Ports & Infection Vectors
Share this:
Ports are numbers that are used in TCP and UDP protocols for identification of applications. While some applications use well-known port numbers, such as 80 for HTTP, or 443 for HTTPS, some applications use dynamic ports. Open port refers to a port, on which a system is accepting communication.
Open port does not immediately mean a security issue. But, it can provide a pathway for attackers to the application listening on that port. Therefore, attackers can exploit shortcomings like weak credentials, no two-factor authentication, or even vulnerabilities in the application itself.
When open for the Internet, attackers can use open ports as an initial attack vector. Furthermore, listening ports on a local network can be used for lateral movement. It is a good practice to close ports or at least limit them to a local network. If necessary, you can make applications accessible to remote workers via a secure VPN.
Scanning tools used by both attackers and security professionals allow an automated detection of open ports. Many network-based IDS/IPS solutions, and even workstation-based endpoint security solutions can detect port scanning. It is worthwhile to investigate port scanning originating from inside the local network, as it often means a compromised device. However, computers running some security solutions can generate false positives. This is because vendors of security solutions feature a port scanner to detect vulnerable devices inside a home network.
Here are the below list of Infection vectors abusing the respective ports
| Port | Infection Vectors |
| 22 | Shaft, SSH RAT |
| 23 | Tiny Telent Server |
| 25 | Antigen, Email Password Sender |
| 26 | Badpatch |
| 31/456 | Hackers Paradise |
| 53 | Denis Ebury |
| 68 | Mspy |
| 80 | Necurs, NetWire |
| 113 | Shiver |
| 139 | Nuker |
| 421 | TCP Wrappers Trojan |
| 443 | TrickBot,UBoatRAT,Carbanak |
| 445 | Wannacry |
| 456 | Hackers Paradise |
| 555 | Ini-Killer |
| 666 | Satanz Backdoor |
| 1001 | Silencer |
| 1011 | Doly Trojan |
| 1026/64666 | RSM |
| 1095-98 | RAT |
| 1170 | Psyber Stream Server |
| 1177 | njRAT |
| 1234 | Ultors Trojan |
| 1234/12345 | Valvoline |
| 1243 | Sub Seven 1.0-1.8 |
| 1243/6711/6776/27374 | Sub Seven |
| 1245 | VooDoo Doll |
| 1777 | Java RAT |
| 1349 | Back Office DLL |
| 1492 | FTP99CMP |
| 1433 | Misdat |
| 1600 | Shivka-Burka |
| 1604 | DarkComet AT |
| 1807 | SpySender |
| 1863 | XtremeRAT |
| 1981 | Shockrave |
| 1999 | BackDoor 1.00-1.03 |
| 2001 | Trojan Cow |
| 2115 | Bugs |
| 2140 | The Invasor |
| 2140/3150 | Deep Throat |
| 2155 | Illusion Mailer |
| 2801 | Phineas Phucker |
| 3129 | Masters Paradise |
| 3131 | Subsari |
| 3150 | The Invasor |
| 3389 | RDP |
| 3700/9872-9875/10067/10167 | Portal of Doom |
| 4000 | RA |
| 4567 | File Nail 1 |
| 4590 | ICQTrojan |
| 5000 | Bubbel |
| 6267 | GW Giri |
| 6400 | Thing |
| 6666 | KillRat |
| 6667/12349 | Bionet MagicHound |
| 6670-71 | DeepThroat |
| 6969 | GateCrasher, Priority |
| 7000 | Remote Grab |
| 7300-08 | NetMonitor |
| 7300/31338/31339 | Net Spy |
| 7597 | Qaz |
| 7626 | Gdoor |
| 7777 | GodMsg |
| 7789 | ICKiller |
| 8000 | BADCALL,Comnie |
| 8012 | Ptakks |
| 8080 | Zeus, APT 37, FIN 7 |
| 8443 | FelixRoot,Nidiran |
| 8787/54321 | BackOfrice |
| 9989 | Ini-Killer |
| 10048 | Delf |
| 10100 | Gift |
| 10607 | Coma |
| 11000 | Senna Spy |
| 11223 | Progenic Trojan |
| 12223 | Hack’99 Key Logger |
| 12345-46 | GabanBus |
| 12361/12362 | Whack-a-Mole |
| 16969 | Priority |
| 20001 | Millenium |
| 20034/1120 | NetBus |
| 21544 | Girl Friend |
| 22222 | Prosiak |
| 22222 | Rux |
| 23432 | Asylum |
| 23456 | Evil FTP |
| 25685 | Moon Pie |
| 26274 | Delta |
| 30100-02 | NetSphere |
| 31337-38 | Back Orifice |
| 31338 | DeepBO |
| 31339 | NetSpyDK |
| 31666 | BOWhack |
| 33333 | Prosiak |
| 34324 | BigGluck, TN |
| 40412 | The Spy |
| 40421-26 | Masters Paradise |
| 47262 | Delta |
| 50766 | Fore |
| 53001 | Remote Windows Shutdown |
| 54321 | SchoolBus |
| 61466 | Telecommando |
| 65000 | Devil |
