of SQL services on the local LAN.
On January 26, 2003, the SQLslammer worm took down parts of the Internet in the early hours of the morning. It took advantage of a buffer overflow on this service. Administrators quickly responded by widely configuring packet filters throughout the Internet, so by the time many people woke up in the morning in the U.S., much of the problem had gone away. See section 11.3 for more info.

1524 ingreslock
backdoor Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). If you've just installed your firewall and are seeing connection attempts on this port, then this may be the cause. Try telnetting to the attempted machine in order to see if it indeed comes up with a shell. Connections to port 600/pcserver also have this problem. [IN-99-04]
2049 NFS The NFS program usually runs at this port. Normally, access to portmapper is needed to find which port this service runs on, but since most installations run NFS on this port, hackers/crackers can bypass portmapper and try this port directly.
2766 listen
npls Used by Sun Solaris boxes as a printer service, alternative to the standard printer on port 515. Exploit scripts against Solaris machines will frequently bind a shell to this port, similar to the ingreslock port. In particular, a well-known exploit against the snmpXdmid vulnerability left behind a shell on this port.
3128 squid This is the default port for the "squid" HTTP proxy. An attacker scanning for this port is likely searching for a proxy server they can use to surf the Internet anonymously. You may see scans for other proxies at the same time, such as at port 8000/8001/8080/8888. Another cause of scans at this port, for a similar reason, is when users enter chatrooms. Other users (or the servers themselves) will attempt to check this port to see if the user's machine supports proxying. See section 5.3 for more info.

5632 pcAnywhere You may see lots of these, depending on the sort of segment you are on. When a user opens pcAnywhere, it scans the local Class C range looking for potential agents. Hackers/crackers also scan looking for open machines, so look at the source address to see which it is. Some scans for pcAnywhere frequently also include a UDP packet to port 22. See dialup probes for more info.

6776 Sub7 artifact This port is used separately from the SubSeven main port to transfer data. One example where you might see this is when a master is controlling a slave on a dialup line, then the slave machine hangs up. Therefore, when someone else dials in at that IP address, they will see a continuous stream of connection attempts at this port.

6970 RealAudio Clients receive incoming audio streams from servers on UDP ports in the range 6970-7170. This is set up by the outgoing control connection on TCP port 7070.

13223 PowWow The "PowWow" chat program from Tribal Voice. It allows users to open up private chat connections with each other on this port. The program is very aggressive at trying to establish the connection and will "camp" on the TCP port waiting for a response. This causes a connection attempt at regular intervals like a heartbeat. This can be seen by dial-up users who inherit IP addresses from somebody who was chatting with other people: it will appear as if many different people are probing that port. The protocol uses the letters "OPNG" as the first four bytes of its connection attempt.

17027 Conducent Outbound: This is seen on outbound connections. It is caused by users inside the corporation who have installed shareware programs using the Conducent "adbot" wrapper. This wrapper shows advertisements to users of the shareware. A popular shareware program that uses this is PKware. Bill Royds mentions that in his experience, you can block this outbound connection with no problem, but if you block the IP addresses themselves, then the adbots can overload the link trying to reach the servers by continually connecting many times per second.
The machines will attempt to resolve the DNS name "ads.conducent.com", which resolves to the IP addresses:

216.33.210.40
216.33.199.77
216.33.199.80
216.33.199.81
216.33.210.41
These addresses are hosted by Exodus.

27374 Sub-7 Trojan Horse (TCP). See the section on SubSeven for more details.
Also used as a backdoor port left behind by exploit scripts, such as those in the Ramen worm. While some scans for this port may be due to SubSeven, others may be looking for a remote shell.

30100 NetSphere Trojan Horse (TCP). This is a commonly seen scan looking for systems compromised by this trojan.

31337 Back Orifice
"elite" This number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T). Lots of hacker/cracker backdoors run at this port, but the most important is Back Orifice. At one time, this was by far the most popular scan on the Internet. These days, its popularity is waning and other remote access trojans are becoming popular.

31789 Hack-a-tack UDP traffic on this port is currently being seen due to the "Hack-a-tack" RAT (Remote Access Trojan). This trojan includes a built-in scanner that scans from port 31790, so any packets FROM 31789 TO 31790 indicate a possible intrusion. (Port 31789 is the control connection; port 31790 is the file transfer connection.)

32770 ~ 32900 RPC services Sun Solaris puts most of its RPC services in this range. In particular, older versions of Solaris (pre-2.5.1) put a portmapper in this range, allowing hackers access to this even when low ports are blocked by a firewall. Probes in this range might either be for this portmapper, or for known RPC services that can be exploited.
33434 - 33600 traceroute If you see a series of UDP packets within this port range (and only within this range), then it is probably indicative of traceroute. See traceroute for more info.
41508 Inoculan Inoculan on UDP. Older versions of Inoculan apparently generate huge quantities of UDP traffic directed at subnets in order to discover each other.

More info can be found at http://www.circlemud.org/~jelson/software/udpsend.html and http://www.ccd.bnl.gov/nss/tips/inoculan/index.html. Thanks to Jerry Leslie, NeoNET <leslie at clio dot rice dot edu>

################################################################################
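Added example (not part of the original post or the port list it quotes): a small triage script that applies three of the rules of thumb above to dropped-packet logs, namely the "UDP only, and only within 33434-33600" traceroute test, the multi-port proxy sweep (1080/3128/8000/8001/8080/8888), and per-port notes. The log format, the sample lines, the function name triage and the minimum of 3 packets for "a series" are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (addresses are documentation ranges).
SAMPLE_LOG = """\
DROP UDP 198.51.100.7:40112 -> 203.0.113.5:33434
DROP UDP 198.51.100.7:40112 -> 203.0.113.5:33435
DROP UDP 198.51.100.7:40112 -> 203.0.113.5:33436
DROP TCP 192.0.2.44:3391 -> 203.0.113.5:1080
DROP TCP 192.0.2.44:3392 -> 203.0.113.5:3128
DROP TCP 192.0.2.44:3393 -> 203.0.113.5:8080
DROP UDP 192.0.2.90:1045 -> 203.0.113.5:1434
DROP UDP 192.0.2.90:1046 -> 203.0.113.5:33440
DROP TCP 192.0.2.12:2201 -> 203.0.113.5:445
"""

LINE = re.compile(r"^\w+ (TCP|UDP) ([\d.]+):\d+ -> [\d.]+:(\d+)$")
PROXY_PORTS = {1080, 3128, 8000, 8001, 8080, 8888}
NOTES = {  # (protocol, destination port) -> note based on the list entries
    ("TCP", 445): "file and print sharing probe",
    ("TCP", 1524): "ingreslock backdoor shell check",
    ("UDP", 1434): "MS SQL service discovery (SQLslammer vector)",
    ("TCP", 27374): "Sub-7 or leftover remote shell check",
}

def triage(log_text):
    """Group dropped packets by source address and label each source."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            seen[m.group(2)].add((m.group(1), int(m.group(3))))
    verdicts = {}
    for src, hits in seen.items():
        ports = {port for _, port in hits}
        # Traceroute: every packet is UDP and inside 33434-33600, nothing else.
        # Requiring 3 distinct ports for "a series" is an assumed threshold.
        if all(pr == "UDP" and 33434 <= p <= 33600 for pr, p in hits) and len(hits) >= 3:
            verdicts[src] = "probable traceroute"
        elif len(ports & PROXY_PORTS) >= 2:
            verdicts[src] = "open-proxy sweep"
        else:
            labels = sorted(NOTES.get(h, "unclassified %s/%d" % h) for h in hits)
            verdicts[src] = "; ".join(labels)
    return verdicts

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, "->", verdict)
```

The third source shows why the "only within this range" condition matters: one packet to 33440 mixed with a 1434 probe is not labelled as traceroute.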
r00ted
w00t now i don't have to download it.
lol