HIGH RISK PORTS


Description:

The graphs presented here display high-risk network ports on which inbound connections have been identified and dropped, either at PacketViper contributor sites or on our global honeypots.

Port Risks Explained:

RDP Port 3389: Could Allow Remote Code Execution

A vulnerability in the RDP server service could allow remote code execution if an attacker sends a specially crafted sequence of packets to a system on which the Remote Desktop Protocol (RDP) server service is enabled and reachable. Systems that do not have the RDP server service enabled are not at risk from this flaw. Even when patched, an RDP listener exposed to the Internet draws constant credential guessing, so it should be reachable only through a VPN or a remote desktop gateway.

Microsoft SQL Server Port 1433 (SQL Injection):

TCP port 1433 is the default listener for Microsoft SQL Server. SQL Injection is the hacking technique that passes SQL commands (statements) through a web application for execution by the backend database: if the application does not validate its input properly, an attacker can read information from the database or even wipe it out. Exposing port 1433 itself is a separate and more direct risk: an attacker who can reach the listener does not need the web application at all and can attack the database accounts directly (password guessing against the sa account, for example), so the port should be filtered to trusted hosts only.
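An added illustration of the injection the paragraph describes (this is example code, not PacketViper's). It uses Python's built-in sqlite3 as a stand-in for a SQL Server backend, since the injection mechanics are identical; the users table and the attack payload are constructed for the example and not taken from any real system.

```python
import sqlite3

# Constructed sample data (not from the page): a small users table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# A classic tautology payload: closes the quoted string and appends an always-true condition.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """DELIBERATELY VULNERABLE: the user-supplied value is spliced into the SQL text,
    so a quote in the input changes the shape of the query the database runs."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the value travels as a bound parameter. The driver never
    interprets it as SQL, so the query shape is fixed at write time."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run the same payload through both functions and report how many rows leak."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, INJECTION_PAYLOAD)),  # every row
        "safe_rows": len(lookup_safe(conn, INJECTION_PAYLOAD)),              # no user has that name
        "normal_rows": len(lookup_safe(conn, "alice")),                      # legitimate lookup still works
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the vulnerable function the query the database actually sees is `SELECT ... WHERE name = '' OR '1'='1'`, which matches every row; with the parameterized version the same string is just a name nobody has. Against a real SQL Server backend the impact is larger than in this sqlite3 stand-in, because T-SQL accepts stacked statements, so the "wipe it out" case from the paragraph (a terminating quote followed by `; DROP TABLE ...`) is a practical payload there.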

Portmapper Port 111

Portmapper (rpcbind) maps ONC RPC program numbers to the ports they listen on for Unix-based systems. The port is frequently probed: a single unauthenticated query returns the list of registered RPC programs, which fingerprints the *nix host and reveals what services (NFS, NIS, mountd and the like) are available and on which ports. It is used with NFS, NIS, or any RPC-based service, listens on both TCP and UDP 111, and the UDP side is also abused as a reflector for amplification attacks because the reply is much larger than the request.
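The probe described above, as an added example that is not PacketViper's code: it builds the unauthenticated PMAPPROC_DUMP call that tools such as rpcinfo -p send to port 111 and decodes the registration list that comes back (ONC RPC v2 framing per RFC 5531, portmapper v2 per RFC 1833). The sample reply is constructed here, not captured from a real host, and the query_portmapper helper, which needs network access, is an assumed convenience for use against a host you are authorized to test.

```python
import socket
import struct

# ONC RPC v2 and portmapper v2 constants.
RPC_VERSION = 2
RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
PMAP_PROG, PMAP_VERS, PMAP_DUMP = 100000, 2, 4
IPPROTO_NAMES = {6: "tcp", 17: "udp"}


def build_dump_request(xid):
    """Encode an RPC CALL for PMAPPROC_DUMP with AUTH_NULL credentials and verifier (40 bytes)."""
    return struct.pack(
        "!10I",
        xid, RPC_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAP_DUMP,
        0, 0,  # credentials: flavor AUTH_NULL, opaque length 0
        0, 0,  # verifier:    flavor AUTH_NULL, opaque length 0
    )


def build_dump_reply(xid, mappings):
    """Encode a DUMP reply the way rpcbind does (used here only to construct offline sample data)."""
    out = struct.pack("!6I", xid, RPC_REPLY, MSG_ACCEPTED, 0, 0, SUCCESS)
    for prog, vers, proto, port in mappings:
        out += struct.pack("!5I", 1, prog, vers, proto, port)  # 1 = another entry follows
    return out + struct.pack("!I", 0)                          # 0 = end of list


def parse_dump_reply(data, xid):
    """Decode the pmaplist of a DUMP reply into (prog, vers, proto, port) tuples."""
    r_xid, msg_type, reply_stat = struct.unpack_from("!3I", data, 0)
    if r_xid != xid or msg_type != RPC_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("not a matching accepted RPC reply")
    _verf_flavor, verf_len = struct.unpack_from("!2I", data, 12)
    off = 20 + ((verf_len + 3) & ~3)  # skip the opaque verifier, XDR-padded to 4 bytes
    (accept_stat,) = struct.unpack_from("!I", data, off)
    if accept_stat != SUCCESS:
        raise ValueError("rpcbind rejected the call, accept_stat=%d" % accept_stat)
    off += 4
    mappings = []
    while True:
        (value_follows,) = struct.unpack_from("!I", data, off)
        off += 4
        if not value_follows:
            return mappings
        prog, vers, proto, port = struct.unpack_from("!4I", data, off)
        off += 16
        mappings.append((prog, vers, proto, port))


def describe(mappings):
    """Render mappings the way a scanner would list them."""
    return sorted(
        "prog %d v%d %s/%d" % (prog, vers, IPPROTO_NAMES.get(proto, str(proto)), port)
        for prog, vers, proto, port in mappings
    )


def query_portmapper(host, timeout=3.0):
    """Send one DUMP over UDP/111 and return the decoded registrations (network access required)."""
    xid = 0x5EED1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_request(xid), (host, 111))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)


# Constructed sample reply (not a capture): portmapper itself on tcp/udp 111,
# NFS (program 100003) on tcp/2049 and mountd (program 100005) on udp/20048.
SAMPLE_XID = 0x5EED1234
SAMPLE_MAPPINGS = [
    (100000, 2, 6, 111),
    (100000, 2, 17, 111),
    (100003, 3, 6, 2049),
    (100005, 3, 17, 20048),
]
SAMPLE_REPLY = build_dump_reply(SAMPLE_XID, SAMPLE_MAPPINGS)

if __name__ == "__main__":
    for line in describe(parse_dump_reply(SAMPLE_REPLY, SAMPLE_XID)):
        print(line)
```

The 40-byte request carries no credentials at all (AUTH_NULL), which is why any host on the Internet can pull the list; the constructed reply above is already 108 bytes for four registrations, and a real rpcbind with NFS, mountd, nlockmgr and status registered for several versions and both transports answers with several hundred bytes, which is the amplification factor that makes UDP/111 attractive to reflect through.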

Proxy Port 8080 (Read More @ Speed Guide)

Some broadband routers run a web server on port 8080 for remote management. WAN administration can (and in most cases should) be disabled in the router's web admin interface, so that the management page is reachable only from the LAN side.

If you are not running web services, keep in mind that some trojans also use these ports:
Reverse WWW Tunnel Backdoor - remote access/tunneling software coded in Perl; uses ports 80, 3128 and 8080. Works on Unix, Linux, Solaris, AIX and OpenBSD.
RingZero (a.k.a. Ring0, Trojan.PSW.Ring, RingZero.gen, Ring) - uses ports 80, 3128 and 8080. Affects Windows 9x.
Screen Cutter (a.k.a. Backdoor.Screencut) - uses ports 80 and 8080.
Mydoom.B (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080 and 10080.

Telnet Port 23 (Read More @ Speed Guide)

Telnet is one of the oldest Internet protocols and was long the most common program for remote access to Unix machines. It carries usernames, passwords and the whole session in cleartext and has numerous security vulnerabilities [RFC 854]; SSH should be used in its place wherever possible.

Trojans that also use this port: ADM worm, Aphex's Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (109.26.2005)

Stack-based buffer overflow in RabidHamster R2/Extreme 1.65 and earlier allows remote authenticated users to execute arbitrary code via a long string to TCP port 23.
References: [CVE-2012-1222] [BID-52061]

SIP port 5060 (Read More @ Speed Guide)

Session Initiation Protocol (SIP) (official IANA assignment). SIP VoIP phones and providers use this port: Asterisk server, X-ten Lite/Pro, Ooma, Vonage (ports 5060, 5061, 10000-20000), Apple iChat, iTalkBB, Motorola Ojo, OpenWengo, TalkSwitch, IConnectHere, Lingo VoIP (ports 5060-5065). An Internet-exposed SIP listener is also a standing target for registration brute-forcing and toll-fraud scanners.

Memory leak in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (memory consumption or device reload) by sending crafted SIP packets to UDP port 5060, aka Bug ID CSCtj04672.
References: [CVE-2011-3280]

MySQL Port 3306 (Read More @ Speed Guide)

MySQL database server connections - http://www.mysql.com

Caesar IV uses this port.

Port also used by the Nemog backdoor (discovered 2004.08.16) - a backdoor trojan horse that allows an infected computer to be used as an email relay and HTTP proxy, dropped by W32.Mydoom.Q@mm. It can use one of the following ports: 3306, 4242, 4646, 4661, 6565, 8080.

Worms using this port: W32.Spybot.IVQ

MySQL 5.5.8, when running on Windows, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted packet to TCP port 3306. 
References: [CVE-2011-5049]