Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please contact us.
Any feedback and suggestions can also be posted to our Security forum.
| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 0 |
tcp,udp |
|
not scanned |
This port is technically illegal, but possible. It is often used to fingerprint machines, because different operating systems respond to this port in different ways. |
| 1 |
udp |
tcpmux |
not scanned |
IANA assigned to TCP Port Service Multiplexer.
Sockets des Troie remote access trojan uses this port (a.k.a. Backdoor.Sockets23, Lame, Backdoor.Kamikaze, IRC_trojan, TROJ_Backdoor, W32/Cheval.gen, coded in Delphi 3, 06.1998). It might also use ports 1/udp, 5000, 5001, 30303, 50505, 60000 and 65000. |
| 1 |
tcp |
tcpmux |
not scanned |
Scans against this port are commonly used to test if a machine runs SGI Irix (as SGI is the only system that typically has this enabled). This service is almost never used in practice.
CERT: CA-95.15.SGI.lp.vul
RFC1078 - TCPMUX acts much like Sun's portmapper (port 111) or Microsoft's end-point mapper (port 135) in that it allows services to run on arbitrary ports. In the case of TCPMUX, however, after the "lookup" phase, all further communication continues to run over that port. |
| 2 |
tcp |
compressnet |
Premium scan |
Trojans that use this port: Death remote access trojan (coded in VB, affects Windows 9x), port can be changed. Files: death.exe, config.cfg
Port 2 is also registered with IANA for compressnet management utility. |
| 3 |
tcp,udp |
compressnet |
not scanned |
IANA assigned for: Compression Process
Port also used by: Midnight Commander |
| 4 |
tcp |
sfs |
Basic scan |
Self-Certifying File System (SFS): sfssd accepts connections on TCP port 4 and passes them to the appropriate SFS daemon. SFS is a secure, global file system with completely decentralized control. SFS uses NFS 3 as the underlying protocol for file access.
Midnight Commander sometimes uses port 4/tcp as well. |
| 7 |
tcp |
Echo |
Members scan |
Echo Service, somewhat outdated by ICMP echo. Port just echoes whatever is sent to it. This feature can be used in many attacks, such as fraggle.
See also: [RFC862]
ICP - Internet Caching Protocol - This protocol is used by HTTP caching proxies in order to coordinate working together in a cluster. Part of this implementation includes bouncing packets off the echo port in order to test if the peers are alive. |
| 9 |
tcp,udp |
Discard |
Members scan |
Discard server - this protocol is only installed on machines for test purposes. The service listening at this port (both TCP and UDP) simply discards any input.
See also: [RFC863], CVE-1999-0060
Intrusions: Ascend kill
This exploit kills Ascend routers by sending them a specially formatted malformed TCP packet. On certain versions of the Ascend operating system, the router can be forced to cause an internal error, resulting in the router rebooting. |
| 11 |
tcp,udp |
systat |
Premium scan |
system / active users information.
On some UNIX machines, creating a TCP connection to this port will dump the active processes and who launched them. The original intent for this was to make remote management of UNIX easier. However, intruders will query the systat information in order to map out the system.
This service is rarely available anymore because of these security concerns.
On UNIX, there are also local commands that show this information, such as systat or ps.
See also: [RFC866] |
| 13 |
tcp,udp |
Daytime |
Members scan |
Daytime service [RFC 867] - responds with the current time of day. Different machines respond with slightly different date/time format, so port can be used to fingerprint machines. |
| 15 |
tcp,udp |
netstat |
Premium scan |
Port used by netstat (a variant of systat, see port 11). Rarely available because of security concerns. It can be used to list active processes and who launched them on some UNIX machines.
Port also used by B2 trojan. |
| 17 |
tcp,udp |
qotd |
not scanned |
Responds with Quote of the Day. See [RFC 865] |
| 18 |
tcp,udp |
msp |
not scanned |
Message Send Protocol
Also: Remote Write Protocol (RWP)
Related RFCs: [RFC 1159] [RFC 1312] [RFC 1756] |
| 19 |
tcp,udp |
Chargen |
Members scan |
Generates and replies with a stream of characters (TCP) or a packet containing characters (UDP). Should be disabled if there is no specific need for it, as it is a source for potential attacks.
[RFC 864] |
| 20 |
tcp |
FTP - data |
Members scan |
File Transfer Protocol - Data |
| 20 |
udp |
? |
Basic scan |
|
| 21 |
tcp |
FTP |
Basic scan |
File Transfer Protocol.
List of some trojan horses/backdoors that also use this port: Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm, W32.Sober.N@mm.
W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 21/tcp, and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
W32.Loxbot.C (01.11.2006) |
| 21 |
udp |
FSP |
Basic scan |
FSP/FTP |
| 22 |
udp |
PC-Anywhere |
Basic scan |
Old versions of pcAnywhere use port 22/udp (no relation to ssh and port 22/tcp).
The real pcAnywhere port is 5632. The value 0x0016 (hex) is 22 decimal; the value of 0x1600 (hex) is 5632 decimal. Some say that pcAnywhere had a byte-swapping bug that led to its incorrect use of port 22. |
| 22 |
tcp |
SSH |
Basic scan |
Secure Shell - most common use is command line access, secure replacement of Telnet. Could also be used as an encrypted tunnel for secure communication of virtually any service.
Some trojans also use this port: InCommand, Shaft, Skun |
| 23 |
tcp |
telnet |
Basic scan |
Telnet is one of the oldest Internet protocols and the most popular program for remote access to Unix machines. It has numerous security vulnerabilities.
Trojans that also use this port: ADM worm, Aphex's Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (109.26.2005) |
| 24 |
tcp |
priv-mail |
not scanned |
Port used by any private mail system.
Also used by the Back Orifice 2000 (BO2K) trojan as Control Port |
| 25 |
tcp |
SMTP |
Basic scan |
SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not running a mail server that you're aware of, there is a possibility your system is infected.
List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting an NTP server on port 37/tcp.
Trojan.Mitglieder.R (07.01.2005) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate an SMTP spam relay server on port 25/tcp.
W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Backdoor.Rustock (01.12.2006) - backdoor program that allows the compromised computer to be used as a proxy, uses rootkit techniques to hide its files and registry entries. |
| 26 |
tcp |
rsftp |
Members scan |
Port used by RSFTP - a simple FTP-like protocol.
Sometimes also used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). |
| 30 |
tcp |
trojans |
Premium scan |
Agent 40421 trojan. Also uses port 40421/tcp |
| 31 |
tcp |
msg-auth |
Members scan |
MSG Authentication
The following trojans/backdoors also use this port: Agent 31, Agent 40421, Hackers Paradise (ports 31, 456), Masters Paradise, Skun |
| 37 |
tcp |
worm |
Basic scan |
Officially assigned for use by TIME protocol [RFC 868] [RFC 956]
TIME (port 37/tcp) can pose a DOS subnet threat because it has embedded functions used for the identification of critical processing time intervals and the ability to re-issue its output to port 7.
W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting an NTP server on port 37/tcp.
W32.Sober.J@mm (01.30.2005)
W32.Sober.O@mm (05.02.2005)
W32.Sober.X@mm (12.12.2005) |
| 41 |
tcp |
trojans |
Members scan |
Some trojans use this port: Deep Throat, Foreplay |
| 42 |
tcp,udp |
WINS |
Members scan |
Port used by WINS (Windows Internet Naming Service).
Worms can exploit a recently announced buffer overflow vulnerability within WINS using this port.
See:
Microsoft - How to help protect against a WINS security issue
Technical Analysis by Steve Friedl
W32.Dasher.D (12.19.2005) - a worm that exploits the following MS vulnerabilities: MS05-051 (on port 53/tcp) and MS04-045 (on port 42/tcp).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp.
Port was originally assigned to the obsolete ARPA Host name server protocol (pre-DNS). |
| 43 |
tcp,udp |
whois |
not scanned |
WHOIS protocol |
| 48 |
tcp |
auditd |
Premium scan |
DRAT remote access trojan (11-1999) uses ports 48,50.
Port is also IANA assigned for: Digital Audit Daemon |
| 49 |
tcp,udp |
TACACS |
Members scan |
Login Host Protocol (TACACS)
Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. |
| 50 |
tcp |
re-mail-ck |
Members scan |
IPSec (VPN tunneling) uses the following ports:
50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
Some trojans that also use this port: DRAT remote access trojan (11-1999). Uses ports 48,50. |
| 51 |
tcp |
vpn |
not scanned |
IPSec (VPN tunneling) uses the following ports:
50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal |
| 53 |
tcp,udp |
DNS |
Basic scan |
DNS (Domain Name Service) is used for domain name resolution.
There are some attacks that target vulnerabilities within DNS servers. Some trojans also use this port: ADM worm, li0n, MscanWorm, MuSka52, Trojan.Esteem.C (05.12.2005), W32.Spybot.ABDO (12.12.2005).
W32.Dasher.B (12.16.2005) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin MS05-051).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp.
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp.
Bonk (DoS) trojan horse also uses port 53 (TCP). |
| 54 |
tcp,udp |
xns-ch |
Premium scan |
Port is officially assigned to XNS (Xerox Network Services) Clearinghouse.
Port is also used by the MuSka52 trojan. |
| 58 |
tcp |
trojan |
Premium scan |
DMSetup trojan horse |
| 59 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AJ (01.10.2005) - network aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 59/tcp.
DMSetup trojan horse also uses port 59. |
| 67 |
udp |
bootp server |
Basic scan |
Bootstrap protocol server. Used by DHCP servers to communicate addressing information to remote DHCP clients. |
| 68 |
udp |
bootp client |
Basic scan |
Bootstrap protocol client. Used by client machines to obtain dynamic IP addressing information from a DHCP server. |
| 69 |
udp |
TFTP |
Basic scan |
Trivial File Transfer Protocol - A less secure version of FTP, generally used in maintaining and updating systems, for configuration file transfers between LAN systems, firmware updates on routers, etc.
Many trojans also use this port: BackGate Kit, Nimda, Pasana, Storm, Storm worm, Theef...
W32.Blaster.Worm is a widely spread worm that exploits the MS DCOM RPC vulnerability described in MS Security Bulletin MS03-026. The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Welchia.Worm - a widely spread worm that removes the W32.Blaster.Worm and installs a TFTP server.
W32.Cycle (05.10.2004). Exploits a MS vulnerability on port 445, Listens on ports 3332/tcp and 69/udp.
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 69/udp is also used by the W32.Zotob.H variant of the worm.
W32.Evala.Worm - backdoor trojan, 07.2002. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70. |
| 70 |
tcp |
trojans |
Members scan |
W32.Evala.Worm - backdoor trojan, 07.2002. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.
Other trojans that use these ports: ADM worm, BackGate Kit, Nimda, Pasana, Storm, Theef
Note: port 69/udp is used by TFTP. |
| 77 |
tcp,udp |
priv-rje |
not scanned |
IANA assigned for any private RJE service, netjrs.
The error message "TK_SPACE undeclared" is common to this port. This occurs when installed ports keep bombing out on sqlite3. |
| 79 |
tcp,udp |
Finger |
Members scan |
Finger
Finger Security Concerns: Provides key host info to attackers. A fingered host can be DoSed if hit with a recursive finger script until its memory and swap space fill. Fingering clients can be DoSed if they finger a maliciously configured host (which returns a data overload, causing the client to beep continually, etc.). If fingering clients allow programmable keys, a maliciously configured host can return a finger response that maps a key to rm -rf /. Disable on all hosts unless the finger service is stubbed to only provide a scripted data response (e.g. system admin contact info).
Trojans that also use this port: ADM worm, CDK trojan (ports 79, 15858), Firehotcker (ports 79, 5321) |
| 80 |
udp |
trojans |
Members scan |
W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.
W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 21/tcp, and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
Port 80 udp is also used by some games, like Alien vs Predator (Activision). |
| 80 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - port used for web traffic. See also TCP ports 81, 8080, 8081.
Some broadband routers (Linksys, etc.) run a web server on port 80 or 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.
If you're not running web services, keep in mind that Code Red and Nimda worms also propagate via TCP port 80 (HTTP). Also, a number of trojans/backdoors use these ports: 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Nerte 7.8.1, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader
Trojan.Webus.C
W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
Backdoor.Ranky.S (01.30.2005) - runs proxy on port 80.
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
Backdoor.Darkmoon.B (10.21.2005) - a backdoor trojan with keylogger capabilities. Opens a backdoor and listens for remote commands on port 80/tcp.
W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Trojan.Lodear.F (12.18.2005) - trojan that attempts to download remote files.
W32.Feebs (01.07.2006)
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp. |
| 81 |
udp |
trojans |
Premium scan |
W32.Beagle.AR@mm (9.29.2004) - mass mailing worm with backdoor functionality on port 81/tcp & udp. Affects all current Windows versions. |
| 81 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - ports used for web traffic. See also TCP ports 80, 8080, 8081.
Some common uses for port 81/tcp include web administration (cobalt cube), web proxy servers, etc.
If you're not running web services on this port, keep in mind it is also used by some trojans:
Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default.
W32.Beagle.AR@mm (09.29.2004) - port 81. |
| 82 |
tcp |
trojans |
Members scan |
W32.Netsky.X@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 82/tcp to receive and execute a file from an attacker.
The W32.Netsky.Y@mm variant also opens port 82/tcp.
ET TROJAN LD Pinch Checkin uses port 82/udp. |
| 87 |
tcp |
terminal link |
Members scan |
terminal link - a talk/chat style protocol. Port commonly used by intruders |
| 88 |
udp |
Kerberos |
Premium scan |
KDC (Kerberos key distribution center) server.
Related ports: 464,543,544,749,751
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp.
Trojans that use this port: BackDoor-AXC |
| 99 |
udp |
metagram |
Members scan |
Metagram Relay, gnutella |
| 99 |
tcp |
trojan |
Premium scan |
Hidden Port trojan horse |
| 101 |
tcp,udp |
hostname |
not scanned |
Hostnames NIC Host Name Server. [RFC953] [RFC811] |
| 102 |
tcp,udp |
iso-tsap |
Members scan |
Port used by X.400, X.500, ITOT, ISO-TSAP (Transport Service Access Point) protocol.
Microsoft Exchange uses this port for X.400 mail messaging traffic. No known vulnerabilities, but similar to data-driven attacks common to smtp plus possible direct attacks, such as with sendmail. Always static route inbound mail to a protected/hardened email server.
X.500 Directory Service - Used to distribute user names, user info and public keys.
Security Concerns: Depending on vendor implementation probes can reveal valuable user info for follow-on attacks. On poorly configured servers attackers can replace public keys for data capture or DOS purposes.
[RFC1006] [RFC2126] |
| 103 |
tcp,udp |
gppitnp |
not scanned |
Port IANA registered for Genesis Point-to-Point Trans Net
Also sometimes used with MS Exchange X.400 mail messaging traffic.
Known trojans that use this port: Skun |
| 105 |
tcp,udp |
ccso |
not scanned |
IANA assigned to CCSO name server protocol (mailbox name nameserver). [RFC2378] |
| 106 |
tcp |
poppassd |
not scanned |
(TCP) poppassd (aka. epass) allows passwords to be changed on POP servers. Traditionally, users would have to have shell (Telnet) accounts on the servers in order to change their passwords. This allows users with just POP access to change their passwords.
The exchange looks something like:
S: 200 Hello
C: user robert
S: 300 Please send current password
C: pass mypassword
S: 200 send New Pass Word
C: newpass newpassword
S: 200 successful
C: quit
Protocol was originally developed for Eudora. Eudora Internet Mail Server versions 1.2, 2.0 and 2.01 are subject to a DoS: if you connect to this server and enter the command "USER xxxxxx" with more than 1000 characters, the service will crash. |
| 109 |
tcp,udp |
pop2 |
not scanned |
Post Office Protocol 2. While POP2 has largely been replaced by POP3, hackers still scan for this port because many older POP servers have vulnerabilities associated with them. [RFC937] |
| 110 |
udp |
pop-or-not |
Basic scan |
POP3 server traffic (should be TCP only?) |
| 110 |
tcp |
POP3 |
Basic scan |
POP3 (Post Office Protocol - Version 3)
Security Concerns: Re-usable cleartext password, no auditing of connections & attempts thus subject to grinding. Some POP3 server versions have had buffer overflow problems. CERT Advisories: CA-97.09
ProMail trojan horse also uses port 110 (TCP). |
| 111 |
tcp,udp |
SunRPC |
Basic scan |
Provides information between Unix-based systems. The port is often probed; it can be used to fingerprint the Unix-like OS and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service.
Port 111 was designed by Sun Microsystems as a component of their Network File System. It is also known as Open Network Computing Remote Procedure Call (ONC RPC). Port 111 is a port mapper with similar functions to Microsoft's port 135 or DCOM DCE.
Security Concerns: Provides rpc port map without auth, has no filtering or logging, rpcinfo probes can quickly find your Unix hosts. Shut down portmapper on any hosts not requiring rpcs, ensure it is blocked at net perimeters.
Trojans that use this port: ADM worm, MscanWorm, Sadmind/IIS Worm |
| 113 |
tcp,udp |
IDENT |
Basic scan |
Port 113 used for Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc. that remote server sends back a query to the IDENT port 113 asking for identification from your system...
Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all from port 113 queries, the connection to them (which initiated their query in the first place) will be delayed or perhaps even completely abandoned.
The simplest solution is to close, rather than filter port 113.
Some trojans also use this port: ADM worm, Alicia, Cyn, DataSpy Network X, Dosh, Gibbon, Invisible Identd Deamon, Kazimas, Taskman, W32.Korgo.F
W32.Bofra.C@mm (11.11.2004) - It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Linkbot.A (11.05.2004) - worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability. It also creates an IRC backdoor and attempts to install adware on the infected machine. It can affect all current Windows versions. Listens on port 113/tcp for remote commands.
W32.Spybot.LZI (04.06.2005) - worm that attempts to exploit the MS DCOM RPC vulnerability on ports 135, 445 & 1025. Opens a backdoor on port 113.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp. |
| 118 |
udp |
trojan |
not scanned |
Infector 1.4.2 trojan horse |
| 119 |
udp |
NNTP |
Basic scan |
NNTP (Network News Transfer Protocol) control messages. |
| 119 |
tcp |
trojan |
Premium scan |
Happy99/Ska trojan horse |
| 121 |
tcp |
erpc |
Premium scan |
trojans/backdoors that use this port:
Attack Bot (files: Sysadmin.exe-181KB, Mpeg.exe, affects Windows 9x/ME)
God Message (ports 80,121,7777, a.k.a. BackDoor.AB.gen, JS.Trojan.WindowBomb, affects Windows 9x/ME/NT/2k)
JammerKillah (files: Jammerkillah.zip, Jammerkillah.exe, Mswin32.drv, affects Windows 9x/ME)
Port is also IANA registered for: Encore Expedited Remote Pro.Call |
| 123 |
udp |
NTP |
Basic scan |
Network Time Protocol (NTP) - used for time synchronization
Security Concerns:
It provides both information and possible avenue of attack for intruders. Info gathered can include system uptime, time since reset, time server pkt, I/O & memory statistics and ntp peer list. If a host is susceptible to time altering via ntp an attacker can possibly:
1) Run replay attacks using captured OTP and Kerberos tickets before they expire.
2) Stop security-related cron jobs from running or cause them to run at incorrect times.
3) Make system and audit logs unreliable since time is alterable. |
| 123 |
tcp |
trojan |
Premium scan |
Net Controller trojan horse |
| 125 |
tcp |
misc |
not scanned |
Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP block on port 25. |
| 133 |
tcp |
trojan |
Premium scan |
Farnaz |
| 135 |
tcp,udp |
loc-srv |
Basic scan |
Remote Procedure Call (RPC) port 135 is used in client/server applications (might be on a single machine) such as Exchange clients, the recently exploited messenger service, as well as other Windows NT/2K/XP software. If you have remote users who VPN into your network, you might need to open this port on the firewall to allow access to the Exchange server.
There is a vulnerability in the RPC Endpoint Mapper component of Windows NT where a malformed request to port 135 could cause denial of service (DoS). RPC contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data. To restore normal functionality, the victim has to reboot the system. Alternatively, you can upgrade/patch your OS (there is a patch downloadable from Microsoft), or you can close port 135.
Port 135 is used by Messenger Service (not MSN Messenger) and exploited in popup net send messenger spam: MSKB 330904. To stop the popups you'd need to filter port 135 at the firewall level or stop the messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp 138/udp, 139/tcp, 445/tcp.
MS Security Bulletin MS03-026 outlines another critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
W32.Blaster.Worm is a widely spread worm that exploits the DCOM RPC vulnerability described above (MS Security Bulletin MS03-026). The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service. |
| 137 |
tcp,udp |
netbios-ns |
Basic scan |
NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.
NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:
1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.
Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
There is also a Critical Windows RPC vulnerability affecting ports 135,139 and 445, as detailed here: MS Technet Security Bulletin MS03-026
The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin MS03-026) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444. |
| 138 |
tcp,udp |
netbios-dgm |
Basic scan |
NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.
NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:
1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.
Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega |
| 139 |
tcp,udp |
netbios-ss |
Basic scan |
NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.
NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:
1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.
Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
There is also a Critical Windows RPC vulnerability affecting ports 135,139 and 445, as detailed here: MS Technet Security Bulletin MS03-026
The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega
W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin MS03-026) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444. |
| 143 |
tcp,udp |
IMAP |
Basic scan |
IMAP (Internet Mail Access Protocol) mail server uses this port. See also port 993/tcp.
Numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for a while, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when Red Hat enabled the service by default on its distributions. This port is also used for IMAP2, but that version wasn't very popular. Several people have noted attacks from port 0 to port 143, which appear to be from some attack script. |
| 146 |
tcp |
trojans |
Premium scan |
Infector trojan, 04,1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 161 |
udp |
SNMP |
Basic scan |
Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.
Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162. |
| 162 |
udp |
SNMP |
Basic scan |
Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.
Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162. |
| 170 |
tcp |
trojan |
Premium scan |
A-Trojan |
| 177 |
tcp |
xdmcp |
Premium scan |
Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed. |
| 179 |
tcp,udp |
bgp |
not scanned |
Border Gateway Protocol |
| 194 |
tcp,udp |
IRC |
Members scan |
Internet Relay Chat Protocol |
| 221 |
tcp,udp |
fln-spx |
not scanned |
Port is IANA registered for Berkeley rlogind with SPX auth
Trojans that use this port: Snape |
| 222 |
tcp,udp |
rsh-spx |
not scanned |
IANA registered for Berkeley rshd with SPX auth
Trojans that use this port: NeuroticKat, Snape |
| 256 |
udp |
trojans |
not scanned |
Trojan.SpBot (04.05.2005) - trojan horse that opens a compromised computer to be used as an email relay. Opens a backdoor on port 256/udp. |
| 311 |
tcp,udp |
asip-webadmin |
not scanned |
Mac OS X Server Admin (officially AppleShare IP Web administration) |
| 315 |
tcp |
trojan |
Premium scan |
The Invasor trojan horse |
| 321 |
tcp |
trojans |
Members scan |
W32.Looksky.A@mm (10.25.2005) - a mass-mailing worm that lowers security settings and logs keystrokes on the compromised computer. It also gathers and sends out personal information. Opens a backdoor and listens for remote commands on port 321/tcp. It also periodically connects to proxy4u.ws on port 8080/tcp to check for updates.
Port also used by other variants:
W32.Looksky.A@mm
W32.Looksky.H@mm (01.17.2006). |
| 389 |
tcp |
LDAP |
Basic scan |
LDAP (Lightweight Directory Access Protocol) - an Internet protocol, used by MS Active Directory, as well as some email programs to look up contact information from a server.
Both Microsoft Exchange and NetMeeting install a LDAP server on this port. |
| 420 |
tcp |
trojans |
Members scan |
W32.Kibuv.Worm (2004-05-14) - a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) and the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026). Starts an FTP server on TCP port 9604, also listens on TCP port 420, and attempts to exploit the DCOM RPC vulnerability on TCP port 135.
Other trojans that also use this port: Breach, Incognito
Port is IANA registered for: SMPTE |
| 421 |
tcp |
trojan |
Premium scan |
TCP Wrappers |
| 443 |
tcp |
HTTPS |
Basic scan |
HTTPS / SSL - encrypted web traffic.
Port also used by some trojans:
W32.Kelvir.M (04.05.2005) - worm that spreads through MSN Messenger and drops a variant of the W32.Spybot.Worm. Connects to IRC servers on the s.defonic2.net and s.majesticwin.com domains, and listens for commands on port 443/tcp. |
| 445 |
tcp |
microsoft-ds |
Basic scan |
TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName (value only) in the Windows Registry.
Leaving port 445 open will leave you vulnerable to some worms, such as W32.Deloader and IraqiWorm (aka Iraq_oil.exe ), W32.HLLW.Moega, W32.Sasser.Worm, W32.Korgo.AB (09.24.2004), Backdoor.Rtkit.B (10.01.2004), Trojan.Netdepix.B (01.16.2005), as well as the Windows Null Session Exploit.
MS Security Bulletin MS03-026 outlines a critical RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
See also: Microsoft Security Bulletin MS03-049 and Microsoft Security Bulletin MS03-043
W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 445/tcp also used by the W32.Zotob.H variant of the worm. |
| 456 |
tcp |
trojans |
Premium scan |
Used by Hackers Paradise trojan (also uses port 31) |
| 464 |
tcp,udp |
kpasswd |
not scanned |
Kerberos (v5)
Related ports: 88,543,544,749 |
| 500 |
udp |
ipsec |
Members scan |
IPSec (VPN tunneling) uses the following ports:
50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
See also:
port 1701 (L2TP)
port 1723 (PPTP) |
| 511 |
tcp |
|
Premium scan |
Part of rootkit t0rn, a program called "leeto's socket daemon" runs at this port. |
| 514 |
tcp |
shell |
Members scan |
Used by rsh (and also rcp), an interactive shell without any logging.
Some vulnerabilities of this port: RPC Backdoor, Whacky, ADM worm |
| 515 |
tcp |
printer |
not scanned |
Printing services, listening for incoming connections |
| 520 |
udp |
router |
Premium scan |
RIP (Routing Information Protocol). Routers use RIP in order to advertise routing information to each other and communicate optimal paths.
References: RFC1058 & RFC2453 |
| 520 |
tcp |
efs |
not scanned |
Extended File Name Server |
| 531 |
tcp |
chat |
Premium scan |
Port used by IRC chat
Trojans using this port: Rasmin |
| 535 |
udp |
CORBA IIOP |
Premium scan |
Common Object Request Broker Architecture (CORBA) is an object-oriented remote procedure call (RPC) system. If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA broadcasts send out information that can often be used to hack back into the systems generating these broadcasts. |
| 540 |
tcp |
uucp |
Members scan |
A famous file transfer service; potential vulnerability. |
| 543 |
tcp |
klogin |
not scanned |
Kerberos login
Related ports: 88,464,544,749,751 |
| 544 |
tcp |
kshell |
not scanned |
Kerberos remote shell
Related ports: 88,464,543,749,751 |
| 546 |
tcp,udp |
DHCP |
Premium scan |
DHCP(v6) Client |
| 547 |
tcp,udp |
DHCP |
Premium scan |
DHCP(v6) Server |
| 554 |
tcp |
ms-rtsp |
Members scan |
Port used by Real Time Streaming Protocol (RTSP) for Microsoft Windows Media streaming services.
RTSP uses the following ports:
554 TCP - used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT.
5004 UDP - used for delivering data packets to clients that are streaming by using RTSPU.
5005 UDP - used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU.
See also: port 1755 - Microsoft Media Server (MMS) protocol |
| 555 |
tcp |
dsf |
Members scan |
Trojans that use this port: 711 trojan (Seven Eleven), Ini-Killer, Net Administrator (NeTadmin), Phase Zero, Stealth Spy |
| 559 |
tcp |
trojans |
Premium scan |
Port used by Domwis remote access trojan. Creates a backdoor and spam proxy on port 559. |
| 591 |
tcp,udp |
http-alt |
not scanned |
FileMaker, Inc. - HTTP Alternate |
| 593 |
tcp |
|
Members scan |
MS Security Bulletin MS03-026 outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet. |
| 606 |
tcp |
trojan |
Premium scan |
Secret Service trojan horse |
| 635 |
tcp,udp |
NFS mount |
Members scan |
RPC Remote filesystem access mount service - a very popular attack vector, often scanned for. Most scans on this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports simultaneously). Note that mountd can run at any port (for which you must first do a portmap lookup at port 111), it's just that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049. |
| 636 |
tcp |
ldaps |
not scanned |
LDAP over TLS/SSL |
| 639 |
tcp,udp |
msdp |
not scanned |
MSDP - Multicast Source Discovery Protocol |
| 641 |
tcp,udp |
proxy |
not scanned |
SupportSoft Nexus Remote Command (control/listening): A proxy gateway connecting remote control traffic |
| 653 |
tcp,udp |
proxy |
not scanned |
SupportSoft Nexus Remote Command (data): A proxy gateway connecting remote control traffic |
| 654 |
tcp |
trojans |
Premium scan |
Official use by AODV (Ad-hoc On-demand Distance Vector)
Port also used by HoaVelu trojan
|
| 660 |
tcp,udp |
mac-srvr-admin |
not scanned |
Mac OS X Server administration |
| 665 |
tcp |
trojans |
Members scan |
W32.Netsky.Z@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 665/tcp to receive and execute a file from an attacker. |
| 666 |
tcp,udp |
doom |
Members scan |
Used by the game Doom (ID Software), however, because of the cool connotations, this port is also used by numerous trojan horses/backdoors.
Here is a list: Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (the rippers).
Backdoor.FTP_Ana.C - backdoor trojan, 03.2003. Affects all current Windows versions.
Backdoor.Checkesp - backdoor trojan, 06.2003. Affects all current Windows versions.
Backdoor.Private - backdoor trojan, 05.2003. Affects all current Windows versions.
W32.Dreffort (04.05.2005) - Infects .exe and .scr files, deletes files on Dec. 29th. Also opens a backdoor on the 29th of each month on port 666/tcp.
Backdoor.Microkos (08.10.2005) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp. |
| 667 |
tcp |
trojans |
Premium scan |
SniperNet remote access trojan, 02.2000. Affects Windows 9x |
| 669 |
tcp |
trojans |
Premium scan |
Trojans that use this port: DP trojan , SniperNet
Port is also IANA assigned for: MeRegister |
| 674 |
tcp |
ACAP |
Premium scan |
ACAP -- Application Configuration Access Protocol
References: RFC2244, RFC2595, RFC2636 |
| 692 |
tcp |
trojan |
Premium scan |
GayOL trojan horse |
| 700 |
udp |
buddyphone |
not scanned |
Port used by BuddyPhone Internet Telephony software. Also uses TCP range 5000-5111. |
| 749 |
tcp,udp |
kerberos |
not scanned |
Kerberos administration
Related ports: 88,464,543,544,751 |
| 751 |
tcp,udp |
pump |
not scanned |
Port used by kerberos_master, Kerberos 'kadmin' (v4) authentication.
IANA assigned to: pump |
| 777 |
tcp |
multiling-http |
Members scan |
Trojans that use this port: AimSpy (AIM trojan), Un-Detected (a.k.a. Backdoor.TDS, 4Fuk, Trojan.Win32.TrojanRunner.Levil, U4). |
| 808 |
tcp |
trojan |
Premium scan |
WinHole trojan horse |
| 815 |
tcp,udp |
trojan |
not scanned |
Everyone's Darling trojan horse |
| 860 |
tcp,udp |
iscsi |
not scanned |
iSCSI |
| 901 |
tcp |
trojans |
Members scan |
NetDevil - remote access trojan, 02.2002. Affects Windows 9x/Me/NT/2k/XP
Port IANA registered for SMPNAMERES
Also used by VMware Virtual Infrastructure Client, Samba SWAT tool, ISS RealSecure Sensor |
| 902 |
tcp |
trojans |
Premium scan |
NetDevil - remote access trojan, 02.2002. Affects Windows 9x/Me/NT/2k/XP
Port IANA registered for self documenting Telnet Door
Also used by VMware Server Console, Ideafarm Chat, ISS RealSecure Sensor |
| 903 |
tcp |
trojans |
Premium scan |
NetDevil - remote access trojan, 02.2002. Affects Windows 9x/Me/NT/2k/XP
Port IANA registered for self documenting Telnet Door
Also used by Ideafarm-catch, ISS Console Manager |
| 911 |
tcp |
trojans |
Premium scan |
Used by Dark Shadow trojan. |
| 912 |
tcp |
apex |
Members scan |
Port assigned to the APEX (Application Exchange Core) protocol. It is an XML-based protocol designed for sending instant messages based on the Blocks Extensible Exchange Protocol (BEEP).
APEX also uses TCP port 913 as its endpoint-relay service. The APEX protocol has been replaced by the SIP, SIMPLE and XMPP protocols. Port 912 is used primarily to receive and send messages that are originated via the end-points located in port 913. Information sent and received via port 912 includes the endpoint that created it, a URI reference point, the endpoints that will receive it and other options. |
| 943 |
tcp |
silverlight |
Members scan |
Port not officially assigned, used by Silverlight Microsoft plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser. Port 943 was first used in Silverlight version 2 beta 2 release.
Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser. |
| 950 |
tcp |
rpc.statd |
Members scan |
Port used by rpc.statd background process. This daemon is a part of the Network File System (NFS) protocol. This protocol was developed by Sun Microsystems to allow a client to access files that are shared on a network. The rpc.statd daemon is a subsystem of NFS used mostly on UNIX and Linux platforms.
Port 950 can also be used in a malicious way. The port allows direct access to the syslog() function, which may be manipulated by unauthorized users.
The port has been used historically to start a buffer overflow and launch Distributed Denial of Service attacks. |
| 953 |
tcp,udp |
rdns |
not scanned |
Domain Name System (DNS) RNDC Service |
| 993 |
tcp,udp |
IMAP-SSL |
Premium scan |
IMAP over SSL |
| 995 |
tcp,udp |
POP3-SSL |
not scanned |
POP3 over SSL |
| 999 |
tcp |
garcon |
Members scan |
Port used by ScimoreDB Database System
Trojans that run on this port: DeepThroat (a.k.a. DTV2, DTV3, BackDoor-J), F0replay (a.k.a. WiNNUke eXtreame), WinSatan |
| 1000 |
tcp |
trojans |
Members scan |
Trojans using this port: Der Spaeher, Direct Connection |
| 1001 |
tcp |
trojans |
Members scan |
Trojans using this port: Der Spaeher, Le Guardien, Silencer, WebEx |
| 1002 |
tcp |
ms-ils |
Basic scan |
Windows Internet Locator Server service, used by MS NetMeeting. ILS is a MS NetMeeting service that is now preferred by MS over the Internet standard LDAP service (port 389). This port does not appear in "netstat" command listings. |
| 1003 |
tcp |
trojan |
Premium scan |
BackDoor 2.0x trojan horse |
| 1010 |
tcp |
trojans |
Premium scan |
Used by Doly trojan (v1.35 uses port 1010, v1.5 uses port 1015) and CafeIni 0.9. |
| 1011 |
tcp |
trojans |
Premium scan |
Used by Doly trojan (v1.35 uses port 1010, v1.5 uses port 1015) |
| 1012 |
tcp |
trojan |
Premium scan |
Doly Trojan 1.5 |
| 1015 |
tcp |
trojans |
Premium scan |
Used by Doly trojan (v1.35 uses port 1010, v1.5 uses port 1015) |
| 1016 |
tcp |
trojan |
Premium scan |
Doly Trojan |
| 1020 |
tcp |
trojans |
Premium scan |
Port used by Vampire remote access trojan, 06.1999. Works on Windows 9x/NT. Uses ports 1020 and 6669. |
| 1021 |
tcp |
trojans |
Premium scan |
Trojan.Webus.H (07.12.2005) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands. |
| 1024 |
tcp |
kdm |
Basic scan |
K Display Manager (KDE version of xdm)
Trojans that use this port: Jade, Latinus, Lithium, NetSpy, Ptakks, RAT, YAI
Backdoor.Lingosky 04.28.2005 - trojan with backdoor capabilities. Opens a backdoor on port 1024/tcp.
Applications using this port: AIM Video IM, ICUII, NetMeeting with H323, Lingo VoIP, Battlefield 2142, Everquest |
| 1025-1029 |
tcp,udp |
NFS, IIS, etc. |
Basic scan |
Ports > 1024 are designated for dynamic allocation by Windows. When programs ask for the "next available" socket, they usually get sequential ports starting at 1025.
Ports 1026/udp - 1027/udp are usually used by Messenger Popup Spam as well. |
| 1033 |
tcp |
trojans |
Premium scan |
Port used by Netspy2 trojan. |
| 1034 |
tcp |
trojans |
Members scan |
Backdoor.Systsec - remote access trojan, 02.2002. Affects all current Windows versions.
Backdoor.Zincite.A (07.27.2004) - backdoor server program that allows unauthorized access to the compromised computer. It runs and listens for remote commands on port 1034/tcp.
W32.Mydoom.CI@mm (09.27.2005) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine. |
| 1035 |
tcp |
trojans |
Premium scan |
Backdoor.Sedepex (11.01.2005) - a trojan with backdoor capabilities. It ends various security-related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp.
|
| 1040 |
tcp |
trojans |
Premium scan |
Backdoor.Sedepex (11.01.2005) - a trojan with backdoor capabilities. It ends various security-related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp.
|
| 1042 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Bla1.1, MyDoom.L |
| 1045 |
tcp |
trojan |
Premium scan |
Rasmin trojan horse |
| 1047 |
tcp |
trojans |
Premium scan |
GateCrasher.b, GateCrasher.c |
| 1049 |
tcp |
trojans |
Premium scan |
[trojan] /sbin/initd - reported on Linux hosts as a hacked backdoor along with tcp port 65534 |
| 1050 |
tcp |
trojans |
Basic scan |
MiniCommand trojan
MS DNS Server on Windows Server 2003 machines may possibly use this port for DNS if other ports are being blocked by a firewall. See MS KB 198410, registry key "SendOnNonDnsPort" (unconfirmed).
IANA registered for: CORBA Management Agent |
| 1052 |
tcp |
trojans |
Members scan |
W32.Reatle.mm@mm (07.15.2005) - mass-mailing worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability (MS04-011) on TCP port 445. Opens a backdoor by running an FTP server on port 8885/tcp. Also attempts to perform a denial of service attack against www.symantec.com by targeting port 1052/tcp with randomly generated packets.
W32.Reatle.C@mm (07.19.2005) - another variant of the above mass-mailing worm. Opens a backdoor on port 8885/tcp and attempts to perform a denial of service attack against www.symantec.com on port 1052/tcp.
W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service. |
| 1080 |
tcp |
socks |
Members scan |
Socks Proxy is an Internet proxy service, potential spam relay point.
Common programs using this port: Wingate
Trojans/worms that use this port as well:
Bugbear.xx - wide-spread mass-mailing worm, many variants.
SubSeven - remote access trojan, 03.2001. Affects all current Windows versions.
WinHole - remote access trojan, 01.2000 (a.k.a. WinGate, Backdoor.WLF, BackGate). Affects Windows 9x.
Trojan.Webus.C - remote access trojan, 10.12.2004. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080.
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
WinHole, Wingate, Bagle.AI trojans also use this port. |
| 1081 |
tcp |
trojans |
Premium scan |
Backdoor.Zagaban (11.04.2005) - a trojan that allows the compromised computer to be used as a covert proxy. Allows the attacker to modify the hosts file. Starts a covert proxy and listens on port 1081/tcp.
WinHole trojan horse also uses port 1081. |
| 1082 |
tcp |
trojan |
Premium scan |
WinHole trojan horse |
| 1083 |
tcp |
trojan |
Premium scan |
WinHole trojan horse |
| 1088 |
tcp |
trojans |
Premium scan |
Trojan.Webus.D (11.12.2004) - remote access trojan, affects all current Windows versions. Opens a backdoor by connecting via port 1088 to IRC servers serv.gigaset.org or gimp.robobot.org. It then can receive a range of commands, including downloading and executing remote files. It can also open another random tcp port for incoming connections.
Trojan.Webus.E (04.05.2005) - trojan that opens a backdoor and connects to IRC servers for remote access on port 1088/tcp.
Trojan.Webus.H (07.12.2005) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands. |
| 1090 |
tcp |
trojans |
Premium scan |
Port used by Xtreme remote access trojan with keylogger capabilities. It also installs NetBus 2.1 Pro in the background. |
| 1095-1099 |
tcp |
trojans |
Premium scan |
Some trojans use these ports: Blood Fest Evolution, Hvl RAT (also uses port 2283), Remote Administration Tool - RAT |
| 1100 |
tcp |
trojan |
Premium scan |
CafeIni 0.9 trojan horse |
| 1111 |
tcp |
trojans |
Members scan |
Trojans that use this port:
Backdoor.AIMvision - remote access trojan, 10.2002. Affects all current Windows versions.
Backdoor.Ultor - remote access trojan, 06.2002. Affects Windows, listens on port 1111 or 1234.
Backdoor.Daodan - VB6 remote access trojan, 07.2000. Affects Windows.
W32.Suclove.A@mm (09.26.2005) - a mass-mailing worm with backdoor capabilities that spreads through MS Outlook and MIRC. Opens a backdoor and listens for remote commands on port 1111/tcp.
Port is also IANA registered for: LM Social Server |
| 1117 |
tcp |
trojans |
Premium scan |
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp. |
| 1122 |
tcp,udp |
trojans |
Premium scan |
Trojans that use this port: Last 2000, Singularity (Backdoor.Singu)
Port is also IANA registered for: availant-mgr |
| 1137 |
tcp |
trojan |
Premium scan |
MTX trojan horse |
| 1149 |
tcp,udp |
trojan |
Premium scan |
Lala backdoor - a trojan horse that allows unauthorized access to a compromised computer. The Trojan attempts to steal confidential information (such as cached passwords and cookies), log keystrokes, and allow for remote file execution. Opens TCP/UDP port 4627, 1149, or 1877 to allow remote access. |
| 1155 |
tcp |
trojans |
Members scan |
W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service. |
| 1159 |
tcp,udp |
oracle-oms |
not scanned |
Oracle OMS |
| 1168 |
tcp |
trojans |
Premium scan |
W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.
Port is also IANA registered for:
1168/tcp - VChat Conference Service |
| 1169 |
tcp |
trojans |
Premium scan |
W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.
Port is also IANA registered for:
1169/tcp - TRIPWIRE |
| 1170 |
tcp |
trojans |
Premium scan |
Some eavesdropping/remote access trojans use this port:
Psyber Streaming Audio Server - Remote access trojan.
W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.
Psyber Stream Server trojan horse also uses port 1170. |
| 1200 |
udp |
trojan |
not scanned |
NoBackO trojan horse |
| 1201 |
udp |
trojan |
not scanned |
NoBackO trojan horse |
| 1207 |
tcp |
trojan |
Premium scan |
SoftWAR trojan horse |
| 1208 |
tcp |
trojans |
Premium scan |
Infector trojan, 04,1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 1211 |
tcp,udp |
groove-dpp |
not scanned |
Groove DPP |
| 1212 |
tcp |
trojan |
Premium scan |
Kaos trojan horse |
| 1214 |
tcp |
Kazaa |
Members scan |
Kazaa - peer-to-peer file sharing, some known vulnerabilities, and at least one worm (Benjamin) targeting it. |
| 1218 |
tcp |
trojans |
Premium scan |
Trojans that use this port:
Backdoor.Sazo - remote access trojan, 06.2002. Affects Windows
Force/Feardoor - VB6 remote access trojan, 07.2002. Affects Windows.
Port is also IANA registered for: aeroflight-ads |
| 1225 |
tcp |
trojan |
Premium scan |
Scarab trojan horse |
| 1234 |
tcp |
trojans |
Premium scan |
Backdoor.Ultor - remote access trojan, 06.2002. Affects Windows, listens on port 1111 or 1234.
Some other trojans using this port: SubSeven 2.0, Bagle.AF.
Port is also IANA registered for: Infoseek Search Agent |
| 1237 |
tcp,udp |
tsdos390 |
not scanned |
Port is IANA assigned to tsdos390. Also used by Command and Conquer, Dune2000. |
| 1241 |
tcp,udp |
nessus |
not scanned |
Nessus |
| 1243 |
tcp |
trojans |
Members scan |
Some trojans use this port: SubSeven/BackDoor-G, Tiles |
| 1245 |
tcp |
trojans |
Premium scan |
Port used by Voodoo trojan. |
| 1255 |
tcp |
trojan |
Premium scan |
Scarab trojan horse |
| 1256 |
tcp |
trojans |
Premium scan |
Project nEXT, RexxRave |
| 1269 |
tcp |
trojans |
Premium scan |
Port used by Maverick's Matrix remote access trojan (different variants from May 1999 to January 2004). This trojan provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine, and a "server" in the victim's machine. |
| 1313 |
tcp |
trojan |
Premium scan |
NETrojan |
| 1338 |
tcp |
|
Premium scan |
Millenium Worm, affects Unix/Linux. |
| 1349 |
udp |
trojan |
not scanned |
BO DLL trojan horse |
| 1409 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Bifrut (11.08.2004) - remote access trojan, can affect all current Windows versions. Opens a backdoor on port 1409/tcp bound to the command shell. |
| 1433 |
tcp,udp |
MS SQL Server |
Premium scan |
Microsoft SQL Server.
Vulnerabilities: Check CERT advisories CA-2002-22 - multiple vulnerabilities, CA-2003-04 MS SQL Server Worm. The Gaobot family of worms also exploit this port.
See also: Microsoft Security Bulletin MS02-061.
Digispid.B.Worm (05.21.2002) - worm that spreads to computers that run MS SQL Server and have a blank SQL admin password. Uses port 1433/tcp.
W32.Kelvir.R (04.12.2005) - worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm. It spreads using several known MS vulnerabilities, including MS Security Bulletin MS02-061 Microsoft SQL Server 2000 or MSDE 2000 audit using port 1434/udp. |
| 1434 |
tcp,udp |
MS SQL Server |
Premium scan |
Microsoft SQL Server.
Vulnerabilities: Check CERT advisories CA-2002-22 - multiple vulnerabilities, CA-2003-04 MS SQL Server Worm. The Gaobot family of worms also exploit this port.
See also: Microsoft Security Bulletin MS02-061.
Digispid.B.Worm (05.21.2002) - worm that spreads to computers that run MS SQL Server and have a blank SQL admin password. Uses port 1433/tcp.
W32.Kelvir.R (04.12.2005) - worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm. It spreads using several known MS vulnerabilities, including MS Security Bulletin MS02-061 Microsoft SQL Server 2000 or MSDE 2000 audit using port 1434/udp. |
| 1441 |
tcp |
trojan |
Premium scan |
RemoteStorm trojan horse |
| 1444 |
tcp |
trojans |
Premium scan |
Backdoor.Homutex (07.18.2005) - a trojan with backdoor capabilities. Opens a backdoor and listens for remote commands on port 1444/tcp. Also attempts to send information about the infected computer on port 1443/tcp. |
| 1459 |
tcp,udp |
proshare1 |
not scanned |
Proshare Notebook Application |
| 1460 |
tcp,udp |
proshare2 |
not scanned |
Proshare Notebook Application |
| 1492 |
tcp |
trojans |
Premium scan |
FTP99CMP - remote access trojan, 05.1999. Runs an FTP server on port 1492.
Back.Orifice.FTP also uses port 1492. |
| 1494 |
tcp |
citrix |
not scanned |
Citrix WinFrame. Also uses port 1604 udp. |
| 1503 |
tcp |
Netmeeting |
not scanned |
NetMeeting with H323 |
| 1509 |
tcp |
trojans |
Premium scan |
Port used by Psyber Streaming Server - remote access trojan. |
| 1513 |
tcp,udp |
fujitsu-dtc |
not scanned |
Fujitsu Systems Business of America Inc |
| 1514 |
tcp,udp |
fujitsu-dtcns |
not scanned |
Fujitsu Systems Business of America Inc |
| 1521 |
tcp |
oracle |
not scanned |
Oracle database default listener |
| 1524 |
tcp |
backdoor |
Premium scan |
Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). Connections to port 600/pcserver also have this problem. [Cert IN-99-04]
Trin00 (DDoS) trojan horse also uses port 1524 (TCP). |
| 1525 |
tcp,udp |
orasrv |
not scanned |
Oracle |
| 1526 |
tcp |
|
not scanned |
Oracle database common alternative for listener |
| 1527 |
tcp,udp |
tlisrv |
not scanned |
Oracle |
| 1533 |
tcp |
trojans |
Premium scan |
Backdoor.Miffice - remote access trojan, 08.2002. Affects all current Windows versions.
Port is also registered with IANA for: Virtual Places Software |
| 1584 |
tcp |
applications |
not scanned |
Dialpad |
| 1585 |
tcp |
applications |
not scanned |
Dialpad |
| 1600 |
tcp |
trojans |
Premium scan |
Port used by some trojans: Shiva Burka, Backdoor.DirectConnection (remote access trojan, uses ports 1000, 1600-1602) |
| 1604 |
udp |
citrix |
not scanned |
Citrix WinFrame. Also uses port 1494 tcp. |
| 1612 |
tcp,udp |
netbill-trans |
not scanned |
NetBill Transaction Server |
| 1613 |
tcp,udp |
netbill-keyrep |
not scanned |
NetBill Key Repository |
| 1614 |
tcp,udp |
netbill-cred |
not scanned |
NetBill Credential Server |
| 1615 |
tcp,udp |
netbill-auth |
not scanned |
NetBill Authorization Server |
| 1616 |
tcp,udp |
netbill-prod |
not scanned |
NetBill Product Server |
| 1639 |
tcp |
trojans |
Members scan |
W32.Bofra.E@mm (11.12.2004) - a mass-mailing worm that exploits the MS Internet Explorer IFRAME vulnerability. Affects all current Windows versions.
Runs as an HTTP server on port 1639/tcp. Attempts to connect to IRC servers on port 6667/tcp.
W32.Bofra.C@mm (11.11.2004) - another variant of the Bofra worm. It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm (11.08.2004).
W32.Bofra.D@mm (11.08.2004). |
| 1640 |
tcp |
trojans |
Premium scan |
W32.Bofra.C@mm (11.11.2004) - mass-mailing worm that exploits the MS Internet Explorer IFRAME Vulnerability. Also spreads by sending email to addresses found on the infected computer. It can affect all current Windows versions.
It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp. |
| 1645 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813. |
| 1646 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813. |
| 1661 |
tcp,udp |
netview-aix-1 |
not scanned |
netview-aix-1 |
| 1662 |
tcp,udp |
netview-aix-2 |
not scanned |
netview-aix-2 |
| 1663 |
tcp,udp |
netview-aix-3 |
not scanned |
netview-aix-3 |
| 1664 |
tcp,udp |
netview-aix-4 |
not scanned |
netview-aix-4 |
| 1665 |
tcp,udp |
netview-aix-5 |
not scanned |
netview-aix-5 |
| 1666 |
tcp,udp |
netview-aix-6 |
not scanned |
netview-aix-6 |
| 1667 |
tcp,udp |
netview-aix-7 |
not scanned |
netview-aix-7 |
| 1668 |
tcp,udp |
netview-aix-8 |
not scanned |
netview-aix-8 |
| 1669 |
tcp,udp |
netview-aix-9 |
not scanned |
netview-aix-9 |
| 1670 |
tcp,udp |
netview-aix-10 |
not scanned |
netview-aix-10 |
| 1671 |
tcp,udp |
netview-aix-11 |
not scanned |
netview-aix-11 |
| 1672 |
tcp,udp |
netview-aix-12 |
not scanned |
netview-aix-12 |
| 1687 |
tcp,udp |
nsjtp-ctrl |
not scanned |
nsjtp-ctrl |
| 1688 |
tcp,udp |
nsjtp-data |
not scanned |
nsjtp-data |
| 1700 |
tcp |
trojan |
Premium scan |
Rux.Tick trojan horse |
| 1701 |
tcp |
vpn |
Premium scan |
L2TP VPN (Virtual Private Networking)
See also:
port 500/udp (IPSec IKE)
port 1723/tcp (PPTP) |
| 1718 |
tcp |
applications |
not scanned |
H.323 GateKeeper |
| 1719 |
tcp |
applications |
not scanned |
H.323 GateKeeper |
| 1720 |
tcp |
h323 |
Premium scan |
H.323 used for voice-over IP call set-up. Port most commonly used by Microsoft NetMeeting. |
| 1723 |
tcp,udp |
PPTP |
Basic scan |
PPTP VPN (Point-to-Point Tunneling Protocol Virtual Private Networking). For additional information, see the MS VPN FAQ.
See also:
port 500/udp (IPSec IKE)
port 1701/tcp (L2TP) |
| 1745 |
tcp,udp |
remote-winsock |
not scanned |
remote-winsock |
| 1751 |
tcp |
trojans |
Members scan |
W32.Loxbot.D (01.06.2006) - a worm that opens a backdoor on the compromised computer. Spreads through AOL Instant Messenger, uses rootkit capabilities to hide its process in memory. Opens a backdoor and listens for remote commands on port 1751/tcp. |
| 1755 |
tcp,udp |
ms-streaming |
Members scan |
Port used by Microsoft Media Server (MMS) protocol for Windows Media streaming, Microsoft Media Services, MS NetShow.
1755/tcp is used for accepting incoming MMS client connections and for delivering data packets to clients that are streaming using MMST.
1755/udp used for receiving packet loss information from clients and providing synchronization information to clients that are streaming using MMSU.
See also: ports 554,5004,5005 - Real Time Streaming Protocol (RTSP) |
| 1772 |
tcp,udp |
trojans |
Premium scan |
Backdoor.Netcontrole - remote access trojan, 06.2002. Affects all current Windows versions.
Port is also registered with IANA for: EssWeb Gateway |
| 1777 |
tcp |
trojan |
Premium scan |
Scarab trojan horse |
| 1784 |
tcp |
trojan |
Premium scan |
Snid X2 trojan horse |
| 1807 |
tcp |
trojans |
Premium scan |
Port used by SpySender (a.k.a Backdoor.Delf.hp) - remote access trojan, 05.2002. Uses ports 1807, 3418 |
| 1812 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813. |
| 1813 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813. |
| 1830 |
tcp,udp |
net8-cman |
not scanned |
Oracle Net8 CMan Admin |
| 1863 |
tcp,udp |
msnp |
Basic scan |
Port used by MSN Messenger
W32.Mytob.IE@mm (07.26.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It uses its own SMTP engine. Opens a backdoor and listens for remote commands on port 1863/tcp. |
| 1877 |
tcp,udp |
trojan |
Premium scan |
Lala backdoor - a trojan horse that allows unauthorized access to a compromised computer. The Trojan attempts to steal confidential information (such as cached passwords and cookies), log keystrokes, and allow for remote file execution. Opens TCP/UDP port 4627, 1149, or 1877 to allow remote access. |
| 1879 |
tcp |
virus |
Premium scan |
W32.Zori.B (04.02.2005) - virus that spreads through network shares and prepends .exe files. It deletes files from all disks 9 days after the original infection.
It also opens a backdoor on port 1879/tcp and listens for remote commands from an attacker. |
| 1900 |
tcp,udp |
SSDP, UPnP |
Premium scan |
IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol).
UPnP discovery/SSDP is a service that runs by default on WinXP and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders.
See UPnP vulnerabilities (port 5000). |
| 1906,1907 |
tcp |
trojans |
Premium scan |
Backdoor.Verify (4.08.2005) - backdoor trojan that allows remote access to the compromised computer.
Opens ports 1906/tcp and 1907/tcp for remote access. |
| 1927,1930 |
tcp |
trojans |
Members scan |
W32.Spybot.IVQ (01.26.2005) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445).
Opens a backdoor on one or more of these ports: 5002, 5003, 1927, 1930. |
| 1935 |
tcp |
rtmp |
Premium scan |
Adobe Flash Media Server connection port, Real Time Messaging Protocol (RTMP) |
| 1949 |
tcp,udp |
ismaeasdaqlive |
not scanned |
ISMA Easdaq Live |
| 1950 |
tcp,udp |
ismaeasdaqtest |
not scanned |
ISMA Easdaq Test |
| 1966 |
tcp |
trojan |
Premium scan |
Fake FTP trojan horse |
| 1967 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: For Your Eyes Only, WM FTP Server
Port is also IANA registered for: SNS Quote |
| 1969 |
tcp |
trojan |
Premium scan |
OpC BO trojan horse |
| 1971 |
tcp |
trojans |
Premium scan |
Backdoor.Bifrose - remote access trojan, 10.12.2004. Affects all current Windows versions.
Port used by Faronics Deep Freeze (workstation OS protection software) - uses either port 1971 or 7725. |
| 1978 |
udp |
worm-linux |
Premium scan |
Linux.Slapper.Worm (09.13.2002) - family of worms that use an OpenSSL buffer overflow exploit to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp.
Opens backdoors on the following ports:
The .A variant of the worm listens on port 2002/udp.
The .B variant listens on port 1978/udp.
The .C variant listens on port 4156/udp (and port 1052/tcp periodically). |
| 1979,1980 |
tcp |
trojans |
Premium scan |
Port used by ZSpyII 0.99b (a.k.a. BackDoor-AGK, Backdoor.ZSpy) - key logger, 02.2004. |
| 1981 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: Bowl, Shockrave
Port is also IANA registered for: p2pQ |
| 1987 |
tcp,udp |
tr-rsrb-p1 |
not scanned |
Cisco RSRB Priority 1 port |
| 1988 |
tcp,udp |
tr-rsrb-p2 |
not scanned |
Cisco RSRB Priority 2 port |
| 1989 |
tcp,udp |
tr-rsrb-p3 |
not scanned |
Cisco RSRB Priority 3 port |
| 1999 |
tcp |
tcp-id-port |
Members scan |
Cisco identification port.
Some trojans also use this port: Back Door, SubSeven, TransScout
Backdoor.Bifrose.C (05.19.2005) - trojan that opens a backdoor on port 1999/tcp, and sends information to a remote server. |
| 2000 |
tcp |
callbook |
Members scan |
"RemoteAnywhere" installs a webserver on this port. NeWS/OpenWin (Sun's older variation of X-Windows) uses this port.
A number of trojan horses/backdoors use this port: Der Späher / Der Spaeher, Fear, Force, GOTHIC Intruder, Insane Network, Last 2000, Real 2000, Remote Explorer 2000, Senna Spy Trojan Generator, Singularity
Backdoor.Fearic - remote access trojan, 08.2002. Affects all current Windows versions, opens ports 2000, 3456, 8811.
Trojan.Esteems.D (05.16.2005) - trojan with keylogger capabilities. Uses port 2000/tcp to communicate with a remote host and send logged information. |
| 2001 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: Der Späher / Der Spaeher, Duddie, Glacier, Protoss, Senna Spy Trojan Generator, Singularity, Trojan Cow. Port also used by FreeBSD.Scalper.Worm (07.01.2002) - FreeBSD Apache worm. |
| 2002 |
tcp |
trojans |
Premium scan |
W32.Beagle.AX@mm (11.15.2004) - mass-mailing worm, also spreads through file-sharing networks. Affects all current Windows versions. The worm opens a backdoor on port 2002/tcp, allowing the machine to be used as an open email relay. Also uses port 80 to contact "webmoney.net".
Some other trojans/backdoors that also use this port: Duddie, Senna Spy Trojan Generator, Sensive, TransScout |
| 2002 |
udp |
worm-linux |
Premium scan |
Linux.Slapper.Worm (09.13.2002) - family of worms that use an OpenSSL buffer overflow exploit to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp.
Opens backdoors on the following ports:
The .A variant of the worm listens on port 2002/udp.
The .B variant listens on port 1978/udp.
The .C variant listens on port 4156/udp (and port 1052/tcp periodically). |
| 2003 |
tcp |
trojan |
Premium scan |
TransScout trojan horse |
| 2004 |
tcp |
trojans |
Premium scan |
Duddie, TransScout |
| 2005 |
tcp |
trojans |
Premium scan |
W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.
TransScout trojan horse also uses port 2005 (TCP). |
| 2007 |
udp |
raid-am |
not scanned |
raid-am |
| 2013 |
tcp |
raid-am |
not scanned |
raid-am |
| 2020 |
tcp |
trojans |
Premium scan |
Port used by Backdoor.Rockse - remote access trojan, 05.2003. Affects all current Windows versions, opens a server on port 2020 or 2525. |
| 2023 |
tcp |
trojans |
Premium scan |
Port used by Ripper Pro trojan (a.k.a BackDoor-AL, Backdoor.Ripper) - key logger, steals passwords, 01.1999 |
| 2049 |
tcp,udp |
NFS |
Members scan |
Network File System (NFS) - remote filesystem access. (RFC 1813). A commonly scanned and exploited attack vector. Normally, access to portmapper is needed to find which port this service runs on, but since most installations run NFS on this port, hackers/crackers can bypass portmapper and try this port directly. |
| 2050 |
tcp |
trojans |
Premium scan |
PWSteal.Ldpinch.C - password stealing trojan horse program, 10.04.2004. Affects all current Windows versions. May open a backdoor allowing shell commands on port 2050/tcp |
| 2062 |
udp |
skype-p2p |
Members scan |
Skype uses this as a p2p port, using super nodes and other users to communicate. |
| 2080 |
tcp |
trojans |
Premium scan |
Backdoor.Curdeal (11.11.2004) - backdoor trojan horse program. It can affect all current Windows versions. Notifies website on the domain currentdeal.biz through port 2080/tcp, and opens a random port to listen for remote commands.
WinHole trojan horse also uses port 2080 (TCP).
Some versions of WinGate 3.0 contain a bug that allows the service to be crashed by connecting to this port and sending 2000 characters. |
| 2090 |
tcp |
trojans |
Premium scan |
Backdoor.Expjan - remote access trojan, 08.2002. Affects all current Windows versions.
Port is also IANA registered for: Load Report Protocol |
| 2094 |
tcp |
trojans |
Premium scan |
W32.Mytob.FO@mm (06.20.2005) - mass-mailing worm that attempts to open an IRC backdoor on ports 2094/tcp or 6543/tcp. |
| 2095 |
tcp,udp |
nbx-ser |
not scanned |
NBX SER |
| 2096 |
tcp,udp |
nbx-dir |
not scanned |
NBX DIR |
| 2115 |
tcp |
trojan |
Premium scan |
Bugs |
| 2130 |
udp |
trojans |
not scanned |
Mini Backlash remote access and password stealing trojan. Affects Windows 9x/ME. Uses ports 2130/udp and 3150/udp. |
| 2140 |
tcp,udp |
trojans |
Premium scan |
Some trojans use this port: Deep Throat, Foreplay, The Invasor |
| 2155 |
tcp |
brdptc |
Members scan |
[trojan] Illusion Mailer
Port is also IANA registered for Bridge Protocol. |
| 2160 |
tcp,udp |
apc-2160 |
not scanned |
APC 2160 |
| 2161 |
tcp,udp |
apc-2161 |
not scanned |
APC 2161 |
| 2171 |
tcp,udp |
msfw-storage |
not scanned |
MS Firewall Storage |
| 2172 |
tcp,udp |
msfw-s-storage |
not scanned |
MS Firewall SecureStorage |
| 2173 |
tcp,udp |
msfw-replica |
not scanned |
MS Firewall Replication |
| 2174 |
tcp,udp |
msfw-array |
not scanned |
MS Firewall Intra Array |
| 2189 |
tcp |
trojans |
Premium scan |
Port used by one of the Backdoor.Delf variants - remote access and keylogging trojan family, 05.2003.
variant 1 listens on port 2444
variant 2 listens on port 27378
variant 3 listens on port 2189
variant 4 listens on port 23 |
| 2208 |
tcp |
trojan |
Premium scan |
Rux.PSW trojan horse |
| 2221 |
tcp,udp |
rockwell-csp1 |
not scanned |
Rockwell CSP1 |
| 2222 |
tcp,udp |
rockwell-csp2 |
not scanned |
Rockwell CSP2 |
| 2223 |
tcp,udp |
rockwell-csp3 |
not scanned |
Rockwell CSP3 |
| 2283 |
tcp |
trojans |
Members scan |
Dumaru.Y (01.23.2004) - multi-threaded, mass mailing worm that opens a backdoor, runs a keylogger and attempts to steal personal information. Opens ports 2283/tcp and 10000/tcp.
Hvl RAT - remote access trojan, 05.1999. Coded in VB5, also uses ports 1095-1099.
Port is also registered for Lotus Notes LNVSTATUS |
| 2300 |
tcp,udp |
applications |
not scanned |
Battlecom
Xplorer trojan horse also uses port 2300 (TCP). |
| 2301 |
tcp,udp |
cpq-wbem |
not scanned |
Compaq HTTP |
| 2343 |
tcp |
trojans |
Premium scan |
Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default. |
| 2381 |
tcp,udp |
compaq-https |
not scanned |
Compaq HTTPS |
| 2382 |
tcp,udp |
ms-olap3 |
not scanned |
Microsoft OLAP |
| 2383 |
tcp,udp |
ms-olap4 |
not scanned |
Microsoft OLAP |
| 2400 |
tcp,udp |
applications |
not scanned |
Battlecom |
| 2402 |
tcp,udp |
taskmaster2000 |
not scanned |
TaskMaster 2000 Server |
| 2403 |
tcp,udp |
taskmaster2000 |
not scanned |
TaskMaster 2000 Web |
| 2414 |
tcp |
trojans |
Premium scan |
VBS.Shania - remote access trojan, 02.02.2004. Affects all current Windows versions, listens on port 2414. |
| 2425 |
tcp,udp |
fjitsuappmgr |
not scanned |
Telnet, IP Messenger for Windows
IANA registered for: Fujitsu App Manager |
| 2427 |
tcp,udp |
mgcp-gateway |
not scanned |
Media Gateway Control Protocol Gateway |
| 2432 |
tcp,udp |
codasrv |
not scanned |
codasrv |
| 2433 |
tcp,udp |
codasrv-se |
not scanned |
codasrv-se |
| 2442 |
tcp |
trojans |
Premium scan |
W32.Spybot.NYT (04.18.2005) - worm with DDoS (distributed denial of service) and backdoor capabilities. Spreads through network shares, exploits multiple vulnerabilities, and opens a backdoor via IRC channels on port 2442/tcp. |
| 2444 |
tcp |
trojans |
Premium scan |
Port used by one of the Backdoor.Delf variants - remote access and keylogging trojan family, 05.2003.
variant 1 listens on port 2444
variant 2 listens on port 27378
variant 3 listens on port 2189
variant 4 listens on port 23 |
| 2465 |
tcp,udp |
lbm |
not scanned |
Load Balance Management |
| 2466 |
tcp,udp |
lbf |
not scanned |
Load Balance Forwarding |
| 2481 |
tcp,udp |
giop |
not scanned |
Oracle GIOP |
| 2482 |
tcp,udp |
giop-ssl |
not scanned |
Oracle GIOP SSL |
| 2485 |
tcp,udp |
netobjects1 |
not scanned |
Net Objects1 |
| 2486 |
tcp,udp |
netobjects2 |
not scanned |
Net Objects2 |
| 2492 |
tcp,udp |
groove |
not scanned |
GROOVE |
| 2499 |
tcp,udp |
unicontrol |
not scanned |
gBox, CWShare
IANA registered for: UniControl |
| 2500 |
tcp,udp |
rtsserv |
not scanned |
IPContact
IANA registered for: Resource Tracking system server |
| 2501 |
tcp,udp |
rtsclient |
not scanned |
Resource Tracking system client |
| 2512 |
tcp,udp |
citrixima |
not scanned |
Citrix IMA |
| 2513 |
tcp,udp |
citrixadmin |
not scanned |
Citrix ADMIN |
| 2525 |
tcp |
trojans |
Premium scan |
Port used by Backdoor.Rockse - remote access trojan, 05.2003. Affects all current Windows versions, opens a server on port 2020 or 2525.
Backdoor.Berbew.R (05.19.2005) - remote access trojan that steals passwords and opens backdoors on ports 2525/tcp and 4495/tcp.
Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP blocking port 25. |
| 2535 |
tcp |
trojans |
Members scan |
W32.Beagle.W@mm and W32.Beagle.X@mm variants - mass mailing worm and backdoor trojan, 04.2004. Affects all current Windows versions, opens a backdoor (it listens on TCP port 2535) and attempts to spread through file-sharing networks.
Port 2556 was used by earlier variants of the worm, like W32.Beagle.M@mm and W32.Beagle.N@mm. |
| 2536 |
tcp |
trojans |
Premium scan |
W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.
Port is also IANA registered for:
2536/tcp - btpp2audctr1 |
| 2546 |
tcp,udp |
vytalvaultbrtp |
not scanned |
vytalvaultbrtp |
| 2547 |
tcp,udp |
vytalvaultvsmp |
not scanned |
vytalvaultvsmp |
| 2548 |
tcp,udp |
vytalvaultpipe |
not scanned |
vytalvaultpipe |
| 2556 |
tcp |
trojans |
Members scan |
W32.Beagle.M@mm - mass mailing worm and backdoor trojan, 03.13.2004. Affects all current Windows versions, opens a backdoor (it listens on TCP port 2556) and attempts to spread through file-sharing networks.
Port also used by other variants of the worm, like W32.Beagle.N@mm. |
| 2565 |
tcp |
trojan |
Premium scan |
Striker trojan horse |
| 2581 |
tcp,udp |
argis-te |
not scanned |
ARGIS TE |
| 2582 |
tcp,udp |
argis-ds |
not scanned |
ARGIS DS |
| 2583 |
tcp |
trojan |
Premium scan |
WinCrash 2 trojan horse |
| 2595 |
tcp,udp |
worldfusion1 |
not scanned |
World Fusion 1 |
| 2596 |
tcp,udp |
worldfusion2 |
not scanned |
World Fusion 2 |
| 2598 |
tcp,udp |
citriximaclient |
not scanned |
new ICA - when Session Reliability is enabled, TCP port 2598 replaces port 1494
IANA registered for: Citrix MA Client |
| 2600 |
tcp |
trojan |
Premium scan |
Digital RootBeer |
| 2601 |
tcp,udp |
discp-client |
not scanned |
zebra vty
IANA registered for: discp client |
| 2602 |
tcp,udp |
discp-server |
not scanned |
RIPd vty
IANA registered for: discp server |
| 2621 |
tcp,udp |
miles-apart |
not scanned |
Oracle Procedural Gateway
IANA registered for: Miles Apart Jukebox Server |
| 2654 |
tcp,udp |
corel_vncadmin |
not scanned |
Corel VNC Admin |
| 2656 |
tcp,udp |
kana |
not scanned |
ICQ P2P, SQL Remote Connection
IANA registered for: Kana |
| 2657 |
tcp,udp |
sns-dispatcher |
not scanned |
SNS Dispatcher |
| 2658 |
tcp,udp |
sns-admin |
not scanned |
SNS Admin |
| 2659 |
tcp,udp |
sns-query |
not scanned |
SNS Query |
| 2664 |
tcp,udp |
patrol-mq-gm |
not scanned |
Patrol for MQ GM |
| 2665 |
tcp,udp |
patrol-mq-nm |
not scanned |
Patrol for MQ NM |
| 2677 |
tcp,udp |
gadgetgate1way |
not scanned |
Gadget Gate 1 Way |
| 2678 |
tcp,udp |
gadgetgate2way |
not scanned |
Gadget Gate 2 Way |
| 2717 |
tcp,udp |
pn-requester |
not scanned |
PN REQUESTER |
| 2718 |
tcp,udp |
pn-requester2 |
not scanned |
PN REQUESTER 2
The Prayer 2 trojan horse also uses port 2718 (TCP). |
| 2727 |
tcp,udp |
mgcp-callagent |
not scanned |
Media Gateway Control Protocol Call Agent |
| 2741 |
tcp,udp |
tsb |
not scanned |
TSB |
| 2742 |
tcp,udp |
tsb2 |
not scanned |
TSB2 |
| 2745 |
tcp |
trojans |
Members scan |
Beagle.C (02.27.2004) through Beagle.K (03.03.2004) - mass mailing worms that use their own SMTP engine and open a backdoor on port 2745. They spread through email and file-sharing networks. |
| 2747 |
tcp,udp |
fjippol-swrly |
not scanned |
fjippol-swrly |
| 2748 |
tcp,udp |
fjippol-polsvr |
not scanned |
fjippol-polsvr |
| 2749 |
tcp,udp |
fjippol-cnsl |
not scanned |
fjippol-cnsl |
| 2773,2774 |
tcp |
trojans |
Premium scan |
trojans: SubSeven, SubSeven 2.1 Gold
Ports are also IANA registered for: RBackup Remote Backup |
| 2776 |
tcp,udp |
ridgeway1 |
not scanned |
Ridgeway Systems & Software |
| 2777 |
tcp,udp |
ridgeway2 |
not scanned |
Ridgeway Systems & Software |
| 2779 |
tcp,udp |
lbc-sync |
not scanned |
LBC Sync |
| 2780 |
tcp,udp |
lbc-control |
not scanned |
LBC Control |
| 2784 |
tcp |
trojans |
Members scan |
Backdoor.Sdbot.AO (01.30.2005) - worm with backdoor capabilities. Gives remote access to the compromised PC, via IRC channels on port 2784. |
| 2801 |
tcp |
trojan |
Premium scan |
Phineas Phucker trojan horse |
| 2813 |
tcp,udp |
llm-pass |
not scanned |
llm-pass |
| 2814 |
tcp,udp |
llm-csv |
not scanned |
llm-csv |
| 2815 |
tcp,udp |
lbc-measure |
not scanned |
LBC Measurement |
| 2816 |
tcp,udp |
lbc-watchdog |
not scanned |
The Guild 2, Microsoft Robotics - Visual Simulation Environment
IANA registered for: LBC Watchdog |
| 2817 |
tcp |
trojans |
Premium scan |
W32.Mytob.FI@mm (06.20.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 2817/tcp. |
| 2823 |
tcp,udp |
cqg-netlan |
not scanned |
CQG Net/LAN |
| 2824 |
tcp,udp |
cqg-netlan-1 |
not scanned |
CQG Net/LAN 1 |
| 2832 |
tcp,udp |
silkp4 |
not scanned |
Media Streaming, Live Blogging Sametime 751 (peer-to-peer video feed), FlashFXP
IANA registered for: silkp4 |
| 2834 |
tcp,udp |
evtp |
not scanned |
EVTP |
| 2835 |
tcp,udp |
evtp-data |
not scanned |
EVTP-DATA |
| 2844 |
tcp,udp |
bpcp-poll |
not scanned |
BPCP POLL |
| 2845 |
tcp,udp |
bpcp-trap |
not scanned |
BPCP TRAP |
| 2860 |
tcp,udp |
dialpad-voice1 |
not scanned |
Dialpad Voice 1 |
| 2861 |
tcp,udp |
dialpad-voice2 |
not scanned |
Dialpad Voice 2 |
| 2869 |
tcp,udp |
icslap |
not scanned |
Microsoft Internet Connection Firewall (ICF), Internet Connection Sharing (ICS), SSDP Discover Service, Microsoft Universal Plug and Play (UPnP), Microsoft Event Notification
IANA registered for: ICSLAP |
| 2874 |
tcp,udp |
dxmessagebase1 |
not scanned |
DX Message Base Transport Protocol |
| 2875 |
tcp,udp |
dxmessagebase2 |
not scanned |
DX Message Base Transport Protocol |
| 2916 |
tcp,udp |
elvin_server |
not scanned |
Elvin Server |
| 2917 |
tcp,udp |
elvin_client |
not scanned |
Elvin Client |
| 2929 |
tcp |
amx-webadmin |
Premium scan |
Trojans using this port: Konik
IANA registered for: AMX-WEBADMIN (PANJA-WEBADMIN) |
| 2930 |
tcp,udp |
amx-weblinx |
not scanned |
PANJA-WEBLINX
IANA registered for: AMX-WEBLINX |
| 2938 |
tcp,udp |
sm-pas-1 |
not scanned |
SM-PAS-1 |
| 2939 |
tcp,udp |
sm-pas-2 |
not scanned |
SM-PAS-2 |
| 2940 |
tcp,udp |
sm-pas-3 |
not scanned |
SM-PAS-3 |
| 2941 |
tcp,udp |
sm-pas-4 |
not scanned |
SM-PAS-4 |
| 2953 |
tcp,udp |
ovalarmsrv |
not scanned |
OVALARMSRV |
| 2954 |
tcp,udp |
ovalarmsrv-cmd |
not scanned |
OVALARMSRV-CMD |
| 2962 |
tcp,udp |
iph-policy-cli |
not scanned |
IPH-POLICY-CLI |
| 2963 |
tcp,udp |
iph-policy-adm |
not scanned |
IPH-POLICY-ADM |
| 2964 |
tcp,udp |
bullant-srap |
not scanned |
BULLANT SRAP |
| 2965 |
tcp,udp |
bullant-rap |
not scanned |
BULLANT RAP |
| 2968 |
tcp,udp |
enpp |
not scanned |
Rtvscan (Symantec Antivirus) for Novell NetWare servers
Trojans that may use this port: SDBot
IANA registered for: ENPP |
| 2977 |
tcp,udp |
ttc-etap-ns |
not scanned |
TTCs Enterprise Test Access Protocol - NS |
| 2978 |
tcp,udp |
ttc-etap-ds |
not scanned |
TTCs Enterprise Test Access Protocol - DS |
| 2984 |
tcp,udp |
hpidsadmin |
not scanned |
HPIDSADMIN |
| 2985 |
tcp,udp |
hpidsagent |
not scanned |
HPIDSAGENT |
| 2989 |
tcp,udp |
trojan |
not scanned |
Rat 1.2 |
| 2993 |
tcp,udp |
veritas-vis1 |
not scanned |
VERITAS VIS1 |
| 2994 |
tcp,udp |
veritas-vis2 |
not scanned |
VERITAS VIS2 |
| 3000 |
tcp |
trojan |
Premium scan |
Remote Shutdown trojan horse |
| 3001 |
tcp |
applications |
not scanned |
The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp. |
| 3002 |
tcp |
applications |
not scanned |
The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp. |
| 3003 |
tcp |
applications |
not scanned |
The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp. |
| 3011 |
tcp,udp |
trusted-web |
not scanned |
Trusted Web |
| 3012 |
tcp,udp |
twsdss |
not scanned |
Trusted Web Client |
| 3024 |
tcp |
trojan |
Premium scan |
WinCrash trojan horse |
| 3027 |
tcp,udp |
liebdevmgmt_c |
not scanned |
LiebDevMgmt_C |
| 3028 |
tcp,udp |
liebdevmgmt_dm |
not scanned |
LiebDevMgmt_DM |
| 3029 |
tcp,udp |
liebdevmgmt_a |
not scanned |
LiebDevMgmt_A |
| 3030 |
tcp |
trojans |
Premium scan |
W32.Mytob.ET@mm (06.15.2005) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine to spread. Connects to an IRC server and listens for remote commands on port 3030/tcp.
Port also used by the W32.Mytob.EQ variant of the worm. |
| 3067 |
tcp |
trojans |
Premium scan |
W32.Korgo.F (2004-06-01) - worm that propagates using Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 3067, and may use other random ports.
IANA registered for: FJHPJP |
| 3072 |
tcp |
csd-monitor |
Premium scan |
Trojans using this port: IRC Bot
IANA registered for: ContinuStor Monitor Port |
| 3074 |
tcp,udp |
xbox |
Premium scan |
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp. |
| 3075 |
tcp,udp |
orbix-locator |
not scanned |
Lost Planet - Extreme Condition, Call of Duty - World at War, Blazing Angels Online
IANA registered for: Orbix 2000 Locator |
| 3076 |
tcp,udp |
orbix-config |
not scanned |
Orbix 2000 Config |
| 3077 |
tcp,udp |
orbix-loc-ssl |
not scanned |
Orbix 2000 Locator SSL |
| 3078 |
tcp,udp |
orbix-cfg-ssl |
not scanned |
Orbix 2000 Locator SSL |
| 3081 |
tcp,udp |
tl1-lv |
not scanned |
TL1-LV |
| 3082 |
tcp,udp |
tl1-raw |
not scanned |
TL1-RAW |
| 3083 |
tcp,udp |
tl1-telnet |
not scanned |
TL1-TELNET |
| 3101 |
tcp |
bes |
Premium scan |
Port used by Blackberry Enterprise Server (BES). Also uses port 3500/tcp. |
| 3104 |
tcp |
applications |
not scanned |
Rainbow Six Vegas game
IANA registered for: Autocue Logger Protocol
CA Message Queuing (CAM/CAFT) software - buffer overflow vulnerability that can allow a remote attacker to execute arbitrary code by sending a specially crafted message to TCP port 3104 (CVE-2007-0060). |
| 3105 |
tcp,udp |
cardbox |
not scanned |
Cardbox |
| 3106 |
tcp,udp |
cardbox-http |
not scanned |
Cardbox HTTP |
| 3115 |
tcp,udp |
mctet-master |
not scanned |
MCTET Master |
| 3116 |
tcp,udp |
mctet-gateway |
not scanned |
MCTET Gateway |
| 3117 |
tcp,udp |
mctet-jserv |
not scanned |
Rainbow Six Vegas
IANA registered for: MCTET Jserv |
| 3119 |
tcp,udp |
d2000kernel |
Premium scan |
Trojans using this port: Delta Remote Access
IANA registered for: D2000 Kernel Port |
| 3120 |
tcp,udp |
d2000webserver |
not scanned |
D2000 Webserver Port |
| 3127 |
tcp |
worm |
Premium scan |
W32.Novarg.A@mm - mass-mailing worm with remote access trojan, 01.2004. Affects all current Windows versions. A.K.A W32/Mydoom@MM.
When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, compromising the entire system. |
| 3128 |
tcp |
ndl-aas |
Members scan |
Port used by some proxy servers. Common web proxy server ports: 8080, 80, 3128, 6588
Official assignment: Active API Server Port
Trojans and backdoors that use this port: Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080. |
| 3129 |
tcp |
trojans |
Premium scan |
Master's Paradise - remote access trojan, 03.1998. Affects Windows, uses ports 31, 3129, 40421-40426
Port 3129 is also registered with IANA for: NetPort Discovery Port |
| 3131 |
tcp,udp |
netbookmark |
Premium scan |
Oracle Application Server, LDAP SSL, Squid (HTTP Proxy)
Trojans using this port: SubSARI.
IANA registered for: Net Book Mark. |
| 3133 |
tcp |
prism-deploy |
Members scan |
Malicious services using this port: Back Orifice, Back Orifice 2000
IANA registered for: Prism Deploy User Port |
| 3137 |
tcp,udp |
rtnt-1 |
not scanned |
rtnt-1 data packets |
| 3138 |
tcp,udp |
rtnt-2 |
not scanned |
rtnt-2 data packets |
| 3148 |
tcp,udp |
nm-game-admin |
not scanned |
NetMike Game Administrator |
| 3149 |
tcp,udp |
nm-game-server |
not scanned |
NetMike Game Server |
| 3150 |
tcp,udp |
nm-asses-admin |
Members scan |
Netmike assessor administrator port.
Some trojans that also use this port: The Invasor (TCP), Deep Throat, Foreplay (UDP), Mini Backlash (uses ports 2130/udp and 3150/udp). |
| 3151 |
tcp,udp |
nm-assessor |
not scanned |
NetMike Assessor |
| 3169 |
tcp,udp |
serverview-as |
not scanned |
SERVERVIEW-AS |
| 3170 |
tcp,udp |
serverview-asn |
not scanned |
SERVERVIEW-ASN |
| 3171 |
tcp,udp |
serverview-gf |
not scanned |
SERVERVIEW-GF |
| 3172 |
tcp,udp |
serverview-rm |
not scanned |
SERVERVIEW-RM |
| 3181 |
tcp,udp |
bmcpatrolagent |
not scanned |
BMC Patrol Agent |
| 3182 |
tcp,udp |
bmcpatrolrnvu |
not scanned |
BMC Patrol Rendezvous |
| 3190 |
tcp,udp |
csvr-proxy |
not scanned |
ConServR Proxy |
| 3191 |
tcp,udp |
csvr-sslproxy |
not scanned |
ConServR SSL Proxy |
| 3195 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Whisper.B (01.17.2005) - backdoor trojan. Connects to an IRC channel for remote access on port 3195/tcp.
IANA registered for: Network Control Unit |
| 3196 |
tcp,udp |
ncu-2 |
not scanned |
Network Control Unit |
| 3197 |
tcp,udp |
embrace-dp-s |
not scanned |
Embrace Device Protocol Server |
| 3198 |
tcp,udp |
embrace-dp-c |
not scanned |
Embrace Device Protocol Client |
| 3203 |
tcp,udp |
netwatcher-mon |
not scanned |
Network Watcher Monitor |
| 3204 |
tcp,udp |
netwatcher-db |
not scanned |
Network Watcher DB Access |
| 3207 |
tcp,udp |
vx-auth-port |
not scanned |
Veritas Authentication Port |
| 3214 |
tcp,udp |
jmq-daemon-1 |
not scanned |
JMQ Daemon Port 1 |
| 3215 |
tcp,udp |
jmq-daemon-2 |
not scanned |
Trojans using this port: XHX
IANA registered for: JMQ Daemon Port 2 |
| 3220 |
tcp,udp |
xnm-ssl |
not scanned |
XML NM over SSL |
| 3221 |
tcp,udp |
xnm-clear-text |
not scanned |
XML NM over TCP |
| 3256 |
tcp |
trojans |
Premium scan |
W32.HLLW.Dax - worm with remote access capabilities, 09.2002. Affects all current Windows versions.
Port is also registered with IANA for: Compaq RPM Agent Port |
| 3260 |
tcp,udp |
iscsi-target |
not scanned |
iSCSI port |
| 3268 |
tcp,udp |
msft-gc |
not scanned |
Global Catalog LDAP
IANA registered for: Microsoft Global Catalog |
| 3269 |
tcp,udp |
msft-gc-ssl |
not scanned |
Microsoft Global Catalog with LDAP SSL |
| 3283 |
tcp,udp |
net-assistant |
not scanned |
Apple Remote Desktop, iChat
IANA registered for: Net Assistant |
| 3293 |
tcp,udp |
fg-fps |
not scanned |
fg-fps |
| 3294 |
tcp,udp |
fg-gip |
not scanned |
fg-gip |
| 3300 |
tcp,udp |
sap-gw |
not scanned |
SAP Gateway Server, TripleA game server (applications)
IANA registered for: Unauthorized use by SAP R/3 |
| 3301 |
tcp,udp |
|
not scanned |
Unauthorized use by SAP R/3 |
| 3303 |
tcp,udp |
opsession-clnt |
not scanned |
OP Session Client |
| 3304 |
tcp,udp |
opsession-srvr |
not scanned |
OP Session Server |
| 3306 |
tcp,udp |
mysql |
Members scan |
MySQL database server connections - http://www.mysql.com
Port also used by Nemog backdoor (discovered 2004.08.16) - a backdoor trojan horse that allows an infected computer to be used as an email relay and HTTP proxy, dropped by W32.Mydoom.Q@mm.
It can use one of the following ports: 3306,4242,4646,4661,6565,8080
Worms using this port: W32.Spybot.IVQ |
| 3308 |
tcp,udp |
tns-server |
not scanned |
TNS Server |
| 3309 |
tcp,udp |
tns-adv |
not scanned |
TNS ADV |
| 3313 |
tcp,udp |
uorb |
not scanned |
Unify Object Broker |
| 3314 |
tcp,udp |
uohost |
not scanned |
Unify Object Host |
| 3330 |
tcp,udp |
mcs-calypsoicf |
not scanned |
MCS Calypso ICF |
| 3331 |
tcp,udp |
mcs-messaging |
not scanned |
MCS Messaging |
| 3332 |
tcp |
trojans |
Premium scan |
Port is registered with IANA for: MCS Mail Server
Some trojans that use this port:
Q0 BackDoor trojan
W32.Cycle (05.10.2004). Exploits an MS vulnerability on port 445, listens on ports 3332/tcp and 69/udp. |
| 3333 |
tcp |
trojans |
Premium scan |
W32.Bratle.A (07.31.2005) - worm that exploits the MS Windows LSASS Buffer Overrun vulnerability (MS04-011). Opens an FTP server on port 3333/tcp. |
| 3334 |
tcp |
pvfs2 |
Premium scan |
Parallel Virtual File System Version 2 (PVFS2) - http://www.pvfs.org
IANA registered for: Direct TV Webcasting |
| 3335 |
tcp,udp |
directv-soft |
not scanned |
Direct TV Software Updates |
| 3336 |
tcp,udp |
directv-tick |
not scanned |
Direct TV Tickers |
| 3338 |
tcp,udp |
anet-b |
not scanned |
OMF data b |
| 3339 |
tcp,udp |
anet-l |
not scanned |
OMF data l |
| 3340 |
tcp,udp |
anet-m |
not scanned |
OMF data m |
| 3341 |
tcp,udp |
anet-h |
not scanned |
OMF data h |
| 3344 |
tcp |
trojans |
Premium scan |
W32.Mytob.GP@mm (06.30.2005) - mass mailing worm that opens a backdoor on the compromised computer. Contacts IRC servers and listens for remote commands on port 3344/tcp. |
| 3351 |
tcp |
trojans |
Members scan |
W32.Reatle.E@mm (08.01.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS LSASS Buffer Overrun Vulnerability (MS04-011). Opens backdoors on ports 3351/tcp and 8190/tcp. |
| 3356 |
tcp,udp |
upnotifyps |
not scanned |
UPNOTIFYPS |
| 3360 |
tcp,udp |
kv-server |
not scanned |
KV Server |
| 3361 |
tcp,udp |
kv-agent |
not scanned |
KV Agent |
| 3372 |
tcp |
msdtc |
Members scan |
MS DTC (Microsoft Distributed Transaction Coordinator) is a Microsoft transaction processing technology. The service is installed by default in Windows 2000 and can be used by MS SQL Server and Microsoft Message Queue Server (MSMQ).
The port is vulnerable to potential DDoS attacks. A remote user may be able to crash the MS DTC service by sending 1024 bytes of random data on TCP port 3372.
If you do not need MS DTC you can set your firewall to block access to port 3372. It is possible for MS DTC to use other ports, so you might also need to set your firewall to block any activity by the MS DTC service. |
| 3385 |
tcp |
trojans |
Premium scan |
W32.Mytob.KP@mm (10.21.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands by connecting to an IRC server on the rax.oucihax.info domain on port 3385/tcp. |
| 3388 |
tcp |
trojans |
Premium scan |
Trojan.Mitglieder.S (12.22.2005) - trojan that opens a backdoor and runs a proxy server. The trojan can periodically connect to remote websites and send gathered information from the compromised computer. Opens a backdoor, acts as a SOCKS 4 proxy, and listens for remote commands on port 3388/tcp. |
| 3389 |
tcp |
rdp |
Basic scan |
Port registered as ms-wbt-server, used for Windows XP Remote Desktop and Remote Assistance connections (RDP - Remote Desktop Protocol). Also used by Windows NT/2k/2k3 Terminal Server.
See also: MS Security Bulletin MS02-051 and MS01-040.
Trojans using this port: Backdoor.Win32.Agent.cdm
TSPY_AGENT.ADDQ also uses this port. |
| 3393 |
tcp,udp |
d2k-tapestry1 |
not scanned |
D2K Tapestry Client to Server |
| 3394 |
tcp,udp |
d2k-tapestry2 |
not scanned |
D2K Tapestry Server to Server |
| 3398 |
tcp |
trojans |
Premium scan |
PWSteal.Bancos.AA (08.04.2005) - a trojan that steals passwords and logs keystrokes (mainly entered into a number of e-commerce and banking websites). The trojan runs a proxy server on port 3398/tcp. It also emails information from the compromised computer using its own SMTP server. |
| 3399 |
tcp,udp |
csms |
not scanned |
SAP EPS (applications)
IANA registered for: CSMS |
| 3400 |
tcp,udp |
csms2 |
not scanned |
CSMS2 |
| 3405 |
tcp,udp |
nokia-ann-ch1 |
not scanned |
Nokia Announcement ch 1 |
| 3406 |
tcp,udp |
nokia-ann-ch2 |
not scanned |
Nokia Announcement ch 2 |
| 3409 |
tcp,udp |
networklens |
not scanned |
NetworkLens Event Port |
| 3410 |
tcp |
trojans |
Members scan |
Backdoor.Optixpro - remote access trojan.
This port is also registered for NetworkLens SSL Event |
| 3418 |
tcp |
trojans |
Premium scan |
Port used by SpySender (a.k.a. Backdoor.Delf.hp) - remote access trojan, 05.2002. Uses ports 1807, 3418 |
| 3422 |
tcp,udp |
rusb-sys-port |
not scanned |
Malicious services using this port: IRC Bots
IANA registered for: Remote USB System Port |
| 3423 |
tcp,udp |
xtrm |
not scanned |
xTrade Reliable Messaging |
| 3424 |
tcp,udp |
xtrms |
not scanned |
xTrade over TLS/SSL |
| 3436,3437 |
tcp |
trojans |
Premium scan |
Backdoor.Netjoe (11.16.2004) - remote access trojan. Affects all current Windows versions, opens TCP ports 3436 and 3437. |
| 3450 |
tcp,udp |
castorproxy |
not scanned |
Virtual Places Voice Chat
Malicious services using this port: Trojan Proxy
IANA registered for: CAStorProxy |
| 3456 |
tcp |
trojans |
Premium scan |
Backdoor.Fearic - remote access trojan, 08.2002. Affects all current Windows versions, opens ports 2000, 3456, 8811.
Some other trojans using this port: Teror Trojan, Fear, Force.
IANA registered for: VAT default data |
| 3457 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429
IANA registered for: VAT default control |
| 3459 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Eclipse 2000, Sanctuary
Port IANA registered for: TIP Integral |
| 3460 |
tcp,udp |
edm-manager |
not scanned |
EDM Manager |
| 3461 |
tcp,udp |
edm-stager |
not scanned |
EDM Stager |
| 3462 |
tcp,udp |
edm-std-notify |
not scanned |
Software distribution
IANA registered for: EDM STD Notify |
| 3463 |
tcp,udp |
edm-adm-notify |
not scanned |
EDM ADM Notify |
| 3464 |
tcp,udp |
edm-mgr-sync |
not scanned |
EDM MGR Sync |
| 3465 |
tcp,udp |
edm-mgr-cntrl |
not scanned |
EDM MGR Cntrl |
| 3470 |
tcp,udp |
jt400 |
not scanned |
Worms using this port: I-Worm/Mytob.BO (W32/Mytob)
IANA registered for: jt400 |
| 3471 |
tcp,udp |
jt400-ssl |
not scanned |
jt400-ssl |
| 3472 |
tcp,udp |
jaugsremotec-1 |
not scanned |
JAUGS N-G Remotec 1 |
| 3473 |
tcp,udp |
jaugsremotec-2 |
not scanned |
JAUGS N-G Remotec 2 |
| 3478 |
tcp,udp |
stun |
Premium scan |
Simple Traversal of UDP Through NAT (STUN) port. It operates on port 3478 tcp/udp. It is usually supported by newer VoIP devices. |
| 3495 |
tcp,udp |
seclayer-tcp |
not scanned |
securitylayer over tcp |
| 3496 |
tcp,udp |
seclayer-tls |
not scanned |
securitylayer over tls |
| 3500 |
tcp |
bes |
Premium scan |
Port used by Blackberry Enterprise Server (BES). Also uses port 3101/tcp. |
| 3506 |
udp |
games |
not scanned |
Take2 Bet On Soldier: Blood Sports (may require GameSpy ports to be opened - http://www.gamespyarcade.com/support/firewalls.shtml) |
| 3521 |
tcp,udp |
mc3ss |
Premium scan |
Applications: StarTrek network game
Malicious services using this port: W32.K0wbot worm
IANA registered for: Telequip Labs MC3SS |
| 3538 |
tcp,udp |
ibm-diradm |
not scanned |
IBM Directory Server |
| 3539 |
tcp,udp |
ibm-diradm-ssl |
not scanned |
IBM Directory Server SSL |
| 3567 |
tcp,udp |
oap |
not scanned |
Object Access Protocol |
| 3568 |
tcp,udp |
oap-s |
not scanned |
Dark Reign 2, Delta Force 2
IANA registered for: Object Access Protocol over SSL |
| 3585 |
tcp,udp |
emprise-lls |
not scanned |
Emprise License Server |
| 3586 |
tcp,udp |
emprise-lsc |
not scanned |
License Server Console
Snid X2 trojan horse also uses port 3585 (TCP). |
| 3591 |
tcp,udp |
gtrack-server |
not scanned |
LOCANIS G-TRACK Server |
| 3592 |
tcp,udp |
gtrack-ne |
not scanned |
LOCANIS G-TRACK NE Port |
| 3632 |
tcp,udp |
distcc |
not scanned |
3632 is the default listening port for the distcc daemon (distributed C/C++ compiler). It only supports IP-based authentication and defaults to allowing connections from all hosts, which means anyone can use it. It does no other harm than letting others use your hardware (at +5 nice) to speed up their compilation process. |
| 3660 |
tcp,udp |
can-nds-ssl |
not scanned |
AudioReQuest, Starwars Empire at War
IANA registered for: IBM Tivoli Directory Service using SSL |
| 3661 |
tcp,udp |
can-ferret-ssl |
not scanned |
IBM Tivoli Directory Service using SSL |
| 3689 |
tcp |
itunes |
not scanned |
iTunes |
| 3700 |
tcp |
LRS NetPage |
Premium scan |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.
3700/tcp is also registered with IANA for: LRS NetPage |
| 3702 |
tcp,udp |
wsd |
not scanned |
Port is also IANA registered for:
Web Services Discovery
Web Services for Devices (WSD) is a network plug-and-play experience that allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702. |
| 3703 |
tcp,udp |
adobeserver-3 |
not scanned |
Adobe Server 3 |
| 3704 |
tcp,udp |
adobeserver-4 |
not scanned |
Adobe Server 4 |
| 3705 |
tcp,udp |
adobeserver-5 |
not scanned |
Adobe Server 5 |
| 3706 |
tcp,udp |
rt-event |
not scanned |
Real-Time Event Port |
| 3707 |
tcp,udp |
rt-event-s |
not scanned |
Real-Time Event Secure Port |
| 3724 |
tcp |
games |
Premium scan |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 6112. |
| 3737 |
tcp |
trojans |
Premium scan |
Backdoor.Helios - remote access trojan, 09.2002. Affects all current Windows versions. |
| 3742 |
tcp,udp |
cst-port |
Premium scan |
Malicious services using this port: Service Tracker Attacks, W32.Mytob (worm)
IANA registered for: CST - Configuration & Service Tracker |
| 3746 |
tcp,udp |
linktest |
not scanned |
LXPRO.COM LinkTest |
| 3747 |
tcp,udp |
linktest-s |
not scanned |
LXPRO.COM LinkTest SSL |
| 3752 |
tcp,udp |
vipremoteagent |
Members scan |
Port is IANA registered for: Vigil-IP RemoteAgent
Worms using this port: W32/Spelit-A, W32/Agobot-AHT
Trojans using this port: Troj/Banker-FZ, Troj/Tanto-H |
| 3783 |
tcp |
games |
Basic scan |
GameSpy Arcade - voice chat port
Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
| 3784 |
tcp,udp |
ventrilo |
not scanned |
Ventrilo
IANA registered for: BFD Control Protocol |
| 3785 |
tcp,udp |
bfd-echo |
not scanned |
Ventrilo VoIP
IANA registered for: BFD Echo Protocol |
| 3791 |
tcp |
trojan |
Premium scan |
Total Eclipse trojan horse (FTP) |
| 3801 |
udp |
trojan |
not scanned |
Total Eclipse trojan horse |
| 3812 |
tcp,udp |
neto-wol-server |
not scanned |
netO WOL Server |
| 3814 |
tcp,udp |
neto-dcs |
not scanned |
netO DCS |
| 3822 |
tcp,udp |
acp-discovery |
not scanned |
Compute Pool Discovery |
| 3823 |
tcp,udp |
acp-conduit |
not scanned |
Compute Pool Conduit |
| 3824 |
tcp,udp |
acp-policy |
not scanned |
Compute Pool Policy |
| 3836 |
tcp,udp |
markem-dcp |
not scanned |
MARKEM NEXTGEN DCP |
| 3837 |
tcp,udp |
mkm-discovery |
not scanned |
MARKEM Auto-Discovery |
| 3857 |
tcp,udp |
trap-port |
not scanned |
Trap Port |
| 3858 |
tcp,udp |
trap-port-mom |
not scanned |
Trap Port MOM |
| 3863 |
tcp,udp |
asap |
not scanned |
asap, F-16 Mig 29 |
| 3864 |
tcp |
asap-tcp-tls |
not scanned |
asap/tls tcp port |
| 3866 |
tcp,udp |
dzdaemon |
not scanned |
Sun SDViz DZDAEMON Port |
| 3867 |
tcp,udp |
dzoglserver |
not scanned |
Sun SDViz DZOGLSERVER Port |
| 3872 |
tcp |
|
not scanned |
Oracle Management Remote Agent |
| 3887 |
tcp,udp |
ciphire-data |
not scanned |
Ciphire Data Transport |
| 3888 |
tcp,udp |
ciphire-serv |
not scanned |
Ciphire Services |
| 3894 |
tcp,udp |
syam-agent |
not scanned |
SyAM Agent Port |
| 3895 |
tcp,udp |
syam-smc |
not scanned |
SyAm SMC Service Port |
| 3896 |
tcp,udp |
sdo-tls |
not scanned |
Simple Distributed Objects over TLS |
| 3897 |
tcp,udp |
sdo-ssh |
not scanned |
Simple Distributed Objects over SSH |
| 3910 |
tcp,udp |
prnrequest |
not scanned |
Printer Request Port |
| 3911 |
tcp,udp |
prnstatus |
not scanned |
Printer Status Port |
| 3913 |
tcp,udp |
listcrt-port |
not scanned |
ListCREATOR Port |
| 3914 |
tcp,udp |
listcrt-port-2 |
not scanned |
ListCREATOR Port 2 |
| 3957 |
tcp,udp |
mqe-broker |
not scanned |
MQEnterprise Broker |
| 3958 |
tcp,udp |
mqe-agent |
not scanned |
MQEnterprise Agent |
| 3970 |
tcp,udp |
lanrevagent |
not scanned |
LANrev Agent |
| 3971 |
tcp,udp |
lanrevserver |
not scanned |
LANrev Server |
| 3984 |
tcp,udp |
mapper-nodemgr |
not scanned |
MAPPER network node manager |
| 3985 |
tcp,udp |
mapper-mapethd |
not scanned |
MAPPER TCP/IP server |
| 3986 |
tcp,udp |
mapper-ws_ethd |
not scanned |
MAPPER workstation server |
| 3989 |
tcp,udp |
bv-queryengine |
not scanned |
BindView-Query Engine |
| 3990 |
tcp,udp |
bv-is |
not scanned |
BindView-IS |
| 3991 |
tcp,udp |
bv-smcsrv |
not scanned |
BindView-SMCServer |
| 3992 |
tcp,udp |
bv-ds |
not scanned |
BindView-DirectoryServer |
| 3993 |
tcp,udp |
bv-agent |
not scanned |
BindView-Agent |
| 4000 |
tcp,udp |
trojans |
Members scan |
Trojan.Peacomm (2007-03-02) - trojan horse that drops a system driver which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique. Once infected, it opens a backdoor to download other malicious programs. Uses UDP ports 4000, 7871, 11271
Skydance trojan horse also uses port 4000 (TCP).
Port also used by Blizzard Battlenet, Diablo II. |
| 4001 |
tcp |
newoak |
Members scan |
NewOak, ICQ Client
OptixPro (Backdoor.OptixPro.13.C) - trojan horse that opens a backdoor on TCP port 4001. |
| 4002 |
tcp,udp |
pxc-spvr-ft |
not scanned |
pxc-spvr-ft, mlnet - MLChat P2P chat proxy |
| 4003 |
tcp,udp |
pxc-splr-ft |
not scanned |
pxc-splr-ft |
| 4004 |
tcp,udp |
pxc-roid |
not scanned |
pxc-roid, PPLive |
| 4005 |
tcp,udp |
pxc-pin |
not scanned |
pxc-pin |
| 4006 |
tcp,udp |
pxc-spvr |
not scanned |
pxc-spvr |
| 4007 |
tcp,udp |
pxc-splr |
not scanned |
pxc-splr, PrintBuzzer printer monitoring socket server |
| 4015 |
tcp,udp |
talarian-mcast1 |
not scanned |
Talarian Mcast |
| 4016 |
tcp,udp |
talarian-mcast2 |
not scanned |
Talarian Mcast |
| 4017 |
tcp,udp |
talarian-mcast3 |
not scanned |
Talarian Mcast |
| 4018 |
tcp,udp |
talarian-mcast4 |
not scanned |
Talarian Mcast |
| 4019 |
tcp,udp |
talarian-mcast5 |
not scanned |
Talarian Mcast |
| 4035 |
tcp,udp |
wap-push-http |
not scanned |
WAP Push OTA-HTTP port |
| 4036 |
tcp,udp |
wap-push-https |
not scanned |
WAP Push OTA-HTTP secure |
| 4049 |
tcp,udp |
wafs |
not scanned |
Wide Area File Services |
| 4050 |
tcp,udp |
cisco-wafs |
not scanned |
Wide Area File Services |
| 4092 |
tcp |
trojan |
Premium scan |
WinCrash trojan horse |
| 4095 |
tcp |
trojans |
Members scan |
W32.Randex.EUS (08.16.2005) - a worm that spreads through weak passwords in network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 4095/tcp. |
| 4100 |
tcp,udp |
igo-incognito |
Premium scan |
IGo Incognito Data Port, WatchGuard Authentication Applet, ICQ, Abacast, Sybase ASE
Malicious services using this port: Remote Anything, SkyDance |
| 4101 |
tcp,udp |
brlp-0 |
not scanned |
Braille protocol, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR, Blackberry Enterprise Server, NewOak
Trojans that may use this port: OptixPro |
| 4102 |
tcp,udp |
brlp-1 |
not scanned |
Braille protocol, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4103 |
tcp,udp |
brlp-2 |
not scanned |
Braille protocol, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4104 |
tcp,udp |
brlp-3 |
not scanned |
Braille protocol, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4105 |
tcp,udp |
shofarplayer |
not scanned |
ShofarPlayer, IBM Internet Security, CA Message Queuing (CAM/CAFT) software. There are some known CAM/CAFT vulnerabilities (CVE-2007-0060) |
| 4123 |
tcp |
trojans |
Members scan |
W32.Bratle.B (08.02.2005) - a worm that spreads by exploiting the MS LSASS Buffer Overrun Vulnerability (MS04-011). It opens a backdoor by running an FTP server on port 4123/tcp. |
| 4125 |
tcp |
rww |
Members scan |
MS Small Business Server Remote Web Workplace administration
IANA registered for: Opsview Envoy |
| 4128 |
tcp,udp |
nufw |
Premium scan |
NuFW decision delegation protocol
Trojans using this port: RCServ, RedShad |
| 4132 |
tcp,udp |
nuts_dem |
not scanned |
NUTS Daemon, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4133 |
tcp,udp |
nuts_bootp |
not scanned |
NUTS Bootp Server, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4135 |
tcp,udp |
cl-db-attach |
not scanned |
Classic Line Database Server Attach, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4136 |
tcp,udp |
cl-db-request |
not scanned |
Classic Line Database Server Request, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4137 |
tcp,udp |
cl-db-remote |
not scanned |
Classic Line Database Server Remote, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4156 |
udp |
worm-linux |
Premium scan |
Linux.Slapper.Worm (09.13.2002) - family of worms that use an OpenSSL buffer overflow exploit to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp.
Opens backdoors on the following ports:
The .A variant of the worm listens on port 2002/udp.
The .B variant listens on port 1978/udp.
The .C variant listens on port 4156/udp (and port 1052/tcp periodically). |
| 4161 |
tcp,udp |
omscontact |
not scanned |
OMS Contact, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4162 |
tcp,udp |
omstopology |
not scanned |
OMS Topology, Quadrox GuardDVR, Quadrox GuardNVR, Quadrox WebCCTV DVR, Quadrox WebCCTV NDVR, Quadrox WebCCTV NVR |
| 4191 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AH (11.22.2004) - a network aware worm with backdoor functionality. Affects all current Windows versions. It spreads via network shares and allows remote access on port 4191. |
| 4201 |
tcp,udp |
vrml-multi-use |
not scanned |
VRML Multi User Systems |
| 4242 |
tcp |
trojans |
Members scan |
Virtual Hacking Machine (VHM) trojan
Nemog backdoor (discovered 2004.08.16) - a backdoor trojan horse that allows an infected computer to be used as an email relay and HTTP proxy, dropped by W32.Mydoom.Q@mm.
It can use one of the following ports: 3306,4242,4646,4661,6565,8080
Applications using this port: VRML Multi User Systems |
| 4243 |
tcp,udp |
vrml-multi-use |
not scanned |
VRML Multi User Systems |
| 4245 |
tcp |
trojan |
Premium scan |
Rux.Backdoor trojan horse |
| 4300 |
tcp,udp |
corelccam |
not scanned |
Corel CCam |
| 4321 |
tcp |
trojans |
Premium scan |
BoBo, Schoolbus 1.0 trojans |
| 4354 |
tcp,udp |
qsnet-trans |
not scanned |
QSNet Transmitter |
| 4355 |
tcp,udp |
qsnet-workst |
not scanned |
QSNet Workstation |
| 4356 |
tcp,udp |
qsnet-assist |
not scanned |
QSNet Assistant |
| 4357 |
tcp,udp |
qsnet-cond |
not scanned |
QSNet Conductor |
| 4367 |
tcp |
trojans |
Premium scan |
W32.Spybot.NLX (04.12.2005) - worm that exploits a number of MS vulnerabilities. It has distributed denial of service (DDoS) and backdoor capabilities. Opens a backdoor by connecting to an IRC channel using port 4367/tcp. |
| 4400 |
tcp,udp |
ds-srv |
not scanned |
ASIGRA Services |
| 4401 |
tcp,udp |
ds-srvr |
not scanned |
ASIGRA Televaulting DS-System Service |
| 4402 |
tcp,udp |
ds-clnt |
not scanned |
ASIGRA Televaulting DS-Client Service |
| 4403 |
tcp,udp |
ds-user |
not scanned |
ASIGRA Televaulting DS-Client Monitoring/Management |
| 4404 |
tcp,udp |
ds-admin |
not scanned |
ASIGRA Televaulting DS-System Monitoring/Management |
| 4405 |
tcp,udp |
ds-mail |
not scanned |
ASIGRA Televaulting Message Level Restore service |
| 4406 |
tcp,udp |
ds-slp |
not scanned |
ASIGRA Televaulting DS-Sleeper Service |
| 4444 |
tcp |
trojans |
Basic scan |
W32.Blaster.Worm is a widely spread worm that exploits the DCOM RPC vulnerability described in MS Security Bulletin MS03-026. The worm allows remote access to an infected computer via ports 4444/tcp and 69/udp, and spreads through port 135/tcp. To avoid being infected, consider closing those ports.
W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin MS03-026) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444. |
| 4445 |
tcp,udp |
upnotifyp |
Premium scan |
Applications: UPNOTIFYP, MIRCat, Chainsaw
Trojans using this port: Oracle, Backdoor.Oracle |
| 4495 |
tcp |
trojans |
Premium scan |
Backdoor.Berbew.R (05.19.2005) - remote access trojan that steals passwords and opens backdoors on ports 2525/tcp and 4495/tcp. |
| 4500 |
udp |
ipsec |
Premium scan |
IPSec (VPN tunneling) uses the following ports:
50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
See also:
port 1701 (L2TP)
port 1723 (PPTP) |
| 4502-4534 |
tcp |
silverlight |
not scanned |
Ports are used by the Microsoft Silverlight plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser.
Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser. |
| 4512 |
tcp |
worm |
Members scan |
W32.Mytob mass mailing worm - contains Sdbot functionality in the worm that contacts the irc.blackcarder.net IRC server (on TCP port 4512), joins a specified channel, and waits for further instructions. |
| 4525 |
tcp,udp |
applications |
not scanned |
Java, postfix SMTP |
| 4527 |
tcp,udp |
trojan |
Premium scan |
Zvrop trojan |
| 4545 |
tcp,udp |
worldscores |
Premium scan |
WorldScores, LANSA Data/Application Server
Trojans using this port: Internal Revise, Remote Revise |
| 4564 |
tcp |
trojans |
Premium scan |
W32.Spybot.RDW (06.30.2005) - a worm with DDoS (distributed denial of service) and backdoor capabilities. Spreads by exploiting common vulnerabilities and through network shares with weak passwords. Opens an IRC backdoor on port 4564/tcp. |
| 4567 |
tcp |
trojans |
Basic scan |
Verizon Actiontec Routers have a web server listening to this port. Verizon FiOS uses it for "secure server connection to automatically monitor/upgrade the router firmware when connected to the FiOS network using a MOTIVE server connection on port 4567". The firmware shipped with Verizon's CPE does not allow port 4567 to be blocked easily.
To possibly block this port, enter the router's admin interface and navigate to:
1. Home -> Advanced -> Protocols -> Add
2. Type any service name, add server ports: protocol -> TCP, source -> any, destination -> single=4567, then Apply.
3. Navigate to Home -> Security -> Advanced Filtering
4. Input Rule Sets -> Broadband Connection (Ethernet) Rules -> Add
Trojans that use this port: File Nail trojan
IANA registered for: TRAM |
| 4590 |
tcp |
trojan |
Premium scan |
ICQTrojan |
| 4598 |
tcp,udp |
a16-an-an |
not scanned |
A16 (AN-AN) |
| 4599 |
tcp,udp |
a17-an-an |
not scanned |
A17 (AN-AN) |
| 4600 |
tcp,udp |
piranha1 |
not scanned |
Piranha1 |
| 4601 |
tcp,udp |
piranha2 |
not scanned |
Piranha2 |
| 4627 |
tcp,udp |
applications |
Premium scan |
Applications: QualiSystems TestShell Suite Services
Lala backdoor - a trojan horse that allows unauthorized access to a compromised computer. The Trojan attempts to steal confidential information (such as cached passwords and cookies), log keystrokes, and allow for remote file execution. Opens TCP/UDP port 4627, 1149, or 1877 to allow remote access. |
| 4646 |
tcp |
trojan |
Premium scan |
Nemog - backdoor trojan horse that allows an infected computer to be used as an email relay and HTTP proxy. Attempts to contact eMule servers on ports 3306,4242,4646,4661. |
| 4654 |
tcp,udp |
worm |
not scanned |
W32.Spybot |
| 4658 |
tcp,udp |
playsta2-app |
not scanned |
PlayStation2 App Port, PS3 NHL2K7 |
| 4659 |
tcp,udp |
playsta2-lob |
not scanned |
PlayStation2 Lobby Port |
| 4661 |
tcp |
trojans |
Members scan |
Trojan.Gamqowi (10.21.2005) - a backdoor trojan that lowers security settings on the compromised computer. It blocks access to some security-related websites, and attempts to end security-related processes. Opens a backdoor and listens for remote commands by connecting to an IRC server on port 4661/tcp.
Nemog backdoor (discovered 2004.08.16) - a backdoor trojan horse that allows an infected computer to be used as an email relay and HTTP proxy, dropped by W32.Mydoom.Q@mm.
It can use one of the following ports: 3306,4242,4646,4661,6565,8080
Port also used by aMule p2p - port on which an eDonkey server listens for connections by default. |
| 4662 |
tcp |
edonkey |
Members scan |
eDonkey 2000 P2P file sharing service. http://www.edonkey2000.com/
Applications that use this port: Overnet P2P Server, Pruna
IANA registered for: OrbitNet Message Service |
| 4663 |
tcp |
eDonkey2000 |
not scanned |
eDonkey2000 Command Line Client, Note It! Message Service |
| 4664 |
tcp |
Google |
Basic scan |
Port used by Google desktop's built-in HTTP server / indexing software.
Port also used by Rimage Messaging Server. Port is responsible for providing the underlying foundation for the transaction among its clients and the messaging server. The network port 4664 is used for the transmission of messaging server alerts, errors and order requests. The initialization of this system port is normally done for version 8 and higher of the Rimage software.
Port also used by: Trojan-Downloader.Win32.Banload.nrd |
| 4665 |
udp |
eDonkey2000 |
not scanned |
eDonkey2000 Server Messaging Default Port, Container Client Message Service, AudioReQuest |
| 4672 |
udp |
emule |
not scanned |
Port 4672/udp is used by the eMule file sharing software |
| 4711 |
tcp |
emule |
Premium scan |
eMule Web Server runs on this port by default. Some versions of this P2P client
are vulnerable to a DecodeBase16 buffer overflow, which would allow an
attacker to execute arbitrary code. |
| 4711 |
udp |
trojan |
not scanned |
Olfactor trojan horse |
| 4712 |
tcp |
amule |
not scanned |
aMule internal connection port - used by aMule to communicate with other applications such as aMule WebServer or aMuleCMD. |
| 4726 |
tcp,udp |
applications |
not scanned |
Port Reporter, Mbone |
| 4747 |
tcp |
applications |
not scanned |
Apprentice, Azureus, Glassfish, AppletView |
| 4747 |
udp |
pgpfone |
not scanned |
PGP Secure Phone Data Stream |
| 4774 |
tcp,udp |
applications |
not scanned |
Amcheck, aMule |
| 4783 |
tcp,udp |
applications |
not scanned |
Windows Socket Control, Backup Exec |
| 4795 |
tcp,udp |
applications |
not scanned |
DB2, Limewire |
| 4797 |
tcp,udp |
applications |
not scanned |
Integrated Process Server, ProFTPD |
| 4800 |
tcp,udp |
iims |
not scanned |
Deloder Worm can run a backdoor on ports 4800 and 4900.
IANA Registered for: Icona Instant Messenging System |
| 4811 |
tcp,udp |
applications |
not scanned |
TimeTracker |
| 4833 |
tcp,udp |
applications |
not scanned |
James, Novell |
| 4837 |
tcp,udp |
varadero-0 |
not scanned |
Varadero-0 |
| 4838 |
tcp,udp |
varadero-1 |
not scanned |
Varadero-1 |
| 4839 |
tcp,udp |
varadero-2 |
not scanned |
varadero-2 |
| 4848 |
tcp,udp |
appserv-http |
not scanned |
App Server - Admin HTTP |
| 4849 |
tcp,udp |
appserv-https |
not scanned |
App Server - Admin HTTPS |
| 4888 |
tcp |
trojans |
Premium scan |
W32.Opanki (05.24.2005) - IRC worm that spreads through AOL Instant Messenger. Connects to ftpd.there3d.com on port 4888/tcp and opens a backdoor for remote access.
Port also used by the W32.Opanki.D variant of the worm.
Applications that use this port: IPNAT, Veritas Storage |
| 4890 |
tcp,udp |
applications |
Premium scan |
Malicious Services: W32/Stration (worm)
Applications: Linux Gateway |
| 4891 |
tcp |
worm |
Premium scan |
W32.Mytob |
| 4899 |
tcp |
radmin |
Premium scan |
Radmin - remote administration of PCs. Some potential vulnerabilities, see Radmin Default Installation Security vulnerabilities.
Worms using this port: Win32/Agobot Family, W32.Rahack |
| 4900 |
tcp,udp |
hfcs |
not scanned |
Deloder Worm can run a backdoor on ports 4800 and 4900.
IANA registered for: Hyper File Client/Server Database Engine |
| 4912 |
tcp |
trojans |
Premium scan |
Backdoor.Mirab - remote access trojan, 06.2002. Affects all current Windows versions. It uses port 4912 for direct control and port 6430 for file transfer by default. |
| 4949 |
tcp,udp |
munin |
Premium scan |
Worms using this port: Win32.IRCBot, WORM_DELF.AYF
IANA registered for: Munin Graphing Framework |
| 4950 |
tcp |
trojan |
Premium scan |
ICQTrojan |
| 4969 |
tcp,udp |
ccss-qmm |
not scanned |
CCSS QMessageMonitor |
| 4970 |
tcp,udp |
ccss-qsm |
not scanned |
CCSS QSystemMonitor |
| 4987 |
tcp,udp |
smar-se-port1 |
not scanned |
SMAR Ethernet Port 1, maybe-veritas |
| 4988 |
tcp,udp |
smar-se-port2 |
not scanned |
SMAR Ethernet Port 2 |
| 5000 |
tcp,udp |
UPnP |
Basic scan |
Universal Plug and Pray - "Universal Plug and Play (UPnP) is an architecture that supports peer-to-peer Plug and Play functionality for network devices." MSKB - Universal PnP
UPnP discovery/SSDP is a service that runs by default on WinXP and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders. Here is a list of some known vulnerabilities with UPnP:
MS Security Bulletin MS01-054
MS Security Bulletin MS01-059
UPnP Vulnerabilities
Trojan Horses that use port 5000: Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie
Trojan.Webus.B - DDoS attack trojan, kills antivirus services, 10.05.2004. Uses port 5000/tcp for a DDoS attack.
W32.Mytob.HH@mm (07.12.2005) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 26418/tcp. Also opens a backdoor on port 5000/tcp. |
| 5001 |
tcp |
applications |
Members scan |
Yahoo Messenger Chat
Malicious services using this port:
Back Door setup trojan, Sockets des Troie trojan |
| 5002,5003 |
tcp |
trojans |
Members scan |
W32.Spybot.IVQ (01.26.2005) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445).
Opens a backdoor on one or more of these ports: 5002, 5003, 1927, 1930. |
| 5002 |
udp |
hdhomerun |
not scanned |
HDHomeRun DVR from SiliconDust uses this port. HDHomeRun can be administered over the Ethernet link to tune channels, broadcast an MPEG stream, etc. The device can be viewed/controlled through a range of Linux/Windows DVR/PVR programs.
List of all used ports:
Discovery Protocol - UDP 65001
Control Protocol - TCP 65001
Video stream - UDP 5002 and UDP 5004
LIRC for IR on HD Homerun - UDP 5000 |
| 5004 |
udp |
hdhomerun |
not scanned |
Port used by Real Time Streaming Protocol (RTSP) for Microsoft Windows Media streaming services.
RTSP uses the following ports:
554 TCP - used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT.
5004 UDP - used for delivering data packets to clients that are streaming by using RTSPU.
5005 UDP - used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU.
See also: port 1755 - Microsoft Media Server (MMS) protocol
HDHomeRun DVR from SiliconDust uses port 5004 UDP. HDHomeRun can be administered over the Ethernet link to tune channels, broadcast an MPEG stream, etc. The device can be viewed/controlled through a range of Linux/Windows DVR/PVR programs.
List of all HDHomeRun used ports:
Discovery Protocol - UDP 65001
Control Protocol - TCP 65001
Video stream - UDP 5002 and UDP 5004
LIRC for IR on HD Homerun - UDP 5000 |
| 5005 |
udp |
ms-rtsp |
not scanned |
Port used by Real Time Streaming Protocol (RTSP) for Microsoft Windows Media streaming services.
RTSP uses the following ports:
554 TCP - used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT.
5004 UDP - used for delivering data packets to clients that are streaming by using RTSPU.
5005 UDP - used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU.
See also: port 1755 - Microsoft Media Server (MMS) protocol |
| 5010 |
tcp,udp |
yahoo |
Premium scan |
Yahoo Messenger Voice Chat
Also used by Avaya ISPI Control protocol. Used to communicate via CCMS (Control Channel Message Set) between an Avaya PBX, such as the S8300 or S8700 Media Servers, and an IPSI (IP Server Interface).
Applications/games that use this port: Ultima Online, Defcon, Ojo
Trojans that use this port: Solo (tcp)
IANA registered for: TelepathStart |
| 5011 |
tcp |
telelpathattack |
Premium scan |
Trojans using this port: Peanut Brittle, modified, One of the Last Trojans (OOTLT)
Applications/games using this port: Defcon (UDP)
IANA registered for: TelepathAttack |
| 5017 |
tcp |
applications |
Premium scan |
Applications using this port: Astronomical Image Processing System (AIPS), Ojo (UDP)
Malicious services using this port: Win32-Pakes-AKM, WORM_NUWAR |
| 5020 |
tcp,udp |
zenginkyo-1 |
not scanned |
zenginkyo-1 |
| 5021 |
tcp,udp |
applications |
not scanned |
zenginkyo-2, LocationFree |
| 5031 |
tcp |
trojan |
Premium scan |
NetMetropolitan 1.0, NetMetropolitan 1.04 trojan horse |
| 5032 |
tcp |
trojan |
Premium scan |
NetMetropolitan 1.04 |
| 5051 |
tcp,udp |
ita-agent |
not scanned |
ITA Agent, Symantec Intruder Alert, Orbit Downloader (P2P) |
| 5056 |
tcp,udp |
intecom-ps1 |
not scanned |
Intecom Pointspan 1 |
| 5057 |
tcp,udp |
intecom-ps2 |
not scanned |
Intecom Pointspan 2 |
| 5064 |
tcp,udp |
ca-1 |
not scanned |
Applications using this port: Nomado
IANA registered for: Channel Access 1 |
| 5065 |
tcp,udp |
ca-2 |
not scanned |
Applications using this port: IConnectHere, Lingo VoIP, Nomado
IANA registered for: Channel Access 2 |
| 5066 |
tcp,udp |
stanag-5066 |
not scanned |
IANA registered for: STANAG 5066 (http://s5066.nc3a.nato.int), a communication protocol stack for long thin pipes with a high bit-error rate, specifically HF radio.
Applications that use this port: GeoVision RemotePlayBack |
| 5106 |
tcp |
applications |
not scanned |
A-Talk Common connection |
| 5107 |
tcp |
applications |
not scanned |
A-Talk Remote server connection |
| 5110 |
tcp |
applications |
Premium scan |
Applications using this port: ProRat Server
Trojans using this port: BDS/Hupigon.bsw, BDS/Prorat.M.B.38, ProRAT |
| 5111 |
tcp,udp |
taep-as-svc |
Premium scan |
Malicious services using this port: W32.Korgo
IANA Registered for: TAEP AS service |
| 5136 |
tcp |
trojans |
Premium scan |
Backdoor.Toob.A (11.03.2005) - a trojan horse with backdoor capabilities. Opens a backdoor and listens for remote commands on port 5136/tcp. |
| 5151 |
tcp |
trojans |
Premium scan |
Backdoor.Optix.04.c - remote access trojan, 10.23.2002. Affects all current Windows versions, listens to port 5151 by default.
Port is also IANA assigned to: esri_sde - ESRI SDE Instance |
| 5167 |
tcp,udp |
scte104 |
not scanned |
SCTE104 Connection |
| 5168 |
tcp,udp |
scte30 |
not scanned |
SCTE30 Connection |
| 5180 |
tcp,udp |
applications |
not scanned |
Peeper, Netscape |
| 5190 |
tcp,udp |
aim |
Members scan |
ICQ, AIM (AOL Instant Messenger)
Malicious services using this port: MBomber, W32.hllw.anig |
| 5191 |
tcp,udp |
aim |
not scanned |
ICQ, AIM (AOL Instant Messenger) |
| 5192 |
tcp,udp |
aim |
not scanned |
ICQ, AIM (AOL Instant Messenger) |
| 5193 |
tcp,udp |
aim |
not scanned |
ICQ, AIM (AOL Instant Messenger) |
| 5200 |
tcp,udp |
targus-getdata |
not scanned |
TARGUS GetData, Echolink |
| 5201 |
tcp,udp |
targus-getdata1 |
not scanned |
TARGUS GetData 1 |
| 5202 |
tcp,udp |
targus-getdata2 |
not scanned |
TARGUS GetData 2 |
| 5203 |
tcp,udp |
targus-getdata3 |
not scanned |
TARGUS GetData 3 |
| 5222 |
tcp |
jabber |
Members scan |
Jabber instant messaging software client-to-server connection, see http://www.jabber.org/protocol/ |
| 5225 |
tcp,udp |
hp-server |
not scanned |
HP Server |
| 5226 |
tcp,udp |
hp-status |
not scanned |
IANA registered for: HP Status
Trojans that may be using this port: FakeAlert-C |
| 5232 |
tcp |
trojans |
Members scan |
Backdoor.Lateda.C (04.01.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on the l33t.freeshellz.org domain on port 5232/tcp, opens a backdoor on port 9999/tcp.
W32.Mytob.EP@mm (06.15.2005) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands via IRC on this port.
W32.Spybot.UBH (08.16.2005) - a worm with backdoor and distributed denial of service (DDoS) capabilities. Spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS05-039).
Opens a backdoor and listens for remote commands via IRC on this port. |
| 5269 |
tcp |
jabber |
not scanned |
Jabber instant messaging software server-to-server connection, see http://www.jabber.org/protocol/
IANA registered for: Extensible Messaging and Presence Protocol - XMPP Server Connection [RFC3920] |
| 5277 |
tcp |
trojan |
Members scan |
WinJank (2003-07-11) - a backdoor trojan horse that allows unauthorized access to your computer, listens to port 5277 TCP by default. |
| 5280 |
tcp,udp |
applications |
not scanned |
Xvnc |
| 5300 |
tcp,udp |
hacl-hb |
not scanned |
HA cluster heartbeat, Neverwinter Nights
Worms that may use this port: W32.Kibuv.Worm (TCP) |
| 5301 |
tcp,udp |
hacl-gs |
not scanned |
HA cluster general services |
| 5307 |
tcp,udp |
sco-aip |
Premium scan |
IANA registered for: SCO AIP
Trojans using this port: PWS-WOW.gen |
| 5321 |
tcp |
trojans |
Premium scan |
Port used by Firehotcker remote access trojan (uses ports 79, 5321). |
| 5326 |
tcp |
trojan |
Premium scan |
Snowdoor (2003.02.20) - a backdoor trojan horse that allows unauthorized access to an infected computer. It creates an open C drive share and listens on port 5328 by default. May also use port 5326. |
| 5328 |
tcp |
trojan |
Members scan |
Snowdoor (2003.02.20) - a backdoor trojan horse that allows unauthorized access to an infected computer. It creates an open C drive share and listens on port 5328 by default. |
| 5333 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Backage, NetDemon |
| 5343 |
tcp |
trojan |
Premium scan |
WCrat trojan horse |
| 5353 |
tcp,udp |
mdns |
not scanned |
Multicast DNS (MDNS), iChat, Mac OS X Bonjour/Zeroconf port |
| 5354 |
tcp,udp |
mdnsresponder |
not scanned |
Multicast DNS Responder IPC |
| 5357 |
tcp,udp |
wsdapi |
Members scan |
Used by Microsoft Network Discovery, should be filtered for public networks. Disabling Network Discovery for any public network profile should close the port unless it's being used by another potentially malicious service.
To disable Network Discovery for a public profile, navigate to:
- Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings
- disable Network Discovery for any public network
Port should be correctly mapped by the Windows Firewall to only accept connections from the local network.
Malicious services using this port:
Trojan.win32.monder.gen (a.k.a Trojan.Vundo)
Port is also IANA registered for:
Web Services for Devices (WSD) - a network plug-and-play experience that is similar to installing a USB device. WSD allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702. |
| 5358 |
tcp,udp |
wsdapi-s |
not scanned |
Web Services for Devices Secured port
Web Services for Devices (WSD) is a network plug-and-play experience that is similar to installing a USB device. WSD allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702. |
| 5373 |
tcp |
worm |
Members scan |
W32.Gluber (2003-12-21) - a mass-mailing worm that spreads through email and network shares. Uses its own SMTP engine, opens a backdoor on port 5373. |
| 5400 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Back Construction, Blade Runner, Digital Spy
Port is also IANA registered for:
5400/tcp Excerpt Search |
| 5401 |
tcp |
excerpts |
Premium scan |
Trojans that use this port: Back Construction, Blade Runner, Digital Spy, Mneah
Port is also IANA registered for:
5401/tcp Excerpt Search Secure |
| 5402 |
tcp |
mftp |
Premium scan |
Trojans that use this port: Back Construction, Blade Runner, Digital Spy, Mneah
Port is also IANA registered for:
mftp, Stratacache OmniCast content delivery system MFTP file sharing protocol |
| 5405 |
tcp,udp |
netsupport |
not scanned |
NetSupport, PcDuo remote control |
| 5421 |
tcp,udp |
netsupport2 |
not scanned |
Net Support 2 |
| 5445 |
udp |
applications |
not scanned |
Cisco Unified Video Advantage |
| 5467 |
tcp |
worm |
Members scan |
W32.Kobot worm |
| 5494 |
tcp,udp |
applications |
not scanned |
MobiControl Deployment server |
| 5498 |
tcp |
hotline |
not scanned |
Hotline tracker server connection, Hotline Tracker |
| 5499 |
udp |
hotline |
not scanned |
Hotline tracker server discovery, Hotline Server Locator, Hotline Server |
| 5500 |
tcp,udp |
fcp-addr-srvr1 |
not scanned |
fcp-addr-srvr1 |
| 5501 |
tcp,udp |
fcp-addr-srvr2 |
not scanned |
fcp-addr-srvr2, Hotline server, Hotline file transfer connection, MOHAA Reverend |
| 5502 |
tcp,udp |
fcp-srvr-inst1 |
not scanned |
fcp-srvr-inst1, Hotline Server, MOHAA Reverend |
| 5503 |
tcp,udp |
fcp-srvr-inst2 |
not scanned |
fcp-srvr-inst2, Hotline Server, Remote Shell, MOHAA Reverend |
| 5504 |
tcp,udp |
fcp-cics-gw1 |
not scanned |
fcp-cics-gw1, MOHAA Reverend |
| 5512 |
tcp |
trojan |
Premium scan |
Illusion Mailer trojan horse |
| 5521 |
tcp |
skype |
Premium scan |
Port used by Skype VoIP.
Illusion Mailer trojan horse also uses port 5521 (TCP). |
| 5522 |
tcp,udp |
applications |
Premium scan |
MOHAA Reverend, Telnet
Malicious services using this port: WinShell Backdoor |
| 5544 |
tcp |
applications |
Premium scan |
MOHAA Reverend
W32.Zotob trojan/worm also uses this port. |
| 5550 |
tcp |
trojan |
Premium scan |
Xtcp 2 |
| 5554 |
tcp |
trojans |
Members scan |
W32.Sasser.Worm - remote access trojan, 05.2004. Affects all current Windows versions, attempts to exploit a vulnerability addressed in Microsoft Security Bulletin MS04-011. There are some issues associated with using the MS04-011 update discussed here: MS KB 835732.
Trojan runs an FTP server on port 5554 on infected systems and attempts to connect to random IPs on TCP port 445. If a connection is established, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. |
| 5555 |
tcp |
trojans |
Premium scan |
Backdoor.Darkmoon.E (2007-09-25) - a Trojan horse that opens a back door on TCP port 5555 on the compromised computer.
ServeMe trojan horse also uses port 5555 (TCP).
Port also used by Freeciv gaming protocol. |
| 5556 |
tcp |
trojan |
Premium scan |
BO Facil, H0rtiga |
| 5557 |
tcp |
trojan |
Premium scan |
BO Facil trojan horse |
| 5569 |
tcp |
trojan |
Premium scan |
RoboHack trojan horse |
| 5577 |
tcp |
applications |
not scanned |
MOHAA Reverend, iSeries Access |
| 5588 |
tcp |
trojans |
Premium scan |
Easyserv.11 - remote access trojan, 08.2002. Affects all current Windows versions. |
| 5598 |
tcp |
trojan |
Premium scan |
BackDoor 2.03 |
| 5600 |
tcp,udp |
esmmanager |
not scanned |
Enterprise Security Manager |
| 5631 |
udp |
pc-anywhere |
Members scan |
PC-Anywhere sends UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one!
If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block. |
| 5632 |
udp |
pc-anywhere |
Members scan |
PC-Anywhere sends UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one!
If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block. |
| 5637 |
tcp |
trojan |
Premium scan |
PC Crasher trojan horse |
| 5638 |
tcp |
trojan |
Premium scan |
PC Crasher trojan horse |
| 5645 |
tcp,udp |
applications |
not scanned |
Voyager Server
Malicious services using this port: IRC-based Botnet |
| 5652 |
tcp |
trojans |
Members scan |
W32.Fanbot.A@mm (10.18.2005) - a mass-mailing worm that lowers security settings on the compromised computer. It can also spread through P2P networks and by exploiting the MS Plug and Play Buffer Overflow vulnerability described in MS05-039. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 5652/tcp. |
| 5656 |
tcp |
applications |
not scanned |
MOHAA Reverend |
| 5657 |
tcp |
applications |
not scanned |
MOHAA Reverend |
| 5658 |
tcp |
applications |
not scanned |
MOHAA Reverend |
| 5665 |
tcp |
applications |
not scanned |
MOHAA Reverend |
| 5666 |
tcp |
applications |
not scanned |
MOHAA Reverend, Nagios NRPE |
| 5667 |
tcp |
applications |
not scanned |
NSCA (Nagios), MOHAA Reverend |
| 5672 |
tcp |
amqp |
not scanned |
Advanced Message Queueing Protocol, see http://www.amqp.org
Also used by: MOHAA Reverend |
| 5678 |
tcp,udp |
rrac |
Basic scan |
Port used by Linksys (and other) Cable/DSL Routers Remote Administration
Vulnerable systems: Linksys Cable/DSL version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
Immune systems: Linksys Cable/DSL versions prior to 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31) |
| 5695 |
tcp |
trojan |
Members scan |
Backdoor.Assasin.D trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker. |
| 5698 |
tcp |
trojan |
Premium scan |
BackDoor.203 trojan |
| 5714 |
tcp |
trojan |
Premium scan |
WinCrash, WinCrash 3 (TCP) |
| 5732 |
tcp |
worm |
Members scan |
W32.Bolgi.Worm (2003.11.20) - a network aware worm that propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability using TCP port 445 |
| 5741 |
tcp |
trojan |
Premium scan |
WinCrash, WinCrash 3 (TCP) |
| 5742 |
tcp |
trojan |
Premium scan |
WinCrash (TCP) |
| 5799 |
tcp,udp |
applications |
not scanned |
ECC Server |
| 5800 |
tcp |
vnc |
Members scan |
VNC (Virtual Network Computing) - remote control program, http://www.realvnc.com/
It also uses ports 5800+ and 5900+ for additional machines. |
| 5843 |
tcp,udp |
applications |
not scanned |
IIS Admin Service |
| 5864 |
tcp,udp |
applications |
not scanned |
BiblioFile |
| 5880 |
tcp |
trojan |
Members scan |
Y3K RAT - a backdoor trojan allowing unauthorized access to the compromised computer. |
| 5881 |
udp |
trojan |
not scanned |
Y3K RAT (UDP) |
| 5882 |
tcp |
trojan |
Members scan |
Y3K RAT - a backdoor trojan allowing unauthorized access to the compromised computer. |
| 5884 |
tcp |
trojan |
Members scan |
Y3K RAT - a backdoor trojan allowing unauthorized access to the compromised computer. |
| 5888 |
tcp |
trojan |
Members scan |
Y3K RAT - a backdoor trojan allowing unauthorized access to the compromised computer. |
| 5889 |
tcp |
trojan |
Members scan |
Y3K RAT - a backdoor trojan allowing unauthorized access to the compromised computer. |
| 5900 |
tcp |
vnc |
Members scan |
VNC (Virtual Network Computing) - remote control program, http://www.realvnc.com/
It also uses ports 5800+ and 5900+ for additional machines. |
| 5901 |
tcp |
vnc-1 |
not scanned |
Virtual Network Computer Display 1, IPContact |
| 5902 |
tcp |
vnc-2 |
not scanned |
Virtual Network Computer display 2 |
| 5903 |
tcp |
vnc-3 |
not scanned |
Virtual Network Computer display 3 |
| 5987 |
tcp,udp |
wbem-rmi |
not scanned |
WBEM RMI |
| 5988 |
tcp,udp |
wbem-http |
not scanned |
WBEM CIM-XML (HTTP), WBEM HTTP, Apple Remote Desktop |
| 5989 |
tcp,udp |
wbem-https |
not scanned |
WBEM CIM-XML (HTTPS), WBEM HTTPS |
| 5990 |
tcp,udp |
wbem-exp-https |
not scanned |
WBEM Export HTTPS |
| 5993 |
tcp,udp |
applications |
not scanned |
Remote Synchronization (GoldSync), Private game server |
| 6000 |
tcp |
trojan |
Premium scan |
Port used by W32.LoveGate.ak mass-mailing worm. Uses its own SMTP engine. Affects Windows 2000, Windows NT, Windows Server 2003, Windows XP
Trojans using this port: The Thing, APStrojan (TCP) |
| 6006 |
tcp |
trojans |
Premium scan |
Bad Blood, The Thing, APStrojan (TCP) |
| 6050 |
tcp,udp |
x11 |
not scanned |
X Window System, ARCserve agent, Brightstor Arcserve Backup, Nortel Software |
| 6051 |
tcp,udp |
x11 |
not scanned |
X Window System, Brightstor Arcserve Backup |
| 6060 |
tcp,udp |
x11 |
Premium scan |
X Window System
Malicious services using this port: W32.Lovgate, W32.Spybot |
| 6080 |
tcp,udp |
applications |
not scanned |
PSI Webhosting, BridgeChannel |
| 6100 |
tcp,udp |
synchronet-db |
not scanned |
SynchroNet-db, Ventrilo, Vizrt System |
| 6101 |
tcp,udp |
synchronet-rtc |
not scanned |
SynchroNet-rtc, Backup Exec UNIX and 95/98/ME Agent, Veritas Backup Exec Advertiser |
| 6102 |
tcp,udp |
synchronet-upd |
not scanned |
SynchroNet-upd, Veritas Backup Exec Client |
| 6103 |
tcp,udp |
rets |
not scanned |
RETS, Veritas Backup Exec Remote Agent |
| 6112 |
tcp |
games |
not scanned |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 3724. |
| 6113 |
tcp |
games |
not scanned |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 3724. |
| 6114 |
tcp |
games |
not scanned |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 3724. |
| 6115 |
tcp |
games |
not scanned |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 3724. |
| 6116 |
tcp |
games |
not scanned |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 3724. |
| 6117 |
tcp |
games |
not scanned |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 3724. |
| 6118 |
tcp |
games |
not scanned |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 3724. |
| 6119 |
tcp |
games |
not scanned |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 3724. |
| 6129 |
tcp |
dameware |
Premium scan |
DameWare - See CERT Vulnerability Note VU#909678 DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets. |
| 6161 |
tcp,udp |
patrol-ism |
not scanned |
PATROL Internet Srv Mgr |
| 6162 |
tcp,udp |
patrol-coll |
not scanned |
PATROL Collector |
| 6187 |
tcp |
trojans |
Members scan |
Tilser trojan (2004.02.27) - gives an attacker complete access to your computer, opens a backdoor on TCP port 6187. |
| 6257 |
udp |
winmx |
Members scan |
Port used by the WinMX P2P file sharing software. It also uses port 6699/tcp. |
| 6262 |
tcp,udp |
applications |
not scanned |
Advantage Database Server, Security Manager Plus, Web Callback Standard Protocol, License Server (Poseidon for UML) |
| 6272 |
tcp |
trojan |
Premium scan |
Secret Service (TCP) |
| 6331 |
udp |
applications |
not scanned |
Windows Live OneCare (WinSs.exe) |
| 6346 |
tcp,udp |
gnutella-svc |
not scanned |
Gnutella (FrostWire, Limewire, Shareaza, etc.), BearShare file sharing app |
| 6347 |
tcp,udp |
gnutella-rtr |
not scanned |
Gnutella2 file sharing protocol, gnutella-rtr, Gnutella alternate |
| 6348 |
tcp,udp |
gnutella |
not scanned |
Gnutella Proxy, Bearshare, Limewire, FrostWire, File sharing, p2p |
| 6384 |
tcp |
worm |
Members scan |
W32.HLLW.Gaobot |
| 6394 |
tcp |
worm |
Members scan |
W32.Spybot |
| 6400 |
tcp,udp |
boe-cms |
Premium scan |
Business Objects CMS contact port, info-aps, Seagate Crystal Reports
Trojans using this port: APStrojan (TCP), The Thing |
| 6401 |
tcp,udp |
boe-was |
not scanned |
Seagate Crystal Enterprise, boe-was, info-was |
| 6402 |
tcp,udp |
boe-eventsrv |
not scanned |
boe-eventsrv, info-eventsvr |
| 6403 |
tcp,udp |
boe-cachesvr |
not scanned |
boe-cachesvr, boe-cachesvr |
| 6404 |
tcp,udp |
boe-filesvr |
not scanned |
Business Objects Enterprise internal server, info-filesvr |
| 6405 |
tcp,udp |
boe-pagesvr |
not scanned |
Business Objects Enterprise internal server, info-pagesvr |
| 6406 |
tcp,udp |
boe-processsvr |
not scanned |
Business Objects Enterprise internal server, info-processvr |
| 6430 |
tcp |
trojans |
Premium scan |
Backdoor.Mirab - remote access trojan, 06.2002. Affects all current Windows versions. It uses port 4912 for direct control and port 6430 for file transfer by default. |
| 6436 |
tcp,udp |
applications |
not scanned |
LimeWire Client, Gnutella, PhatBox |
| 6444 |
tcp,udp |
sge_qmaster |
not scanned |
Sun Grid Engine - Qmaster Service |
| 6445 |
tcp,udp |
sge_execd |
not scanned |
Sun Grid Engine - Execution Service, S4 League |
| 6500 |
tcp |
games |
Premium scan |
GameSpy Arcade - query port
Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901
Trojans using this port: Devil 1.03 (TCP) |
| 6501 |
tcp,udp |
boks_servc |
not scanned |
BoKS Servc |
| 6502 |
tcp,udp |
boks_servm |
not scanned |
BoKS Servm, NetOp Remote Control (by Danware Data A/S) |
| 6503 |
tcp,udp |
boks_clntd |
not scanned |
BoKS Clntd |
| 6505 |
tcp,udp |
badm_priv |
not scanned |
BoKS Admin Private Port |
| 6506 |
tcp,udp |
badm_pub |
not scanned |
BoKS Admin Public Port |
| 6507 |
tcp,udp |
bdir_priv |
not scanned |
BoKS Dir Server, Private Port |
| 6508 |
tcp,udp |
bdir_pub |
not scanned |
BoKS Dir Server, Public Port |
| 6515 |
udp |
games |
not scanned |
GameSpy Arcade - Dplay UDP game data
Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
| 6543 |
tcp |
trojans |
Premium scan |
W32.Mytob.FO@mm (06.20.2005) - mass-mailing worm that attempts to open an IRC backdoor on ports 2094/tcp or 6543/tcp. |
| 6556 |
tcp |
trojans |
Members scan |
W32.Toxbot.C (06.30.2005) - worm that opens a backdoor on the compromised computer. Spreads by exploiting common Windows vulnerabilities. Opens an IRC backdoor on port 6556/tcp.
Also: W32.Toxbot.AL (10.09.2005). |
| 6564 |
tcp |
trojans |
Members scan |
Trojans that use this port:
Sdbot (2002.05.01) - a.k.a IRC-Sdbot, Backdoor.IRC.SdBot
w32/Akbot (2006.05.01) - attempts to join the IRC servers and listens on TCP port 6564 |
| 6565 |
tcp |
trojans |
Members scan |
Nemog backdoor - discovered 2004.08.16. A Backdoor Trojan horse that allows an infected computer to be used as an email relay and HTTP proxy, dropped by W32.Mydoom.Q@mm.
It can use one of the following ports: 3306,4242,4661,6565,8080 |
| 6580 |
tcp,udp |
parsec-master |
not scanned |
Parsec Masterserver |
| 6581 |
tcp,udp |
parsec-peer |
not scanned |
Parsec Peer-to-Peer |
| 6582 |
tcp,udp |
parsec-game |
not scanned |
Parsec Gameserver, The Settlers II 10th Anniversary Edition |
| 6588 |
tcp |
analogx |
Premium scan |
Port used by AnalogX proxy server. Common web proxy server ports: 8080, 80, 3128, 6588 |
| 6595 |
tcp |
applications |
Members scan |
Backdoor.Assasin.C trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker. |
| 6620 |
tcp,udp |
kftp-data |
not scanned |
Kerberos V5 FTP Data |
| 6621 |
tcp,udp |
kftp |
not scanned |
Kerberos V5 FTP Control |
| 6623 |
tcp,udp |
ktelnet |
not scanned |
Kerberos V5 Telnet |
| 6631 |
tcp |
worm |
Premium scan |
Backdoor.Sdbot.AG (11.18.2004) - network-aware worm with backdoor capabilities that spreads through network shares. Affects all current Windows versions.
It opens a backdoor by connecting to an IRC server (ronz1.afraid.org or ronz2.afraid.org) on port 6631/tcp. |
| 6660 |
tcp |
trojans |
Members scan |
W32.Spybot.OBZ (04.25.2005) - worm with DDoS and backdoor capabilities. Exploits multiple vulnerabilities, spreads through network shares. Opens a backdoor on port 6660/tcp. |
| 6661 |
tcp |
applications |
Members scan |
Internet Relay Chat
Trojans using this port: Weia-Meia, TEMan |
| 6662 |
tcp |
applications |
not scanned |
Internet Relay Chat, Radmind protocol |
| 6663 |
tcp |
trojans |
Premium scan |
W32.Mytob.GA@mm (06.30.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 6663/tcp.
Port also used by the W32.Mytob.HM@mm variant of the worm.
Internet Relay Chat also uses this port. |
| 6664 |
tcp |
applications |
Members scan |
Internet Relay Chat
Trojans using this port: W32.Zotob |
| 6665 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood
Backdoor.Hacarmy.E (10.14.2004) - remote access trojan.
W32.Spybot.EAS (10.01.2004) - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC (10.01.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.E (10.14.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica (11.03.2004) - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload (11.04.2004) - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.F (11.04.2004) - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm (11.08.2004) - uses ports 1639 and 6667/tcp.
Backdoor.Sdbot.AF (11.18.2004) - backdoor trojan, uses port 6667/tcp.
W32.Bofra.E@mm (11.12.2004) - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W (01.28.2005) - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B (01.17.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H (08.19.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 6666 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire, TCPshell.c.
Backdoor.IRC.Flood
Backdoor.Hacarmy.E (10.14.2004) - remote access trojan.
W32.Spybot.EAS (10.01.2004) - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC (10.01.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.E (10.14.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica (11.03.2004) - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload (11.04.2004) - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.F (11.04.2004) - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm (11.08.2004) - uses ports 1639 and 6667/tcp.
Backdoor.Sdbot.AF (11.18.2004) - backdoor trojan, uses port 6667/tcp.
W32.Bofra.E@mm (11.12.2004) - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W (01.28.2005) - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B (01.17.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H (08.19.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 6667 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood
Backdoor.Hacarmy.E (10.14.2004) - remote access trojan.
W32.Spybot.EAS (10.01.2004) - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC (10.01.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.E (10.14.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica (11.03.2004) - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload (11.04.2004) - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.F (11.04.2004) - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm (11.08.2004) - uses ports 1639 and 6667/tcp.
Backdoor.Sdbot.AF (11.18.2004) - backdoor trojan, uses port 6667/tcp.
W32.Bofra.E@mm (11.12.2004) - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W (01.28.2005) - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B (01.17.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H (08.19.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 6668 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood
Backdoor.Hacarmy.E (10.14.2004) - remote access trojan.
W32.Spybot.EAS (10.01.2004) - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC (10.01.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.E (10.14.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica (11.03.2004) - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload (11.04.2004) - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.F (11.04.2004) - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm (11.08.2004) - uses ports 1639 and 6667/tcp.
Backdoor.Sdbot.AF (11.18.2004) - backdoor trojan, uses port 6667/tcp.
W32.Bofra.E@mm (11.12.2004) - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W (01.28.2005) - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B (01.17.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H (08.19.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 6669 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood
Backdoor.Hacarmy.E (10.14.2004) - remote access trojan.
W32.Spybot.EAS (10.01.2004) - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC (10.01.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.E (10.14.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica (11.03.2004) - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload (11.04.2004) - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.F (11.04.2004) - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm (11.08.2004) - uses ports 1639 and 6667/tcp.
Backdoor.Sdbot.AF (11.18.2004) - backdoor trojan, uses port 6667/tcp.
W32.Bofra.E@mm (11.12.2004) - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W (01.28.2005) - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B (01.17.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H (08.19.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 6670 |
tcp |
vocaltec |
Members scan |
Vocaltec global online directory.
Some trojans also use this port: BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame. |
| 6677 |
tcp |
trojans |
Premium scan |
W32.Mydoom.BT@mm (05.17.2005) - mass-mailing worm with backdoor capabilities, that uses its own SMTP engine. It communicates with an IRC server and listens for remote commands on port 6677/tcp. |
| 6681 |
tcp,udp |
applications |
not scanned |
UPnP, BitTorrent, peer-to-peer |
| 6699 |
tcp |
winmx |
Members scan |
Port used by p2p software, such as WinMX.
Note: WinMX also uses port 6257/udp. |
| 6711 |
tcp |
trojans |
Premium scan |
SubSeven/BackDoor-G, VP Killer trojans
Backdoor.Kilo - remote access trojan, 02.2003. Affects Windows, listens on port 6711 and 6718. |
| 6712 |
tcp |
trojan |
Members scan |
BackDoor-G trojan, SubSeven (Sub7) trojan, KiLo trojan, Funny trojan |
| 6713 |
tcp |
trojan |
Members scan |
BackDoor-G trojan, SubSeven (Sub7) trojan, KiLo trojan |
| 6718 |
tcp |
trojans |
Premium scan |
Backdoor.Kilo - remote access trojan, 02.2003. Affects Windows, listens on port 6711 and 6718. |
| 6723 |
tcp |
trojan |
Premium scan |
Mstream trojan horse |
| 6754 |
tcp,udp |
trojans |
Premium scan |
Backdoor.Mapsy (a.k.a. BackDoor-AMI, 2002.12.06) - a backdoor trojan that gives an attacker unauthorized access to an infected computer |
| 6767 |
tcp |
trojans |
Members scan |
KiLo, Pasana, UandMe, NT Remote Control trojans |
| 6771 |
tcp |
trojan |
Premium scan |
DeepThroat trojan horse |
| 6776 |
tcp |
trojans |
Members scan |
RAT (remote administration tool)
Trojans that use this port: 2000 Cracks, SubSeven/BackDoor-G, VP Killer |
| 6777 |
tcp,udp |
applications |
Premium scan |
BlackSite - Area 51
Trojans using this port: W32.Gaobot |
| 6786 |
tcp,udp |
smc-jmx |
not scanned |
Sun Java Web Console JMX |
| 6787 |
tcp,udp |
smc-admin |
not scanned |
Sun Web Console Admin |
| 6788 |
tcp,udp |
smc-http |
not scanned |
SMC-HTTP |
| 6789 |
tcp |
trojans |
Premium scan |
W32.Netsky.T@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. It has backdoor and DoS (Denial of Service) capabilities. Listens on port 6789/tcp to receive and execute a file from an attacker.
The W32.Netsky.S@mm variant opens this port as well.
Doly Trojan also uses port 6789 (TCP). |
| 6800 |
tcp |
applications |
not scanned |
Resin server, Resin Watchdog |
| 6809 |
tcp,udp |
applications |
not scanned |
cman (cluster manager) |
| 6838 |
udp |
trojan |
not scanned |
Mstream trojan horse |
| 6868 |
tcp |
trojans |
Premium scan |
Backdoor.Darkmoon (08.19.2005) - trojan that opens a backdoor on the compromised computer and has keylogging capabilities. Opens a backdoor and listens for remote commands on ports 6868/tcp and 7777/tcp. |
| 6881 |
tcp |
applications |
Premium scan |
BitTorrent P2P traffic, Azureus P2P traffic (6881-6889)
Age of Conan game, World of Warcraft (WoW) Downloader |
| 6882 |
tcp |
applications |
Premium scan |
BitTorrent P2P traffic, Azureus P2P traffic (6881-6889)
Age of Conan game, World of Warcraft (WoW) Downloader |
| 6883 |
tcp |
applications |
Premium scan |
BitTorrent P2P traffic, Azureus P2P traffic (6881-6889)
Age of Conan game, World of Warcraft (WoW) Downloader
Trojans using this port: DeltaSource (TCP) |
| 6884 |
tcp |
applications |
Premium scan |
BitTorrent P2P traffic, Azureus P2P traffic (6881-6889)
Age of Conan game, World of Warcraft (WoW) Downloader |
| 6885 |
tcp |
applications |
Premium scan |
BitTorrent P2P traffic, Azureus P2P traffic (6881-6889)
Age of Conan game, World of Warcraft (WoW) Downloader |
| 6886 |
tcp |
applications |
Premium scan |
BitTorrent P2P traffic, Azureus P2P traffic (6881-6889)
Age of Conan game, World of Warcraft (WoW) Downloader |
| 6887 |
tcp |
applications |
Premium scan |
BitTorrent P2P traffic, Azureus P2P traffic (6881-6889)
Age of Conan game, World of Warcraft (WoW) Downloader |
| 6888 |
tcp |
applications |
Premium scan |
BitTorrent P2P traffic, Azureus P2P traffic (6881-6889)
Age of Conan game, World of Warcraft (WoW) Downloader |
| 6889 |
tcp |
applications |
Premium scan |
BitTorrent P2P traffic, Azureus P2P traffic (6881-6889)
Age of Conan game, World of Warcraft (WoW) Downloader |
| 6891 |
tcp,udp |
applications |
Premium scan |
BitTorrent, Windows Live Messenger, MSN Messenger
Trojans using this port: Force (6891/tcp only) |
| 6892 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger |
| 6893 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger |
| 6894 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
| 6895 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
| 6896 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
| 6897 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
| 6898 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
| 6899 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
| 6900 |
tcp,udp |
applications |
not scanned |
BitTorrent part, Windows Live Messenger, MSN Messenger, Ragnarok Online Server |
| 6912 |
tcp |
trojan |
Premium scan |
Shit Heep trojan horse |
| 6939 |
tcp |
trojans |
Premium scan |
Indoctrination, Gatecrasher.a trojans |
| 6942 |
tcp |
applications |
not scanned |
BitTorrent, SubEthaEdit text editor |
| 6963 |
tcp,udp |
swismgr1 |
not scanned |
swismgr1, BitTorrent |
| 6964 |
tcp,udp |
swismgr2 |
not scanned |
swismgr2, BitTorrent |
| 6969 |
tcp |
acmsoda |
Members scan |
Backdoor.Assasin.D trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker.
Other trojans that use this port: GateCrasher, IRC 3/IRC Hack, Net Controller, Priority |
| 6970 |
tcp,udp |
applications |
Members scan |
Port used by Tivoli Software, RTP (Real Time Transport Protocol), RTSP (Real Time Streaming Protocol), BitTorrent, QuickTime 4 server, RealAudio.
Trojans using this port: GateCrasher |
| 6999 |
tcp,udp |
iatp-normalpri |
Premium scan |
IATP-normalPri, World of Warcraft, Blizzard Downloader, BitTorrent, Line Request for VoIP, Video Streaming service, OfficePax, QuickTime 4 server, RealAudio
Malicious services using this port: Worm_MYTOB.LW |
| 7000 |
tcp |
afs-fileserver |
Members scan |
afs fileserver
W32.Gaobot.BQJ (11.08.2004) - network-aware worm that opens a backdoor and can be controlled via IRC. It can affect all current Windows versions. Connects to an IRC server on port 7000/tcp.
W32.Mydoom.BQ@mm (05.11.2005) - mass-mailing worm with backdoor capabilities, that uses its own SMTP engine. It communicates with an IRC server and listens for remote commands on port 7000/tcp.
W32.Mytob.GC@mm (06.30.2005) - mass-mailing worm that opens a backdoor on port 7000/tcp.
Some older trojan horses/backdoors that also use this port: Exploit Translation Server, Kazimas, Remote Grab, SubSeven |
| 7001 |
tcp,udp |
afs3-callback |
Premium scan |
Callback To Cache Manager, MSN Messenger
Trojans that use this port: Freak2k, Freak88, NetSnooper Gold. |
| 7002 |
tcp,udp |
afs3-pserver |
not scanned |
users & groups database |
| 7003 |
tcp,udp |
afs3-vlserver |
not scanned |
Volume location database, City of Heroes, City of Villains, RealAudio |
| 7004 |
tcp,udp |
afs3-kaserver |
not scanned |
AFS/Kerberos authentication service, City of Heroes, City of Villains, RealAudio |
| 7005 |
tcp,udp |
afs3-volser |
not scanned |
Volume management server, City of Heroes, City of Villains, RealAudio, BMC Control-M/Server, BMC Control-M/Agent, Oracle HTTP |
| 7006 |
tcp,udp |
afs3-errors |
not scanned |
Error interpretation service, BMC Software CONTROL-M/Server and CONTROL-M/AgentServer-to-Agent, City of Heroes, City of Villains, RealAudio |
| 7007 |
tcp,udp |
applications |
Members scan |
Port used by: Windows Media Player Encoder-to-Server Communication, Skype Session Manager, G3Torrent, X-Men Movieverse, Silent Spy, basic overseer process, City of Heroes, City of Villains, RealAudio.
Trojans that use this port: W32.Spybot.Gen3, Silent Spy |
| 7043 |
tcp |
trojans |
Members scan |
W32.Spybot.YCL (10.04.2005) - a worm with backdoor and distributed denial of service (DDoS) capabilities. It can spread by exploiting a number of vulnerabilities, as well as backdoors left by other malware. Opens a backdoor and listens for remote commands via IRC on port 7043/tcp.
Also: W32.Spybot.YQL (10.18.2005) |
| 7080 |
tcp |
haxdoor |
Premium scan |
Backdoor.Haxdoor.E (08.01.2005) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp. |
| 7090 |
udp |
applications |
not scanned |
City of Heroes, City of Villains, RealAudio |
| 7090 |
tcp |
applications |
not scanned |
Surpass Copycat, EverQuest Launch Pad, Database Voyager (ABLE) |
| 7099 |
udp |
applications |
not scanned |
City of Heroes, City of Villains, lazy-ptop, RealAudio |
| 7101 |
tcp,udp |
elcn |
not scanned |
Embedded Light Control Network, RealAudio |
| 7103 |
udp |
applications |
not scanned |
RealAudio |
| 7123 |
tcp |
applications |
not scanned |
Port used by RealAudio.
Also the default port for the "fakewww" web server used with NDT (Network Diagnostic Tool). |
| 7125 |
udp |
applications |
not scanned |
StateMirrorClientToServer, RealAudio |
| 7126 |
udp |
applications |
not scanned |
RealAudio |
| 7127 |
udp |
applications |
not scanned |
RealAudio |
| 7128 |
tcp,udp |
scenidm |
not scanned |
intelligent data manager, RealAudio |
| 7144 |
tcp |
applications |
not scanned |
PeerCast, EMC RepliStor, RealAudio |
| 7201 |
tcp |
trojan |
Premium scan |
NetMonitor trojan horse (a.k.a. NetSpy, NTMonitor, BackDoor-E.srv., Backdoor.Netspy, Backdoor.NetMonitor) |
| 7215 |
tcp |
trojans |
Premium scan |
trojans: SubSeven, SubSeven 2.1 Gold, BackDoor-G |
| 7222 |
udp |
worm-linux |
not scanned |
Linux.Plupii (11.10.2005) - a worm with backdoor capabilities. Attempts exploiting several Linux web server related vulnerabilities. Opens a backdoor and listens for remote commands on port 7222/udp. |
| 7234 |
tcp |
applications |
not scanned |
WebSEAL, Knights of the Ruby Order, PokerTH Online, Player Worlds |
| 7300 |
tcp |
trojans |
Premium scan |
NetMonitor trojan horse (a.k.a. NetSpy, NTMonitor, BackDoor-E.srv., Backdoor.Netspy, Backdoor.NetMonitor) |
| 7301 |
tcp |
trojan |
Premium scan |
NetMonitor trojan horse (a.k.a. NetSpy, NTMonitor, BackDoor-E.srv., Backdoor.Netspy, Backdoor.NetMonitor) |
| 7306 |
tcp |
trojan |
Premium scan |
NetMonitor trojan horse (a.k.a. NetSpy, NTMonitor, BackDoor-E.srv., Backdoor.Netspy, Backdoor.NetMonitor) |
| 7307 |
tcp |
trojan |
Premium scan |
NetMonitor trojan horse (a.k.a. NetSpy, NTMonitor, BackDoor-E.srv., Backdoor.Netspy, Backdoor.NetMonitor) |
| 7308 |
tcp |
|
Premium scan |
NetMonitor trojan horse (a.k.a. NetSpy, NTMonitor, BackDoor-E.srv., Backdoor.Netspy, Backdoor.NetMonitor) |
| 7329 |
tcp |
trojans |
Premium scan |
Backdoor.Netshadow (02.09.2005) - a trojan horse with backdoor capabilities. Listens on port 7329 by default (port configurable). |
| 7424 |
tcp,udp |
trojan |
not scanned |
Host Control trojan horse (TCP/UDP) |
| 7555 |
udp |
worm-linux |
not scanned |
Linux.Plupii.B (11.17.2005) - a worm with backdoor capabilities. Attempts exploiting Linux vulnerabilities. Opens a backdoor and listens for remote commands on port 7555/udp. |
| 7597 |
tcp |
trojan |
Premium scan |
Qaz trojan (a.k.a. W32.HLLW.Qaz.A) |
| 7609 |
tcp |
trojan |
Premium scan |
Snid X2 trojan horse |
| 7654 |
tcp |
applications |
not scanned |
SSH Tunneling |
| 7714 |
tcp |
trojans |
Members scan |
Backdoor.Berbew (2003.07.16) - a backdoor trojan horse that steals passwords, may open ports 7714 and 8546.
Port is IANA assigned for: GunZ |
| 7724 |
tcp,udp |
nsdeepfreezectl |
not scanned |
Novell Snap-in Deep Freeze Control, GunZ |
| 7725 |
tcp,udp |
applications |
not scanned |
Nitrogen Service
GunZ
Faronics Deep Freeze (workstation OS protection software) - uses either port 1971 or 7725. |
| 7745 |
tcp |
trojans |
Premium scan |
W32.Mytob.HG@mm (07.12.2005) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 7745/tcp. |
| 7776 |
tcp,udp |
applications |
not scanned |
marlDOOM, PoslDOOM, RuneGame, Splinter Cell Chaos Theory, Splinter Cell Chaos Theory w AllSeeingEye, Splinter Cell Pandora Tomorrow, GunZ |
| 7777 |
tcp |
trojans |
Premium scan |
Backdoor.Darkmoon (08.19.2005) - trojan that opens a backdoor on the compromised computer and has keylogging capabilities. Opens a backdoor and listens for remote commands on ports 6868/tcp and 7777/tcp.
Port 7777/tcp is also used by:
iChat server file transfer proxy
Oracle Cluster File System 2
Windows backdoor program tini.exe |
| 7778 |
tcp |
Oracle9iAS-OJSP |
not scanned |
Oracle 9i Application Server Oracle Java Server Pages |
| 7788 |
tcp,udp |
trojans |
Premium scan |
Trojans that use this port: Last 2000, Singularity (Backdoor.Singu) |
| 7789 |
tcp |
trojan |
Members scan |
Mozilla trojan, Back Door Setup trojan, ICKiller trojan |
| 7797 |
tcp |
applications |
not scanned |
Accelerate It, Humboldt Internet Accelerator, Hyperspeed Dialup |
| 7798 |
tcp,udp |
pnet-enc |
not scanned |
Propel Encoder port, GunZ |
| 7811 |
tcp,udp |
trojans |
Premium scan |
Backdoor.RemoteSOB (2003.01.08) - allows unauthorized access to the infected computer, listens on port 7811 by default and uses ICQ to notify the hacker. |
| 7812 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AP (03.04.2005) - worm with backdoor capabilities. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 7812/tcp. |
| 7823 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 7871 |
udp |
trojans |
Members scan |
Trojan.Peacomm (2007-03-02) - trojan horse that drops a system driver which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique. Once infected, it opens a backdoor to download other malicious programs. Uses UDP ports 4000, 7871, 11271. |
| 7968 |
tcp,udp |
applications |
not scanned |
Odyssey |
| 7983 |
tcp |
trojan |
Premium scan |
Mstream trojan horse |
| 7999 |
tcp |
worm |
Members scan |
W32.Mytob.LZ@mm (11.20.2005) - a mass-mailing worm with backdoor capabilities. It can spread using network shares and exploiting Windows vulnerabilities. Blocks access to several security-related websites by modifying the hosts file. Opens a backdoor and listens for remote commands by connecting to an IRC server on port 7999/tcp. |
| 8000 |
tcp |
trojans |
Basic scan |
Commonly used for internet radio streams such as those using SHOUTcast. Sometimes also used as an alternative HTTP port.
Applications that use this port: Winamp Audio Streaming, X-Lite, Icecast.
Malware using this port:
W32.Gaobot.CEZ (01.25.2005) - Worm with backdoor capabilities. Spreads through exploiting various vulnerabilities (ports 80, 135, 445). Blocks access to security-related websites and terminates some processes. Connects to an IRC server and listens on port 8000.
W32.Spybot.OGX (05.02.2005) - network-aware worm with distributed denial of service and backdoor capabilities. Opens a backdoor by connecting to an IRC server on port 8000/tcp.
W32.Mytob.JW@mm (10.04.2005) - a mass-mailing worm with backdoor capabilities that lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 8000/tcp. Also uses port 10027/tcp to download a copy of the worm. |
| 8008 |
tcp |
haxdoor |
Premium scan |
Backdoor.Haxdoor.E (08.01.2005) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp. |
| 8009 |
tcp,udp |
netware-http |
not scanned |
Netware HTTP Server |
| 8076 |
tcp |
trojans |
Members scan |
W32.Spybot.PEN (05.24.2005) - worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. Can be dropped by W32.Kelvir.CG. Opens a backdoor by connecting to IRC channel on port 8076/tcp. Exploits vulnerabilities on port 445/tcp (MS04-011), and 1433/udp (MS02-061).
W32.Mytob.HI@mm (07.12.2005) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 8076/tcp. |
| 8080 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - alternative ports used for web traffic. See also TCP ports 80, 81.
Some broadband routers run a web server on port 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.
If you're not running web services, keep in mind that some trojans also use these ports:
Reverse WWW Tunnel Backdoor - remote access/tunneling software coded in Perl, uses ports 80, 3128, 8080. Works on Unix, Linux, Solaris, AIX and OpenBSD.
RingZero (a.k.a. Ring0, Trojan.PSW.Ring, RingZero.gen, Ring) - uses ports 80, 3128, 8080. Affects Windows 9x.
Screen Cutter (a.k.a. Backdoor.Screencut) - uses ports 80, 8080.
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
W32.Spybot.OFN (04.29.2005) - network-aware worm with DDoS and backdoor capabilities. Spreads through network shares and exploiting multiple vulnerabilities. It may be downloaded by W32.Kelvir variants. Opens a backdoor on port 8080/tcp. Also exploits vulnerabilities on ports 445 and 1433.
W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.
Backdoor.Naninf.D (02.01.2006)
Backdoor.Naninf.C (01.31.2006)
W32.Rinbot.A (2007-03-02) - a worm that opens a back door, copies itself to IPC$ shares, connects to an IRC server, and awaits commands on port 8080/tcp. |
| 8080 |
udp |
trojans |
Premium scan |
Backdoor.Tjserv.D (10.04.2005) - a backdoor trojan that acts as a HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens a HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp. |
| 8081 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - alternative ports used for web traffic. See also TCP ports 80, 81, 8080.
If you're not running web services on this port, keep in mind that some trojans also use it:
W32.Bufei (04.18.2005) - virus with backdoor and keylogger capabilities. Attempts to connect to URLs for remote access on port 8081 every 3 minutes. |
| 8090 |
tcp |
http_alt_alt |
Premium scan |
Another HTTP Alternate (http_alt_alt) used as an alternative to port 8080.
Applications using this port: WebcamXP
Trojans that use this port: Aphex's Remote Packet Sniffer (Asniffer) |
| 8126 |
tcp |
trojans |
Members scan |
W32.Pejaybot (01.14.2005) - worm that spreads via file sharing networks. Connects to an IRC server and opens a backdoor on port 8126.
W32.Kelvir.Q (04.12.2005) - worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm. Connects to an IRC server on port 8126/tcp. |
| 8143 |
tcp,udp |
applications |
not scanned |
ImapProxy, SCO SSH Tunneling |
| 8181 |
tcp |
trojans |
Members scan |
W32.Erkez.D@mm (12.15.2004) - mass mailing worm that can terminate processes, lower security settings, and allow remote access to the compromised computer. Opens a backdoor and listens for remote commands on port 8181/tcp. |
| 8182 |
tcp |
applications |
not scanned |
SQL servers |
| 8190 |
tcp |
trojans |
Members scan |
W32.Reatle.E@mm (08.01.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS LSASS Buffer Overrun Vulnerability (MS04-011). Opens backdoors on ports 3351/tcp and 8190/tcp. |
| 8192 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, SnapStream PVS, SpyTech Phone Service, Y-cam Wireless IP Camera use this port. |
| 8193 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, Y-cam Wireless IP Camera |
| 8194 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, Bloomberg data API, Y-cam Wireless IP Camera use this port. |
| 8198 |
tcp |
applications |
not scanned |
Sophos Antivirus, Y-cam Wireless IP Camera |
| 8211 |
tcp |
applications |
not scanned |
Dealing Office Server, Y-cam Wireless IP Camera |
| 8222 |
tcp |
applications |
not scanned |
VMWare, Y-cam Wireless IP Camera |
| 8243 |
tcp,udp |
synapse-nhttps |
not scanned |
Synapse Non Blocking HTTPS, HTTPS listener for Apache Synapse, Y-cam Wireless IP Camera |
| 8245 |
tcp |
applications |
not scanned |
No-IP, DynDNS, Y-cam Wireless IP Camera use this port. |
| 8280 |
tcp,udp |
synapse |
not scanned |
Apache Synapse, Y-cam Wireless IP Camera use this port. |
| 8282 |
tcp |
applications |
not scanned |
Y-cam Wireless IP Camera, SAS Server, CS Intranet use this port. |
| 8333 |
tcp,udp |
applications |
not scanned |
VMware Server Management User Interface, Y-cam Wireless IP Camera |
| 8443 |
tcp,udp |
applications |
not scanned |
PCsync HTTPS, PCSync SSL, Common alternative https port, SW Soft Plesk Control Panel |
| 8500 |
tcp |
Macromedia |
not scanned |
Port used by Macromedia ColdFusion MX Server (Edition 6) to allow remote access as Web server |
| 8546 |
tcp |
trojans |
Members scan |
Backdoor.Berbew (2003.07.16) - a backdoor trojan horse that steals passwords, may open ports 7714 and 8546. |
| 8550 |
tcp,udp |
4psa |
not scanned |
Primary/Master 4PSA DNS Manager server - http://www.4psa.com/
Port is used for master/slave connection between servers, also uses ports 53 and 953 tcp/udp. |
| 8563 |
tcp |
trojans |
Members scan |
W32.Zotob.H (08.19.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 8594 |
tcp |
trojans |
Basic scan |
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. |
| 8719 |
tcp |
trojans |
Premium scan |
Backdoor.WinShell.50 - remote access trojan, 08.05.2003. Affects all current Windows versions, listens on port 8719. It is an earlier variant of Backdoor.WinShell.50.b (port 39581) and usually packed along with Trojan.Stealther.B. |
| 8767 |
udp |
teamspeak |
Premium scan |
Teamspeak default server port (configurable in server.ini). Program can also use port 51234 for server queries, and port 80/tcp or 14534/tcp for administration. |
| 8787 |
tcp |
trojan |
Premium scan |
Back Orifice 2000 (BO2K) trojan |
| 8811 |
tcp |
trojans |
Premium scan |
Backdoor.Fearic - remote access trojan, 08.2002. Affects all current Windows versions, opens ports 2000, 3456, 8811. |
| 8866 |
tcp |
trojans |
Members scan |
Beagle.B (02.17.2004) - mass mailing worm that uses its own SMTP engine and opens a backdoor on port 8866/tcp. |
| 8881 |
tcp |
worm |
Members scan |
W32.Mytob.IK@mm (07.30.2005) - a mass-mailing worm that uses its own SMTP engine, opens a backdoor, and lowers security settings on the compromised computer. Listens for remote commands on port 8881/tcp. |
| 8885 |
tcp |
trojans |
Members scan |
W32.Reatle.mm@mm (07.15.2005) - mass-mailing worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability (MS04-011) on TCP port 445. Opens a backdoor by running an FTP server on port 8885/tcp. Also attempts to perform a denial of service attack against www.symantec.com by targeting port 1052/tcp with randomly generated packets.
W32.Reatle.C@mm (07.19.2005) - another variant of the above mass-mailing worm. Opens a backdoor on port 8885/tcp and attempts to perform a denial of service attack against www.symantec.com on port 1052/tcp. |
| 8888,8889 |
tcp |
trojans |
Premium scan |
W32.Axatak - password stealing virus with remote access trojan capabilities, 08.2002. Affects all current Windows versions, uses ports 8888 and 8889.
Ports also registered with IANA for: ddi-tcp-1 NewsEDGE server |
| 8897 |
tcp |
trojan |
Premium scan |
HackOffice, Armageddon trojans |
| 8900 |
tcp |
trojans |
Premium scan |
W32.Mytob.EV@mm (06.15.2005) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands via IRC on port 8900/tcp. |
| 8989 |
tcp |
trojan |
Premium scan |
Rcon (Recon), Xcon trojans |
| 9000 |
tcp |
trojans |
Premium scan |
W32.Randex.CZZ (03.16.2005) - network aware worm that attempts to connect to an IRC server on port 9000/tcp for remote instructions.
W32.Mytob.GK@mm (06.30.2005) - mass-mailing worm that opens a backdoor on port 9000/tcp.
Netministrator trojan horse also uses port 9000 (TCP).
Port 9000 also used by the EverQuest World server. |
| 9020 |
udp |
surfcontrol |
not scanned |
Juniper Networks SurfControl URL Filtering |
| 9030 |
tcp |
trojans |
Members scan |
W32.Beagle.BY@mm (08.04.2005) - a mass-mailing worm that uses its own SMTP engine. It opens a backdoor on the compromised computer and listens for remote commands on port 9030/tcp. |
| 9035 |
tcp |
trojans |
Members scan |
W32.Beagle.CK@mm (10.18.2005) - a mass-mailing worm with backdoor capabilities. Uses its own SMTP engine, stops some anti-virus and security related processes. Opens a backdoor and listens for remote commands on port 9035/tcp.
Port also used by W32.Beagle.CL@mm (10.09.2005) |
| 9040 |
tcp |
trojans |
Premium scan |
Trojan.Mitglieder.R (07.01.2005) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp. |
| 9125 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.J (03.26.2005) - back door and a keylogger, periodically sending the stolen info via email. Listens on port 9125/tcp for instructions from a remote attacker.
Backdoor.Nibu.N (08.12.2005) - a trojan that blocks access to security-related sites, and opens a backdoor on the compromised computer. It also runs a keylogger, sending information periodically via email. Opens a backdoor and listens for remote commands on ports 9125/tcp, and 27328/tcp. |
| 9200 |
udp |
wsp |
not scanned |
WAP Connectionless Wireless Session Protocol |
| 9325 |
udp |
trojan |
not scanned |
Mstream trojan horse |
| 9400 |
tcp |
trojan |
Premium scan |
InCommand trojan horse |
| 9515 |
tcp |
trojans |
Members scan |
W32.Loxbot.A (10.19.2005) - a worm with backdoor capabilities. It can spread using AIM, and it can lower security settings on the compromised computer. Also uses a rootkit to hide its process in memory. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 9515/tcp.
Port also used by the W32.Loxbot.B variant. |
| 9604 |
tcp |
worm |
Members scan |
W32.Kibuv.Worm (2004-05-14) - a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) and the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026). Starts an FTP server on TCP port 9604, also listens on TCP port 420, and attempts to exploit the DCOM RPC vulnerability on TCP port 135. |
| 9696,9697 |
tcp |
trojans |
Premium scan |
Gholame - remote access trojan, 08.2002. Affects all current Windows versions. |
| 9833 |
tcp |
applications |
not scanned |
Telindus router - default port for the 1100 series of Telindus ADSL routers, such as 1110 and 1120. |
| 9867 |
tcp |
trojans |
Premium scan |
Backdoor.Sokeven - remote access trojan, 09.22.2004. Affects all current Windows versions, opens a SOCKS proxy on port 9867 by default. Systems can get infected by visiting a malicious website with Internet Explorer - exploits IE File Installation Vulnerability. |
| 9872-9875 |
tcp |
trojans |
Premium scan |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.
Port 9875 also used by the EverQuest Chat server.
Port 9875 tcp is also registered with IANA for Session Announcement v1 - RFC 2974. |
| 9876 |
tcp |
session director |
Premium scan |
Session Director, True Image Remote Agent, Wireshark, nmap use this port.
Trojans that also use this port:
Cyber Attacker, Rux, Backdoor.Lolok
Backdoor.Lolok is a backdoor Trojan that uses the mIRC client to give a hacker access to the computer. By default, it establishes an IRC connection to irc.tu-pac.net on port 9876. Usually spreads through email attachments or disguised as a video file. Discovered on 12.05.2002. |
| 9878 |
tcp |
trojan |
Premium scan |
Small Big Brother, TransScout trojans |
| 9898 |
tcp |
trojans |
Members scan |
Dabber.A (05.14.2004) and Dabber.B (06.04.2004) - a worm that propagates by exploiting a vulnerability in the FTP server component of W32.Sasser.Worm and its variants. It installs a backdoor on port 9898/tcp (if it fails, tries to listen on ports 9899-9999). |
| 9989 |
tcp |
trojan |
Premium scan |
iNi-Killer trojan horse |
| 9996 |
tcp |
trojans |
Members scan |
W32.Sasser.Worm - remote access trojan, 05.2004. Affects all current Windows versions, attempts to exploit a vulnerability addressed in Microsoft Security Bulletin MS04-011. There are some issues associated with using the MS04-011 update discussed here: MS KB 835732.
Trojan runs a FTP server on port 5554 on infected systems and attempts to connect to random IPs on TCP port 445. If a connection is established, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. |
| 9998 |
tcp |
totalbill |
not scanned |
Totalbill (billing and provisioning system for ISPs by Aptis Software) listens on port 9998/tcp (by default) and allows full control over the software. An exploit script for this software was published in 2000. |
| 9999 |
tcp |
trojans |
Premium scan |
Backdoor.Lateda.B (01.17.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
Backdoor.Lateda.C (04.01.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on the l33t.freeshellz.org domain on port 5232/tcp, opens a backdoor on port 9999/tcp.
The Prayer 1 trojan horse also uses port 9999 (TCP). |
| 10000 |
tcp |
trojans |
Basic scan |
Dumaru.Y (01.23.2004) - multi-threaded, mass mailing worm that opens a backdoor, runs a keylogger and attempts to steal personal information. Opens ports 2283/tcp and 10000/tcp.
Other trojans that use this port: Oracle, TCP Door, XHX, OpwinTRojan
Applications that use this port: The Matrix Online, Everquest Online Adventures, BitTornado, Viatalk, Webmin, BackupExec, Ericsson Account Manager (avim) |
| 10001,10002 |
tcp |
trojans |
Premium scan |
Ports used by Backdoor.Zdemon.126 - remote access trojan, 05.2003. Affects all current Windows versions.
Port 10001/tcp is also assigned by IANA to: SCP Configuration Port |
| 10008 |
tcp |
worm |
Premium scan |
In early 2001, many exploit scripts for DNS TSIG name overflow would place a root shell on this port. In mid-2001, a worm ("cheese" worm) was created that enters the system via this port (left behind by some other attacker), then starts scanning other machines from this port.
CERT: IN-2001-05 |
| 10027 |
tcp |
trojans |
Premium scan |
W32.Mytob.JW@mm (10.04.2005) - a mass-mailing worm with backdoor capabilities that lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 8000/tcp. Also uses port 10027/tcp to download a copy of the worm. |
| 10067,10167 |
udp |
trojans |
Premium scan |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp. |
| 10080 |
tcp |
trojans |
Premium scan |
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080. |
| 10082 |
tcp |
trojans |
Premium scan |
W32.Mytob.CP@mm (05.23.2005) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine, spreads by exploiting the MS Security Bulletin MS04-011 vulnerability. Starts an FTP server on a random TCP port. Uses port 10082/tcp to download the worm as "bingoo.exe". |
| 10085 |
tcp |
trojans |
Premium scan |
W32.Mytob.BL@mm (04.25.2005) - mass-mailing worm with backdoor capabilities. Connects to an IRC server on port 6667/tcp, opens a backdoor FTP server on port 10085.
Syphillis trojan horse also uses port 10085 (TCP). |
| 10086 |
tcp |
trojans |
Members scan |
Syphillis trojan, W32.Mytob |
| 10087 |
tcp |
trojans |
Members scan |
W32.Mytob.AD@mm (04.07.2005) - mass-mailing worm with built-in SMTP engine. Spreads by exploiting the MS DCOM RPC vulnerability (MS03-026) and the MS Windows Local Security Authority Service Remote Buffer Overflow (MS04-011). Opens a backdoor on port 10087/tcp. Also connects to an IRC channel on the ircd.dists.com domain on port 6667 and listens for commands. Compromised PCs can be rebooted remotely, files can be downloaded/executed, and IRC commands can be performed.
W32.Mytob.AA@mm (04.05.2005) - mass-mailing worm that uses its own SMTP engine, and has backdoor capabilities. Uses port 10087 to transfer copies of the worm, and also opens an FTP server that listens on a random TCP port.
W32.Mytob.FP@mm (06.23.2005) - mass-mailing worm that opens backdoors on ports 10087/tcp and 12347/tcp. |
| 10089 |
tcp |
trojans |
Premium scan |
W32.Mytob.AR@mm (04.12.2005) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine. Opens a backdoor on port 10089/tcp, and connects to an IRC server on port 8080. |
| 10099 |
tcp |
trojans |
Premium scan |
W32.Mytob.FX@mm (06.23.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 36311/tcp. Also runs an FTP server on port 10099/tcp. |
| 10101 |
tcp |
trojan |
not scanned |
BrainSpy trojan horse (TCP) |
| 10102 |
tcp |
backdoor |
Premium scan |
Backdoor.Staprew.B (05.02.2005) - backdoor program, contacts the lowesapr.net domain on port 10102/tcp with the IP of the compromised computer and the number of the random TCP port of the backdoor. |
| 10104 |
udp |
trojans |
Premium scan |
Backdoor.Lowtaper - remote access trojan, 10.14.2004. Affects all current Windows versions.
Uses ports 24681/tcp and 10104/udp |
| 10168 |
tcp |
trojans |
Premium scan |
W32.HLLW.Lovgate - a worm with backdoor trojan capabilities, 06.2003. Affects all current Windows versions. |
| 10520 |
tcp |
trojan |
Premium scan |
Acid Shivers trojan |
| 10528 |
tcp |
trojan |
Premium scan |
Host Control trojan |
| 10607 |
tcp |
trojan |
Premium scan |
Coma trojan |
| 10666 |
udp |
trojan |
not scanned |
Ambush trojan |
| 10752 |
tcp |
backdoor |
Members scan |
Backdoor. One of the many Linux mountd (port 635) exploits installs its backdoor at this port. Origin??? 10751 = 0x2a00, where 0x2a = 42 (proposed by Darren Reed)
The bx.c IRC exploit puts a root shell backdoor listening at this port.
The ADM named v3 attack puts a shell at this port. |
| 10888 |
tcp |
trojans |
Premium scan |
Trojan.Webus.C - remote access trojan, 10.12.2004. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080. |
| 11000 |
tcp,udp |
applications |
Premium scan |
Port used by Cisco Border Gateway Protocol, Microsoft Visual Studio, .Net Framework, SCInterface.
Senna Spy Trojan Generator, DataRape also use this port. |
| 11050 |
tcp |
trojan |
Premium scan |
Host Control trojan |
| 11051 |
tcp |
trojan |
Premium scan |
Host Control trojan |
| 11223 |
tcp |
trojan |
Premium scan |
Progenic trojan, Secret Agent trojan |
| 11271 |
udp |
trojans |
Members scan |
Trojan.Peacomm (2007-03-02) - trojan horse that drops a system driver which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique. Once infected, it opens a backdoor to download other malicious programs. Uses UDP ports 4000, 7871, 11271. |
| 11768 |
tcp |
trojans |
Premium scan |
Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin MS04-011). Uses tcp ports 11768 and 15118. |
| 11831 |
tcp |
trojans |
Premium scan |
Trojans that use this port:
DarkFace - remote access trojan. Affects Windows
Latinus - remote access trojan, 06.2002. Affects Windows 9x/ME/NT/2k/XP
Pestdoor - remote access trojan, 10.2002. Affects Windows 9x/ME/NT/2k/XP
Vagr Nocker - remote access trojan, 02.2001. Affects Windows |
| 12000 |
tcp |
trojans |
Members scan |
SatanCrew - remote access trojan, 08.2002. Affects Windows 9x/Me,NT,2K,XP
W32.Mytob.GN@mm (06.30.2005) - mass-mailing worm with its own SMTP engine and backdoor capabilities. Sends itself to email addresses it finds on the compromised computer. Opens an IRC backdoor on port 12000/tcp.
Applications that use this port: Phantasy Star Universe, ClearCommerce Engine 4.x (www.clearcommerce.com)
IANA assigned to: entextxid - IBM Enterprise Extender SNA XID Exchange |
| 12076 |
tcp |
trojans |
Premium scan |
GJamer, MSH.104b trojans |
| 12080 |
tcp |
applications |
Members scan |
Port used by WebShield, Dwyco Video Conferencing, NetworkServer, Delta Three PC to Phone.
Trojan Troj/Agent-E, Win32.Disprox.A also use this port. |
| 12083 |
tcp |
applications |
not scanned |
Delta Three PC to Phone |
| 12120 |
udp |
applications |
not scanned |
Delta Three PC to Phone |
| 12122 |
udp |
applications |
not scanned |
Delta Three PC to Phone |
| 12200 |
tcp |
applications |
not scanned |
GNucDNA, Tenebril GhostSurf |
| 12223 |
tcp |
trojan |
not scanned |
Hack'99 KeyLogger (TCP) |
| 12345 |
tcp |
NetBus |
Members scan |
NetBus Trojan Horse uses this port.
Because of the common sequence of numbers "1 2 3 4 5" this port is commonly chosen when configuring programs, or as default port number.
Some other trojan horses/backdoors that use this port: Ashley, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, Pie Bill Gates, Whack Job, X-bill
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429
Trend Micro's OfficeScan products use port 12345 as well (see Securityfocus BugtraqID: 1013). |
| 12346 |
tcp |
NetBus |
Members scan |
NetBus Trojan Horse uses this port.
Because of the common sequence of numbers "1 2 3 4 5" this port is commonly chosen when configuring programs, or as default port number.
Some other trojan horses/backdoors that use this port: Ashley, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, Pie Bill Gates, Whack Job, X-bill
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429
Trend Micro's OfficeScan products use port 12345 as well (see Securityfocus BugtraqID: 1013). |
| 12347 |
tcp |
trojans |
Premium scan |
W32.Mytob.FP@mm (06.23.2005) - mass-mailing worm that opens backdoors on ports 10087/tcp and 12347/tcp. |
| 12348 |
tcp |
BioNet |
Members scan |
GCI BioNet trojan |
| 12349 |
tcp |
trojans |
Members scan |
Trojans that use this port: GCI BioNet, The Saint, Webhead |
| 12361 |
tcp |
trojan |
Premium scan |
Whack-a-mole trojan |
| 12362 |
tcp |
trojan |
Premium scan |
Whack-a-mole trojan |
| 12623 |
udp |
trojan |
not scanned |
ButtMan, DUN Control trojans |
| 12624 |
tcp |
trojan |
Premium scan |
Buttman trojan |
| 12631 |
tcp |
trojan |
Premium scan |
WhackJob, WhackJob.NB1.7 trojan |
| 12701 |
tcp |
trojan |
Premium scan |
Eclipse 2000 trojan |
| 12754 |
tcp |
trojan |
Premium scan |
Mstream trojan horse |
| 13000 |
tcp,udp |
trojan |
Premium scan |
Senna Spy trojan uses port 13000 udp.
TCP port can also be used by Unreal Tournament 3. |
| 13010 |
tcp |
trojans |
Premium scan |
BitchController, Hacker Brazil trojans |
| 13139 |
udp |
games |
not scanned |
GameSpy Arcade - Custom UDP Pings
Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
| 13173 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 13700 |
tcp |
trojan |
Premium scan |
Kuang2 The Virus |
| 14456 |
tcp |
trojan |
Premium scan |
Solero trojan |
| 14500 |
tcp |
trojan |
Premium scan |
PC Invader 0.7 trojan |
| 14501 |
tcp |
trojan |
Premium scan |
PC Invader 0.7 trojan |
| 14502 |
tcp |
trojan |
Premium scan |
PC Invader 0.7 trojan |
| 14503 |
tcp |
trojan |
Premium scan |
PC Invader 0.7 trojan |
| 14534 |
tcp |
teamspeak |
Premium scan |
Teamspeak server default web administration port (configurable in server.ini). Program also uses port 51234/tcp for server queries, and port 8767/udp. |
| 14690 |
tcp,udp |
applications |
not scanned |
Port used by BitKeeper.
14690/udp is also used by Battlefield 1942. |
| 15000 |
tcp |
trojan |
not scanned |
NetDaemon 1.0 (TCP) |
| 15092 |
tcp |
trojan |
not scanned |
Host Control trojan horse (TCP) |
| 15104 |
tcp |
trojan |
not scanned |
Mstream trojan horse (TCP) |
| 15118 |
tcp |
trojans |
Premium scan |
Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin MS04-011). Uses tcp ports 11768 and 15118. |
| 15432 |
tcp |
trojans |
Premium scan |
Backdoor.Cyn - remote access trojan, 08.2002. Affects all current Windows versions, listens on ports 15432 and 51234. |
| 15858 |
tcp |
trojans |
Premium scan |
CDK trojan (ports 79, 15858) |
| 16322 |
tcp |
trojans |
Premium scan |
Backdoor.Lastdoor - remote access trojan, 09.2002. Affects all current Windows versions. |
| 16484 |
tcp |
trojan |
not scanned |
Mosucker trojan horse (TCP) |
| 16660 |
tcp |
trojan |
not scanned |
Stacheldraht (DDoS) (TCP) |
| 16661 |
tcp |
trojans |
Premium scan |
Backdoor.Haxdoor.D (01.25.2005) - backdoor trojan program. Also attempts to log key strokes and steal passwords. Listens on port 16661/tcp, opens two additional high random ports.
Backdoor.Haxdoor.E (08.01.2005) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp. |
| 16772 |
tcp |
trojan |
not scanned |
ICQ Revenge (TCP) |
| 16969 |
tcp |
trojan |
not scanned |
Priority trojan horse (TCP) |
| 17166 |
tcp |
trojan |
not scanned |
Mosaic trojan horse (TCP) |
| 17300 |
tcp |
trojans |
Premium scan |
Some backdoors use this port: Milkit (Spybot 3), Kuang2 the_Virus. |
| 17490 |
tcp |
trojan |
not scanned |
CrazyNet trojan horse (TCP) |
| 17500 |
tcp |
trojan |
not scanned |
CrazyNet trojan horse (TCP) |
| 17569 |
tcp |
trojans |
Premium scan |
Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 17777 |
tcp |
trojan |
Premium scan |
Nephron trojan |
| 17940 |
tcp |
trojans |
Members scan |
W32.Imav.A (01.29.2006) - a worm spreading through ICQ messages, may also arrive as a .zip attachment to emails. Disables security-related products and lowers security settings on the compromised computer. Connects to login.icq.com on port 17940/tcp, and sends out messages containing links to copies of the worm. |
| 17988 |
tcp |
hp |
Premium scan |
HP integrated Lights Out Management Feature uses this port.
Also used by HP iLO as Virtual Media port. |
| 18067 |
tcp |
trojans |
Basic scan |
Backdoor.Mousey (08.05.2005) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands via IRC on port 18067/tcp.
W32.Esbot.B (08.17.2005) - a worm that spreads by exploiting the MS Plug and Play Buffer Overflow Vulnerability (MS05-039). Opens a backdoor and listens for remote commands by connecting to IRC servers on port 18067/tcp.
W32.Mocbot.A (10.25.2005) - a worm with backdoor capabilities that exploits the MS Plug and Play Buffer Overflow Vulnerability (MS05-039). Opens a backdoor and listens for remote commands by connecting to an IRC server on port 18067/tcp. |
| 18302 |
tcp,udp |
portmon |
not scanned |
Portmon - monitors and displays all serial and parallel port activity on a system. |
| 18753 |
udp |
trojan |
not scanned |
Shaft (DDoS) |
| 18888 |
tcp,udp |
liquidaudio |
not scanned |
Port used by LiquidAudio servers. |
| 18923 |
tcp,udp |
jahia |
not scanned |
Jahia |
| 19864 |
tcp |
trojan |
Premium scan |
ICQ Revenge trojan horse |
| 20000 |
tcp,udp |
dnp |
Premium scan |
Distributed Network Protocol (DNP), frequently used in SCADA networks.
Trojans that use this port: Millenium, PSYcho Files, XHX |
| 20001 |
tcp |
trojan |
Premium scan |
Millennium trojan |
| 20002 |
tcp |
trojan |
Premium scan |
AcidkoR trojan |
| 20034 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: NetBus, NetRex, Whack Job |
| 20049 |
tcp,udp |
nfsrdma |
not scanned |
Network File System (NFS) over RDMA |
| 20192 |
tcp |
trojans |
not scanned |
Backdoor.Ranky.V (11.03.2005) - a trojan horse that allows the compromised computer to be used as a covert proxy. Starts a covert proxy on a random tcp port between 1025 and 65535. Uses port 20192/tcp to send notifications of infection. |
| 20203 |
tcp |
trojan |
not scanned |
Chupacabra, Logged! (TCP) |
| 20331 |
tcp |
trojan |
Premium scan |
Bla trojan horse |
| 20432 |
tcp,udp |
ddos |
not scanned |
Shaft (DDoS) |
| 20742 |
tcp |
trojans |
Members scan |
Trojan.Mitglieder.E - Mail Relay trojan, 03.13.2004. Affects all current Windows versions, creates a listening proxy on a configurable high port that allows the ability to relay email. By default, the Trojan listens on port 20742. |
| 21157 |
udp |
games |
not scanned |
Activision gaming protocol [RFC 3027] |
| 21211 |
tcp |
trojans |
Members scan |
W32.Dasher.B (12.16.2005) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin MS05-051).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp. |
| 21302 |
tcp,udp |
applications |
not scanned |
BitchX IRC Client |
| 21554 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: Exploiter, Kid Terror, Winsp00fer, GirlFriend
Schwindler remote access trojan - ports 21554, 50766 |
| 22222 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: Donald Dick, Prosiak, Ruler, RUX The TIc.K
Viasat (Swedish TV provider) routes traffic to digital boxes for digital TV through this port. |
| 22311 |
tcp |
trojans |
Premium scan |
Backdoor.Simali - remote access trojan, 04.2003. Affects all current Windows versions, listens on port 22311 by default. Notifies attacker via email or ICQ. |
| 22554 |
tcp |
trojan |
Premium scan |
Schwindler trojan horse |
| 22555 |
udp |
vocaltec |
not scanned |
Port used by VocalTec Internet Phone. |
| 22703 |
tcp,udp |
webtv |
not scanned |
WebTV is vulnerable to a DoS exploit on this port that can reboot the machine. |
| 22793 |
tcp |
vocaltec |
not scanned |
VocalTec Internet Phone - tcp connection to VocalTec servers on this port. |
| 23023 |
tcp |
trojan |
Premium scan |
Logged trojan horse |
| 23432 |
tcp |
trojans |
Premium scan |
Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default. |
| 23456 |
tcp |
trojans |
Members scan |
The following trojans/backdoors use this port: Evil FTP, Ugly FTP, WhackJob |
| 23476,23477 |
tcp |
trojans |
Premium scan |
DonaldD.Trojan (09.28.1999) - backdoor trojan similar to BlackOrifice. Opens a backdoor and listens for remote commands on ports 23476/tcp and 23477/tcp by default. |
| 23523 |
tcp |
trojans |
Premium scan |
W32.Mytob.KM@mm (10.12.2005) - a mass-mailing worm with backdoor capabilities, that also lowers security settings on the compromised computer. Opens a backdoor by connecting to rax.oucihax.info and listens for remote commands on port 23523/tcp. |
| 23560 |
tcp |
trojans |
Premium scan |
Backdoor.Sparta.D (10.02.2005) - a backdoor trojan that can be controlled by a remote attacker via IRC channels. Uses port 23560/tcp. |
| 24000 |
tcp |
trojans |
Premium scan |
Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 24681 |
tcp |
trojans |
Premium scan |
Backdoor.Lowtaper - remote access trojan, 10.14.2004. Affects all current Windows versions.
Uses ports 24681/tcp and 10104/udp |
| 25080 |
tcp,udp |
applications |
not scanned |
Ninja Email Security - port for checking against phishing attacks, spam, and malware. |
| 25121 |
tcp,udp |
applications |
not scanned |
VOISpeed VoIP |
| 26000 |
tcp,udp |
quake |
not scanned |
Quake-based games (e.g. Half-Life, Quakeworld, QuakeIII, etc.) use this port. |
| 26274 |
udp |
trojan |
not scanned |
Delta Source trojan horse |
| 26418 |
tcp |
trojans |
Premium scan |
W32.Mytob.HH@mm (07.12.2005) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 26418/tcp. Also opens a backdoor on port 5000/tcp. |
| 26675 |
tcp,udp |
applications |
not scanned |
ActiveSync - data synchronization between a mobile computer and a desktop computer, connected to the Internet. |
| 27000 |
tcp,udp |
flex-lm |
not scanned |
FLEX LM (1-10) |
| 27001 |
tcp,udp |
flex-lm |
not scanned |
FlexLM (1-10) |
| 27002 |
tcp,udp |
flex-lm |
not scanned |
FlexLM (1-10) |
| 27003 |
tcp,udp |
flex-lm |
not scanned |
FlexLM (1-10) |
| 27004 |
tcp,udp |
flex-lm |
not scanned |
FLEX LM (1-10) |
| 27005 |
tcp,udp |
flex-lm |
not scanned |
FLEX LM (1-10) |
| 27006 |
tcp,udp |
flex-lm |
not scanned |
FLEX LM (1-10) |
| 27007 |
tcp,udp |
flex-lm |
not scanned |
FLEX LM (1-10) |
| 27008 |
tcp,udp |
flex-lm |
not scanned |
FLEX LM (1-10) |
| 27009 |
tcp,udp |
flex-lm |
not scanned |
FLEX LM (1-10) |
| 27015 |
tcp |
steam |
Premium scan |
Port used by Steam servers for online gaming, Half-Life and its mods, such as Counter-Strike. |
| 27017 |
udp |
steam |
not scanned |
Port used by Valve Steam Friends, an instant messaging protocol that is built into Steam, Counter-Strike, Xpire, MBL TF2 Tango. |
| 27020 |
tcp,udp |
steam |
not scanned |
Valve Steam Client |
| 27030 |
tcp,udp |
applications |
not scanned |
Counter Strike, Day of Defeat Source, Half Life Steam, Steam Client |
| 27031 |
tcp,udp |
applications |
not scanned |
Port used by: UKS UT server, Flex-net managed application VRCO (TrackD), Counter Strike, Day of Defeat Source, Half Life Steam, Steam Client. |
| 27041 |
tcp,udp |
applications |
not scanned |
Steam Client |
| 27045 |
tcp,udp |
applications |
not scanned |
Steam Client |
| 27328 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.N (08.12.2005) - a trojan that blocks access to security-related sites, and opens a backdoor on the compromised computer. It also runs a keylogger, sending information periodically via email. Opens a backdoor and listens for remote commands on ports 9125/tcp, and 27328/tcp. |
| 27374 |
tcp,udp |
SubSeven |
Basic scan |
One of the most commonly probed ports.
SubSeven Trojan horse uses this port (TCP). Also used as a backdoor port left behind by exploit scripts, such as those in the Ramen worm. While some scans for this port may be due to SubSeven, others may be looking for a remote shell.
Other trojan horses/backdoors that use this port: Bad Blood, Ramen, Seeker, SubSeven (many versions), Ttfloader
Address Search Protocol Daemon (ASPD) and BackDoor-G also use port 27374 TCP. |
| 27378 |
tcp |
trojans |
Premium scan |
Port used by one of the Backdoor.Delf variants - remote access and keylogging trojan family, 05.2003.
variant 1 listens on port 2444
variant 2 listens on port 27378
variant 3 listens on port 2189
variant 4 listens on port 23 |
| 27444 |
udp |
trojans |
Premium scan |
Trinoo and Tribe Flood Network (or TFN) Denial of Service (DoS) tools use this port. See CERT: IN-99-07.
See also: port 27665 (Trinoo master port). |
| 27589 |
tcp |
trojans |
Premium scan |
Backdoor.Assasin.D trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker. |
| 27655 |
tcp |
trojans |
Members scan |
Trinoo Denial of Service (DoS) tool uses this port. See CERT: IN-99-07.
See also: port 27444 |
| 27665 |
tcp |
trojan |
Premium scan |
Trin00 trojan (Windows DDoS) |
| 27900 |
udp |
games |
not scanned |
GameSpy Arcade - Master Server UDP Heartbeat
Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
| 27999 |
tcp |
trojans |
Members scan |
W32.Mytob.EU@mm (06.15.2005) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands on this port.
W32.Mytob.GB@mm (06.30.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 27999/tcp.
W32.Mytob.KE@mm (10.21.2005) |
| 28221 |
tcp,udp |
emule |
not scanned |
eMule, BitTorrent |
| 28432 |
udp |
trojan |
not scanned |
Hack'a'Tack trojan |
| 28876 |
tcp |
trojans |
Premium scan |
Trojan.Helemoo (07.25.2005) - a backdoor trojan that exploits a MS IE DHTML Memory Corruption Vulnerability (MS05-020). Opens a backdoor and listens for remote commands on port 28876/tcp (backdoor can also be a random port). |
| 28900 |
tcp |
games |
Members scan |
GameSpy Arcade - Master Server List Request
Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
| 28960 |
tcp,udp |
games |
Basic scan |
Port used by Call of Duty, Return to Castle Wolfenstein |
| 29000 |
tcp,udp |
applications |
not scanned |
PWI and PWI patches
Battlefield 2 |
| 29070 |
udp |
games |
Members scan |
Star Wars III Jedi Knight Jedi Academy (JK3) |
| 29104 |
tcp |
trojan |
Members scan |
NETrojan, Host Control trojans |
| 29147 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AI (01.03.2005) - network aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 29147/tcp. |
| 29559 |
tcp |
trojans |
Premium scan |
Backdoor.Ducktoy - remote access trojan, 07.2002. Affects all current Windows versions, listens to ports 29559 and 59211 by default.
Backdoor.Latinus - remote access trojan, 06.2002. Affects Windows 9x/ME/NT/2k/XP. Uses port 11831 for direct control and port 29559 for file transfer. |
| 29831 |
tcp,udp |
slapd |
not scanned |
Slapd |
| 29891 |
udp |
trojan |
not scanned |
The Unexplained trojan horse |
| 29900 |
tcp |
games |
Basic scan |
Nintendo Wi-Fi Connection
GameSpy Arcade - GP Connection Manager. Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
| 29901 |
tcp |
games |
Basic scan |
Nintendo Wi-Fi Connection
GameSpy Arcade - GP Search Manager. Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
| 29976 |
tcp |
trojan |
Premium scan |
Trojan Spirit 2001a |
| 29980 |
tcp |
trojan |
Premium scan |
Trojan Spirit 2001a |
| 29984 |
tcp |
trojan |
Premium scan |
Trojan Spirit 2001a |
| 29999 |
tcp |
trojans |
Premium scan |
Backdoor.AntiLam - remote access trojan, 08.2002. Affects all current Windows versions, listens on ports 29999 and 47891. |
| 30000 |
tcp |
trojans |
Premium scan |
Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 30001 |
tcp |
trojans |
Members scan |
Err0r32 (ErrOr32), Terr0r32 (TerrOr32) trojans
W32.Gaobot.ADX worm - opens ports 30001, 63000, 63001 |
| 30003 |
tcp |
trojan |
Premium scan |
Lamers Death trojan |
| 30005 |
tcp |
trojans |
Members scan |
Backdoor JZ, Litmus trojan |
| 30029 |
tcp |
trojan |
Members scan |
AOL Trojan (aliases: AOL Admin, Backdoor.Cheeser) |
| 30100-30103 |
tcp |
trojan |
Members scan |
NetSphere trojan uses these ports.
30100 tcp - the main port that NetSphere connects to.
30101-30103 tcp - NetSphere runs FTP services on these ports, used to transfer various files (e.g. keylog files).
NetSphere infects only Windows 9x systems. A server program called nssx.exe is placed in the C:\Windows\System directory, a "NSSX" value is added to the Run hive of the registry to launch the server. |
| 30129 |
tcp |
trojans |
Premium scan |
Masters Paradise backdoor (aliases: Backdoor.Krass, Hacker's Paradise) |
| 30133 |
tcp |
trojans |
Premium scan |
Trojan Spirit 2001a, NetSphere Final trojan |
| 30303 |
tcp |
trojan |
Premium scan |
Sockets de Troie trojan. Typically uses ports 5000, 5001, 30303, and 50505. Includes a remote administration tool like Back Orifice and NetBus, so it has a server portion (spread with a virus) and a client portion. |
| 30331 |
tcp |
trojan |
Premium scan |
MuSka52 trojan |
| 30464 |
tcp |
exploits |
Members scan |
Port used by Slapper trojan. Numerous exploit scripts bind root shells to this port. See also SMTP ETRN overflow |
| 30700 |
tcp |
trojan |
Premium scan |
Mantis trojan |
| 30722 |
tcp |
trojans |
Basic scan |
W32.Esbot.A (08.15.2005) - a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (MS Security Bulletin MS05-039). Opens a backdoor and listens for remote commands by connecting to IRC servers on port 30722/tcp. |
| 30947 |
tcp |
trojan |
Premium scan |
Intruse trojan |
| 30974 |
tcp |
trojan |
Premium scan |
Intruse trojan |
| 30999 |
tcp |
trojans |
Premium scan |
Backdoor.Novacal (10.02.2005) - a backdoor server program that allows unauthorized access to a compromised computer. Uses ICQ to notify the remote attacker of the compromised computer. Opens a backdoor and listens for remote commands on port 30999/tcp.
Kuang2 trojan horse also uses this port. |
| 31000 |
tcp,udp |
applications |
not scanned |
OpCon/xps
Titan FTP server |
| 31113 |
tcp |
worms |
Members scan |
W32.Mytob.IH@mm (07.25.2005) - a mass-mailing worm that uses its own SMTP engine, opens a backdoor, and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 31113/tcp. |
| 31221 |
tcp |
trojan |
Premium scan |
Knark trojan |
| 31320 |
tcp,udp |
trojan |
not scanned |
Little Witch trojan |
| 31332 |
tcp |
trojans |
Premium scan |
Backdoor.Grobodor - backdoor trojan coded in Delphi, 10.06.2003. Affects all current Windows versions, listens on port 31332. |
| 31335 |
udp |
trojan |
not scanned |
Trinoo distributed attack tool port. |
| 31336 |
tcp |
trojans |
Premium scan |
BOWhack, ButtFunnel trojans |
| 31337 |
tcp,udp |
Back Orifice |
Members scan |
This port number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T) and because of the special meaning is often used for interesting stuff... Many backdoors/trojans run on this port, the most notable being Back Orifice.
Here are some others that run on the same port: Back Fire, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini.
.Net Remoting also uses this port. |
| 31338 |
tcp,udp |
trojans |
Premium scan |
Back Orifice, ButtFunnel, DeepBO, NetSpy DK trojans |
| 31339 |
tcp |
trojans |
Premium scan |
LittleWitch, Net Spy |
| 31340 |
tcp,udp |
trojan |
not scanned |
Little Witch trojan |
| 31382 |
tcp |
trojan |
Premium scan |
Lithium trojan |
| 31399 |
tcp |
trojan |
Premium scan |
NetSpy (DK) trojan |
| 31415 |
tcp |
trojan |
Premium scan |
Lithium trojan |
| 31416 |
tcp,udp |
trojan |
not scanned |
Lithium trojan |
| 31554 |
tcp |
trojan |
Premium scan |
Schwindler trojan horse |
| 31557 |
tcp |
trojans |
Premium scan |
NetBus, Xanadu |
| 31631 |
tcp |
trojan |
Premium scan |
CleptoManicos trojan |
| 31666 |
tcp |
trojan |
Premium scan |
BOWhack, BOWackmole trojans |
| 31745 |
tcp |
trojan |
Premium scan |
BuschTrommel trojan |
| 31778 |
tcp |
trojan |
Members scan |
Hack'a'Tack trojan |
| 31785 |
tcp |
trojan |
Premium scan |
Hack'a'Tack trojan |
| 31787 |
tcp |
trojan |
Premium scan |
Hack'a'Tack trojan |
| 31788 |
tcp |
trojan |
Premium scan |
Hack'a'Tack trojan |
| 31789 |
udp |
hackatack |
Members scan |
Windows Hack'a'Tack trojan |
| 31790 |
udp |
hackattack |
Members scan |
Windows Hack'a'Tack trojan |
| 31791 |
tcp,udp |
trojan |
not scanned |
Hack'a'Tack trojan |
| 31792 |
tcp |
trojan |
Premium scan |
Hack'a'Tack trojan |
| 31887 |
tcp |
trojan |
Premium scan |
BDDT trojan |
| 31889 |
tcp |
trojan |
Premium scan |
BDDT trojan |
| 32000 |
tcp |
applications |
Members scan |
BugtraqID: 791 - Artisoft XtraMail DoS vulnerability. Control port can be overflowed with long usernames.
BDDT trojan also uses this port.
Port also used by:
Merak WebMail server, Mercur Messaging, Java Wrapper Service |
| 32001 |
tcp |
trojan |
Premium scan |
Donald Dick trojan |
| 32100 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: Peanut Brittle, Project nEXT |
| 32121 |
tcp |
trojan |
Premium scan |
backdoor.berbew.j trojan |
| 32418 |
tcp |
trojan |
Members scan |
Peanut Brittle, Project nEXT, Acid Battery trojan horse |
| 32440 |
tcp |
trojan |
Premium scan |
Backdoor.Alets.B trojan |
| 32768 |
tcp,udp |
first-os-ports |
not scanned |
first ports typically used for outgoing connections by some Linux distros like Red Hat: see /etc/rc.d/init.d/network and /proc/sys/net/ipv4/ip_local_port_range
Hacker's Paradise trojan also uses port 32768 (TCP). |
| 32769 |
tcp,udp |
first-os-ports |
not scanned |
first ports typically used for outgoing connections by some Linux distros like Red Hat: see /etc/rc.d/init.d/network and /proc/sys/net/ipv4/ip_local_port_range |
| 32770 |
tcp,udp |
first-os-ports |
not scanned |
first ports typically used for outgoing connections by some Linux distros like Red Hat: see /etc/rc.d/init.d/network and /proc/sys/net/ipv4/ip_local_port_range |
| 32791 |
tcp |
trojans |
Premium scan |
Backdoor.Acropolis - 02.16.2001. Remote access trojan, affects all current Windows versions. Listens on ports 32791, 45673. |
| 33270 |
tcp |
trojan |
Premium scan |
Trinity trojan |
| 33291 |
tcp |
trojan |
Premium scan |
RemoteHak trojan |
| 33322 |
tcp |
trojans |
Members scan |
Trojan.Lodeight.B (01.26.2006) - trojan horse that attempts to download a W32.Beagle variant and opens a backdoor on the compromised computer. Opens a backdoor and listens for remote commands on port 33322/tcp. |
| 33333 |
tcp |
trojans |
Members scan |
W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.
Backdoor.Selka (11.12.2004) - backdoor program, can affect all current Windows versions. Listens on port 33333.
Some older trojans/backdoors that also use this port: Blakharaz, Prosiak |
| 33390 |
tcp |
trojan |
Premium scan |
Unknown Trojan |
| 33434-33523 |
udp |
traceroute |
not scanned |
incoming traceroute |
| 33545 |
tcp |
trojan |
Premium scan |
G.R.O.B. trojan |
| 33567 |
tcp |
trojans |
Premium scan |
Lion, T0rn Rootkit |
| 33568 |
tcp |
trojans |
Premium scan |
Lion, T0rn Rootkit |
| 33577 |
tcp |
trojan |
Members scan |
Son of PsychWard trojan |
| 33777 |
tcp |
trojan |
Members scan |
Son of PsychWard trojan |
| 33911 |
tcp |
trojan |
Members scan |
Spirit 2001a trojan horse |
| 34312 |
tcp |
trojan |
Premium scan |
Delf trojan |
| 34313 |
tcp |
trojan |
Premium scan |
Delf trojan |
| 34324 |
tcp |
trojans |
Premium scan |
Port used by BigGluck aka TN, Tiny Telnet Server. |
| 34330 |
tcp |
trojans |
Premium scan |
W32.Myfip.AB (04.08.2005) - network aware worm that steals files from compromised computers. Sends files to a remote server on port 34330/tcp. |
| 34343 |
tcp |
trojan |
Premium scan |
Osiris trojan |
| 34444 |
tcp |
trojan |
Premium scan |
Donald Dick trojan |
| 34555 |
udp |
trojan |
Premium scan |
Trin00 trojan (Windows DDoS) |
| 34570 |
udp |
adaptec |
not scanned |
Adaptec Storage Manager |
| 34571 |
tcp |
serveraid |
not scanned |
ServeRAID Manager |
| 34572 |
tcp |
applications |
not scanned |
ServeRAID Manager
IBM Director 5.10 |
| 34763 |
tcp |
trojan |
Premium scan |
Infector trojan |
| 35000 |
tcp |
trojan |
Premium scan |
Infector trojan |
| 35332 |
tcp,udp |
bribble |
not scanned |
Bribble Chat |
| 35555 |
udp |
trojan |
not scanned |
Trin00 trojan (Windows DDoS) |
| 35600 |
tcp |
trojan |
Premium scan |
SubSARI trojan |
| 36183 |
tcp |
trojan |
Premium scan |
Backdoor.Lifefournow trojan |
| 36311 |
tcp |
trojans |
Premium scan |
W32.Mytob.FX@mm (06.23.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 36311/tcp. Also runs an FTP server on port 10099/tcp. |
| 36794 |
tcp |
trojans |
Premium scan |
Port used by W32.Bugbear@mm - mass-mailing worm, also spreading through network shares, 10.2003. Affects all current Windows versions. The worm also attempts to terminate the processes of various antivirus and firewall programs and opens a backdoor service on port 36794. |
| 36987 |
tcp,udp |
robocode |
not scanned |
Robocode - an educational game, intended to help gamers learn Java programming. |
| 37237 |
tcp |
trojan |
Premium scan |
Mantis trojan |
| 37266 |
tcp |
trojan |
Premium scan |
The Killer Trojan |
| 37651 |
tcp |
trojan |
Premium scan |
YAT trojan horse |
| 37653 |
tcp |
trojan |
Premium scan |
YAT trojan |
| 37892 |
tcp,udp |
applications |
not scanned |
devel/haddock 0.2 |
| 38080 |
tcp,udp |
applications |
not scanned |
hpcmips, JBoss Application Server |
| 38121 |
tcp,udp |
applications |
not scanned |
Squid - a caching proxy server for the Web supporting HTTP, HTTPS, FTP, Telnet and SSL. It reduces bandwidth and improves response times by caching repeated requests. Squid is free software, intended to run on Unix-like systems but it also runs on Windows-based systems.
Cabal Server Online also uses this port. |
| 38741 |
tcp |
trojan |
Premium scan |
CyberSpy trojan |
| 38742 |
tcp |
trojan |
Premium scan |
CyberSpy |
| 39507 |
tcp |
trojan |
Premium scan |
Busters trojan |
| 39581 |
tcp |
trojans |
Premium scan |
Backdoor.WinShell.50.b - remote access trojan, 08.11.2003. Affects all current Windows versions, listens on port 39581. It is a variant of Backdoor.WinShell.50 (port 8719) and usually packed along with Trojan.Stealther.B. |
| 39780 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.O (10.10.2005) - a backdoor trojan that also runs a keylogger.
Opens a backdoor and listens for remote commands on port 39780/tcp. Also logs information and sends captured keystrokes to predetermined websites/emails. |
| 39999 |
tcp |
trojans |
Members scan |
Trojan.Mitglieder.C - Mail Relay trojan, 01.20.2004. Affects all current Windows versions, listens on port 39999. Opens a mail relay on your computer (allowing others to use it to send unsolicited commercial email). The Trojan also downloads and executes PWSteal.Ldpinch. |
| 40071 |
tcp |
trojan |
Premium scan |
Ducktoy trojan |
| 40116 |
tcp,udp |
applications |
not scanned |
GMPlayer - application uses port 40116 for downloading/upstreaming music, audio and/or video files from the Internet. |
| 40308 |
tcp |
trojan |
Premium scan |
SubSARI trojan |
| 40404 |
tcp |
trojans |
Members scan |
W32.Randex.DFJ (04.06.2005) - network-aware worm that spreads via network shares exploiting weak passwords. Opens a backdoor on port 40404/tcp and connects to an IRC server on the tunit.p2p.com.hk domain. It can be remotely controlled via IRC. |
| 40412 |
tcp |
trojan |
Premium scan |
The Spy trojan horse |
| 40421-40426 |
tcp |
trojans |
Premium scan |
Master's Paradise - remote access trojan, 03.1998. Affects Windows, uses ports 31, 3129, 40421-40426.
Port 40421/tcp also used by Agent 40421 trojan. Check port 30/tcp as well. |
| 40999 |
tcp |
trojan |
Premium scan |
DiemsMutter trojan |
| 41337 |
tcp |
trojan |
Premium scan |
Storm trojan |
| 41626 |
tcp |
trojan |
Premium scan |
Shah trojan |
| 41666 |
tcp,udp |
trojan |
Premium scan |
Remote Boot trojan horse |
| 41952 |
tcp,udp |
applications |
not scanned |
TVersity Media Player - this application uses port 41952 to download video, audio and/or music files from the Internet. You can run TVersity on PCs, as well as on Playstations, Nintendo Wii, and the Xbox 360.
BitTorrent also uses this port. |
| 42424 |
tcp |
applications |
not scanned |
ASP.NET Session State, ASP.NET State Service |
| 42508 |
tcp,udp |
candp |
not scanned |
Computer Associates network discovery protocol |
| 42509 |
tcp,udp |
candrp |
not scanned |
Computer Associates discovery response |
| 42510 |
tcp,udp |
caerpc |
not scanned |
Computer Associates eTrust RPC |
| 42511 |
tcp |
inoculateit |
not scanned |
eTrust AV - default port for Computer Associates' eTrust antivirus, a.k.a. InoculateIT. |
| 43210 |
tcp |
trojan |
Premium scan |
Master's Paradise, Schoolbus 1.6 / 2.0 trojan horse |
| 43287 |
tcp |
trojans |
Members scan |
W32.Mytob.KU@mm (10.18.2005) - a mass-mailing worm that uses its own SMTP engine, has backdoor capabilities, and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 43287/tcp.
Also: W32.Mytob.KR@mm (10.18.2005) |
| 43720 |
udp |
trojan |
not scanned |
KiLo trojan |
| 43958 |
tcp |
applications |
Members scan |
Serv-U FTP Server
Trojans that use this port:
Backdoor.ServU-based (AVP), Backdoor.ServU.B (Central Command), Troj/Vicwor-A, BKDR_ServU_ey |
| 44014 |
tcp,udp |
trojan |
not scanned |
Iani trojan |
| 44280,44390 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 44334 |
tcp,udp |
tiny firewall |
Members scan |
Remote administration port used by Tiny Personal Firewall, and Kerio Personal firewall.
See a possible exploit here: http://www.securiteam.com/exploits/5HP0A2AA1Y.html
Also see: Kerio's hidden "Internal Traffic Rules" for open ports not displayed in the Personal Firewall GUI. |
| 44444 |
tcp |
trojan |
Members scan |
Prosiak trojan horse |
| 44501 |
tcp |
kerio |
Members scan |
Port used by Kerio Personal Firewall pop-up blocking. It uses a script to send information about blocked pages?
Also see: Kerio's hidden "Internal Traffic Rules" for open ports not displayed in the Personal Firewall GUI. |
| 44575 |
tcp |
trojan |
Premium scan |
Exploiter trojan |
| 44767 |
tcp,udp |
trojan |
not scanned |
School Bus trojan |
| 45092 |
tcp |
trojan |
Premium scan |
BackGate Kit |
| 45100 |
tcp,udp |
applications |
not scanned |
Limewire client magnet, Azureus |
| 45454 |
tcp |
trojan |
Premium scan |
Osiris trojan |
| 45559 |
tcp |
trojan |
Premium scan |
Maniac rootkit trojan |
| 45632 |
tcp |
trojan |
Premium scan |
Little Witch trojan |
| 45673 |
tcp |
trojans |
Premium scan |
Backdoor.Acropolis - 02.16.2001. Remote access trojan, affects all current Windows versions. Listens on ports 32791, 45673. |
| 45682 |
tcp,udp |
applications |
not scanned |
pseudo-default uTorrent port |
| 46626 |
tcp |
trojan |
Premium scan |
Psychward trojan |
| 46666 |
tcp,udp |
trojan |
not scanned |
Taskman trojan |
| 46882 |
tcp |
trojan |
Premium scan |
Psychward trojan |
| 47017 |
tcp |
trojan |
Premium scan |
T0rn Rootkit trojan |
| 47252 |
tcp |
trojan |
Premium scan |
Delta Source trojan |
| 47262 |
udp |
trojan |
not scanned |
Delta Source trojan horse (UDP) |
| 47387 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 47624 |
tcp,udp |
applications |
not scanned |
Battlecom |
| 47698 |
tcp |
trojan |
Premium scan |
KiLo trojan |
| 47785 |
tcp,udp |
trojan |
not scanned |
KiLo trojan |
| 47891 |
tcp |
trojans |
Premium scan |
Backdoor.AntiLam - remote access trojan, 08.2002. Affects all current Windows versions, listens on ports 29999 and 47891. |
| 48000 |
tcp,udp |
nimcontroller |
not scanned |
Nimbus Controller |
| 48002 |
tcp,udp |
nimhub |
not scanned |
Nimbus Hub |
| 48003 |
tcp,udp |
nimgtw |
not scanned |
Nimbus Gateway |
| 48004 |
tcp |
trojan |
Premium scan |
Fraggle Rock trojan |
| 48006 |
tcp |
trojan |
Premium scan |
Fraggle Rock trojan |
| 48049 |
tcp,udp |
3gpp |
not scanned |
3GPP Cell Broadcast Service Protocol |
| 48094 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.M (07.12.2005) - a trojan with backdoor capabilities that runs a keylogger, sends information periodically to a remote server (via http), and also blocks access to security-related websites. Listens for remote commands on port 48094/tcp. |
| 48512 |
tcp |
trojan |
Premium scan |
Arctic trojan |
| 49000 |
tcp |
trojan |
Premium scan |
Fraggle Rock trojan |
| 49152 |
tcp,udp |
applications |
Members scan |
As the first port in the dynamic/private range (49152-65535), this port is commonly used by applications that utilize a dynamic/random/configurable port.
uTorrent, and Azureus/Vuze p2p torrent clients often use this port. |
| 49153 |
tcp |
applications |
not scanned |
ANTLR, ANother Tool for Language Recognition, (formerly PCCTS) - a parser generator for recognizing languages |
| 49159 |
tcp,udp |
applications |
Premium scan |
Bonjour for Windows - employed by iTunes and iChat for sharing files between Windows and Mac OS. |
| 49160 |
tcp,udp |
applications |
not scanned |
SJPhone (VoIP softphone), Azureus/Vuze BitTorrent client |
| 49165 |
tcp,udp |
applications |
not scanned |
Siebel Server - Siebel Customer Relationship Management application |
| 49301 |
tcp |
trojan |
Premium scan |
Online Keylogger (TCP) |
| 49495 |
tcp |
trojans |
Premium scan |
Backdoor.Danrit (11.16.2005) - a trojan that opens a backdoor and logs keystrokes. Opens a backdoor on port 49495/tcp. |
| 49683 |
tcp,udp |
trojan |
not scanned |
Fenster trojan (a.k.a. Trojan.Win32.Fenster, Backdoor.Fenster.21) |
| 49698 |
udp |
trojan |
not scanned |
KiLo trojan |
| 50000 |
tcp |
trojans |
Premium scan |
Infector, SubSARI |
| 50001 |
tcp,udp |
applications |
not scanned |
Java Remote Shell Server, Zotero, IBM DB2 |
| 50005 |
tcp |
trojan |
Premium scan |
Trojan.Fulamer.25 |
| 50021 |
tcp |
trojan |
Premium scan |
Optix Pro trojan |
| 50130 |
tcp |
trojan |
Premium scan |
Enterprise trojan |
| 50505 |
tcp |
trojans |
Premium scan |
Sockets des Trois2 trojan. Typically uses ports 5000, 5001, 30303, and 50505. Includes a remote administration tool like Back Orifice and NetBus, so it has a server portion (spread with a virus) and a client portion. |
| 50551 |
tcp |
trojan |
Premium scan |
R0xr4t trojan |
| 50552 |
tcp |
trojan |
Premium scan |
R0xr4t trojan |
| 50766 |
tcp |
trojans |
Premium scan |
Fore remote access trojan - ports 21, 50766
Schwindler remote access trojan - ports 21554, 50766 |
| 50776 |
tcp |
trojans |
Premium scan |
Fore, Fore 1.0, Remote Windows Shutdown |
| 50829 |
tcp,udp |
trojan |
not scanned |
KiLo trojan |
| 51210 |
tcp |
applications |
not scanned |
Dialpad |
| 51234 |
tcp |
trojans |
Premium scan |
Backdoor.Cyn - remote access trojan, 08.2002. Affects all current Windows versions, listens on ports 15432 and 51234.
Port also used by TeamSpeak server to telnet remotely. |
| 51413 |
tcp,udp |
p2p |
Premium scan |
Commonly used by Transmission BitTorrent Client. |
| 51435 |
tcp |
trojans |
Members scan |
W32.Kalel.A@mm (05.24.2005) - mass-mailing worm that uses its own SMTP engine, also spreads through file-sharing networks. Opens a backdoor for remote access on port 51435/tcp. |
| 51966 |
tcp |
trojans |
Premium scan |
Trojan Cafeini |
| 51996 |
tcp |
trojan |
not scanned |
CafeIni trojan horse (TCP) |
| 52001 |
tcp,udp |
applications |
not scanned |
Xlockmore, which is the maintained edition of Xlock, makes use of port 52001 to administer an X server network. Xlock prevents illegal access to the X server while the user is still keying in his or her password.
Jabber Session Manager (JSM) also employs port 52001 for administering instant messaging activities. |
| 52028 |
tcp,udp |
applications |
not scanned |
Altiris Agent for Linux, Mac and Unix
BibleTime for Linux |
| 52179 |
tcp |
trojans |
Premium scan |
Backdoor.Tjserv.D (10.04.2005) - a backdoor trojan that acts as a HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens a HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp. |
| 52317 |
tcp |
trojans |
Premium scan |
Port used by: Acid Battery 2000 trojan |
| 52365 |
tcp |
trojan |
Premium scan |
Way trojan |
| 52901 |
udp |
trojan |
Premium scan |
Possibly the Omega DDoS tool. |
| 53001 |
tcp |
trojans |
Premium scan |
Remote Windows Shutdown trojan horse |
| 53217 |
tcp |
trojan |
Premium scan |
Acid Battery 2000 trojan horse (TCP) |
| 53535,53540,53541 |
tcp,udp |
activepdf |
not scanned |
Port used by ActivePDF software - automates PDF generation process from different sources, such as a website
ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541 |
| 54283 |
tcp |
trojan |
Premium scan |
Trojans using this port:
BackDoor-G, SubSeven, Sub7(*) (TCP) |
| 54320 |
udp |
trojan |
not scanned |
Back Orifice 2000, BO2K(*) trojan horse (UDP) |
| 54321 |
tcp |
trojans |
Premium scan |
Trojans using this port:
Schoolbus .69-1.11, 1.6, 2.0 (TCP)
Back Orifice 2000, BO2K(*) (TCP/UDP) |
| 54321 |
udp |
loadavg |
not scanned |
UDP port used by "loadavg" - a service that replies with the load average of a machine. |
| 54345 |
tcp |
loadrunner |
not scanned |
Port used by HP LoadRunner for checking performance and behavior of a system when under load. |
| 55000 |
tcp,udp |
trojans |
Premium scan |
Backdoor.Roxe - remote access trojan, 09.27.2004. Affects all current Windows versions, exploits the MS GDI+ Library vulnerability: MS Security Bulletin MS04-028. Listens on port 55000/tcp.
Port also used by Windows Home Server for managing the various components of the home network.
Port also used by some versions of uTorrent by default. |
| 55165 |
tcp |
trojans |
Premium scan |
Some trojans use this port: File Manager trojan, WM Trojan Generator |
| 55166 |
tcp |
trojan |
Premium scan |
WM Trojan Generator |
| 55555 |
tcp |
trojan |
Premium scan |
Shadow Phyre trojan |
| 55665 |
tcp |
trojans |
Premium scan |
Latinus, Pinochet |
| 55666 |
tcp |
trojans |
Premium scan |
Latinus, Pinochet |
| 56565 |
tcp |
trojans |
Premium scan |
Backdoor.Osirdoor - remote access trojan, 08.2002. Affects all current Windows versions. |
| 56789 |
tcp |
trojans |
Basic scan |
Worm:Win32/Autorun.OA worm - it may change the computer system date, delete other programs, or connect to a remote site and await commands from a remote attacker. Opens a backdoor and attempts to connect to 'rj.rufang2005.cn' using TCP port 56789. |
| 57005 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Cirebot - 08.02.2003. Trojan that exploits the MS DCOM vulnerability and installs a backdoor. Uses ports 445 & 69, opens port 57005. |
| 57163 |
tcp |
trojan |
Premium scan |
BlackRat |
| 57341 |
tcp |
trojans |
Premium scan |
Port used by NetRaider trojan. |
| 57588 |
tcp,udp |
gtk |
not scanned |
Gtk#
The Gtk# GUI toolkit from Novell employs port 57588 to connect with its host site. It contains a collection of .NET bindings and an assortment of GNOME libraries. |
| 57785 |
tcp |
trojan |
Premium scan |
G.R.O.B. |
| 58008 |
tcp |
trojans |
Premium scan |
Backdoor.Tron - remote access trojan, 06.2002. Affects all current Windows versions, has the ability to kill software firewall processes. |
| 58009 |
tcp |
trojan |
Premium scan |
Backdoor.Tron - remote access trojan, 06.2002. Affects all current Windows versions, has the ability to kill software firewall processes. |
| 58134 |
tcp |
trojan |
Premium scan |
Charge trojan |
| 58339 |
tcp |
trojan |
Members scan |
ButtFunnel trojan horse (TCP) |
| 58343 |
tcp |
trojans |
Premium scan |
Backdoor.Prorat - Delphi remote access trojan, 06.2003. Affects Windows. It opens port 58343 by default. |
| 58641 |
tcp |
trojans |
Premium scan |
W32.Kalel.B@mm (06.15.2005) - mass-mailing worm with keylogger and backdoor capabilities. Spreads through email and file-sharing networks. Opens a backdoor and listens for remote commands on port 58641/tcp. |
| 58666 |
tcp |
trojans |
Premium scan |
Backdoor.Redkod - remote access trojan, 02.2003. Affects all current Windows versions. |
| 59000 |
tcp,udp |
applications |
not scanned |
Tekkotsu, Cisco Agent Desktop
Tekkotsu is an open-source environment for the programming of robots.
Cisco Agent Desktop is an application for Computer Telephony Integration (CTI). |
| 59211 |
tcp |
trojans |
Premium scan |
Backdoor.Ducktoy - remote access trojan, 07.2002. Affects all current Windows versions, listens to ports 29559 and 59211 by default. |
| 60000 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: DeepThroat/BackDoor-J, F0replay/WiNNUke eXtreame, Sockets des Troie |
| 60000 |
udp |
sco |
not scanned |
SCO Copy Protection Demon (CPD)
Among the products protected by SCO CPD are the SCO UnixWare, SCO OpenServer, Smallfoot, SCOoffice Server, WebFace, SCOx Web Services Substrate, Me Inc., and Caldera WebSpyder. |
| 60001 |
tcp |
trojans |
Premium scan |
Some trojans that use this port: Entitee trojan, Trinity trojan - DOS |
| 60001 |
udp |
nat-traverse |
not scanned |
nat-traverse, Vorsis
The nat-traverse application utilizes UDP port 60001 to pass through NAT gateways to generate links between nodes located behind these gateways.
Vorsis audio processors employ UDP and TCP port 60001 to communicate with their host. |
| 60006 |
tcp |
trojan |
Premium scan |
Trojan.Fulamer.25 |
| 60008 |
tcp |
trojans |
Premium scan |
T0rn Rootkit, Lion Trojan - exploits Linux Bind servers' TSIG vulnerability |
| 60068 |
tcp |
trojans |
Premium scan |
Xzip trojan, T0rn rootkit |
| 60411 |
tcp |
trojan |
Premium scan |
Connection trojan |
| 60551 |
tcp |
trojan |
Premium scan |
R0xr4t |
| 60552 |
tcp |
trojan |
Premium scan |
R0xr4t |
| 60666 |
tcp |
trojan |
Premium scan |
Basic Hell trojan |
| 61000 |
tcp |
trojans |
Premium scan |
Backdoor.Mite - remote access trojan, 09.2002. Affects all current Windows versions, listens on port 61000. |
| 61115 |
tcp |
trojan |
Premium scan |
Protoss trojan |
| 61337 |
tcp |
trojan |
Premium scan |
Nota trojan |
| 61348 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 61440 |
tcp |
trojan |
Premium scan |
Orion trojan |
| 61446 |
tcp |
trojans |
Premium scan |
Port used by Telecommando remote access trojan. |
| 61466 |
tcp |
trojans |
Premium scan |
Telecommando trojan |
| 61603 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 61616 |
tcp,udp |
activemq |
not scanned |
Apache ActiveMQ, Java Message Service (JMS) |
| 61695 |
tcp,udp |
surfcontrol |
not scanned |
SurfControl Web Filter - uses port 61695 to establish communication with Juniper Networks Security Devices |
| 61746 |
tcp,udp |
trojan |
not scanned |
KiLo trojan |
| 61747 |
tcp,udp |
trojan |
not scanned |
KiLo trojan horse |
| 61748 |
udp |
trojan |
not scanned |
KiLo trojan horse |
| 61979 |
tcp |
trojan |
Premium scan |
Cool Remote Control trojan horse |
| 62011 |
tcp |
trojan |
Premium scan |
Ducktoy trojan |
| 62078 |
tcp,udp |
upnp |
not scanned |
UPnP (Universal Plug and Play), iTunes
Port used by UPnP for multimedia file sharing, also used for synchronizing iTunes files between devices. |
| 62514 |
udp |
vpn |
not scanned |
Cisco VPN Service to Cisco Systems IPSec Driver |
| 62515 |
udp |
vpn |
not scanned |
Cisco VPN Client - also employs Network Admission Control (NAC) |
| 62516 |
udp |
ireike |
not scanned |
IREIKE, SonicWall VPN, NetScreen Remote Client
Port 62516 is used for communications between the IKE service and driver for interface detection. The IKE service sends a broadcast, and it should be blocked by the driver. But if DNE (Deterministic NDIS) is not bound to an interface, this broadcast will be sent out. |
| 63000,63001 |
tcp |
trojans |
Premium scan |
W32.Gaobot.ADX - Worm that spreads through a few different methods, including open network shares, several known Windows vulnerabilities, and other backdoors like Beagle and Mydoom. It can affect all current Windows versions, discovered 04-2004.
The worm can act as a backdoor server program and attack other systems; it also attempts to kill the processes of many antivirus and security applications. It runs the following network services:
HTTP proxy on TCP port 63000
HTTPS proxy on TCP port 63001
SOCKS proxy on TCP port 30001
FTP server on randomly chosen TCP port |
| 63485 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 63808 |
tcp |
trojan |
Premium scan |
Phatbot |
| 63809 |
tcp |
trojans |
Premium scan |
Phatbot, W32.hllw.gaobot.dk worm |
| 64087 |
udp |
games |
not scanned |
Crysis game uses this port.
The ports for Crysis are as follows:
TCP 29900, 29901, 28910, 6667
UDP 64087
When hosting a server the following ports are used:
TCP 29900, 29901, 28910, 443, 80
UDP 64087, 29910, 27900, 27901 |
| 64101 |
tcp |
trojans |
Premium scan |
Taskman trojan |
| 64320 |
tcp,udp |
activepdf |
not scanned |
Port used by ActivePDF software - automates PDF generation process from different sources, such as a website
ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541 |
| 64429 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 64444 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AM (01.28.2005) - worm with backdoor and denial of service capabilities. Spreads via network shares. Connects via IRC and listens on port 64444/tcp. |
| 65000 |
tcp |
trojans |
Premium scan |
Devil 13, Sockets des Troie, Stacheldraht trojans |
| 65000 |
udp |
trojans |
not scanned |
Devil trojan horse 1.03 |
| 65001 |
tcp,udp |
hdhomerun |
not scanned |
HDHomeRun DVR from SiliconDust uses this port. HDHomeRun can be administered over the Ethernet link to tune channels, broadcast an MPEG stream, etc. The device can be viewed/controlled through a range of Linux/Windows DVR/PVR programs.
List of all used ports:
Discovery Protocol - UDP 65001
Control Protocol - TCP 65001
Video stream - UDP 5002 and UDP 5004
LIRC for IR on HD Homerun - UDP 5000 |
| 65100 |
tcp,udp |
applications |
not scanned |
Port used by the Sage Act! customer and contact manager. Port 65100 serves Act! as a link that offers remote access to information in the enterprise network. Act! can also be integrated into business programs such as accounting tools and MS Office. |
| 65111 |
tcp |
trojans |
Premium scan |
Backdoor.Microkos (08.10.2005) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp. |
| 65112 |
tcp,udp |
tv-multicast |
not scanned |
Port used by One-to-One TV over IP Multicast. Used for IP-based multimedia "chunk streaming", extending the capability of multimedia streaming to provide every client with individual content over the Internet. |
| 65289 |
tcp |
trojan |
Premium scan |
yoyo trojan horse |
| 65301 |
tcp |
pcanywhere |
Premium scan |
Port used by PC Anywhere |
| 65390 |
tcp |
trojans |
Premium scan |
Xylo Eclypse trojan |
| 65421 |
tcp |
trojans |
Premium scan |
Alicia trojan, Jade trojan packed with neolite |
| 65422 |
tcp |
trojan |
Premium scan |
Alicia trojan horse |
| 65432 |
tcp |
trojans |
Premium scan |
Port used by The Traitor (th3tr41t0r) trojan. Also uses port 65532/udp |
| 65506 |
tcp |
trojans |
Premium scan |
Port 65506 is used by some trojans for a spam email relay.
PhatBot (a.k.a. Agobot, Gaobot) - most variants exploit the MS DCOM RPC vulnerability (MS Security Bulletin MS03-026) and the RPC locator vulnerability (MS Security Bulletin MS03-001) to spread. Some variants scan port 65506 for a possible backdoor. |
| 65530 |
tcp |
trojan |
Members scan |
[trojan] Windows Mite |
| 65532 |
udp |
trojans |
Premium scan |
Port used by The Traitor (th3tr41t0r) trojan. Also uses port 65432/tcp |
| 65534 |
tcp |
trojans |
Premium scan |
[trojan] /sbin/initd - reported on Linux hosts as a hacked backdoor along with tcp port 1049
Port also used by NetMeeting with H323 |
| 65535 |
tcp |
trojans |
Premium scan |
Port used by ShitHeep and Remote Control (RC) trojans. |
Total vulnerabilities listed: 1543 (some use multiple ports)
|