port vs attack name information source?



This is not -exactly- on topic for comp.security.firewalls, but
comp.security.misc was given over to spam years ago, and
news.admin.net-abuse.sightings was re-organized out of existence
earlier this year. Please feel free to redirect me to a more
appropriate (and still active) newsgroup.

I would like to inquire as to good sites in which I can look up port
numbers and see which attacks (trojan/virus) they are associated with.
For example, my firewall logs show that since
late on October 19, I've had over 155000 attempts to reach tcp 15057
on my residential connection, but I cannot find any non-trivial
information about what the port is used for.

(It is within the realm of possibility that what I'm seeing is a
randomly chosen port that got registered as an end-point by a
distributed-processing program such as Skype; it's never easy to track
such things without packet captures at the time of the original port

One way or another, it would be easier if there were sites known to
have fairly up-to-date information about port usage. For example, if
it turns out to be a random distributed port, then *not* finding the
port on the list of known attack ports would also give me information
about what I was seeing in the logs.

   Thank you,
          Walter Roberson

Re: port vs attack name information source?

Thu, 29 Oct 2009 08:31:39 -0700 wrote Walter Roberson:

It looks like the port is unassigned at:

Port 23399 is the default port number for Skype, but there is no law that
says it has to be.

I did Google a little (mumbling something about people that can't do their
own... ;-) ) and came up empty-handed; neither www.sans.org nor www.iana.org
seems to have the info you're looking for.
At least Wikipedia has an incomplete list of port numbers and some
references and somewhat useful links.

Re: port vs attack name information source?


If you're on Linux, see /usr/share/nmap/nmap-services -- but the only
extra info there is open frequency:

~$ grep 15057 /usr/share/nmap/nmap-services
unknown 15057/udp       0.000330

In any case being hit at a particular port that you're not providing
a service on simply means you drop or reject the probe.  Knowing what
the port is used for doesn't change your response to it :)
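
Added example, not part of any post in this thread: a lookup over an nmap-services format file that matches port and protocol exactly, so a question about tcp 15057 is answered separately from the udp entry and "not listed" is reported explicitly. The function names and the sample data are assumptions made for illustration; only the 15057/udp line comes from the thread.

```shell
#!/bin/sh
# Exact port+protocol lookup in an nmap-services format file. A plain grep
# for the digits matches either protocol and any port containing those digits.

# Constructed sample (name, port/proto, open-frequency). Only the 15057/udp
# line is from the thread; the other entries are made up for the demo.
sample_services() {
cat <<'EOF'
# constructed sample, not a real nmap-services file
ssh      22/tcp     0.182286  # Secure Shell Login
unknown  15057/udp  0.000330
unknown  50570/tcp  0.000076
EOF
}

# port_lookup PORT [FILE]
# Prints "PORT/proto name frequency" or "PORT/proto not-listed" for tcp and
# udp. FILE defaults to the path from the thread; "-" reads from stdin.
port_lookup() {
    port=$1
    file=${2:-/usr/share/nmap/nmap-services}
    case $port in
        ''|*[!0-9]*) echo "usage: port_lookup PORT [FILE]" >&2; return 2 ;;
    esac
    awk -v port="$port" '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and blanks
        {
            split($2, pp, "/")                   # pp[1]=port, pp[2]=proto
            if (pp[1] == port) found[pp[2]] = $1 " " $3
        }
        END {
            n = split("tcp udp", protos, " ")
            for (i = 1; i <= n; i++) {
                p = protos[i]
                if (p in found) print port "/" p, found[p]
                else            print port "/" p, "not-listed"
            }
        }
    ' "$file"
}

# Demo on the constructed sample: tcp and udp are reported separately.
sample_services | port_lookup 15057 -
```

On a system with nmap installed, `port_lookup 15057` with no second argument reads the file named in the post above.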

