| Service | Port / ICMP type | Protocol | Hostility | Explanation |
|---|---|---|---|---|
| reserved | 0 | TCP/UDP | Hi | source port - no good reason for this |
| sscan signature | 0-5 | TCP | Hi | source ports - no good reason for this |
| ttymux | 1 | TCP | Hi | possibly part of an sscan probe |
| echo | 7 | TCP/UDP | Hi | potential UDP attack |
| systat | 11 | TCP | Hi | system/user information (ps) |
| unassigned | 15 | TCP | Hi | was netstat: open connections, routing tables, etc. |
| chargen | 19 | TCP/UDP | Hi | potential UDP attack |
| ftp | 21, 20 | TCP | Lo | famous file transfer service |
| ssh | 22 | TCP | Med | secure shell service |
| ssh | 22 | UDP | Lo | old version of PC Anywhere |
| telnet | 23 | TCP | Med | remote login |
| smtp | 25 | TCP | Hi | looking for spam relay |
| DNS | 53 | TCP | Hi | compromising a DNS server via TCP zone transfers |
| dhcpc | 67 | UDP | Lo | probably a mistake |
| tftpd | 69 | UDP | Med | very insecure ftp alternative |
| finger | 79 | TCP | Lo | user account information |
| link | 87 | TCP | Hi | terminal link - commonly used by intruders |
| pop | 110, 109 | TCP | Hi | looking for a mail or news spam relay |
| sunrpc | 111 | TCP/UDP | Hi | NFS, NIS, any rpc-based service |
| nntp | 119 | TCP | Med | free/public news feed or spam relay |
| ntp | 123 | UDP | Lo | network time synchronization; ok, but impolite |
| netbios | 137 | TCP/UDP | Hi | Windows Name Service |
| netbios | 138 | TCP/UDP | Hi | Windows Datagram Service |
| netbios | 139 | TCP | Hi | Windows Session Service |
| imap | 143 | TCP | Hi | famous security hole |
| NeWS | 144 | TCP | Hi | Sun windowing management system |
| snmp | 161, 162 | UDP | Hi | remote network administration |
| xdmcp | 177 | UDP | Hi | xdm: XDMCP, X Display Manager |
| rexec | 512 | TCP | Hi | intended for intranet use |
| biff | 512 | UDP | Hi | intended for intranet use |
| rlogin | 513 | TCP | Med | intended for intranet use |
| who | 513 | UDP | Hi | intended for intranet use |
| rsh | 514 | TCP | Med | intended for intranet use |
| syslog | 514 | UDP | Hi | intended for intranet use |
| printer | 515 | TCP | Hi | intended for intranet use |
| talk | 517 | UDP | Med | intended for intranet use |
| ntalk | 518 | UDP | Med | intended for intranet use |
| route | 520 | UDP | Hi | routed |
| uucp | 540 | TCP | Med | a "famous" file transfer service |
| mount | 635 | UDP | Hi | NFS mount service |
| socks | 1080 | TCP | Hi | potential spam relay point |
| SQL | 1114 | TCP | Hi | part of an sscan signature |
| openwin | 2000 | TCP | Hi | OpenWindows windowing system |
| NFS | 2049 | TCP/UDP | Hi | remote filesystem access |
| pcanywherestat | 5632 | UDP | Lo | PC Anywhere |
| X11 | 6000+n | TCP | Hi | X Windows |
| NetBus | 12345, 12346, 20034 | TCP | Hi | If you have this on your system, and you didn't put it there, your computer is WIDE OPEN to anyone. |
| Back Orifice | 31337 | UDP | Hi | Back Orifice trojan horse (system access) |
| Hack'a'Tack | 31790, 31789 | UDP | Hi | Windows Hack'a'Tack trojan |
| traceroute | 33434-33523 | UDP | Lo | incoming traceroute |
| ping | 8 | ICMP | Lo | incoming ping |
| redirect | 5 | ICMP | Hi | incoming routing redirect bomb |
| traceroute | 11 | ICMP | Lo | outgoing response to traceroute |
| OS type probe | 0 | TCP/UDP | Hi | broadcasts to destination address 0.0.0.0/0 |