Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

comp.security.unix and comp.security.misc frequently asked questions
Section - What does port number [whatever] mean?

( Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Airports ]


Top Document: comp.security.unix and comp.security.misc frequently asked questions
Previous Document: I just noticed that [something]. Has my machine been compromised?
Next Document: Here's new, unbreakable encryption software.
See reader questions & answers on this topic! - Help others by sharing your knowledge
RFC 1700 is obsolete.  The standard current reference is
http://www.iana.org/assignments/port-numbers

However, you can write a program which uses any port number, whether it has a
standard meaning or not; and similarly you can write a program which uses a
port number in a way contrary to its standard meaning.

If you notice an attempted connection to a weird port number on your machine,
the connection might have been meant for some other machine running an
idiosyncratic service (perhaps someone typoed the IP address or hostname),
it might be a probe for a widely-spread trojan horse program, it might be
part of some kind of portscan, or plenty of other possibilities.  Some notes
about what a particular port access might mean in practical terms (as opposed
to the intended purpose of that port number assignment) can be found at
http://www.robertgraham.com/pubs/firewall-seen.html
And a list of some non-standard ports used by various strange programs is at
http://www.chebucto.ns.ca/~rakerman/port-table.html

If you notice your machine listening on an unexpected port, you may have
been broken into, or it may be a "feature" of your OS distribution or some
third-party software you're running.  In unix, most ports your OS distribution
will use will be listed in /etc/services, along with MANY you don't use.
/etc/inetd.conf lists services whose daemons are started on demand by inetd,
the internet "super-server" (see the man page).  (/etc/inetd.conf entries
cause services to be offered; /etc/services entries basically just map names
to and from numbers.)  In different ways depending on OS version, /etc/rc*
specifies some standalone daemons to be started up on boot (or initlevel
change); see man pages (including man init).  These are conventional ways to
start services but any program can listen on a port (unprivileged processes
can only listen on port numbers >=1024 in most multiuser OSes).

Some port numbers are not fixed.  There are several possibilities here, but
in unix these most notably include port numbers bearing services registered
under the "portmapper", which listens on port 111.  Type "rpcinfo -p hostname"
for a list of services for which the portmapper is serving as a directory.
(Some of these port numbers may in fact be fixed, in which case client
programs have two different ways to find the port number (hardcode the port
number or use the portmapper).)

To see what listeners you have running (open ports), the canonical incantation
is "netstat -an".  But doing a portscan from a remote machine might be more
reliable if you suspect your machine has been compromised, because the netstat
program could have been replaced.  (But do keep in mind the tricky "malware"
technique of only accepting connections with certain *source* port numbers.)
To find out what process is doing the listening, try something like lsof.
Again, once your machine has been compromised, this might report the
wrong answer; the purpose of using lsof would be to investigate the normal
behaviour of your machine, not to check whether it's been compromised.

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA




Top Document: comp.security.unix and comp.security.misc frequently asked questions
Previous Document: I just noticed that [something]. Has my machine been compromised?
Next Document: Here's new, unbreakable encryption software.

Single Page

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
flaps@dgp.toronto.edu (Alan J Rosenthal)





Last Update March 27 2014 @ 02:11 PM