anti-trojan.org

"It's a dangerous business going out your front door."
~ J. R. R. Tolkien

The Fellowship of the Ring




Trojan Port List

HOW YOUR COMPUTER COMMUNICATES WITH THE OUTSIDE WORLD

For your computer to connect to the Internet, surf the web, download information and files, run software updates, and send and receive emails and messages, it has to connect to the ‘outside world’.

You already knew that, so pretty simple so far.

Without getting too technical, this connection mechanism in a computer is called an ‘IP Port’ and most of us are aware that our computers have a unique ‘IP address’ so that we can receive information across the internet. Because there are a large number of processes that potentially may need to be running simultaneously, the IP (Internet Protocol) system has some 65535 available ports.

This may seem like an excessively large number but it ensures that channel conflicts are unlikely to arise particularly as new applications, programs and services continue to evolve, and as each process usually requires at least one unique sending and receiving port for each function and more if you are part of a network.

Each port is known by its port number with certain key ports being reserved for particular functions. IANA is the governing body that issues registrations for use of IP ports which are divided into three ranges;


Network Sorcery's IP Port Assignment page is for the real geeks among you to check out what applications or functions, if any, are allocated to which ports.

Actually, it can be a useful reference if a suspicious connection is detected using a certain port and you want to determine if the connection may be part of a valid process.

IP PORT VULNERABILITIES

So an IP port is a gateway from your computer to the outside world and access from the outside world into your computer. These are the ‘city gates’ to your fortress and someone decided that you needed 65000 of them to guard !

With so many trojans and spyware around and so many doors to get thru it is not difficult to see that at some point in time you may potentially be hacked.

If some of your bandwidth ever is hijacked and is being used as a thru-channel to attack other unsuspecting users then the most common symptom will be excessive internet activity that does not appear to correspond to traffic generated by any legitimate processes that you have running.

One tool you can use to check this quickly is Microsoft's built-in Task Manager (press Control, Alt & Delete, then select Task Manager). Use the tabs to see what processes are running and which ones are using your system resources.


Windows Task Manager


Look at system resources being used and applications running.

Check your internet connection Icon and see what the internet send/receive activity levels are after closing all unnecessary programs. Note any suspicious applications for further investigation.

If a Trojan does penetrate your Firewall/Scanner security shield and attempts to download some spyware to send information back to the hacker host it will need to open two ports on your machine to do so. IP Ports then are a vulnerability but as any traffic must pass thru these they can also become a detection point with the right monitoring software.



USEFUL MONITORING AND DETECTION TOOLS

The following are useful detection tools for determining what processes are accessing the internet from your computer.

Process Explorer V11.21 (FREEWARE)

This utility is like a beefed up Task Manager.

Process Explorer can be used to find out which program has a particular file or directory open, and it shows you information about which handles and DLLs processes have opened or loaded.

The top display frame of Process Explorer lists all the active processes, including the master application names, and the lower frame shows dependent information for any process selected. Another setting identifies which applications are accessing which DLLs (Dynamic Linked Libraries), mini program directory lists which are accessed by active applications periodically to allow them to run on your computer.

Process Explorer is compatible with Windows 2000 SP4 and Windows XP.



Fport (FREEWARE)

Fport V2.0

Fport identifies unknown open ports and their associated applications. It reports all open TCP/IP and UDP ports and maps them to the owning application.

This is the same information you would see using the 'netstat -a' or 'netstat -n' commands, but it also maps those ports to running processes with the PID, process name and path.

Fport can be used to quickly identify unknown open ports and their associated applications.

Fport is compatible with Windows NT4, Windows 2000 and Windows XP.

Copyright 2002 (c) by Foundstone, Inc. www.foundstone.com



FreePortScanner V2.7 (FREEWARE)

Free Port Scanner is a small, fast, robust port scanner for the Win32 platform and the display panel is simple but easy to use.

Scans can be done in a few seconds and can be on predefined port ranges. This tool uses TCP packets to determine available hosts, open ports and service associated with the port and other important characteristics.

Copyright by NSAUDITOR.COM

Compatible with Windows 2000, Windows XP and Windows 2003.



TROJAN PORT ARCHIVE LIST

The following Trojan Port list compiled by Jonathan Read was current circa 2004 before the Trojan/Spyware/Malware explosion. It shows which ports known trojans open to exchange information with the remote hacker host. The information is posted here as an archival list for reference purposes.


| Port Opened | Protocol Used | Name of trojan or trojans |
|---|---|---|
| 1 | UDP | Sockets des Troie |
| 2 | TCP | Death |
| 20 | TCP | Senna Spy FTP server |
| 21 | TCP | Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Freddy beta 2 - beta 3, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash |
| 22 | TCP | Shaft |
| 23 | TCP | Fire HacKer, Tiny Telnet Server - TTS, Truva Atl, My Very Own Trojan |
| 25 | TCP | Ajan, Antigen, Barok, BSE Trojan, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Stukach, Tapiras, Terminator, WinPC, WinSpy |
| 30 | TCP | Agent 40421 |
| 31 | TCP | Agent 31, Hackers Paradise, Masters Paradise |
| 39 | TCP | SubSARI |
| 41 | TCP | Deep Throat, Foreplay |
| 44 | TCP | Arctic Trojan |
| 48 | TCP | D.R.A.T |
| 50 | TCP | D.R.A.T |
| 58 | TCP | DMSetup |
| 59 | TCP | DMSetup |
| 79 | TCP | CDK, Firehotcker |
| 80 | TCP, ACK | 711 Beta, Back End, AckCmd (ack), CGI BackDoor, Exector, Hooker, Ring Zero, Web Serve 2, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader |
| 81 | TCP | RemoConChubo |
| 99 | TCP | Hidden Port, NCX |
| 110 | TCP | ProMail |
| 113 | TCP | Invisible Identd Deamon, Kazimas |
| 119 | TCP | Happy99 |
| 121 | TCP, UDP | Attack Bot, God Message, JammerKillah (UDP) |
| 123 | TCP | NetController |
| 133 | TCP | Farnaz |
| 137 | TCP, UDP | Chode, MSinit (UDP) |
| 138 | TCP | Chode |
| 139 | TCP | Chode, God Message worm, MSinit, Netlog, Network, Qaz |
| 142 | TCP | NetTaxi |
| 146 | TCP, UDP | The infector |
| 170 | TCP | A-Trojan |
| 334 | TCP | Backage |
| 411 | TCP | Backage |
| 420 | TCP | Breach, Incognito |
| 421 | TCP | TCP Wrappers trojan |
| 455 | TCP | Fatal Connections 2.0 |
| 456 | TCP | Hackers Paradise 2 beta 3, Masters Paradise 98 beta 2, Masters Paradise 99 beta 9.9d |
| 513 | TCP | Grlogin |
| 514 | TCP | RPC Backdoor |
| 531 | TCP | Net666, Rasmin |
| 555 | TCP | 711, Ini-Killer, Net Administrator, Phase Zero, Phase-0, Stealth Spy |
| 605 | TCP | Secret Service |
| 666 | TCP | Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door, ServU, ShadowPhyre, th3r1pp3rz |
| 667 | TCP | SniperNet |
| 669 | TCP | DP trojan |
| 692 | TCP | GayOL |
| 777 | TCP | AimSpy, Undetected |
| 808 | TCP | WinHole |
| 911 | TCP, UDP | DarkShadow's trojan |
| 999 | TCP, UDP | Deep Throat, Foreplay, WinSatan |
| 1000 | TCP | DerSpaeher, Direct Connection |
| 1001 | TCP | DerSpaeher, Le Guardien, SK Silencer, WebEx |
| 1010 | TCP | Doly |
| 1011 | TCP | Doly |
| 1012 | TCP | Doly |
| 1015 | TCP | Doly |
| 1016 | TCP | Doly |
| 1020 | TCP | Vampire |
| 1024 | TCP | Latinus 1.0, Latinus 1.2, NetSpy, Jade |
| 1025 | TCP, UDP | Fraggle Rock, NetSpy, Remote Storm (TCP and UDP) |
| 1031 | TCP | Xanadu |
| 1035 | TCP | Multidropper |
| 1042 | TCP | BLA |
| 1045 | TCP | Rasmin |
| 1050 | TCP | MiniCommand |
| 1053 | TCP | Thief |
| 1054 | ACK | AckCmd |
| 1066 | TCP | B.F. Evolution |
| 1080 | TCP | WinHole |
| 1081 | TCP | WinHole |
| 1082 | TCP | WinHole |
| 1083 | TCP | WinHole |
| 1090 | TCP | Xtreme |
| 1095 | TCP | Remote Administration Tool |
| 1097 | TCP | Remote Administration Tool |
| 1098 | TCP | Remote Administration Tool |
| 1099 | TCP | B.F.Evolution |
| 1104 | UDP | RexxRave |
| 1150 | TCP | Orion |
| 1151 | TCP | Orion |
| 1170 | TCP | Psyber Stream Server, Streaming Audio Server, VoiceDLL |
| 1200 | UDP | NoBackO |
| 1201 | UDP | NoBackO |
| 1207 | TCP | SoftWAR |
| 1208 | TCP | Infector |
| 1212 | TCP | Kaos |
| 1234 | TCP | Ultor's Telnet Trojan, SubSeven Java client |
| 1243 | TCP | SubSeven, SubSeven, Tiles |
| 1245 | TCP | Voodoo Doll |
| 1255 | TCP | Scarab |
| 1256 | TCP | Project nEXT |
| 1269 | TCP | Mavericks Matrix |
| 1272 | TCP | The Matrix |
| 1313 | TCP | NETrojan |
| 1338 | TCP | Millenium Worm |
| 1349 | UDP | Back Orifice DLL |
| 1386 | TCP | Dagger |
| 1394 | TCP | Gofriller |
| 1441 | TCP | Remote Storm |
| 1492 | TCP | FTP99cmp |
| 1524 | TCP | Trinoo (DDoS) |
| 1568 | TCP | Remote Hack |
| 1600 | TCP | Direct Connection, Shivka-Burka |
| 1703 | TCP | Exploiter |
| 1777 | TCP | Scarab |
| 1807 | TCP | Spy Sender |
| 1966 | TCP | Fake FTP |
| 1967 | TCP | F.Y.E.O, WM FTP Server |
| 1969 | TCP | OpC Back orifice |
| 1981 | TCP | Bowl 1.0, ShockRave |
| 1991 | TCP | Pitfall |
| 1999 | TCP | BackDoor, Transmission Scout |
| 2000 | TCP | DerSpaeher, Insane Network, Last 2000, Remote Explorer 2000, Senna Spy Trojan Generator |
| 2001 | TCP | DerSpaeher, Trojan Cow |
| 2023 | TCP | Ripper Pro |
| 2080 | TCP | WinHole |
| 2115 | TCP | Bugs |
| 2130 | UDP | Mini Backlash |
| 2140 | UDP | Invasor, Deep Throat, Foreplay |
| 2155 | TCP | Illusion Mailer |
| 2255 | TCP | Nirvana |
| 2283 | TCP | Hvl RAT |
| 2300 | TCP | Xplorer |
| 2311 | TCP | Studio 54 |
| 2330 | TCP | Contact |
| 2331 | TCP | Contact |
| 2332 | TCP | Contact |
| 2333 | TCP | Contact |
| 2334 | TCP | Contact |
| 2335 | TCP | Contact |
| 2336 | TCP | Contact |
| 2337 | TCP | Contact |
| 2338 | TCP | Contact |
| 2339 | TCP, UDP | Voice Spy |
| 2345 | TCP | Doly |
| 2565 | TCP | Striker |
| 2583 | TCP | WinCrash |
| 2589 | TCP | Dagger |
| 2600 | TCP | Digital Root beer |
| 2716 | TCP | The Prayer |
| 2773 | TCP | Subseven |
| 2774 | TCP | Subseven |
| 2801 | TCP | Phineas Phucker |
| 2989 | UDP | R.A.T. |
| 3000 | TCP | InetSpy beta 1, Remote Shut |
| 3024 | TCP | WinCrash |
| 3031 | TCP | Microspy |
| 3128 | TCP | Reverse WWW Tunnel Backdoor, RingZero |
| 3129 | TCP | Masters Paradise |
| 3131 | TCP | SubSARI |
| 3150 | UDP | Invasor, Mini BackLash, Deep Throat, Foreplay |
| 3456 | TCP | Terror trojan |
| 3457 | TCP | P.E.T |
| 3459 | TCP | Eclipse 2000, Sanctuary |
| 3700 | TCP | Portal of Doom |
| 3777 | TCP | Psychward |
| 3791 | TCP | Total Solar Eclypse |
| 3801 | TCP | Total Solar Eclypse |
| 4000 | TCP | Skydance |
| 4092 | TCP | WinCrash |
| 4201 | TCP | WarTrojan |
| 4242 | TCP | Virtual Hacking Machine |
| 4321 | TCP | Bobo |
| 4444 | TCP | CrackDown, Prosiak, Swift Remote |
| 4488 | TCP | Event Horizon |
| 4567 | TCP | File Nail |
| 4590 | TCP | ICQ Trojan |
| 4653 | TCP | Cero |
| 4666 | TCP | Mneah Trojan |
| 4950 | TCP | ICQ Trojan |
| 5000 | TCP | BioNet lite, Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie |
| 5001 | TCP | Back Door Setup, Sockets des Troie |
| 5002 | TCP | cd00r, Shaft |
| 5010 | TCP | Solo |
| 5011 | TCP | One of the last trojans |
| 5025 | TCP | WM Remote Keylogger |
| 5031 | TCP | Net Metropolitan |
| 5032 | TCP | Net Metropolitan |
| 5321 | TCP | Firehotcker |
| 5333 | TCP | Backage, NetDemon |
| 5343 | TCP | wCrat |
| 5400 | TCP | Back Construction, Blade Runner |
| 5401 | TCP | Back Construction, Blade Runner, Mneah Trojan |
| 5402 | TCP | Back Construction, Blade Runner, Mneah Trojan |
| 5512 | TCP | Illusion Mailer |
| 5534 | TCP | THE FLU |
| 5550 | TCP | Xtcp |
| 5555 | TCP | ServeMe |
| 5556 | TCP | BO Facil |
| 5557 | TCP | BO Facil |
| 5569 | TCP | Robo Hack |
| 5637 | TCP | PC Crasher |
| 5638 | TCP | PC Crasher |
| 5742 | TCP | WinCrash |
| 5880 | TCP | Y3K |
| 5882 | TCP, UDP | Y3K |
| 5888 | TCP, UDP | Y3K |
| 5889 | TCP, UDP | Y3K |
| 6000 | TCP | tHing |
| 6006 | TCP | Bad Blood |
| 6272 | TCP | Secret Service |
| 6400 | TCP | tHing |
| 6661 | TCP | TEMan, Weia-Meia |
| 6666 | TCP | Dark Connection Inside, NetBus worm |
| 6667 | TCP | Dark FTP, ScheduleAgent, Subseven, Trinity, WinSatan |
| 6669 | TCP | Host Control, Vampire |
| 6670 | TCP | BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame |
| 6711 | TCP | SubSARI, SubSeven, VP Killer |
| 6712 | TCP | Funny Trojan, Subseven |
| 6713 | TCP | Subseven |
| 6723 | TCP | Mstream |
| 6771 | TCP | Deep Throat, Foreplay |
| 6776 | TCP | 2000 Cracks, Subseven, VP Killer |
| 6838 | TCP | Mstream (DDoS) |
| 6883 | TCP | DELTA Source |
| 6912 | TCP | ShitHeep |
| 6939 | TCP | Indoctrination |
| 6969 | TCP | Gatecrasher, IRC 3, Net Controller, Priority |
| 6970 | TCP | Gatecrasher |
| 7000 | TCP | Remote Grab |
| 7001 | TCP | Freak88, Freak2k (DDoS) |
| 7215 | TCP | Subseven |
| 7300 | TCP | Net Monitor |
| 7301 | TCP | Net Monitor |
| 7306 | TCP | Net Monitor |
| 7307 | TCP | Net Monitor |
| 7308 | TCP | Net Monitor |
| 7424 | TCP, UDP | Host Control |
| 7626 | TCP | Glacier |
| 7777 | TCP | God Message, Tini |
| 8080 | TCP | Brown Orifice, RemoConChubo, Reverse WWW Tunnel Backdoor, Ring Zero |
| 8787 | TCP | BO2K |
| 8988 | TCP | Back Hack |
| 8989 | TCP | Rcon, Recon, Xcon |
| 9000 | TCP | Netministrator |
| 9325 | UDP | Mstream |
| 9400 | TCP | Incommand |
| 9872 | TCP | Portal of Doom |
| 9873 | TCP | Portal of Doom |
| 9874 | TCP | Portal of Doom |
| 9875 | TCP | Cyber Attacker, RUX |
| 9878 | TCP | Trans scout |
| 9989 | TCP | INI Killer |
| 9999 | TCP | Prayer |
| 10067 | UDP | Portal of Doom |
| 10085 | TCP | Syphilis |
| 10086 | TCP | Syphilis |
| 10100 | TCP | Control total beta 4, Gift |
| 10101 | TCP | BrainSpy Beta, Silencer |
| 10167 | UDP | Portal of Doom |
| 10520 | TCP | Acid Shivers |
| 10528 | TCP | Host Control |
| 10607 | TCP | COMA |
| 10666 | UDP | Ambush 1.0 |
| 11000 | TCP | Senna SPY |
| 11050 | TCP | Host Control |
| 11051 | TCP | Host Control |
| 11223 | TCP | Progenic trojan, Secret Agent |
| 12076 | TCP | Gjamer |
| 12223 | TCP | Hack´99 KeyLogger |
| 12310 | TCP | Precursor |
| 12345 | TCP | Ashley, Fat Bitch trojan, Gabanbus, Mypic, Netbus, Netbus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill, ValV-N.E.t |
| 12346 | TCP | Fat Bitch trojan, Gabanbus, Mypic, Netbus, Netbus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill, ValV-N.E.t |
| 12349 | TCP | Bionet |
| 12361 | TCP | Whack-a-Mole |
| 12362 | TCP | Whack-a-Mole |
| 12623 | UDP | DUN Control |
| 12624 | TCP | ButtMan |
| 12631 | TCP | Whack job |
| 12754 | TCP | Mstream (DDoS) |
| 13000 | TCP | Senna SPY |
| 13010 | TCP | HBR (Hacker Brazil) |
| 13013 | TCP | Psychward |
| 13014 | TCP | Psychward |
| 13223 | TCP | Hack´99 KeyLogger |
| 13473 | TCP | Chupacabra |
| 14500 | TCP | PC Invader |
| 14501 | TCP | PC Invader |
| 14502 | TCP | PC Invader |
| 14503 | TCP | PC Invader |
| 15000 | TCP | NetDemon |
| 15092 | TCP | Host Control |
| 15104 | TCP | Mstream (DDoS) |
| 15382 | TCP | SubZERO |
| 15858 | TCP | CDK |
| 16484 | TCP | MoSucker |
| 16660 | TCP | Stacheldraht (DDoS) |
| 16772 | TCP | ICQ Revenge |
| 16959 | TCP | Subseven |
| 16969 | TCP | Priority |
| 17166 | TCP | Mosaic |
| 17300 | TCP | Kuang 2 the Virus |
| 17449 | TCP | Kid Terror |
| 17499 | TCP | CrazzyNet |
| 17500 | TCP | CrazzyNet |
| 17569 | TCP | The Infector |
| 17593 | TCP | AudioDoor |
| 17777 | TCP | Nephron |
| 18753 | UDP | SHAFT |
| 19864 | TCP | ICQ Revenge |
| 20000 | TCP | Millenium |
| 20001 | TCP | Insect, Millenium, Millenium (Lm) |
| 20002 | TCP | AcidkoR |
| 20005 | TCP | MoSucker |
| 20023 | TCP | VP Killer |
| 20034 | TCP | NetBus 2.0 Pro, NetBus 2.0 Pro Hidden, NetRex, Whack Job |
| 20203 | TCP | Chupacabra |
| 20331 | TCP | BLA |
| 20432 | TCP | Shaft |
| 20433 | UDP | Shaft |
| 21544 | TCP | Girlfriend, Exploiter, Freddy, Kid Terror, Maverick's Matrix |
| 21554 | TCP | Exploiter, Kid Terror, Schwindler, Winsp00fer |
| 22222 | TCP | Donald Dick, Prosiak, Ruler, RUX The TIc.K |
| 23005 | TCP | Nettrash |
| 23006 | TCP | Nettrash |
| 23023 | TCP | Logged |
| 23032 | TCP | Amanda |
| 23432 | TCP | Asylum |
| 23456 | TCP | Evil FTP, Ugly FTP, Whack Job |
| 23476 | TCP, UDP | Donald Dick |
| 23477 | TCP | Donald Dick |
| 23777 | TCP | InetSpy beta 1 |
| 24000 | TCP | The Infector |
| 25123 | TCP | Goy'Z Trojan |
| 25685 | TCP | Moonpie |
| 25686 | TCP | Moonpie |
| 25982 | TCP | Moonpie |
| 26274 | UDP | Delta Source |
| 26681 | TCP | Voice Spy |
| 27160 | TCP | Moonpie |
| 27374 | TCP | Bad Blood, Ramen, Seeker, Subseven, Ttfloader |
| 27444 | UDP | TRINOO (DDoS) |
| 27573 | TCP | Subseven |
| 27665 | TCP | TRINOO (DDoS) |
| 28678 | TCP | Exploiter |
| 29104 | TCP | NETrojan |
| 29891 | UDP | The Unexplained |
| 30000 | TCP | Infector ? |
| 30001 | TCP | Err0r32 |
| 30003 | TCP | Lamers Death |
| 30029 | TCP | AOL Trojan |
| 30070 | TCP | Mantis (shaban) |
| 30101 | TCP | NetSphere |
| 30102 | TCP | NetSphere |
| 30103 | TCP, UDP | NetSphere |
| 30133 | TCP | NetSphere |
| 30303 | TCP | Sockets des Troie |
| 30947 | TCP | Intruse |
| 30999 | TCP | Kuang2 |
| 31335 | TCP | Trinoo |
| 31336 | TCP, UDP | Bo Whack, Butt Funnel |
| 31337 | TCP, UDP | Back Fire, Back Orifice, Baron Night, Beeone, BO Facil, BO spy, BO2, Freak88, Freak2k |
| 31338 | TCP, UDP | DK NetSpy, Deep BO |
| 31339 | TCP, UDP | NetSpy (DK) |
| 31557 | TCP | Xanadu |
| 31666 | TCP | Bowhack |
| 31785 | TCP, UDP | Hack'a'Tack |
| 31787 | TCP, UDP | Hack'a'Tack |
| 31788 | TCP, UDP | Hack'a'Tack |
| 31789 | TCP, UDP | Hack'a'Tack |
| 31790 | TCP, UDP | Hack'a'Tack |
| 31791 | UDP | Hack'a'Tack |
| 31792 | UDP | Hack'a'Tack |
| 32001 | TCP | Donald Dick |
| 32100 | TCP | Peanut Brittle, Project nEXT |
| 32418 | TCP | Acid Battery |
| 33270 | TCP | Trinity (DDoS) |
| 33333 | TCP | Blakharaz, Prosiak |
| 33577 | TCP | Son of Psychward |
| 33777 | TCP | Son of Psychward |
| 33911 | TCP | Spirit 2000, Spirit 2001 |
| 34324 | TCP | Big Gluck, TN |
| 34444 | TCP | Donald Dick |
| 34555 | UDP | WINTrinoo (DDoS) |
| 35555 | UDP | WINTrinoo (DDoS) |
| 37237 | TCP | Mantis |
| 37651 | TCP | Y.A.T. |
| 40412 | TCP | The Spy Beta 1 |
| 40421 | TCP | Agent 40421, Masters Paradise |
| 40422 | TCP | Masters Paradise |
| 40423 | TCP | Masters Paradise |
| 40425 | TCP | Masters Paradise |
| 40426 | TCP | Masters Paradise |
| 41337 | TCP | Storm |
| 41666 | TCP, UDP | Remote Boot Tool |
| 44444 | TCP | Prosiak |
| 44575 | TCP | Exploiter |
| 47262 | TCP, UDP | Delta source |
| 48004 | TCP | Fraggle Rock |
| 48006 | TCP | Fraggle Rock |
| 49000 | TCP | Fraggle Rock |
| 49301 | TCP | OnLine KeyLogger |
| 50000 | TCP | SubSARI |
| 50130 | TCP | Enterprise |
| 50505 | TCP | Sockets des Troie |
| 50766 | TCP | Fore, Schwindler |
| 51966 | TCP | CAFEiNi |
| 52317 | TCP | Acid Battery 2000 |
| 53001 | TCP | Remote Windows Shutdown |
| 54283 | TCP | SubSeven |
| 54320 | TCP | BO2K |
| 54321 | TCP | BO2K, SchoolBus |
| 55165 | TCP | File Manager Trojan |
| 55166 | TCP | File Manager Trojan, WM Trojan Generator |
| 57341 | TCP | NetRaider |
| 58339 | TCP | Butt Funnel |
| 60000 | TCP | Deep Throat, Foreplay, Sockets des Troie |
| 60001 | TCP | Trinity (DDoS) |
| 60068 | TCP | Xzip 6000068 |
| 60411 | TCP | Connection |
| 61348 | TCP | Bunker Hill |
| 61466 | TCP | Telecommando |
| 61603 | TCP | Bunker Hill |
| 63485 | TCP | Bunker Hill |
| 64101 | TCP | Taskman |
| 65000 | TCP | Devil, Sockets des Troie, Stacheldraht (DDoS) |
| 65390 | TCP | Eclypse |
| 65421 | TCP | Jade |
| 65432 | TCP, UDP | Traitor |
| 65530 | TCP | Windows Mite |
| 65535 | TCP | RC |
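
The following Python sketch is an added example, not part of the original page or of any tool it describes. It does by hand what the page suggests doing with netstat or Fport: it lists the listening ports with their owning PIDs and checks them against the archive list above. The `ARCHIVE` entries are a short excerpt of that list; the netstat sample, the PIDs and the `STANDARD` service map are constructed for illustration.

```python
# Excerpt of this page's archive list: (protocol, port) -> names; not the full table.
ARCHIVE = {
    ("TCP", 80): "RingZero, Executor",
    ("TCP", 123): "NetController",
    ("TCP", 12345): "Netbus",
    ("TCP", 27374): "Subseven",
    ("TCP", 31337): "Back Orifice",
    ("UDP", 31337): "Back Orifice",
}
# Ports that also carry an ordinary service (small illustrative subset, an assumption).
STANDARD = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3"}

# Constructed sample of Windows `netstat -ano` output, not a real capture.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2212
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     3100
  TCP    [::]:27374             [::]:0                 LISTENING       2212
  UDP    0.0.0.0:123            *:*                                    1020
  UDP    0.0.0.0:31337          *:*                                    1408
"""

def parse_listeners(text):
    """Return (proto, port, pid) for every TCP LISTENING or bound UDP socket."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated output
        if f[0] == "TCP" and (len(f) < 5 or f[3] != "LISTENING"):
            continue  # established/closing connections are not listeners
        port = int(f[1].rsplit(":", 1)[1])  # rsplit copes with [::]:27374
        found.append((f[0], port, int(f[-1])))
    return found

def review(listeners):
    """Return listeners whose protocol AND port appear in the archive excerpt."""
    hits = []
    for proto, port, pid in listeners:
        names = ARCHIVE.get((proto, port))
        if names:
            # A match is a lead, not a verdict: check which program owns the PID.
            hits.append((proto, port, pid, names, STANDARD.get(port)))
    return hits

if __name__ == "__main__":
    for proto, port, pid, names, svc in review(parse_listeners(SAMPLE)):
        note = f"also the usual {svc} port" if svc else "not in the STANDARD subset"
        print(f"{proto}/{port} pid={pid}: listed for {names} ({note})")
```

On a live Windows host, pass the text of `netstat -ano` to `parse_listeners` and look up each reported PID in Task Manager or Process Explorer before drawing a conclusion. UDP 123 in the sample is not flagged because the list names TCP 123 only, and TCP 80 is flagged even though it is the ordinary web server port.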
copyright 2001 © anti-trojan.org
