Criminals set up their services on specific ports. Attackers use TCP port 1080, the port assigned to socket secure (SOCKS) proxies, to support malicious software and activity. Trojan horses and worms such as Mydoom and Bugbear have historically used port 1080 in attacks. “If a network admin did not set up the SOCKS proxy, its existence might indicate malicious activity,” says Norby.
When attackers get lazy, they use port numbers that are easy to remember, such as sequences like 234 or 6789, or repeated digits such as 666 or 8888. Some backdoor and Trojan horse software opens TCP port 4444 to listen for commands, communicate, forward malicious traffic from outside, and deliver payloads. Malware that has used this port includes Prosiak, Swift Remote, and CrackDown.
Web traffic doesn’t use port 80 alone. HTTP traffic also commonly runs on TCP ports 8080, 8088, and 8888. Servers listening on these ports are often legacy boxes that have been left unmanaged and unpatched, accumulating vulnerabilities over time. “Servers on these ports can also be HTTP proxies, which, if network administrators did not install them, could represent a security concern within the system,” says Norby.
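Norby’s point in both the SOCKS and the HTTP paragraphs above is that a proxy nobody installed is a finding, so the practical check is whether an unexpected listener actually behaves like one. The following Python script is an added example and not code from the original article: it sends a SOCKS5 method negotiation (RFC 1928) and an HTTP CONNECT request and classifies the reply. The loopback stub servers it starts are constructed stand-ins so the script runs offline; the timeout, the result labels, and the choice of 127.0.0.1:9 as the CONNECT target are assumptions of this example.

```python
"""Probe a suspicious listener for SOCKS5 / HTTP proxy behaviour.

Added example (not the article's code). Assumptions: outbound TCP to the
target is permitted; the stub servers below are constructed stand-ins that
let the script run offline on loopback.
"""
import socket
import socketserver
import threading

TIMEOUT = 4.0  # seconds; assumption, tune for your network


def probe_socks5(host, port, timeout=TIMEOUT):
    """Return True if the listener completes a SOCKS5 method negotiation.

    RFC 1928 greeting: VER=5, NMETHODS=2, methods 0x00 (no auth) and
    0x02 (username/password). A SOCKS5 server answers VER=5 plus the
    chosen method, or 0xFF for 'no acceptable methods' (still SOCKS5).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x02\x00\x02")
            reply = s.recv(2)
    except OSError:
        return False
    return len(reply) == 2 and reply[0] == 0x05 and reply[1] in (0x00, 0x02, 0xFF)


def probe_http_proxy(host, port, timeout=TIMEOUT, target=b"127.0.0.1:9"):
    """Classify a listener by its answer to an HTTP CONNECT request.

    200 -> open proxy (tunnel established), 407 -> proxy requiring auth,
    502/503 -> proxy that tried to reach the target and failed. Origin web
    servers normally answer 400/405/501. Returns a label or None.
    """
    request = b"CONNECT " + target + b" HTTP/1.1\r\nHost: " + target + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            status_line = s.recv(64)
    except OSError:
        return None
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    return {b"200": "open-proxy", b"407": "auth-proxy",
            b"502": "proxy", b"503": "proxy"}.get(parts[1])


class _Socks5Stub(socketserver.BaseRequestHandler):
    """Constructed stand-in for a SOCKS5 server: accepts 'no auth'."""
    def handle(self):
        data = self.request.recv(260)
        if len(data) >= 2 and data[0] == 0x05:
            self.request.sendall(b"\x05\x00")


class _HttpProxyStub(socketserver.BaseRequestHandler):
    """Constructed stand-in for an open HTTP proxy: answers CONNECT with 200."""
    def handle(self):
        data = self.request.recv(4096)
        if not data[:1].isalpha():            # not an HTTP method token
            self.request.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return
        while b"\r\n\r\n" not in data:
            chunk = self.request.recv(4096)
            if not chunk:
                return
            data += chunk
        if data.startswith(b"CONNECT "):
            self.request.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        else:
            self.request.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")


def start_stub(handler):
    """Bind a stub on a free loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run both probes against both stubs; returns the four classifications."""
    socks_srv, socks_port = start_stub(_Socks5Stub)
    http_srv, http_port = start_stub(_HttpProxyStub)
    try:
        return {
            "socks_on_socks": probe_socks5("127.0.0.1", socks_port),
            "socks_on_http": probe_socks5("127.0.0.1", http_port),
            "http_on_http": probe_http_proxy("127.0.0.1", http_port),
            "http_on_socks": probe_http_proxy("127.0.0.1", socks_port),
        }
    finally:
        for srv in (socks_srv, http_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real host, point both probes at the suspect port (1080, 8080, 8088 or 8888) and aim the CONNECT at a host:port the proxy could plausibly reach; a 502 or 503 then still shows the listener tried to relay, which an origin web server never does. The SOCKS probe deliberately treats 0xFF as a hit, because a server that rejects both offered methods has still identified itself as SOCKS5.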
Supposedly elite attackers have used TCP and UDP port 31337 for the famous Back Orifice backdoor and some other malicious programs. On the TCP port, these include Sockdmini, Back Fire, icmp_pipe.c, Back Orifice Russian, Freak88, Baron Night, and BO client, to name several; on the UDP port, examples include Deep BO. In "leetspeak", which substitutes numbers for letters, 31337 spells "eleet," meaning elite.
Weak passwords can make SSH and port 22 easy targets. Port 22, the designated Secure Shell port that enables access to remote shells on physical server hardware, is vulnerable where the credentials include default or easily guessed user names and passwords, according to David Widen, systems engineer at BoxBoat Technologies. Short passwords of fewer than eight characters that combine a familiar phrase with a sequence of numbers are far too easy for attackers to guess.
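The durable fix for the guessing problem Widen describes is on the server side: stop accepting passwords on port 22 and cap the number of attempts per connection. The script below is an added example, not the article’s or BoxBoat’s code; it parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, anything after a Match line is conditional) and flags the settings that invite online guessing. The DEFAULTS table is an assumption about recent OpenSSH releases, the MaxAuthTries threshold of 4 is this example’s choice, and both config texts are constructed samples.

```python
"""Audit an sshd_config for settings that leave port 22 open to guessing.

Added example (not the article's code). Assumptions: the DEFAULTS table
reflects recent OpenSSH releases (check sshd_config(5) for yours); the
MaxAuthTries threshold of 4 is this example's choice; both configs are
constructed samples.
"""
import re

DEFAULTS = {                       # effective value when the directive is absent
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
MAX_AUTH_TRIES = 4                 # assumption: tighter than the default 6


def parse_sshd_config(text):
    """Effective global settings: lowercase keyword -> value.

    sshd honours the first occurrence of a keyword, accepts 'Key value' or
    'Key=value', and applies anything after a Match line conditionally, so
    parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return (directive, effective value, fix) for each weak setting."""
    settings = parse_sshd_config(text)

    def effective(key):
        return settings.get(key, DEFAULTS[key]).lower()

    findings = []
    if effective("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "set 'no' and authenticate with keys"))
    if effective("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "set 'no' (or 'prohibit-password') and use sudo"))
    if effective("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "yes", "set 'no'"))
    tries = int(effective("maxauthtries"))
    if tries > MAX_AUTH_TRIES:
        findings.append(("MaxAuthTries", str(tries),
                         "set %d or lower to slow online guessing" % MAX_AUTH_TRIES))
    return findings


WEAK_CONFIG = """\
# constructed sample: stock defaults plus a couple of loosened lines
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

The commented-out PasswordAuthentication line in the weak sample is the trap worth noticing: because the directive is absent, sshd falls back to its default of yes, and the `PasswordAuthentication no` under the Match block only applies to the backup user, so the host still accepts password guesses for everyone else.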
Criminal hackers are still attacking IRC, which runs on ports 6660 through 6669. “There have been many IRC vulnerabilities, such as Unreal IRCD, that allow for trivial remote execution by attackers,” says Widen.
Some ports and protocols give attackers a lot of reach. Case in point: UDP port 161 is enticing to attackers because the SNMP protocol, used for managing networked machines and polling them for information, sends its traffic through this port. “SNMP allows you to query the server for usernames, network shares, and other information. SNMP often comes with default strings that act like passwords,” explains Muhl.
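Muhl’s point about default strings is easy to verify on the wire, because in SNMPv1 and v2c the community string travels in clear text in every datagram. The script below is an added example, not the article’s code: it builds an SNMPv1 GetRequest for sysDescr (the packet a default-community scan sends to UDP 161), parses the version, community and PDU type back out of a datagram with a minimal BER decoder, and flags captures that use a default community. The DEFAULT_COMMUNITIES set is an assumption to extend with your own vendor defaults, and the captured datagrams are constructed here so the script runs offline.

```python
"""Build and dissect SNMPv1/v2c messages to spot default community strings.

Added example (not the article's code). Assumptions: the list of
'default' communities below is a starting point, not a standard; the
captured datagrams are constructed here so the script runs offline.
"""

DEFAULT_COMMUNITIES = {"public", "private", "community", "manager"}  # assumption
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


# --- minimal BER encoder ---------------------------------------------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)


def snmpv1_get(community, oid, request_id=1):
    """SNMPv1 GetRequest for one OID (what a default-community scan sends)."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")          # OID + NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))                          # id, err, idx, list
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


# --- minimal BER decoder ---------------------------------------------------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return version, community and PDU type of a v1/v2c message."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, ver, pos = _read_tlv(body, 0)
    ctag, community, pos = _read_tlv(body, pos)
    ptag, _, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:          # v3 has a SEQUENCE here instead
        raise ValueError("not a community-based SNMP message")
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode("latin-1"), "pdu_type": ptag}


def find_default_communities(datagrams):
    """datagrams: iterable of (source, udp_payload). Returns flagged triples."""
    hits = []
    for src, payload in datagrams:
        try:
            hdr = parse_snmp_header(payload)
        except (ValueError, IndexError):
            continue
        if hdr["version"] in (0, 1) and hdr["community"].lower() in DEFAULT_COMMUNITIES:
            hits.append((src, hdr["community"],
                         PDU_NAMES.get(hdr["pdu_type"], hex(hdr["pdu_type"]))))
    return hits


# Constructed sample: three requests plus one non-SNMP datagram.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", snmpv1_get("public", SYS_DESCR, 42)),
    ("10.0.0.9", snmpv1_get("Xk9-monitoring", SYS_DESCR, 43)),
    ("10.0.0.7", snmpv1_get("private", "1.3.6.1.2.1.1.5.0", 44)),
    ("10.0.0.3", b"\x00\x01junk"),
]

if __name__ == "__main__":
    for hit in find_default_communities(SAMPLE_DATAGRAMS):
        print("default community %r from %s (%s)" % (hit[1], hit[0], hit[2]))
```

To use the encoder as a scanner, send `snmpv1_get("public", SYS_DESCR)` over UDP to port 161 and look for any reply at all; a GetResponse to a default community is the finding. To use the decoder as a detector, feed it UDP/161 payloads from a capture; SNMPv3 datagrams are skipped because their header carries a SEQUENCE where v1/v2c carry the community string.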