The Broadband Guide
search advanced
 forgot password?

Port 21 Details

known port assignments and vulnerabilities
threat/application/port search:
Port(s) Protocol Service Details Source
21 tcp FTP File Transfer Protocol [RFC 959]

List of some trojan horses/backdoors that also use this port: Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm, W32.Sober.N@mm.
W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 21/tcp., and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
W32.Loxbot.C (01.11.2006)

FTP proxy server for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service (network connectivity loss) via a connection to port 21 with a large amount of random data.
References: [CVE-2002-0779]

TURCK BL20 / BL67 could allow a remote attacker to bypass security restrictions, caused by the use of hardcoded credentials for the FTP service. An attacker could exploit this vulnerability using TCP port 21 to gain administrative access to the device.
References: [CVE-2012-4697], [XFDB-84351]

The FTP service in QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Station before 2.0.1, has hardcoded credentials, which makes it easier for remote attackers to obtain access via a session on TCP port 21.
References: [CVE-2015-7261]

The FTP service on Janitza UMG 508, 509, 511, 604, and 605 devices has a default password, which makes it easier for remote attackers to read or write to files via a session on TCP port 21.
References: [CVE-2015-3968]
21 udp FSP FSP/FTP [RFC959] SG
21 tcp FTP - control (command) (official) Wikipedia
21 tcp trojan ADM worm, Back Construction, Blade Runner, BlueFire, Bmail, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, FreddyK, Invisible FTP, KWM, MscanWorm, NerTe, NokNok, Pinochet, Ramen, Reverse Trojan, RTB 666, The Flu, WinCrash, Voyager Alpha Force Trojans
21 tcp,udp ftp File Transfer [Control] [RFC4960] IANA
21 tcp,udp ftp File Transfer [Control] SANS
21 tcp applications GeoVision DMIP Portforward
21, 80, 3389, 4550, 5550, 6550, 9650 tcp applications GeoVision TwinDVR with Webcam Portforward
21,80,3389,4550,5550,6550 tcp applications GeoVision Webcam Portforward
21,50000-50004 tcp applications Serv-U Portforward
21,1983 tcp applications Tales of Pirates Portforward
20,21 tcp applications vsftp Portforward
21 tcp,udp ftp File Transfer [Control] Nmap
21 tcp BackConstruction [trojan] Back Construction Neophasis
21 tcp BladeRunner [trojan] BladeRunner Neophasis
21 tcp CattivikFTPServer [trojan] Cattivik FTP Server Neophasis
21 tcp CCInvader [trojan] CC Invader Neophasis
21 tcp DarkFTP [trojan] Dark FTP Neophasis
21 tcp DolyTrojan [trojan] Doly Trojan Neophasis
21 tcp Fore [trojan] Fore Neophasis
21 tcp FreddyK [trojan] FreddyK Neophasis
21 tcp InvisibleFTP [trojan] Invisible FTP Neophasis
21 tcp Juggernaut42 [trojan] Juggernaut 42 Neophasis
21 tcp Larva [trojan] Larva Neophasis
21 tcp MotIvFTP [trojan] MotIv FTP Neophasis
21 tcp NetAdministrator [trojan] Net Administrator Neophasis
21 tcp Ramen [trojan] Ramen Neophasis
21 tcp RTB666 [trojan] RTB 666 Neophasis
21 tcp SennaSpyFTPserver [trojan] Senna Spy FTP server Neophasis
21 tcp Traitor21 [trojan] Traitor 21 Neophasis
21 tcp [trojan]TheFlu [trojan] The Flu Neophasis
21 tcp WebEx [trojan] WebEx Neophasis
21 tcp WinCrash [trojan] WinCrash Neophasis
21 tcp AudioGalaxy AudioGalaxy file sharing app Neophasis
21 tcp threat Back Construction Bekkoame
21 tcp threat Blade Runner Bekkoame
21 tcp threat Cattivik FTP Server Bekkoame
21 tcp threat CC Invader Bekkoame
21 tcp threat Dark FTP Bekkoame
21 tcp threat Doly Trojan Bekkoame
21 tcp threat Fore Bekkoame
21 tcp threat Invisible FTP Bekkoame
21 tcp threat Juggernaut 42 Bekkoame
21 tcp threat Larva Bekkoame
21 tcp threat MotIv FTP Bekkoame
21 tcp threat Net Administrator Bekkoame
21 tcp threat Ramen Bekkoame
21 tcp threat Senna Spy FTP server Bekkoame
21 tcp threat The Flu Bekkoame
21 tcp threat Traitor 21 Bekkoame
21 tcp threat W32.Bobax Bekkoame
21 tcp threat W32.Loxbot Bekkoame
21 tcp threat W32.Mytob Bekkoame
21 tcp threat WebEx Bekkoame
21 tcp threat WinCrash Bekkoame
55 records found
jump to:
previous next

Related ports: 20  1234  1235  1239  

« back to SG Ports

External Resources
SANS Internet Storm Center: port 21

Well Known Ports: 0 through 1023.
Registered Ports: 1024 through 49151.
Dynamic/Private : 49152 through 65535.

TCP ports use the Transmission Control Protocol. TCP is the most commonly used protocol on the Internet and any TCP/IP network. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and that packets will be delivered in the same order in which they were sent. Guaranteed communication/delivery is the key difference between TCP and UDP.

UDP ports use the Datagram Protocol, a communications protocol for the Internet network, transport, and session layers. Like TCP (Transmission Control Protocol), UDP is used with IP (the Internet Protocol) and makes possible the transmission of datagrams from one computer to applications on another computer, but unlike TCP, UDP is connectionless and does not guarantee reliable communication; it's up to the application that received the message to process any errors and verify correct delivery. UDP is often used with time-sensitive applications, such as audio/video streaming, where dropping some packets is preferable to waiting for delayed data.

When troubleshooting unknown open ports, it is useful to find exactly what services/processes are listening to them. This can be accomplished in both Windows command prompt and Linux variants using the "netstat -aon" command. We also recommend runnig multiple anti-virus/anti-malware scans to rule out the possibility of active malicious software. For more detailed and personalized help please use our forums.

Please use the "Add Comment" button below to provide additional information or comments about port 21.
  User Reviews/Comments:
by clairmont32 - 2014-02-18 11:29
Used by the Qakbot worm, which is known to do data exfiltration through FTP. Look for network logs showing seclog*.kcb files to determine if the exfiltration is attempting to take place.
Print this document top
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About