The Broadband Guide
SG
search advanced

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

 1 | 2 | 3 | 4 | 5 | 6 |....| 54 
Port(s) Protocol Service Scan level Description
 0 tcp,udp not scanned Port 0 is reserved by IANA, it is technically invalid to use, but possible. It is sometimes used to fingerprint machines, because different operating systems respond to this port in different ways. Some ISPs may block it because of exploits. Port 0 can be used by applications when calling the bind() command to request the next available dynamically allocated source port number.
 1 udp tcpmux not scanned TCP Port Service Multiplexer (IANA registered)

Sockets des Troie remote access trojan uses this port (a.k.a. Backdoor.Sockets23, Lame, Backdoor.Kamikaze, IRC_trojan, TROJ_Backdoor, W32/Cheval.gen, coded in Delphi 3, 06.1998). It might also use ports 1/udp, 5000, 5001, 30303, 50505, 60000 and 65000.
 1 tcp tcpmux Premium scan Scans against this port are commonly used to test if a machine runs SGI Irix (as SGI is the only system that typically has this enabled). This service is almost never used in practice.

RFC1078 - TCPMUX acts much like Sun's portmapper, or Microsoft's end-point mapper in that it allows services to run on arbitrary ports. In the case of TCPMUX, however, after the "lookup" phase, all further communication continues to run over that port.

builtins.c in Xinetd before 2.3.15 does not check the service type when the tcpmux-server service is enabled, which exposes all enabled services and allows remote attackers to bypass intended access restrictions via a request to tcpmux port 1 (TCP/UDP).
References: [CVE-2012-0862] [BID-53720] [OSVDB-81774]

Trojans that use this port: Breach.2001, SocketsDeTroie

Also see: CERT: CA-95.15.SGI.lp.vul
 2 tcp compressnet Premium scan trojans that use this port: Death remote access trojan (coded in VB, afects Windows 9x), port can be changed. Files: death.exe, config.cfg

America's Army, Operation Flashpoint also use this port.

Port 2 is also registered with IANA for compressnet management utility.
 3 tcp,udp compressnet not scanned Delta Force uses port 3 (TCP)
Midnight Commander
SynDrop trojan

Backdoor.Win32.Quux / Weak Hardcoded Credentials - the malware listens on TCP port 3. Authentication is required, however the password "Faraon" translated from Romanian as "Pharaoh" is weak and hardcoded in cleartext within the PE file. Third-party adversaries who can reach an infected host can call commands made available by the backdoor. Commands include uploading files and code execution. Theres a need to code a custom client to communicate with the infected host as nc64.exe and telnet send LF characters and will fail authentication when sending credentials containing "\n" etc. Once connected if we send any files they will be written to Windows\System unless calling the "SetCurrDir" commmand.
References: [MVID-2022-0656]

Compression Process (IANA official)
 4 tcp sfs Basic scan Self-Certifying File System(SFS) sfssd acceps connections on TCP port 4 and passes them to the appropriate SFS daemon. SFS is a secure, global file system with completely decentralized control. SFS uses NFS 3 as the underlying protocol for file access.

America's Army also uses this port.

Midnight Commander sometimes uses port 4/tcp as well.
 5 tcp trojans Premium scan Incoming Routing Redirect Bomb, yoyo
 7 tcp Echo Members scan Echo Service, somewhat outdated by ICMP echo. Port just echoes whatever is sent to it. This feature can be used in many attacks, such as Smurf/Fraggle.

See also: [RFC862]
ICP - Internet Caching Protocol - This protocol is used by HTTP caching proxies in order to coordinate working together in a cluster. Part of this implementation includes bouncing packets off the echo port in order to test if the peers are alive.

Act P202S VoIP WiFi phone undocumented open port, multiple vulnerabilities.
References: [CVE-2006-0374], [CVE-2006-0375], [BID-16288]
 7 udp wol not scanned WOL (Wake on LAN) typically uses UDP port 7 or 9. LANDESK Management Suite uses port 0 for WOL.
 8 tcp trojan Premium scan Ping Attack
 9 tcp,udp,sctp Discard Members scan Discard server - this protocol is only installed on machines for test purposes. The service listening at this port (both TCP and UDP) simply discards any input.

WOL (Wake on LAN) typically uses UDP port 7 or 9 (LANDESK uses port 0).

Railroad Tycoon 3 also uses this port (TCP).

See also [RFC 863], [RFC 4960], [CVE-1999-0060]

Intrusions: Ascend kill
This exploit kills Ascend routers by sending them a specially formatted malformed TCP packet. On certain versions of the Ascend operating system, the router can be forced to cause an internal error, resulting in the router rebooting.
 10 tcp misc Premium scan AT&T 5268ac router may listen on port 10 TCP
 11 tcp,udp systat Premium scan system / active users information.

On some UNIX machines, creating a TCP connection to this port will dump the active processes and who launched them. The original intent for this was to make remote management of UNIX easier. However, intruders will query the systat information in order to map out the system.
This service is rarely available anymore because of these security concerns.
On UNIX, there are also local commands that show this information, such as systat or ps.

Skun trojan also uses this port.

See also: [RFC866]
 12 tcp games not scanned Dark Ages of Camelot
 13 tcp,udp Daytime Members scan Daytime service [RFC 867] - responds with the current time of day. Different machines respond with slightly different date/time format, so port can be used to fingerprint machines.

Dark and Light also uses this port.

Backdoor.Win32.Infexor.b / Remote Buffer Overflow - remote SEH Stack Buffer Overflow on HTTP server response when connecting to TCP Port 13.
References: [MVID-2021-0010]
 15 tcp,udp netstat Premium scan Port used by netstat (a variant of systat, see port 11). Rarely available because of security concerns. It can be used to list active processes and who launched them on some UNIX machines.

Port also used by B2 trojan.
 16 tcp trojan Premium scan Skun
 16 udp applications not scanned Observer is vulnerable to a denial of service, caused by a NULL pointer dereference when copying an octet string from a variable binding list. By sending a specially-crafted SNMP SetRequest PDU sent to UDP port 16, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-73909], [BID-52409]
 17 tcp,udp qotd not scanned Responds with Quote of the Day. See [RFC 865]

Skun trojan also uses this port.
 18 tcp,udp msp not scanned Message Send Protocol
Also: Remote Write Protocol (RWP)
Related RFCs: [RFC 1159] [RFC 1312] [RFC 1756]

Skun trojan also uses this port.
 19 tcp,udp Chargen Members scan Generates and replies with a stream of characters (TCP) or a packet containing characters (UDP). Should be disabled if there is no specific need for it, source for potential attacks. [RFC 864]

Skun trojan also uses this port.
 20 tcp,udp,sctp FTP - data Basic scan File Transfer Protocol - Data
See also [RFC 4960]

The default configuration of BenHur Firewall release 3 update 066 fix 2 allows remote attackers to access arbitrary services by connecting from source port 20.
References: [CVE-2002-2307] [BID-5279]

Some trojans also use this port: Amanda, Senna Spy FTP server.
 21 tcp FTP Basic scan File Transfer Protocol [RFC 959] - some network devices may be listening on this port, such as NAT routers for remote access/private cloud storage and network attached multi-function printers (scan to ftp feature).

Asus RT routers may open an internet accessible FTP server for USB-attached storage, configurable in administration panel under "USB Application > Servers Center > FTP Share"

Trojan horses/backdoors that also use this port: 7tp trojan, MBT, Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm [Symantec-2005-040915-5504-99], W32.Sober.N@mm [Symantec-2005-041910-4132-99], W32.Bobax.AF@mm [Symantec-2005-081611-4121-99] - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 21/tcp., and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.

W32.Loxbot.C [Symantec-2006-010515-3159-99] (2006-01-05)

FTP proxy server for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service (network connectivity loss) via a connection to port 21 with a large amount of random data.
References: [CVE-2002-0779]

TURCK BL20 / BL67 could allow a remote attacker to bypass security restrictions, caused by the use of hardcoded credentials for the FTP service. An attacker could exploit this vulnerability using TCP port 21 to gain administrative access to the device.
References: [CVE-2012-4697], [XFDB-84351]

The FTP service in QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Station before 2.0.1, has hardcoded credentials, which makes it easier for remote attackers to obtain access via a session on TCP port 21.
References: [CVE-2015-7261]

The FTP service on Janitza UMG 508, 509, 511, 604, and 605 devices has a default password, which makes it easier for remote attackers to read or write to files via a session on TCP port 21.
References: [CVE-2015-3968]

A vulnerability was discovered in Siemens OZW672 (all versions) and OZW772 (all versions) that could allow an attacker with access to port 21/tcp to access or alter historical measurement data stored on the device.
References: [CVE-2017-6872], [BID-99473]

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The two FTP services (default ports 21/tcp and 5411/tcp) of the SiNVR 3 Video Server contain a path traversal vulnerability that could allow an authenticated remote attacker to access and download arbitrary files from the server, if the FTP services are enabled.
References: [CVE-2019-19296]

Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can logon using any username/password combination. Attackers may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0205]

ReverseTrojan by satan_addict listens on TCP ports, 12000 and 21. The malware accepts empty credentials for authentication as the default settings are set to blank. Third-party attackers who can reach an infected host can potentially gain access to the machine before or if no password is set.
References: [MVID-2021-0256]

Backdoor.Win32.Wollf.16 / Authentication Bypass - the malware listens on TCP port 1015 and has an FTPD feature that when enabled listens on TCP port 21. Third-party attackers who can reach an infected system can logon using any username/password combination.
References: [MVID-2022-0462]

Backdoor.Win32.Hellza.120 / Unauthorized Remote Command Execution - the malware listens on TCP ports 12122, 21. Third-party adversarys who can reach infected systems can issue commands made available by the backdoor.
References: [MVID-2022-0641]
 21 udp FSP Basic scan FSP/FTP [RFC959]
 22 udp ssh Basic scan The Secure Shell (SSH) Protocol [RFC 4251]

Old verson of pcAnywhere uses port 22/udp (no relation to ssh and port 22/tcp).
The real pcAnywhere port is 5632. The value 0x0016 (hex) is 22 decimal; the value of 0x1600 (hex) is 5632 decimal. Some say that pcAnywhere had a byte-swapping bug that led to its incorrect use of port 22.
 22 tcp,sctp SSH Basic scan Secure Shell - most common use is command line access, secure replacement of Telnet. Could also be used as an encrypted tunnel for secure communication of virtually any service [RFC 4251], [RFC 4960]

freeSSHd 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a SSH2_MSG_NEWKEYS packet to TCP port 22, which triggers a NULL pointer dereference.
References: [CVE-2008-0852] [BID-27845] [SECUNIA-29002]

The SSH service on Dell PowerConnect 3348 1.2.1.3, 3524p 2.0.0.48, and 5324 2.0.1.4 switches allows remote attackers to cause a denial of service (device reset) or possibly execute arbitrary code by sending many packets to TCP port 22.
References: [CVE-2013-3594], [XFDB-90595], [BID-65070]

RUCKUS could allow a remote attacker to bypass security restrictions. An unauthenticated remote attacker with network access to port 22 can tunnel random TCP traffic to other hosts on the network via Ruckus devices. A remote attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access to the vulnerable application.
References: [XFDB-84626]

360 Systems contains a default hard-coded password in the image server series. By logging into the device via TCP port 22, a remote attacker could gain root privileges on the system to modify or upload video to play immediately and affect the emergency broadcast system in the United States.
References: [XFDB-82650], [BID-58338], [CVE-2012-4702]

Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.
References: [CVE-2016-8209], [XFDB-125665]

A privilege escalation vulnerability in the Secure Shell (SSH) subsystem in the StarOS operating system for Cisco ASR 5000 Series, ASR 5500 Series, ASR 5700 Series devices, and Cisco Virtualized Packet Core could allow an authenticated, remote attacker to gain unrestricted, root shell access. The vulnerability is due to missing input validation of parameters passed during SSH or SFTP login. An attacker could exploit this vulnerability by providing crafted user input to the SSH or SFTP command-line interface (CLI) during SSH or SFTP login. An exploit could allow an authenticated attacker to gain root privileges access on the router. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered via both IPv4 and IPv6 traffic. An established TCP connection toward port 22, the SSH default port, is needed to perform the attack. The attacker must have valid credentials to login to the system via SSH or SFTP. The following products have been confirmed to be vulnerable: Cisco ASR 5000/5500/5700 Series devices running StarOS after 17.7.0 and prior to 18.7.4, 19.5, and 20.2.3 with SSH configured are vulnerable. Cisco Virtualized Packet Core - Single Instance (VPC-SI) and Distributed Instance (VPC-DI) devices running StarOS prior to N4.2.7 (19.3.v7) and N4.7 (20.2.v0) with SSH configured are vulnerable. Cisco Bug IDs: CSCva65853.
References: [CVE-2017-3819], [BID-96913]

Including port 22 in the list of allowed FTP ports in Networking in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially enumerate internal host services via a crafted HTML page.
References: [CVE-2018-6082], [BID-103297]

A vulnerability has been identified in ROX II (All versions < V2.12.1). An authenticated attacker with a high-privileged user account access via SSH could circumvent restrictions in place and execute arbitrary operating system commands. Successful exploitation requires that the attacker has network access to the SSH interface in on port 22/tcp. The attacker must be authenticated to exploit the vulnerability. The vulnerability could allow an attacker to execute arbitrary code on the device.
References: [CVE-2018-13802], [BID-105545]

A vulnerability has been identified in ROX II (All versions < V2.12.1). An attacker with network access to port 22/tcp and valid low-privileged user credentials for the target device could perform a privilege escalation and gain root privileges. Successful exploitation requires user privileges of a low-privileged user but no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system.
References: [CVE-2018-13801], [BID-105545]

The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running. The Dropbear server is configured with a hard-coded user name and password combination of root / amroot. The server is configured to use password only authentication not cryptographic keys, however the firmware image contains an RSA host-key for the server. An attacker can exploit this vulnerability to gain root access to the Angstrom Linux operating system and modify any binaries or configuration files in the firmware. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7.
References: [CVE-2018-5399]

An issue was discovered in Valve Steam Link build 643. When the SSH daemon is enabled for local development, the device is publicly available via IPv6 TCP port 22 over the internet (with stateless address autoconfiguration) by default, which makes it easier for remote attackers to obtain access by guessing 24 bits of the MAC address and attempting a root login. This can be exploited in conjunction with CVE-2017-17878.
References: [CVE-2017-17877]

A vulnerability has been identified in SCALANCE SC-600 (V2.0). An authenticated attacker with access to port 22/tcp as well as physical access to an affected device may trigger the device to allow execution of arbitrary commands. The security vulnerability could be exploited by an authenticated attacker with physical access to the affected device. No user interaction is required to exploit this vulnerability. The vulnerability impacts the confidentiality, integrity and availability of the affected device.
References: [CVE-2019-10928]

Honeywell ControlEdge through R151.1 uses Hard-coded Credentials. According to FSCT-2022-0056, there is a Honeywell ControlEdge hardcoded credentials issue. The affected components are characterized as: SSH. The potential impact is: Remote code execution, manipulate configuration, denial of service. The Honeywell ControlEdge PLC and RTU product line exposes an SSH service on port 22/TCP. Login as root to this service is permitted and credentials for the root user are hardcoded without automatically changing them upon first commissioning. The credentials for the SSH service are hardcoded in the firmware. The credentials grant an attacker access to a root shell on the PLC/RTU, allowing for remote code execution, configuration manipulation and denial of service.
References: [CVE-2022-30318]

Backdoor.Win32.Bingle.b / Weak Hardcoded Credentials - the malware is packed using ASPack 2.11, listens on TCP port 22 and requires authentication. However, the password "let me in" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.
References: [MVID-2022-0643]

Some trojans also use this port: InCommand, Shaft, Skun
 23 tcp telnet Basic scan Telnet is one of the oldest Internet protocols and the most popular program for remote access to Unix machines. It has numerous security vulnerabilities [RFC 854]

Trojans that also use this port: Prosiak, Wingate, ADM worm, Aphex's Remote Packet Sniffer , AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants [Symantec-2003-050207-0707-99], Backdoor.Dagonit [Symantec-2005-092616-0858-99] (2005.09.26)

Stack-based buffer overflow in RabidHamster R2/Extreme 1.65 and earlier allows remote authenticated users to execute arbitrary code via a long string to TCP port 23.
References: [CVE-2012-1222], [BID-52061]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703]

Buffer overflow in the Remote command server (Rcmd.bat) in IpTools (aka Tiny TCP/IP server) 0.1.4 allows remote attackers to cause a denial of service (crash) via a long string to TCP port 23.
References: [CVE-2012-5345]

Hospira Lifecare PCA infusion pump running "SW ver 412" does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.
References: [CVE-2015-3459]

Zhuhai RaySharp firmware has a hardcoded root password, which makes it easier for remote attackers to obtain access via a session on TCP port 23 or 9000.
References [CVE-2015-8286]

Hughes satellite modems contains default telnet service (port 23) account credentials. A remote attacker could exploit this vulnerability to gain administrative access on affected devices.
References: [CVE-2016-9495], [XFDB-122123]

An issue was discovered in Cloud Media Popcorn A-200 03-05-130708-21-POP-411-000 firmware. It is configured to provide TELNET remote access (without a password) that pops a shell as root. If an attacker can connect to port 23 on the device, he can completely compromise it.
References: [CVE-2018-12072]

Telestar Digital GmbH Imperial and Dabman Series I and D could allow a remote attacker to gain elevated privileges on the system, caused by the use of weak passwords with hardcoded credentials in an undocumented Telnet service (Telnetd) that connects to Port 23. A remote attacker could exploit this vulnerability to gain root access to the gadgets' embedded Linux BusyBox operating system.
References: [CVE-2019-13473], [XFDB-166724]

Multiple C-Data OLT devices are vulnerable to a denial of service, caused by a shawarma attack. By sending random bytes to the telnet server on port 23, a remote attacker could exploit this vulnerability to cause the device to reboot.
References: [CVE-2020-29057], [XFDB-192290]

An issue was discovered on FiberHome HG6245D devices through RP2613. The telnet daemon on port 23/tcp can be abused with the gpon/gpon credentials.
References: [CVE-2021-27165]

TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser, a related issue to CVE-2019-16734. To connect, the telnet service is used on port 23 with the default password of 059AnkJ for the root account. The user can then download the filesystem through preinstalled BusyBox utilities (e.g., tar and nc).
References: [CVE-2021-37555]

Backdoor.Win32.Agent.oj / Unauthenticated Remote Command Execution - unauthenticated Remote Command Execution Description: The malware listens on TCP port 23, upon connection to an infected host third-party attackers get handed a remote shell.
References: [MVID-2021-0197]

Backdoor.Win32.Cafeini.b / Weak Hardcoded Credentials - the malware listens on TCP port 23. Authentication is required, however the credentials test:test are weak and hardcoded within the PE file.
References: [MVID-2022-0568]
 23 udp games not scanned Dungeon Siege II
 24 tcp priv-mail not scanned Port used by any private mail system.
Also used by the Back Orifice 2000 (BO2K) trojan as Control Port
 25 tcp SMTP Basic scan SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not running a mail server that you're aware of, there is a possibility your system is infected.

Integer overflow in Apple Safari [CVE-2010-1099], Arora [CVE-2010-1100], Alexander Clauss iCab [CVE-2010-1101], OmniWeb [CVE-2010-1102], Stainless [CVE-2010-1103] allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25.

List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy, Aji, Email Worms, Haebu Coceda, Loveletter, Neabi, Shtrilitz.
W32.Sober.I@mm [Symantec-2004-111900-1451-99] (2004.11.19) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp.
Trojan.Mitglieder.R [Symantec-2005-070117-2559-99] (2005.07.01) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp.
W32.Beagle.CX@mm [Symantec-2005-121511-1751-99] (2005.12.15) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E [Symantec-2005-110111-3344-99]. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Backdoor.Rustock [Symantec-2006-060111-5747-99] (2006.06.01) - backdoor program that allows the compromised computer to be used as a proxy, uses rootkit techniques to hide its files and registry entries.

NJStar Communicator is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MiniSMTP server when processing packets. By sending a specially-crafted request to TCP port 25, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2011-4040], [XFDB-71086], [BID-50452]

Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended.
References: [CVE-2021-43270]

Trojan.Win32.Barjac / Remote Stack Buffer Overflow - Trojan.Win32.Barjac makes SMTP connection to Port 25, upon processing the server response we control, we overwrite instruction pointer (EIP), undermining the integrity of the trojan.
References: [MVID-2021-0011]
 25 udp games not scanned Final Fantasy XI
 26 tcp rsftp Members scan Port used by RSFTP - a simple FTP-like protocol.

Sometimes also used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol).

An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to start a Linux telnetd as root on port 26/tcp by using the CLI interface commands of ddd and shell (or tshell).
References: [CVE-2021-27171]
 26 udp games not scanned Dungeon Siege II
 27 tcp trojan Premium scan Assasin

Backdoor.Amitis [Symantec-2003-010717-1940-99] (2003.01.07) Windows remote access trojan. Listens on ports 27, 551. Other variants of Backdoor.Amitis also use ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429.
 28 tcp Premium scan Palo Alto Networks Panorama HA (High Availability) uses these ports:
28/tcp - HA1 control link for SSH over TCP encrypted communication
28260/tcp, 28769/tcp - used for HA1 control link for clear text communication between HA peer firewalls
28770/tcp - Panorama HA1 backup sync port
28771/tcp - heartbeat backups
29781/udp - HA2 link to synchronize sessions, table forwarding, IPSec, ARP tables

AltaVista Firewall97 accepts connections on ports 26,27,28 and 29, this can be used to fingerprint the type of firewall in use.

Amanda trojan uses port 28/tcp.
 30 tcp trojans Premium scan Agent 40421 trojan. Also uses port 40421/tcp

ATC Battlefield 1942 (TCP/UDP), ATC Ghost Recon 2 (TCP/UDP), ATC Splinter Cell Chaos Theory (TCP/UDP), developer: Foolish Entertainment
 31 tcp msg-auth Members scan MSG Authentication

Delta Force also uses this port.

The following trojand/backdoors also use this port: Agent 31, Agent 40421, Hackers Paradise (ports 31, 456), Masters Paradise, Skun
 34 tcp,udp remote not scanned Remote File (RF) - used for file transfer between machines
 35 udp games not scanned Delta Force
 37 tcp worm Basic scan Officially assigned for use by TIME protocol [RFC 868] [RFC 956]
TIME (port 37/tcp) can pose a DOS subnet threat because it has embedded functions used for the identification of critical processing time intervals and the ability to re-issue its output to port 7.

W32.Sober.I@mm [Symantec-2004-111900-1451-99] (2004.11.19) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp.
W32.Sober.J@mm [Symantec-2005-013110-1026-99] (2005.01.30)
W32.Sober.O@mm [Symantec-2005-050210-2339-99] (2005.05.02)
W32.Sober.X@mm [Symantec-2005-111915-0848-99] (2005.11.19)
 38 tcp,udp rap not scanned Route Access Protocol (IANA official)
 39 tcp trojan Premium scan SubSARI
 41 tcp trojans Members scan Some trojans use this port: Deep Throat, Foreplay

Graphics (TCP/UDP) (IANA official)
 42 tcp,udp WINS Members scan Port used by WINS (Windows Internet Naming Service). Worms can exploit a buffer overflow vulnerability within WINS using this port. See: MSKB 890710

The WINS service (wins.exe) on Microsoft Windows NT Server, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
References: [CVE-2004-1080] [BID-11763] [OSVDB-12378] [SECUNIA-13328]

W32.Dasher.D [Symantec-2005-121915-1543-99] (2005.12.19) - a worm that exploits the following MS vulnerabilities: [MS05-051] (on port 53/tcp) and [MS04-045] (on port 42/tcp). Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp.

Backdoor.Win32.Ncx.bt / Remote Stack Buffer Overflow - the malware listens on TCP port 42, sending a single HTTP GET request with a packet size of 10140 bytes, will trigger the buffer overflow overwriting both EIP and structured exception handler (SEH)
References: [MVID-2021-0026]

City of Heroes also uses this port (TCP).

Port was originally assigned to the obsolete ARPA Host name server protocol (pre-DNS).
 43 tcp,udp whois not scanned WHOIS protocol
 44 tcp trojan Premium scan Arctic

MPM FLAGS Protocol (TCP/UDP) (IANA official)
 45 tcp,udp mpm not scanned Message Processing Module (receive) (IANA official)
 46 tcp,udp mpm-snd not scanned MPM [default send] (IANA official)
 48 tcp auditd Premium scan DRAT remote access trojan (11-1999) uses ports 48,50.

Port is also IANA assigned for: Digital Audit Daemon
 49 tcp,udp TACACS Members scan TACACS Login Host Protocol

Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network.
 50 tcp re-mail-ck Members scan Some trojans that also use this port: DRAT remote access trojan (11-1999). Uses ports 48,50.

Dark Ages of Camelot, Vodafone Sure Signal use this port.
 51 tcp vpn Premium scan IANA reserved: IMP Logical Address Maintenance (removed 2013-05-24)

F**k Lamers Backdoor uses this port.
 52 tcp trojan Premium scan MuSka52, Skun
 53 tcp,udp DNS Basic scan DNS (Domain Name Service) used for domain name resolution. There are some attacks that target vulnerabilities within DNS servers.

Cisco Webex Teams services uses these ports:
443,444,5004 TCP
53, 123, 5004, 33434-33598 UDP (SIP calls)

Xbox 360 (Live) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (Live) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP, 500 UDP, 3544 UDP, 4500 UDP

Apple MacDNS, FaceTime also use this port.

Some trojans also use this port: ADM worm, Bonk (DoS) trojan, li0n, MscanWorm, MuSka52, Trojan.Esteems.C [Symantec-2005-051212-1727-99] (2005.05.12), W32.Spybot.ABDO [Symantec-2005-121014-3510-99] (2005.12.10).

W32.Dasher.B [Symantec-2005-121610-5037-99] (2005.12.16) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin [MS05-051]).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp.

Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53.
References: [CVE-2003-1491] [BID-7436]

Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than [CVE-2007-1465].
References: [CVE-2007-1866] [SECUNIA-24688]

Siemens Gigaset SE461 WiMAX router 1.5-BL024.9.6401, and possibly other versions, allows remote attackers to cause a denial of service (device restart and loss of configuration) by connecting to TCP port 53, then closing the connection.
References: [CVE-2009-1152] [BID-34220]

Cisco IOS is vulnerable to a denial of service, caused by an error in NAT of DNS. By sending specially-crafted DNS packets to TCP port 53, a remote attacker could exploit this vulnerability to cause the device to reload.
References: [CVE-2013-5479], [XFDB-87455]

haneWIN DNS Server is vulnerable to a denial of service attack. A remote attacker could send a large amount of data to port 53 and cause the server to crash.
References: [XFDB-90583], [BID-65024], [EDB-31014]

named in ISC BIND 9.x (before 9.9.7-P2 and 9.10.x before 9.10.2.-P3) allows remote attackers to cause denial of service (DoS) via TKEY queries. A constructed packet can use this vulnerability to trigger a REQUIRE assertion failure, causing the BIND daemon to exit. Both recursive and authoritative servers are vulnerable. The exploit occurs early in the packet handling, before checks enforcing ACLs or configuration options that limit/deny service.
See: [CVE-2015-5477]

Tftpd32 is vulnerable to a denial of service, caused by an error when processing requests. If the DNS server is enabled, a remote attacker could send a specially-crafted request to UDP port 53 to cause the server to crash.
References: [XFDB-75884] [BID-53704] [SECUNIA-49301]

TP-Link TL-WR886N 7.0 1.1.0 devices allow remote attackers to cause a denial of service (Tlb Load Exception) via crafted DNS packets to port 53/udp.
References: [CVE-2018-19528]

MikroTik RouterBOARD v6.39.2 and v6.40.5 allows an unauthenticated remote attacker to cause a denial of service by connecting to TCP port 53 and sending data that begins with many '\0' characters, possibly related to DNS.
References: [CVE-2017-17537], [EDB-43200]
 54 tcp,udp xns-ch Premium scan Port is officially assigned to XNS (Xerox Network Services) Clearinghouse.

Port is also used by the MuSka52 trojan.

Unspecified vulnerability in SLMail.exe in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (UDP service outage) via a large packet to UDP port 54.
References: [CVE-2008-1691], [BID-28505]
 57 tcp,udp applications not scanned AudioReQuest
 58 tcp trojan Premium scan DMSetup trojan
 59 tcp trojans Premium scan Backdoor.Sdbot.AJ [Symantec-2005-011009-1754-99] (2005.01.10) - network aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 59/tcp.

DMSetup trojan also uses port 59.

any private file service (IANA official)
 61 tcp,udp ni-mail not scanned NI Mail
 62 tcp,udp acas not scanned ACA Services (IANA official)
 63 tcp,udp whoispp not scanned whois++ (IANA official)
 65 tcp,udp tacacs-ds not scanned TACACS-Database Service (IANA official)
 66 tcp oracle Premium scan AL-Bareki trojan

EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to cause a denial of service (application crash) via a sequence of carriage returns sent to TCP port 66.
References: [CVE-2004-1696], [BID-11226]

Oracle SQL*NET (TCP/UDP) (IANA official)
 67 udp bootp server Basic scan Bootstrap protocol server. Used by DHCP servers to communicate addressing information to remote DHCP clients [RFC 951]

NCP Secure Enterprise Client (aka VPN/PKI client) 8.30 Build 59, and possibly earlier versions, when the Link Firewall and Personal Firewall are both configured to block all inbound and outbound network traffic, allows context-dependent attackers to send inbound UDP traffic with source port 67 and destination port 68, and outbound UDP traffic with source port 68 and destination port 67.
References: [CVE-2006-3551]

ZoneAlarm 2.1.10 and earlier does not filter UDP packets with a source port of 67, which allows remote attackers to bypass the firewall rules.
References: [CVE-2000-0339] [BID-1137] [OSVDB-1294]

Apple NetBoot also uses this port.
 67 tcp applications not scanned Falco LX-4PRO
 68 udp bootp client Basic scan Bootstrap protocol client. Used by client machines to obtain dynamic IP addressing information from a DHCP server.

The Avaya 4602 SW IP Phone (Model 4602D02A) with 2.2.2 and earlier SIP firmware allows remote attackers to cause a denial of service (device reboot) via a flood of packets to the BOOTP port (68/udp).
References: [CVE-2007-3321] [SECUNIA-25747] [OSVDB-38117]

NCP Secure Enterprise Client (aka VPN/PKI client) 8.30 Build 59, and possibly earlier versions, when the Link Firewall and Personal Firewall are both configured to block all inbound and outbound network traffic, allows context-dependent attackers to send inbound UDP traffic with source port 67 and destination port 68, and outbound UDP traffic with source port 68 and destination port 67.
References: [CVE-2006-3551]

Apple NetBoot also uses this port.
 68 tcp trojan Premium scan Backdoor.SubSeven [Symantec-2001-020114-5445-99] (1999.06.06)
Falco LX-4PRO also uses this port.
 69 udp TFTP Basic scan Trivial File Transfer Protocol - A less secure version of FTP, generally used in maintaining and updating systems, for configuration file transfers between LAN systems, firmware updates on routers, etc.

Many trojans also use this port: BackGate Kit, Nimda, Pasana, Storm, Storm worm, Theef...
W32.Blaster.Worm [Symantec-2003-081113-0229-99] is a widely spread worm that exploits the MS DCOM RPC vulnerability described in MS Security Bulletin [MS03-026]. The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Welchia.Worm [Symantec-2003-081815-2308-99] - a wildly spread worm that removes the W32.Blaster.Worm and installs a TFTP server.
W32.Cycle [Symantec-2004-051015-4731-99] (2004.05.10). Exploits a MS vulnerability on port 445, Listens on ports 3332/tcp and 69/udp.
W32.Zotob.E [Symantec-2005-081615-4443-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a bacdoor on remote compromised computers on port 8594/tcp. Port 69/udp also used by the W32.Zotob.H [Symantec-2005-081717-2017-99] variant of the worm.
W32.Evala.Worm [Symantec-2002-071017-5735-99] (2002.07.10) - backdoor trojan. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.

Buffer overflow in FutureSoft TFTP Server 2000 on Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via a long request on UDP port 69. NOTE: this issue might overlap [CVE-2006-4781] or [CVE-2005-1812].
References: [CVE-2007-1645]

The Arecont Vision AV1355DN MegaDome camera allows remote attackers to cause a denial of service (video-capture outage) via a packet to UDP port 69.
References: [CVE-2013-0139]

Hillstone Software HS TFTP Server is vulnerable to a denial of service, caused by an error when processing TFTP requests. By sending a specially-crafted READ/WRITE request packet containing an overly long filename to UDP port 69, a remote attacker could exploit this vulnerability to cause the TFTP service to crash.
References: [XFDB-71609], [BID-50886], [EDB-18188]

SolarWinds TFTP (Trivial File Transfer Protocol) Server is vulnerable to a denial of service, caused by an error when handling Read Request requests. By sending a specially-crafted Read Request to UDP port 69, a remote attacker could exploit this vulnerability to cause the server process to crash.
References: [CVE-2010-2115], [XFDB-58782], [BID-40333]

The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks data\configurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a WRQ (aka Write request) operation for a configuration file or an executable file.
References: [CVE-2017-7237], [EDB-41825]

MobaXterm Personal Edition could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted request to the TFTP server port 69 containing "dot dot" sequences (/../) in the request to retrieve arbitrary files on the system.
References: [CVE-2017-6805], [XFDB-123199]

A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to port 69/udp could modify the administrative client stored on the device. If a legitimate user downloads and executes the modified client from the affected device, then he/she could obtain code execution on the client system.
References: [CVE-2018-4854], [BID-104672]

A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to port 69/udp could modify the firmware of the device.
References: [CVE-2018-4853], [BID-104672]
 69 tcp malware not scanned Backdoor.Win32.Psychward.03.a / Weak Hardcoded Password - the malware listens in TCP port 69. The password "tyme" is
weak and stored in plaintext with the executable.
References: [MVID-2022-0548]
 70 tcp trojans Members scan W32.Evala.Worm [Symantec-2002-071017-5735-99] (2002.07.10) - backdoor trojan. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.
Other trojans that use these ports: ADM worm, BackGate Kit, Nimda, Pasana, Storm, Theef

Note: port 69/udp is used by TFTP.
 73 udp games not scanned Dungeon Siege II
 75 tcp,udp priv-dial not scanned any private dial out service
 76 tcp,udp deos not scanned Distributed External Object Store (IANA official)
 77 tcp,udp priv-rje not scanned IANA assigned for any private RJE service, netjrs.

The error message "TK_SPACE undeclared" is common to this port. This occurs when installed ports keep bombing out on sqlite3.
 78 tcp,udp vettcp not scanned vettcp (IANA official)
 79 tcp,udp Finger Members scan Finger

Finger Security Concerns: Provides key host info to attacker - Fingered host can be DOSd if hit with a recursive finger script till its memory and swap space fill. - Fingering clients can be DOSd if they finger a maliciously configured host (returns data overload - causing client to beep continually - etc.). - If fingering clients allow programmable keys - a maliciously configured host can return a finger response that maps a key to rm -rf /-. Disable on all host unless finger service is stubbed to only provide scripted data response (eg: system admin contact info - etc.).

Trojans that also use this port: ADM worm, Back Orifice 2000 (BO2K), CDK trojan (ports 79, 15858), Firehotcker (ports 79, 5321)

The legacy finger service (TCP port 79) is enabled by default on various older Lexmark devices.
References: [CVE-2019-10059]
 80 udp trojans Members scan W32.Beagle.AO@mm [Symantec-2004-080911-3251-99] - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.

W32.Bobax.AF@mm [Symantec-2005-081611-4121-99] (2005.08.15) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 21/tcp., and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.

Siemens SINEMA Server before 12 SP1 allows remote attackers to cause a denial of service (web-interface outage) via crafted HTTP requests to port 80 (TCP/UDP).
References: [CVE-2014-2733]

Multiple directory traversal vulnerabilities in the integrated web server in Siemens SINEMA Server before 12 SP1 allow remote attackers to access arbitrary files via HTTP traffic to port (1) 4999 or (2) 80.
References: [CVE-2014-2732]

Multiple directory traversal vulnerabilities in the integrated web server in Siemens SINEMA Server before 12 SP1 allow remote attackers to access arbitrary files via HTTP traffic to port (1) 4999 or (2) 80.
Reference: [CVE-2014-2731]

Port 80 udp is also used by some games, like Alien vs Predator (Activision).
 80 tcp http Basic scan Hyper Text Transfer Protocol (HTTP) - port used for web traffic.

Some broadband routers run a web server on port 80 or 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.

AnyDesk remote desktop software uses TCP ports 80, 443, 6568, 7070 (direct line connection)

If you're not running web services, keep in mind that a number of trojans/worms/backdoors propagate via TCP port 80 (HTTP):
Code Red, Nimda, 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Nerte 7.8.1, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader
Trojan.Webus.C [Symantec-2004-101212-0903-99]
W32.Beagle.AO@mm [Symantec-2004-080911-3251-99] - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.
Mydoom.B [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
Backdoor.Ranky.S [Symantec-2005-013015-4228-99] (2005.01.30) - runs proxy on port 80.
W32.Crowt.A@mm [Symantec-2005-012310-2158-99] (2005.01.23) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
Backdoor.Darkmoon.B [Symantec-2005-102115-3914-99] (2005.10.21) - a backdoor trojan with keylogger capabilities. Opens a backdoor and listens for remote commands on port 80/tcp.
W32.Beagle.CX@mm [Symantec-2005-121511-1751-99] (2005.12.16) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E [Symantec-2005-121516-1510-99]. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Trojan.Lodear.F [Symantec-2005-121513-5818-99] (2005.12.18) - trojan that attempts to download remote files.
W32.Feebs [Symantec-2006-013122-5631-99] (2006.01.07)

Xbox 360 (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP, 500 UDP, 3544 UDP, 4500 UDP

Some Apple applications also use port 80 (TCP): MobileMe, Sherlock, QuickTime Installer, iTunes Store and Radio, Software Update, RAID Admin, Backup, iCal calendar publishing, iWeb, MobileMe Web Gallery Publishing, WebDAV (iDisk), Final Cut Server.

Siemens SIPROTEC 4 and SIPROTEC Compact is vulnerable to a denial of service, caused by an error in the EN100 Ethernet module. By sending specially-crafted HTTP packets to TCP port 80, a remote attacker could exploit this vulnerability to cause the device to go into defect mode.
References: [CVE-2016-7113] [XFDB-116647]

A vulnerability was discovered in Siemens ViewPort for Web Office Portal before revision number 1453 that could allow an unauthenticated remote user to upload arbitrary code and execute it with the permissions of the operating-system user running the web server by sending specially crafted network packets to port 443/TCP or port 80/TCP.
References: [CVE-2017-6869], [BID-99343]
 81 udp trojans Premium scan W32.Beagle.AR@mm [Symantec-2004-092811-5825-99] (2004.9.28) - mass mailing worm with backdoor functionality on port 81/tcp & udp. Affects all current Windows versions.
 81 tcp http Basic scan Hyper Text Transfer Protocol (HTTP) - ports used for web traffic. See also TCP ports 80, 8080, 8081.

Some common uses for port 81/tcp include web administration (cobalt cube), web proxy servers, McAfee Framework Service, TigerVPN (servers speed check), etc.

If you're not running web services on this port, keep in mind it is also used by some trojans:
Backdoor.Asylum [Symantec-2000-121815-0609-99] (2000.05.02) - remote access trojan, uses ports 81, 2343, 23432 by default.
W32.Beagle.AR@mm [Symantec-2004-092811-5825-99] (2004.09.28) - port 81.

Stack-based buffer overflow in the RespondeHTTPPendiente function in the HTTP server for SUMUS 0.2.2 allows remote attackers to execute arbitrary code via a large packet sent to TCP port 81.
References: [CVE-2005-1110]

RemoConChubo trojan and Blue Iris also use this port.
 82 tcp trojans Members scan W32.Netsky.X@mm [Symantec-2004-042010-3056-99] (2004.04.20) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 82/tcp to receive and execute a file from an attacker.

The W32.Netsky.Y@mm [Symantec-2004-042011-2621-99] variant also opens port 82/tcp.
ET TROJAN LD Pinch Checkin uses port 82/udp.
 83 tcp,udp mit-ml-dev not scanned MIT ML Device (IANA official)
 84 tcp,udp ctf not scanned Common Trace Facility (IANA official)
 85 tcp trojan Premium scan Common Port for phishing scam sites

Multiple directory traversal vulnerabilities in src/acloglogin.php in Wangkongbao CNS-1000 and 1100 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) lang or (2) langid cookie to port 85.
References: [CVE-2012-4031] [BID-54267] [SECUNIA-49776] [OSVDB-83636]

An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.
References: [CVE-2020-15492]

MIT ML Device (IANA official)
 86 tcp applications not scanned BroadCam Video Streaming Server

Micro Focus Cobol (TCP/UDP) (IANA official)
 87 tcp terminal link Members scan terminal link - a talk/chat style protocol. Port commonly used by intruders

Backdoor.Win32.Agent.ad / Insecure Credential Storage - the malware listens on TCP port 87, its default password "hoanggia" is stored in the Windows registry in cleartext under "clrprv.oo" in "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\System\NPP". The password is also set as cookie value "Cookie: pass=hoanggia; day=14; month=11; year=2021", which also gets sent over the network in plaintext. Third party attackers who can access the system or sniff traffic can grab the password, then execute any programs and or run commands made available by the backdoor.
References: [MVID-2021-0406]
 88 udp Kerberos Premium scan KDC (Kerberos key distribution center) server.
Related ports: 464,543,544,749,751

Xbox 360 (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP, 500 UDP, 3544 UDP, 4500 UDP
 88 tcp trojan Premium scan Pwsteal.likmet.a, BackDoor-AXC

BroadWave Streaming Audio Server also uses this port
 89 tcp,udp su-mit-tg not scanned SU/MIT Telnet Gateway (IANA official)
 90 tcp trojan Premium scan Hidden Port 2.0
 91 tcp,udp mit-dov not scanned MIT Dover Spooler (IANA official)
 92 tcp,udp npp not scanned Network Printing Protocol (IANA official)
 93 tcp,udp dcp not scanned Device Control Protocol (IANA official)
 94 tcp,udp objcall not scanned Tivoli Object Dispatcher (IANA official)
 95 tcp,udp supdup not scanned SUPDUP (IANA official)
 96 tcp,udp dixie not scanned Express Invoice

DIXIE Protocol Specification (IANA official)
 97 tcp,udp swift-rvf not scanned Inventoria Stock Manager

Swift Remote Virtual File Protocol (IANA official)
 98 tcp applications not scanned This signature detects TCP port probes directed at port 98, which may indicate that an attacker is scanning to determine if the Linux remote configuration service is available on the system.

TAC News (IANA registered)
 99 udp metagram Members scan Metagram Relay, gnutella

Seapine Software TestTrack server allows a remote attacker to cause a denial of service (high CPU) via (1) TestTrackWeb.exe and (2) ttcgi.exe by connecting to port 99 and disconnecting without sending any data.
References: [CVE-1999-1567]
 99 tcp trojans Premium scan Hidden Port, Mandragore, NCX trojans

Backdoor.Win32.Ncx.b / Remote Stack Buffer Overflow - the malware listens on TCP port 99. Third-party attackers who can reach an infected system can send a large junk payload and trigger a classic stack buffer overflow overwriting the EIP, ECX registers and structured exception handler (SEH).
References: [MVID-2021-0388]

Backdoor.Win32.Ncx.b / Unauthenticated Remote Command Execution - the malware listens on TCP port 99. Third-party attackers who can reach an infected system can execute OS commands further compromising the host.
References: [MVID-2021-0389]

Vulnerabilities listed: 100 (some use multiple ports)
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About