WordType Designs
Driven To Distractions©
The Sound of One Hand Clapping©


Archive Date
[ 11-06-2000 ]
Category
[ Information Technologies ]
Sub-Category
[ Science & Technology ]

      Intrusion Detection - Well known Port Numbers

      What port numbers do well-known trojan horses use?

      After seeing several questions about trojan traffic directed at ports such as 31337 and 12345 I've put together a list of all trojans known to me and the default ports they are using. Of course several of them could use any port, but I hope this list will maybe give you a clue of what might be going on.

        port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
        port 23 - Tiny Telnet Server
        port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy
        port 31 - Hackers Paradise
        port 80 - Executor
        port 456 - Hackers Paradise
        port 555 - Ini-Killer, Phase Zero, Stealth Spy
        port 666 - Satanz Backdoor
        port 1001 - Silencer, WebEx
        port 1011 - Doly Trojan
        port 1170 - Psyber Stream Server, Voice
        port 1234 - Ultors Trojan
        port 1245 - VooDoo Doll
        port 1492 - FTP99CMP
        port 1600 - Shivka-Burka
        port 1807 - SpySender
        port 1981 - Shockrave
        port 1999 - BackDoor
        port 2001 - Trojan Cow
        port 2023 - Ripper
        port 2115 - Bugs
        port 2140 - Deep Throat, The Invasor
        port 2801 - Phineas Phucker
        port 3024 - WinCrash
        port 3129 - Masters Paradise
        port 3150 - Deep Throat, The Invasor
        port 3700 - Portal of Doom
        port 4092 - WinCrash
        port 4590 - ICQTrojan
        port 5000 - Sockets de Troie
        port 5001 - Sockets de Troie
        port 5321 - Firehotcker
        port 5400 - Blade Runner
        port 5401 - Blade Runner
        port 5402 - Blade Runner
        port 5569 - Robo-Hack
        port 5742 - WinCrash
        port 6670 - DeepThroat
        port 6771 - DeepThroat
        port 6969 - GateCrasher, Priority
        port 7000 - Remote Grab
        port 7300 - NetMonitor
        port 7301 - NetMonitor
        port 7306 - NetMonitor
        port 7307 - NetMonitor
        port 7308 - NetMonitor
        port 7789 - ICKiller
        port 9872 - Portal of Doom
        port 9873 - Portal of Doom
        port 9874 - Portal of Doom
        port 9875 - Portal of Doom
        port 9989 - iNi-Killer
        port 10067 - Portal of Doom
        port 10167 - Portal of Doom
        port 11000 - Senna Spy
        port 11223 - Progenic trojan
        port 12223 - Hack'99 KeyLogger
        port 12345 - GabanBus, NetBus
        port 12346 - GabanBus, NetBus
        port 12361 - Whack-a-mole
        port 12362 - Whack-a-mole
        port 16969 - Priority
        port 20001 - Millennium
        port 20034 - NetBus 2 Pro
        port 21544 - GirlFriend
        port 22222 - Prosiak
        port 23456 - Evil FTP, Ugly FTP
        port 26274 - Delta
        port 31337 - Back Orifice
        port 31338 - Back Orifice, DeepBO
        port 31339 - NetSpy DK
        port 31666 - BOWhack
        port 32100 - "B" [added by C.K.]
        port 33333 - Prosiak
        port 34324 - BigGluck, TN
        port 40412 - The Spy
        port 40421 - Masters Paradise
        port 40422 - Masters Paradise
        port 40423 - Masters Paradise
        port 40426 - Masters Paradise
        port 47262 - Delta
        port 50505 - Sockets de Troie
        port 50766 - Fore
        port 53001 - Remote Windows Shutdown
        port 61466 - Telecommando
        port 65000 - Devil

      You'll find the list at the following address:
      http://www.simovits.com/nyheter9902.html (still in Swedish but it will be translated in the near future).

      To help anyone to detect trojan attacks, I'm planning to add information about the original names of the executables, their size, where they usually are hiding, and the names of any help files they may use. I will also add tools or links to tools that may be of assistance to you. Feel free to get back to me with any comments or suggestions. If you find new trojans I'd love to get my hands on them, but please mail me first, as I don't need more than one copy. If you have live experience of trojan attacks I'm interested to read about your findings.

      Joakim joakim.von.braun@risab.se
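
One way to apply the list when triaging firewall logs, added here as an example and not part of the original post. The log format, the internal prefix `192.0.2.`, the sweep threshold and all addresses are assumptions, and only a subset of the listed ports is included.

```python
import re
from collections import defaultdict

# Subset of the page's list (port -> names); the other entries are added the same way.
TROJAN_PORTS = {
    21: ["Blade Runner", "Doly Trojan", "Fore", "Invisible FTP", "WebEx", "WinCrash"],
    80: ["Executor"],
    12345: ["GabanBus", "NetBus"],
    20034: ["NetBus 2 Pro"],
    31337: ["Back Orifice"],
}
# Listed ports that also carry ordinary FTP/telnet/SMTP/HTTP; a hit alone is weak.
SERVICE_PORTS = {21, 23, 25, 80}
INTERNAL_PREFIX = "192.0.2."  # assumption: the protected network

# Constructed sample lines; the log format is an assumption for this example.
SAMPLE_LOG = """\
10:00:01 ACCEPT TCP 203.0.113.7:4021 -> 192.0.2.10:80
10:00:02 DROP TCP 203.0.113.9:3301 -> 192.0.2.10:12345
10:00:02 DROP UDP 203.0.113.9:3302 -> 192.0.2.11:31337
10:00:03 DROP TCP 203.0.113.9:3303 -> 192.0.2.12:20034
10:00:05 ACCEPT TCP 192.0.2.20:12345 -> 198.51.100.4:1042
10:00:06 garbled line
"""
LINE = re.compile(r"^\S+ (ACCEPT|DROP) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

def triage(log_text, sweep_threshold=3):
    """Return (findings, sweepers): per-line labels and sources probing many listed ports."""
    findings, ports_by_src = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of guessing
        action, _proto, src, sport, dst, dport = m.groups()
        sport, dport = int(sport), int(dport)
        if dport in TROJAN_PORTS:
            label = "ambiguous-service-port" if dport in SERVICE_PORTS else "probe"
            if label == "probe":
                ports_by_src[src].add(dport)
            findings.append((label, src, dst, dport, TROJAN_PORTS[dport]))
        elif (sport in TROJAN_PORTS and sport not in SERVICE_PORTS
              and src.startswith(INTERNAL_PREFIX) and action == "ACCEPT"):
            # Internal host sending FROM a listed port: a listener may be replying, or the
            # port is a coincidental ephemeral one; inspect the host before concluding.
            findings.append(("check-host", src, dst, sport, TROJAN_PORTS[sport]))
    sweepers = {s for s, p in ports_by_src.items() if len(p) >= sweep_threshold}
    return findings, sweepers
```

A port match is only a lead, as the post says: the names attached to a finding are candidates to check on the host, not an identification.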

      © 1999 SANS Institute : Office 301.951.0102 : Registration 719.599.4303 : Web Contact scott@sans.org



Copyright and Fair Use Information: The contents of this web site are protected by international copyright laws and may not be reproduced in any form or manner whatsoever, if for the purpose of resale or solicitation of a donation. The essays included here may be reproduced only if: 1) they are not altered in any way; 2) reproductions are accompanied by this copyright page; and 3) they are given freely and without charge.
Fair use: The fair use of copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified in above sections, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is fair use, the factors to be considered include: (1) the purpose and character of the use, including whether the use is of a commercial nature or is for nonprofit educational purposes; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and (4) the effect of the use upon the potential market value of the copyrighted work.

Copyright © 2025. All Rights Reserved