From: Joakim von Braun [joakim.von.braun@risab.se]
Sent: Wednesday, May 12, 1999 6:08 AM
To: ntsecurity@iss.net
Cc: firewalls@lists.gnac.com; PacketStorm@genocide2600.com; flashback@flashback.se
Subject: [NTSEC] Default trojan ports

After seeing several questions about traffic directed at ports such as 31337 and 12345, I've put together a list of all trojans known to me and the default ports they are using. Of course several of them could use any port, but I hope this list will maybe give you a clue of what might be going on.

port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
port 23 - Tiny Telnet Server
port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy
port 31 - Hackers Paradise
port 80 - Executor
port 456 - Hackers Paradise
port 555 - Ini-Killer, Phase Zero, Stealth Spy
port 666 - Satanz Backdoor
port 1001 - Silencer, WebEx
port 1011 - Doly Trojan
port 1170 - Psyber Stream Server, Voice
port 1234 - Ultors Trojan
port 1245 - VooDoo Doll
port 1492 - FTP99CMP
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1981 - Shockrave
port 1999 - BackDoor
port 2001 - Trojan Cow
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2801 - Phineas Phucker
port 3024 - WinCrash
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3700 - Portal of Doom
port 4092 - WinCrash
port 4590 - ICQTrojan
port 5000 - Sockets de Troie
port 5001 - Sockets de Troie
port 5321 - Firehotcker
port 5400 - Blade Runner
port 5401 - Blade Runner
port 5402 - Blade Runner
port 5569 - Robo-Hack
port 5742 - WinCrash
port 6670 - DeepThroat
port 6771 - DeepThroat
port 6969 - GateCrasher, Priority
port 7000 - Remote Grab
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - ICKiller
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9989 - iNi-Killer
port 10067 - Portal of Doom
port 10167 - Portal of Doom
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12223 - Hack'99 KeyLogger
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 16969 - Priority
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP
port 26274 - Delta
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 33333 - Prosiak
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 - Delta
port 50505 - Sockets de Troie
port 50766 - Fore
port 53001 - Remote Windows Shutdown
port 61466 - Telecommando
port 65000 - Devil

You'll find the list on the following address: http://www.simovits.com/nyheter9902.html (still in Swedish but it will be translated in the near future).

To help anyone to detect trojan attacks, I'm planning to add information about the original names of the executables, their size, where they usually are hiding, and the names of any helpfiles they may use. I will also add tools or links to tools that may be of your assistance.

Feel free to get back to me with any comments or suggestions. If you find new trojans I'll love to get my hands on them, but please mail me first, as I don't need more than one copy. If you have live experience of trojan attacks I'm interested to read about your findings.

Joakim
joakim.von.braun@risab.se
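A defensive use of the list, as an added example that is not part of the original message: it parses an excerpt of the list in the message's own "port N - names" format and triages firewall log lines against it. The log format, the sample addresses, the exclusion of ports 21/23/25/80 and the three-host sweep threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Excerpt of the list in the message, kept in its "port N - names" format.
LIST_EXCERPT = """
port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
port 80 - Executor
port 12345 - GabanBus, NetBus
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
"""
# Assumption: listed ports that also carry ordinary services are not flagged.
COMMON_SERVICE_PORTS = {21, 23, 25, 80}

# Constructed sample log lines in a hypothetical key=value firewall format.
SAMPLE_LOG = """
DENY src=203.0.113.7 dst=192.0.2.10 dport=31337
DENY src=203.0.113.7 dst=192.0.2.11 dport=31337
DENY src=203.0.113.7 dst=192.0.2.12 dport=12345
ALLOW src=198.51.100.4 dst=192.0.2.10 dport=80
ALLOW src=198.51.100.9 dst=192.0.2.20 dport=12345
DENY src=198.51.100.4 dst=192.0.2.10 dport=443
"""

def parse_port_list(text):
    """Return {port: [trojan names]} parsed from 'port N - A, B' lines."""
    return {int(m.group(1)): [n.strip() for n in m.group(2).split(",")]
            for m in re.finditer(r"^port (\d+) - (.+)$", text, re.M)}

def triage(log_text, table):
    """Group hits on listed ports by source address and rate each source."""
    hits = defaultdict(list)
    for m in re.finditer(r"^(\w+) src=(\S+) dst=(\S+) dport=(\d+)$", log_text, re.M):
        action, src, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if port in table and port not in COMMON_SERVICE_PORTS:
            hits[src].append((action, dst, port))
    report = {}
    for src, rows in hits.items():
        allowed = sorted({(d, p) for a, d, p in rows if a == "ALLOW"})
        targets = {d for _, d, _ in rows}
        # Allowed traffic means checking that host; 3+ blocked targets look like a sweep.
        verdict = "investigate-host" if allowed else "sweep" if len(targets) >= 3 else "probe"
        report[src] = {"verdict": verdict, "allowed": allowed,
                       "candidates": sorted({n for _, _, p in rows for n in table[p]})}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG, parse_port_list(LIST_EXCERPT)).items():
        print(src, info)
```

As the message says, several of these trojans could use any port, so a match is only a lead for checking the destination host and a clean log proves nothing.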