After seeing several questions about trojan traffic
directed at ports such as 31337 and 12345, I've put together a
list of all trojans known to me and the default ports they
use. Of course several of them could use any port, but I
hope this list will give you a clue of what might be
going on.
If you find probes directed against ports
normally not used, it may be someone trying to connect to a
trojan inside your network. I hope this list will be of some
help to you. The problem with Remote Access trojans or
trojans trying to steal passwords is a new one. Today there
is no program, whether anti-virus or anti-trojan, that can
detect unknown trojan horses. And the programmes
claiming to defend you can only find a fraction of the
several hundred trojans out there: 17 written in 1997, 81
constructed the following year, and at least 156 new trojans
thus far in 1999.
This list was last (at last) updated
1999-11-01 and includes more than 75 new entries compared with
the June list. I am sorry for the delay, but digging out all
this information is really time-consuming.
Default ports used by some known trojan horses (updated 2/9/01):

port 2 Death
port 20 Senna Spy FTP server
port 21 Back Construction, Blade Runner, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Senna Spy FTP server, Traitor 21, WebEx, WinCrash
port 22 Shaft
port 23 Fire HacKer, Tiny Telnet Server - TTS, Truva Atl
port 25 Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
port 31 Agent 31, Hackers Paradise, Masters Paradise
port 41 Deep Throat, Foreplay or Reduced Foreplay
port 48 DRAT
port 50 DRAT
port 59 DMSetup
port 79 CDK, Firehotcker
port 80 AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
port 81 RemoConChubo
port 99 Hidden Port
port 110 ProMail trojan
port 113 Identd Invisible Deamon, Kazimas
port 119 Happy99
port 121 JammerKillah
port 123 Net Controller
port 133 Farnaz
port 142 NetTaxi
port 146 Infector
port 146 (UDP) - Infector
port 170 A-trojan
port 180 (TCP/UDP) amanda
port 334 Backage
port 420 Breach
port 421 TCP Wrappers trojan
port 456 Hackers Paradise
port 513 Grlogin
port 514 RPC Backdoor
port 531 Rasmin
port 555 Ini-Killer, Net Administrator, Phase Zero, Phase-0, Stealth Spy
port 559 (TCP/UDP) teedtap
port 605 Secret Service
port 666 Attack FTP, Back Construction, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre
port 667 SniperNet
port 669 DP trojan
port 692 GayOL
port 777 AimSpy, Undetected
port 808 WinHole
port 911 Dark Shadow
port 999 Deep Throat, Foreplay or Reduced Foreplay, WinSatan
port 1000 Der Späher / Der Spaeher
port 1001 Der Späher / Der Spaeher, Le Guardien, Silencer, WebEx
port 1010 Doly Trojan
port 1011 Doly Trojan
port 1012 Doly Trojan
port 1015 Doly Trojan
port 1016 Doly Trojan
port 1020 Vampire
port 1024 NetSpy
port 1026 nterm
port 1042 BLA trojan
port 1045 Rasmin
port 1049 /sbin/initd
port 1050 MiniCommand
port 1054 AckCmd
port 1080 WinHole
port 1081 WinHole
port 1082 WinHole
port 1083 WinHole
port 1090 Xtreme
port 1095 Remote Administration Tool - RAT
port 1097 Remote Administration Tool - RAT
port 1098 Remote Administration Tool - RAT
port 1099 Blood Fest Evolution, Remote Administration Tool - RAT
port 1170 Psyber Stream Server - PSS, Streaming Audio Server, Voice
port 1200 (UDP) - NoBackO
port 1201 (UDP) - NoBackO
port 1207 SoftWAR
port 1212 Kaos
port 1234 Ultors Trojan
port 1243 BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles
port 1245 VooDoo Doll
port 1255 Scarab
port 1256 Project nEXT
port 1269 Matrix
port 1313 NETrojan
port 1338 Millenium Worm
port 1349 Bo dll
port 1434 (UDP) MS-SQL
port 1492 FTP99CMP
port 1524 Trinoo
port 1600 Shivka-Burka
port 1777 Scarab
port 1807 SpySender
port 1966 Fake FTP
port 1969 OpC BO
port 1981 Bowl, Shockrave
port 1999 Back Door, TransScout
port 2000 Der Späher / Der Spaeher, Insane Network
port 2001 Der Späher / Der Spaeher, Trojan Cow
port 2023 Ripper Pro
port 2080 WinHole
port 2115 Bugs
port 2140 The Invasor
port 2140 (UDP) - Deep Throat, Foreplay or Reduced Foreplay
port 2155 Illusion Mailer
port 2234 (TCP/UDP) directplay
port 2255 Nirvana
port 2283 Hvl RAT
port 2300 Xplorer
port 2339 Voice Spy - NOTE!!! the names have swapped places
port 2339 (UDP) - Voice Spy - NOTE!!! the names have swapped places
port 2345 Doly Trojan
port 2565 Striker trojan
port 2583 WinCrash
port 2600 Digital RootBeer
port 2716 The Prayer
port 2773 SubSeven, SubSeven 2.1 Gold
port 2801 Phineas Phucker
port 2989 (UDP) - Remote Administration Tool - RAT
port 3000 Remote Shut
port 3024 WinCrash
port 3127 mydoom
port 3128 Squid Proxy
port 3129 Masters Paradise
port 3150 The Invasor
port 3150 (UDP) - Deep Throat, Foreplay or Reduced Foreplay
port 3456 Terror trojan
port 3459 Eclipse 2000, Sanctuary
port 3700 Portal of Doom - POD
port 3791 Total Solar Eclypse
port 3801 Total Solar Eclypse
port 4000 Skydance
port 4092 WinCrash
port 4242 Virtual Hacking Machine - VHM
port 4321 BoBo
port 4444 Prosiak, Swift Remote
port 4567 File Nail
port 4590 ICQ Trojan
port 4950 ICQ Trogen (Lm)
port 5000 Back Door Setup, Blazer5, Bubbel, ICKiller, Sockets des Troie
port 5001 Back Door Setup, Sockets des Troie
port 5002 cd00r, Shaft
port 5010 Solo
port 5011 One of the Last Trojans - OOTLT, One of the Last Trojans - OOTLT, modified
port 5025 WM Remote KeyLogger
port 5031 Net Metropolitan
port 5032 Net Metropolitan
port 5321 Firehotcker
port 5343 wCrat - WC Remote Administration Tool
port 5400 Back Construction, Blade Runner
port 5401 Back Construction, Blade Runner
port 5402 Back Construction, Blade Runner
port 5512 Illusion Mailer
port 5550 Xtcp
port 5555 ServeMe
port 5556 BO Facil
port 5557 BO Facil
port 5569 Robo-Hack
port 5637 PC Crasher
port 5638 PC Crasher
port 5742 WinCrash
port 5760 Portmap Remote Root Linux Exploit
port 5882 (UDP) - Y3K RAT
port 5888 Y3K RAT
port 6000 The Thing
port 6006 Bad Blood
port 6272 Secret Service
port 6346 (TCP/UDP) BearShare
port 6400 The Thing
port 6666 Dark Connection Inside, NetBus worm
port 6667 ScheduleAgent, Trinity, WinSatan
port 6669 Host Control, Vampire
port 6670 BackWeb Server, Deep Throat, Foreplay or Reduced Foreplay, WinNuke eXtreame
port 6711 BackDoor-G, SubSeven, VP Killer
port 6712 Funny trojan, SubSeven
port 6713 SubSeven
port 6723 Mstream
port 6771 Deep Throat, Foreplay or Reduced Foreplay
port 6776 2000 Cracks, BackDoor-G, SubSeven, VP Killer
port 6838 (UDP) - Mstream
port 6883 Delta Source DarkStar (??)
port 6912 Shit Heep
port 6939 Indoctrination
port 6969 GateCrasher, IRC 3, Net Controller, Priority
port 6970 GateCrasher
port 7000 Exploit Translation Server, Kazimas, Remote Grab, SubSeven 2.1 Gold
port 7001 Freak88
port 7215 SubSeven, SubSeven 2.1 Gold
port 7300 NetMonitor
port 7301 NetMonitor
port 7306 NetMonitor
port 7307 NetMonitor
port 7308 NetMonitor
port 7424 Host Control
port 7424 (UDP) - Host Control
port 7597 Qaz
port 7777 Tini
port 7789 Back Door Setup, ICKiller
port 7983 Mstream
port 8080 Brown Orifice, RemoConChubo, RingZero
port 8787 Back Orifice 2000
port 8988 BacHack
port 8989 Rcon, Recon, Xcon
port 9000 Netministrator
port 9325 (UDP) - Mstream
port 9400 InCommand
port 9872 Portal of Doom - POD
port 9873 Portal of Doom - POD
port 9874 Portal of Doom - POD
port 9875 Portal of Doom - POD
port 9876 Cyber Attacker, Rux
port 9878 TransScout
port 9989 Ini-Killer
port 9999 The Prayer
port 10067 (UDP) - Portal of Doom - POD
port 10085 Syphillis
port 10086 Syphillis
port 10101 BrainSpy
port 10167 (UDP) - Portal of Doom - POD
port 10520 Acid Shivers
port 10528 Host Control
port 10607 Coma
port 10666 (UDP) - Ambush
port 11000 Senna Spy Trojan Generator
port 11050 Host Control
port 11051 Host Control
port 11223 Progenic trojan, Secret Agent
port 12076 Gjamer
port 12223 Hack´99 KeyLogger
port 12345 cron / crontab, Fat Bitch trojan, GabanBus, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill
port 12346 Fat Bitch trojan, GabanBus, NetBus, X-bill
port 12349 BioNet
port 12361 Whack-a-mole
port 12362 Whack-a-mole
port 12623 (UDP) - DUN Control
port 12624 ButtMan
port 12631 Whack Job
port 12754 Mstream
port 13000 Senna Spy Trojan Generator
port 13010 Hacker Brasil - HBR
port 14500 PC Invader
port 15092 Host Control
port 15104 Mstream
port 15858 CDK
port 16484 Mosucker
port 16660 Stacheldraht
port 16772 ICQ Revenge
port 16969 Priority
port 17166 Mosaic
port 17300 Kuang2 the virus
port 17449 Kid Terror
port 17499 CrazzyNet
port 17777 Nephron
port 18753 (UDP) - Shaft
port 19864 ICQ Revenge
port 20000 Millenium
port 20001 Millenium, Millenium (Lm)
port 20002 AcidkoR
port 20023 VP Killer
port 20034 NetBus 2.0 Pro, NetRex, Whack Job
port 20203 Chupacabra
port 20331 BLA trojan
port 20432 Shaft
port 20433 (UDP) - Shaft
port 21544 GirlFriend, Kid Terror
port 21554 Exploiter, Kid Terror, Schwindler, Winsp00fer
port 22222 Donald Dick, Prosiak
port 23005 NetTrash
port 23023 Logged
port 23032 Amanda
port 23432 Asylum
port 23456 Evil FTP, Ugly FTP, Whack Job
port 23476 Donald Dick
port 23476 (UDP) - Donald Dick
port 23477 Donald Dick
port 26274 (UDP) - Delta Source
port 26681 Voice Spy - NOTE!!! the names have swapped places
port 27374 Bad Blood, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8
port 27444 (UDP) - Trinoo
port 27573 SubSeven
port 27665 Trinoo
port 29104 NetTrojan
port 29891 The Unexplained
port 30001 ErrOr32
port 30003 Lamers Death
port 30029 AOL trojan
port 30100 NetSphere
port 30101 NetSphere
port 30102 NetSphere
port 30103 NetSphere
port 30103 (UDP) - NetSphere
port 30133 NetSphere
port 30303 Sockets des Troie
port 30947 Intruse
port 30999 Kuang2
port 31335 Trinoo
port 31336 Bo Whack, Butt Funnel
port 31337 Back Fire, Back Orifice (Lm), Back Orifice russian, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, icmp_pipe.c, Sockdmini
port 31337 (UDP) - Back Orifice, Deep BO
port 31338 Back Orifice, Butt Funnel, NetSpy (DK)
port 31338 (UDP) - Deep BO
port 31339 NetSpy (DK)
port 31666 BOWhack
port 31785 Hack´a´Tack
port 31788 Hack´a´Tack
port 31789 (UDP) - Hack´a´Tack
port 31790 Hack´a´Tack
port 31791 (UDP) - Hack´a´Tack
port 31792 Hack´a´Tack
port 32001 Donald Dick
port 32100 Peanut Brittle, Project nEXT
port 32418 Acid Battery
port 33270 Trinity
port 33333 Blakharaz, Prosiak
port 33577 PsychWard
port 33777 PsychWard
port 33911 Spirit 2000, Spirit 2001
port 34324 Big Gluck, TN
port 34444 Donald Dick
port 34555 (UDP) - Trinoo (for Windows)
port 35555 (UDP) - Trinoo (for Windows)
port 37651 Yet Another Trojan - YAT
port 40412 The Spy
port 40421 Agent 40421, Masters Paradise
port 40422 Masters Paradise
port 40423 Masters Paradise
port 40426 Masters Paradise
port 41666 Remote Boot Tool - RBT, Remote Boot Tool - RBT
port 44444 Prosiak
port 47262 (UDP) - Delta Source
port 50505 Sockets des Troie
port 50766 Fore, Schwindler
port 51966 Cafeini
port 52317 Acid Battery 2000
port 53001 Remote Windows Shutdown - RWS
port 54283 SubSeven, SubSeven 2.1 Gold
port 54320 Back Orifice 2000
port 54321 Back Orifice 2000, School Bus
port 57341 NetRaider
port 58339 Butt Funnel
port 60000 Deep Throat, Foreplay or Reduced Foreplay, Sockets des Troie
port 60068 Xzip 6000068
port 60411 Connection
port 61348 Bunker-Hill
port 61466 TeleCommando
port 61603 Bunker-Hill
port 63485 Bunker-Hill
port 64101 Taskman / Task Manager
port 65000 Devil, Sockets des Troie, Stacheldraht
port 65432 The Traitor (= th3tr41t0r)
port 65432 (UDP) - The Traitor (= th3tr41t0r)
port 65534 /sbin/initd
port 65535 RC1 trojan
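
Added example (not part of the original list): the check suggested in the introduction, applied to firewall log lines. It matches the destination port of dropped packets against a few entries copied from the list above, and treats ports that also carry ordinary services (21, 80) as weak signals only. The log lines are constructed, in the style of Linux netfilter LOG output; the function names and the common-service set are assumptions.

```python
import re
from collections import defaultdict

# A few (protocol, port) entries copied from the list above.
TROJAN_PORTS = {
    ("TCP", 12345): "NetBus",
    ("TCP", 27374): "SubSeven",
    ("TCP", 31337): "Back Orifice (Lm)",
    ("UDP", 31337): "Back Orifice, Deep BO",
    ("UDP", 27444): "Trinoo",
    ("TCP", 21): "Doly Trojan, WinCrash",
    ("TCP", 80): "Executor, RingZero",
}
# Assumption: ports that also carry ordinary services are weak signals only.
COMMON_SERVICE_PORTS = {21, 25, 80, 110, 8080}

# Constructed sample lines in the style of Linux netfilter LOG output.
SAMPLE_LOG = """\
kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=31337
kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=12345
kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=UDP SPT=40114 DPT=31337
kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=4433
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def classify(log_text):
    """Group listed-port probes by source: {src: {"strong": [...], "weak": [...]}}."""
    report = defaultdict(lambda: {"strong": [], "weak": []})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            key = (f["PROTO"].upper(), int(f["DPT"]))
            src, dst = f["SRC"], f["DST"]
        except (KeyError, ValueError):
            continue  # no port fields (e.g. ICMP) or malformed line
        names = TROJAN_PORTS.get(key)
        if names is None:
            continue  # destination port is not on the list
        level = "weak" if key[1] in COMMON_SERVICE_PORTS else "strong"
        report[src][level].append((dst, key[0], key[1], names))
    return dict(report)

def likely_trojan_scanners(report, min_ports=2):
    """Sources that probed several distinct listed ports that are not common services."""
    return sorted(s for s, r in report.items()
                  if len({(p, n) for _, p, n, _ in r["strong"]}) >= min_ports)
```

A match only says that the port is a known default. As noted at the top of the page, many of these trojans can use any port, so treat hits as a clue rather than proof.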
In due
time we will try to publish lists of known trojan files and
display them in alphabetical order and by size to help you scan
through your computers. At this moment I am reconstructing my
database to make the work possible. We will also put up a
couple of programmes to help you detect and unmask all those
hostile files.
If you have information about ports
used by trojans not listed above, please contact me. And if
you have any questions, do not hesitate to mail me.
Joakim von Braun