Discover Non-Standard Ports To Detect Compromised Services

Anyone who has used Linux long enough will look at numbers such as 22 and 80 in a totally different light than everyone else. Default port numbers are expected to be hammered with tons of packets day to day, from legitimate user requests to probes sent by nmap scans. Changing services such as SSH and FTP to non-default numbers are not only a tactic for securing your server - they're a tactic for malicious users to hide these services as backdoors once a system is compromised. Read on to see how scanning tools such as Passive Vulnerability Scanner and Nessus can be used to scan for these "off port" services.

If you are attempting to perform network security monitoring in a large, unmanaged environment that has "poor" security, you are most likely dealing with botnets, phishing attempts, worms and Trojans. Many of these threats install some sort of FTP, SSH or Web server as a backdoor or drop point on a port other than the typical default port. Discovering these on your network may help you find compromised servers, or even administrators who are trying to bypass firewall rules. This blog entry discusses how to find these "off port" services with the Passive Vulnerability Scanner (PVS), Nessus scanner and through log analysis.

The link for this article located at Tenable Network Security is no longer available.