| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 0 |
tcp,udp |
|
not scanned |
This port is technically illegal, but possible. It is often used to fingerprint machines, because different operating systems respond to this port in different ways. |
| 1 |
udp |
tcpmux |
not scanned |
IANA assigned to TCP Port Service Multiplexer.
Sockets des Troie remote access trojan uses this port (a.k.a. Backdoor.Sockets23, Lame, Backdoor.Kamikaze, IRC_trojan, TROJ_Backdoor, W32/Cheval.gen, coded in Delphi 3, 06.1998). It might also use ports 1/udp, 5000, 5001, 30303, 50505, 60000 and 65000. |
| 1 |
tcp |
tcpmux |
not scanned |
Scans against this port are commonly used to test if a machine runs SGI Irix (as SGI is the only system that typically has this enabled). This service is almost never used in practice.
CERT: CA-95.15.SGI.lp.vul
RFC1078 - TCPMUX acts much like Sun's portmapper or Microsoft's end-point mapper in that it allows services to run on arbitrary ports. In the case of TCPMUX, however, after the "lookup" phase, all further communication continues to run over that port. |
| 2 |
tcp |
compressnet |
Premium scan |
Trojans that use this port: Death remote access trojan (coded in VB, affects Windows 9x), port can be changed. Files: death.exe, config.cfg
Port 2 is also registered with IANA for compressnet management utility. |
| 7 |
tcp |
Echo |
Members scan |
Echo Service, somewhat outdated by ICMP echo. Port just echoes whatever is sent to it. This feature can be used in many attacks, such as fraggle.
See also: [RFC862]
ICP - Internet Caching Protocol - This protocol is used by HTTP caching proxies in order to coordinate working together in a cluster. Part of this implementation includes bouncing packets off the echo port in order to test if the peers are alive. |
| 9 |
tcp,udp |
Discard |
Members scan |
Discard server - this protocol is only installed on machines for test purposes. The service listening at this port (both TCP and UDP) simply discards any input.
See also: [RFC863], CVE-1999-0060
Intrusions: Ascend kill
This exploit kills Ascend routers by sending them a specially formatted malformed TCP packet. On certain versions of the Ascend operating system, the router can be forced to cause an internal error, resulting in the router rebooting. |
| 11 |
tcp,udp |
systat |
Premium scan |
system / active users information.
On some UNIX machines, creating a TCP connection to this port will dump the active processes and who launched them. The original intent for this was to make remote management of UNIX easier. However, intruders will query the systat information in order to map out the system.
This service is rarely available anymore because of these security concerns.
On UNIX, there are also local commands that show this information, such as systat or ps.
See also: [RFC866] |
| 13 |
tcp,udp |
Daytime |
Members scan |
Daytime service [RFC 867] - responds with the current time of day. Different machines respond with slightly different date/time format, so port can be used to fingerprint machines. |
| 15 |
tcp,udp |
netstat |
Premium scan |
netstat (a variant of systat, see port 11). Rarely available because of security concerns. It can be used to list active processes and who launched them on some UNIX machines. |
| 17 |
tcp,udp |
qotd |
not scanned |
Responds with Quote of the Day. See [RFC 865] |
| 18 |
tcp,udp |
msp |
not scanned |
Message Send Protocol
Also: Remote Write Protocol (RWP)
Related RFCs: [RFC 1159] [RFC 1312] [RFC 1756] |
| 19 |
tcp,udp |
Chargen |
Members scan |
Generates and replies with a stream of characters (TCP) or a packet containing characters (UDP). Should be disabled if there is no specific need for it, source for potential attacks.
[RFC 864] |
| 20 |
tcp |
FTP - data |
Members scan |
File Transfer Protocol - Data |
| 20 |
udp |
? |
Basic scan |
|
| 21 |
tcp |
FTP |
Basic scan |
File Transfer Protocol.
List of some trojan horses/backdoors that also use this port: Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm, W32.Sober.N@mm.
W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 21/tcp, and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
W32.Loxbot.C (01.11.2006) |
| 21 |
udp |
FSP |
Basic scan |
FSP/FTP |
| 22 |
udp |
PC-Anywhere |
Basic scan |
An old version of pcAnywhere uses port 22/udp (no relation to ssh and port 22/tcp).
The real pcAnywhere port is 5632. The value 0x0016 (hex) is 22 decimal; the value of 0x1600 (hex) is 5632 decimal. Some say that pcAnywhere had a byte-swapping bug that led to its incorrect use of port 22. |
| 22 |
tcp |
SSH |
Members scan |
Secure Shell - most common use is command line access, secure replacement of Telnet. Could also be used as an encrypted tunnel for secure communication of virtually any service.
Some trojans also use this port: InCommand, Shaft, Skun |
| 23 |
tcp |
telnet |
Basic scan |
Telnet is one of the oldest Internet protocols and the most popular program for remote access to Unix machines. It has numerous security vulnerabilities.
Trojans that also use this port: ADM worm, Aphex's Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (109.26.2005) |
| 25 |
tcp |
SMTP |
Basic scan |
SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not running a mail server that you're aware of, there is a possibility your system is infected.
List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp.
Trojan.Mitglieder.R (07.01.2005) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp.
W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Backdoor.Rustock (01.12.2006) - backdoor program that allows the compromised computer to be used as a proxy, uses rootkit techniques to hide its files and registry entries. |
| 30 |
tcp |
trojans |
Premium scan |
Agent 40421 trojan. Also uses port 40421/tcp |
| 31 |
tcp |
msg-auth |
Members scan |
MSG Authentication
The following trojans/backdoors also use this port: Agent 31, Agent 40421, Hackers Paradise (ports 31, 456), Masters Paradise, Skun |
| 37 |
tcp |
worm |
Basic scan |
Officially assigned for use by TIME protocol [RFC 868] [RFC 956]
W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp.
W32.Sober.J@mm (01.30.2005)
W32.Sober.O@mm (05.02.2005)
W32.Sober.X@mm (12.12.2005) |
| 41 |
|
trojans |
Members scan |
Some trojans use this port: Deep Throat, Foreplay |
| 42 |
tcp,udp |
WINS |
Members scan |
Port used by WINS (Windows Internet Naming Service).
Worms can exploit a recently announced buffer overflow vulnerability within WINS using this port.
See:
Microsoft - How to help protect against a WINS security issue
Technical Analysis by Steve Frield
W32.Dasher.D (12.19.2005) - a worm that exploits the following MS vulnerabilities: MS05-051 (on port 53/tcp) and MS04-045 (on port 42/tcp).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp. |
| 48 |
tcp |
auditd |
Premium scan |
DRAT remote access trojan (11-1999) uses ports 48,50.
Port is also IANA assigned for: Digital Audit Daemon |
| 49 |
udp |
TACACS |
Basic scan |
Login Host Protocol (TACACS) |
| 50,51 |
tcp |
re-mail-ck |
Premium scan |
IPSec (VPN tunneling) uses the following ports:
50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
Some trojans that also use this port: DRAT remote access trojan (11-1999). Uses ports 48,50. |
| 53 |
tcp,udp |
DNS |
Basic scan |
DNS (Domain Name Service) is used for domain name resolution.
There are some attacks that target vulnerabilities within DNS servers. Some trojans also use this port: ADM worm, li0n, MscanWorm, MuSka52, Trojan.Esteem.C (05.12.2005), W32.Spybot.ABDO (12.12.2005).
W32.Dasher.B (12.16.2005) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin MS05-051).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp.
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp. |
| 59 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AJ (01.10.2005) - network aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 59/tcp. |
| 67 |
udp |
bootp server |
Basic scan |
Bootstrap protocol server. Used by DHCP servers to communicate addressing information to remote DHCP clients. |
| 68 |
udp |
bootp client |
Basic scan |
Bootstrap protocol client. Used by client machines to obtain dynamic IP addressing information from a DHCP server. |
| 69 |
udp |
TFTP |
Basic scan |
Trivial File Transfer Protocol - A less secure version of FTP, generally used in maintaining and updating systems, for configuration file transfers between LAN systems, firmware updates on routers, etc.
Many trojans also use this port: BackGate Kit, Nimda, Pasana, Storm, Storm worm, Theef...
W32.Blaster.Worm is a widely spread worm that exploits the MS DCOM RPC vulnerability described in MS Security Bulletin MS03-026. The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Welchia.Worm - a widely spread worm that removes the W32.Blaster.Worm and installs a TFTP server.
W32.Cycle (05.10.2004). Exploits a MS vulnerability on port 445, Listens on ports 3332/tcp and 69/udp.
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 69/udp is also used by the W32.Zotob.H variant of the worm. |
| 69,70 |
tcp |
trojans |
Premium scan |
W32.Evala.Worm - backdoor trojan, 07.2002. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.
Other trojans that use these ports: ADM worm, BackGate Kit, Nimda, Pasana, Storm, Theef
Note: port 69/udp is used by TFTP. |
| 79 |
tcp,udp |
Finger |
Members scan |
Finger
Trojans that also use this port: ADM worm, CDK trojan (ports 79, 15858), Firehotcker (ports 79, 5321) |
| 80 |
udp |
trojans |
Premium scan |
W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.
W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 21/tcp, and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
Port 80 udp is also used by some games, like Alien vs Predator (Activision). |
| 80 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - port used for web traffic. See also TCP ports 81, 8080, 8081.
Some broadband routers (Linksys, etc.) run a web server on port 80 or 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.
If you're not running web services, keep in mind that Code Red and Nimda worms also propagate via TCP port 80 (HTTP). Also, a number of trojans/backdoors use these ports: 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Nerte 7.8.1, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader
Trojan.Webus.C
W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
Backdoor.Ranky.S (01.30.2005) - runs proxy on port 80.
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
Backdoor.Darkmoon.B (10.21.2005) - a backdoor trojan with keylogger capabilities. Opens a backdoor and listens for remote commands on port 80/tcp.
W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Trojan.Lodear.F (12.18.2005) - trojan that attempts to download remote files.
W32.Feebs (01.07.2006)
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp. |
| 81 |
udp |
trojans |
Premium scan |
W32.Beagle.AR@mm (9.29.2004) - mass mailing worm with backdoor functionality on port 81/tcp & udp. Affects all current Windows versions. |
| 81 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - ports used for web traffic. See also TCP ports 80, 8080, 8081.
Some common uses for port 81/tcp include web administration (cobalt cube), web proxy servers, etc.
If you're not running web services on this port, keep in mind it is also used by some trojans:
Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default.
W32.Beagle.AR@mm (09.29.2004) - port 81. |
| 82 |
tcp |
trojans |
Members scan |
W32.Netsky.X@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 82/tcp to receive and execute a file from an attacker.
The W32.Netsky.Y@mm variant also opens port 82/tcp. |
| 87 |
tcp |
terminal link |
Members scan |
terminal link - a talk/chat style protocol. Port commonly used by intruders |
| 88 |
udp |
Kerberos |
Premium scan |
KDC (Kerberos key distribution center) server.
Related ports: 464,543,544,749
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp. |
| 99 |
udp |
metagram |
Basic scan |
metagram relay, gnutella? |
| 101 |
tcp |
hostname |
not scanned |
Hostnames server. [RFC953] [RFC811] |
| 102 |
tcp,udp |
iso-tsap |
Premium scan |
Port used by ISO, X.400, ITOT
ISO-TSAP (Transport Service Access Point) protocol
Microsoft Exchange uses this port for X.400 traffic.
[RFC1006] [RFC2126] |
| 105 |
tcp,udp |
ccso |
not scanned |
IANA assigned to CCSO name server protocol. [RFC2378] |
| 106 |
tcp |
poppassd |
not scanned |
(TCP) poppassd (aka. epass) allows passwords to be changed on POP servers. Traditionally, users would have to have shell (Telnet) accounts on the servers in order to change their passwords. This allows users with just POP access to change their passwords.
The exchange looks something like:
S: 200 Hello
C: user robert
S: 300 Please send current password
C: pass mypassword
S: 200 send New Pass Word
C: newpass newpassword
S: 200 successful
C: quit
Protocol was originally developed for Eudora. Eudora Internet Mail Server versions 1.2, 2.0, 2.01 DoS: if you connect to this server and enter the command "USER xxxxxx" with more than 1000 characters, this service will crash. |
| 109 |
tcp,udp |
pop2 |
not scanned |
Post Office Protocol 2. While POP2 has largely been replaced by POP3, hackers still scan for this port because many older POP servers have vulnerabilities associated with them. [RFC937] |
| 110 |
udp |
pop-or-not |
Basic scan |
POP3 server traffic (should be TCP only?) |
| 110 |
tcp |
POP3 |
Basic scan |
POP3 (Post Office Protocol - Version 3) |
| 111 |
udp |
SunRPC |
Basic scan |
Provides information between Unix based systems. Port is often probed; it can be used to fingerprint the *nix OS and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service.
Trojans that use this port: ADM worm, MscanWorm |
| 113 |
tcp,udp |
IDENT |
Basic scan |
Port 113 used for Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc. that remote server sends back a query to the IDENT port 113 asking for identification from your system...
Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all from port 113 queries, the connection to them (which initiated their query in the first place) will be delayed or perhaps even completely abandoned.
The simplest solution is to close, rather than filter port 113.
Some trojans also use this port: ADM worm, Alicia, Cyn, DataSpy Network X, Dosh, Gibbon, Invisible Identd Deamon, Kazimas, Taskman
W32.Bofra.C@mm (11.11.2004) - It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Linkbot.A (11.05.2004) - worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability. It also creates an IRC backdoor and attempts to install adware on the infected machine. It can affect all current Windows versions. Listens on port 113/tcp for remote commands.
W32.Spybot.LZI (04.06.2005) - worm that attempts to exploit the MS DCOM RPC vulnerability on ports 135, 445 & 1025. Opens a backdoor on port 113.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp. |
| 119 |
udp |
NNTP |
Basic scan |
NNTP (Network News Transfer Protocol) control messages. |
| 121 |
tcp |
erpc |
Premium scan |
trojans/backdoors that use this port:
Attack Bot (files: Sysadmin.exe-181KB, Mpeg.exe, affects Windows 9x/ME)
God Message (ports 80,121,7777, a.k.a. BackDoor.AB.gen, JS.Trojan.WindowBomb, affects Windows 9x/ME/NT/2k)
JammerKillah (files: Jammerkillah.zip, Jammerkillah.exe, Mswin32.drv, affects Windows 9x/ME)
Port is also IANA registered for: Encore Expedited Remote Pro.Call |
| 123 |
udp |
NTP |
Basic scan |
Network Time Protocol (NTP) |
| 125 |
tcp |
misc |
not scanned |
Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP block on port 25. |
| 135 |
tcp |
loc-srv |
Basic scan |
Remote Procedure Call (RPC) port 135 is used in client/server applications (might be on a single machine) such as Exchange clients, the recently exploited messenger service, as well as other Windows NT/2K/XP software. If you have remote users who VPN into your network, you might need to open this port on the firewall to allow access to the Exchange server.
There is a RPC (a RPC's Endpoint Mapper component) vulnerability in Windows NT where a malformed request to port 135 could cause denial of service (DoS). RPC contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data. To restore normal functionality victim has to reboot the system. Alternatively, you can upgrade/patch your OS (there is a patch downloadable from Microsoft), or you can close port 135.
MS Security Bulletin MS03-026 outlines another critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
W32.Blaster.Worm is a widely spread worm that exploits the DCOM RPC vulnerability described above (MS Security Bulletin MS03-026). The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
Port is also used by Messenger Service (not MSN Messenger) and exploited in popup net send messenger spam: MSKB 330904. To stop the popups you'd need to filter port 135 at the firewall level or stop the messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp, 138/udp, 139/tcp, 445/tcp.
W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service. |
| 135 |
udp |
loc-srv |
Basic scan |
Port used by Messenger Service (not MSN Messenger) and exploited in popup net send messenger spam: MSKB 330904. To stop the popups you'd need to filter port 135 at the firewall level or stop the messenger service. The service uses all the following ports: 135/tcp, 135/udp, 137/udp, 138/udp, 139/tcp, 445/tcp. |
| 137-139 |
tcp,udp |
NetBIOS |
Basic scan |
NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.
NetBios services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:
1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.
Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.
There is also a Critical Windows RPC vulnerability affecting ports 135,139 and 445, as detailed here: MS Technet Security Bulletin MS03-026
The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz
W32.HLLW.Moega
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin MS03-026) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444. |
| 143 |
tcp,udp |
IMAP |
Basic scan |
IMAP mail server uses this port. See also port 993/tcp.
Numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for a while, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when Red Hat enabled the service by default on its distributions. This port is also used for IMAP2, but that version wasn't very popular. Several people have noted attacks from port 0 to port 143, which appear to be from some attack script. |
| 146 |
tcp |
trojans |
Premium scan |
Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 161,162 |
udp |
SNMP |
Basic scan |
Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.
Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162. |
| 177 |
tcp |
xdmcp |
Premium scan |
Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed. |
| 194 |
tcp,udp |
IRC |
Members scan |
Internet Relay Chat Protocol |
| 256 |
udp |
trojans |
not scanned |
Trojan.SpBot (04.05.2005) - trojan horse that opens a compromised computer to be used as an email relay. Opens a backdoor on port 256/udp. |
| 321 |
tcp |
trojans |
Members scan |
W32.Looksky.A@mm (10.25.2005) - a mass-mailing worm that lowers security settings and logs keystrokes on the compromised computer. It also gathers and sends out personal information. Opens a backdoor and listens for remote commands on port 321/tcp. It also periodically connects to proxy4u.ws on port 8080/tcp to check for updates.
Port also used by other variants:
W32.Looksky.A@mm
W32.Looksky.H@mm (01.17.2006). |
| 389 |
tcp |
LDAP |
Basic scan |
LDAP (Lightweight Directory Access Protocol) - an Internet protocol, used by MS Active Directory, as well as some email programs to look up contact information from a server.
Both Microsoft Exchange and NetMeeting install a LDAP server on this port. |
| 443 |
tcp |
HTTPS |
Members scan |
HTTPS / SSL - encrypted web traffic.
Port also used by some trojans:
W32.Kelvir.M (04.05.2005) - worm that spreads through MSN Messenger and drops a variant of the W32.Spybot.Worm. Connects to IRC servers on the s.defonic2.net and s.majesticwin.com domains, and listens for commands on port 443/tcp. |
| 445 |
tcp |
microsoft-ds |
Basic scan |
TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName (value only) in the Windows Registry.
Leaving port 445 open will leave you vulnerable to some worms, such as W32.Deloader and IraqiWorm (aka Iraq_oil.exe), W32.HLLW.Moega, W32.Sasser.Worm, W32.Korgo.AB (09.24.2004), Backdoor.Rtkit.B (10.01.2004), Trojan.Netdepix.B (01.16.2005), as well as the Windows Null Session Exploit.
MS Security Bulletin MS03-026 outlines a critical RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
See also: Microsoft Security Bulletin MS03-049 and Microsoft Security Bulletin MS03-043
W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 445/tcp also used by the W32.Zotob.H variant of the worm. |
| 456 |
tcp |
trojans |
Premium scan |
used by Hackers Paradise trojan (also uses port 31) |
| 464 |
tcp,udp |
kpasswd |
not scanned |
Kerberos (v5)
Related ports: 88,543,544,749 |
| 500 |
udp |
ipsec |
Members scan |
IPSec (VPN tunneling) uses the following ports:
50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
See also:
port 1701 (L2TP)
port 1723 (PPTP)
|
| 511 |
tcp |
|
Premium scan |
Part of rootkit t0rn, a program called "leeto's socket daemon" runs at this port. |
| 514 |
tcp |
shell |
Premium scan |
Used by rsh (and also rcp), interactive shell without any logging.
Some vulnerabilities of this port: RPC Backdoor, Whacky |
| 515 |
tcp |
printer |
not scanned |
Printing services, listening for incoming connections |
| 520 |
udp |
router |
Premium scan |
RIP (Routing Information Protocol). Routers use RIP in order to advertise routing information to each other and communicate optimal paths.
References: RFC1058 & RFC2453 |
| 520 |
tcp |
efs |
not scanned |
Extended File Name Server |
| 531 |
tcp |
chat |
Premium scan |
Port used by IRC chat |
| 535 |
udp |
CORBA IIOP |
Premium scan |
Common Object Request Broker Architecture (CORBA) is an object-oriented remote procedure call (RPC) system. If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA broadcasts send out information that can often be used to hack back into the systems generating these broadcasts. |
| 540 |
tcp |
uucp |
Members scan |
a famous file transfer service, potential vulnerability. |
| 543 |
tcp |
klogin |
not scanned |
Kerberos login
Related ports: 88,464,544, 749 |
| 544 |
tcp |
kshell |
not scanned |
Kerberos remote shell
Related ports: 88,464,543,749 |
| 546 |
tcp,udp |
DHCP |
Premium scan |
DHCP(v6) Client |
| 547 |
tcp,udp |
DHCP |
Premium scan |
DHCP(v6) Server |
| 555 |
tcp |
dsf |
Members scan |
Trojans that use this port: 711 trojan (Seven Eleven), Ini-Killer, Net Administrator (NeTadmin), Phase Zero, Stealth Spy |
| 559 |
tcp |
trojans |
Premium scan |
Port used by Domwis remote access trojan. Creates a backdoor and spam proxy on port 559. |
| 593 |
tcp |
|
Members scan |
MS Security Bulletin MS03-026 outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet. |
| 635 |
tcp,udp |
NFS mount |
Members scan |
RPC Remote filesystem access mount service - a very popular attack vector, often scanned for. Most scans on this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports simultaneously). Note that mountd can run at any port (for which you must first do a portmap lookup at port 111), it's just that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049. |
| 636 |
tcp |
ldaps |
not scanned |
LDAP over TLS/SSL |
| 639 |
tcp,udp |
msdp |
not scanned |
MSDP - Multicast Source Discovery Protocol |
| 641 |
tcp,udp |
proxy |
not scanned |
SupportSoft Nexus Remote Command (control/listening): A proxy gateway connecting remote control traffic |
| 653 |
tcp,udp |
proxy |
not scanned |
SupportSoft Nexus Remote Command (data): A proxy gateway connecting remote control traffic |
| 654 |
tcp |
trojans |
Premium scan |
Official use by AODV (Ad-hoc On-demand Distance Vector)
Port also used by HoaVelu trojan |
| 665 |
tcp |
trojans |
Members scan |
W32.Netsky.Z@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 665/tcp to receive and execute a file from an attacker. |
| 666 |
tcp,udp |
doom |
Members scan |
Used by the game Doom (ID Software). However, because of the cool connotations, this port is also used by numerous trojan horses/backdoors.
Here is a list: Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (the rippers).
Backdoor.FTP_Ana.C - backdoor trojan, 03.2003. Affects all current Windows versions.
Backdoor.Checkesp - backdoor trojan, 06.2003. Affects all current Windows versions.
Backdoor.Private - backdoor trojan, 05.2003. Affects all current Windows versions.
W32.Dreffort (04.05.2005) - Infects .exe and .scr files, deletes files on Dec. 29th. Also opens a backdoor on the 29th of each month on port 666/tcp.
Backdoor.Microkos (08.10.2005) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp. |
| 667 |
tcp |
trojans |
Premium scan |
SniperNet remote access trojan, 02.2000. Affects Windows 9x |
| 669 |
tcp |
trojans |
Premium scan |
Trojans that use this port: DP trojan, SniperNet
Port is also IANA assigned for: MeRegister |
| 674 |
tcp |
ACAP |
Premium scan |
ACAP -- Application Configuration Access Protocol
References: RFC2244, RFC2595, RFC2636 |
| 700 |
udp |
buddyphone |
not scanned |
Port used by BuddyPhone Internet Telephony software. Also uses TCP range 5000-5111. |
| 749 |
tcp,udp |
kerberos |
not scanned |
Kerberos administration
Related ports: 88,464,543,544 |
| 777 |
tcp |
multiling-http |
Members scan |
Trojans that use this port: AimSpy (AIM trojan), Un-Detected (a.k.a. Backdoor.TDS, 4Fuk, Trojan.Win32.TrojanRunner.Levil, U4). |
| 901,902,903 |
tcp |
trojans |
Premium scan |
NetDevil - remote access trojan, 02.2002. Affects Windows 9x/Me/NT/2k/XP
Ports are also IANA assigned to:
901 - SMPNAMERES
902 - IDEAFARM-CHAT |
| 911 |
tcp |
trojans |
Premium scan |
Used by Dark Shadow trojan. |
| 912 |
tcp |
apex |
Members scan |
Port assigned to the APEX (Application Exchange Core) protocol. It is an XML-based protocol designed for sending instant messages based on the Blocks Extensible Exchange Protocol (BEEP).
APEX also uses TCP port 913 as its endpoint-relay service. The APEX protocol has been replaced by the SIP, SIMPLE and XMPP protocols. Port 912 is used primarily to receive and send messages that are originated via the end-points located in port 913. Information sent and received via port 912 includes the endpoint that created it, a URI reference point, the endpoints that will receive it and other options. |
| 943 |
tcp |
silverlight |
Members scan |
Port not officially assigned, used by Silverlight Microsoft plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser. Port 943 was first used in Silverlight version 2 beta 2 release.
Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser. |
| 950 |
tcp |
rpc.statd |
Members scan |
Port used by rpc.statd background process. This daemon is a part of the Network File System (NFS) protocol. This protocol was developed by Sun Microsystems to allow a client to access files that are shared on a network. The rpc.statd daemon is a subsystem of NFS used mostly on UNIX and Linux platforms.
Port 950 can also be used in a malicious way. The port allows direct access to the syslog() function, which may be manipulated by unauthorized users.
The port has been used historically to start a buffer overflow and launch Distributed Denial of Service attacks. |
| 993 |
tcp,udp |
IMAP-SSL |
Premium scan |
IMAP over SSL |
| 995 |
tcp,udp |
POP3-SSL |
not scanned |
POP3 over SSL |
| 999 |
tcp |
garcon |
Members scan |
Port used by ScimoreDB Database System
Trojans that run on this port: DeepThroat (a.k.a. DTV2, DTV3, BackDoor-J), F0replay (a.k.a. WiNNUke eXtreame), WinSatan |
| 1000 |
tcp |
trojans |
Members scan |
Trojans using this port: Der Spaeher, Direct Connection |
| 1001 |
tcp |
trojans |
Members scan |
Trojans using this port: Der Spaeher, Le Guardien, Silencer, WebEx |
| 1002 |
tcp |
ms-ils |
Basic scan |
Windows Internet Locator Server service, used by MS NetMeeting. ILS is a MS NetMeeting service that is now preferred by MS over the Internet standard LDAP service (port 389). This port does not appear in "netstat" command listings. |
| 1010,1011,1015 |
tcp |
trojans |
Premium scan |
Used by Doly trojan (v1.35 uses port 1010, v1.5 uses port 1015) |
| 1020 |
tcp |
trojans |
Premium scan |
Port used by Vampire remote access trojan, 06.1999. Works on Windows 9x/NT. Uses ports 1020 and 6669. |
| 1021 |
tcp |
trojans |
Premium scan |
Trojan.Webus.H (07.12.2005) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands. |
| 1024 |
tcp |
kdm |
Members scan |
K Display Manager (KDE version of xdm)
Trojans also using this port: Jade, Latinus, NetSpy, YAI
Backdoor.Lingosky 04.28.2005 - trojan with backdoor capabilities. Opens a backdoor on port 1024/tcp. |
| 1025-1029 |
tcp,udp |
NFS, IIS, etc. |
Basic scan |
Ports > 1024 are designated for dynamic allocation by Windows. When programs ask for the "next available" socket, they usually get sequential ports starting at 1025.
Ports 1026/udp - 1027/udp are usually used by Messenger Popup Spam as well. |
| 1033 |
tcp |
trojans |
Premium scan |
Port used by Netspy2 trojan. |
| 1034 |
tcp |
trojans |
Members scan |
Backdoor.Systsec - remote access trojan, 02.2002. Affects all current Windows versions.
Backdoor.Zincite.A (07.27.2004) - backdoor server program that allows unauthorized access to the compromised computer. It runs and listens for remote commands on port 1034/tcp.
W32.Mydoom.CI@mm (09.27.2005) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine. |
| 1035 |
tcp |
trojans |
Premium scan |
Backdoor.Sedepex (11.01.2005) - a trojan with backdoor capabilities. It ends various security related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp. |
| 1040 |
tcp |
trojans |
Premium scan |
Backdoor.Sedepex (11.01.2005) - a trojan with backdoor capabilities. It ends various security related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp. |
| 1042 |
tcp |
trojans |
Premium scan |
Port used by Bla1.1 trojan.
MyDoom.L |
| 1050 |
tcp |
trojans |
Premium scan |
Port used by MiniCommand remote access trojan 10.1999. |
| 1052 |
tcp |
trojans |
Members scan |
W32.Reatle.mm@mm (07.15.2005) - mass-mailing worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability (MS04-011) on TCP port 445. Opens a backdoor by running an FTP server on port 8885/tcp. Also attempts to perform a denial of service attack against www.symantec.com by targeting port 1052/tcp with randomly generated packets.
W32.Reatle.C@mm (07.19.2005) - another variant of the above mass-mailing worm. Opens a backdoor on port 8885/tcp and attempts to perform a denial of service attack against www.symantec.com on port 1052/tcp.
W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service. |
| 1080 |
tcp |
socks |
Members scan |
Socks Proxy is an Internet proxy service, potential spam relay point.
Common programs using this port: Wingate
Trojans/worms that use this port as well:
Bugbear.xx - wide-spread mass-mailing worm, many variants.
SubSeven - remote access trojan, 03.2001. Affects all current Windows versions.
WinHole - remote access trojan, 01.2000 (a.k.a. WinGate, Backdoor.WLF, BackGate). Affects Windows 9x.
Trojan.Webus.C - remote access trojan, 10.12.2004. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080.
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080. |
| 1081 |
tcp |
trojans |
Premium scan |
Backdoor.Zagaban (11.04.2005) - a trojan that allows the compromised computer to be used as a covert proxy. Allows the attacker to modify the hosts file. Starts a covert proxy and listens on port 1081/tcp. |
| 1088 |
tcp |
trojans |
Premium scan |
Trojan.Webus.D (11.12.2004) - remote access trojan, affects all current Windows versions. Opens a backdoor by connecting via port 1088 to IRC servers serv.gigaset.org or gimp.robobot.org. It then can receive a range of commands, including downloading and executing remote files. It can also open another random tcp port for incoming connections.
Trojan.Webus.E (04.05.2005) - trojan that opens a backdoor and connects to IRC servers for remote access on port 1088/tcp.
Trojan.Webus.H (07.12.2005) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands. |
| 1090 |
tcp |
trojans |
Premium scan |
Port used by Xtreme remote access trojan with keylogger capabilities. It also installs NetBus 2.1 Pro in the background. |
| 1095-1099 |
tcp |
trojans |
Premium scan |
Some trojans use these ports: Blood Fest Evolution, Hvl RAT (also uses port 2283), Remote Administration Tool - RAT |
| 1111 |
tcp |
trojans |
Members scan |
Trojans that use this port:
Backdoor.AIMvision - remote access trojan, 10.2002. Affects all current Windows versions.
Backdoor.Ultor - remote access trojan, 06.2002. Affects Windows, listens on port 1111 or 1234.
Backdoor.Daodan - VB6 remote access trojan, 07.2000. Affects Windows.
W32.Suclove.A@mm (09.26.2005) - a mass-mailing worm with backdoor capabilities that spreads through MS Outlook and MIRC. Opens a backdoor and listens for remote commands on port 1111/tcp.
Port is also IANA registered for: LM Social Server |
| 1117 |
tcp |
trojans |
Premium scan |
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp. |
| 1122 |
tcp,udp |
trojans |
Premium scan |
Trojans that use this port: Last 2000, Singularity (Backdoor.Singu)
Port is also IANA registered for: availant-mgr |
| 1155 |
tcp |
trojans |
Members scan |
W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service. |
| 1168,1169 |
tcp |
trojans |
Premium scan |
W32/Colevo@MM - mass mailing worm with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.
Ports are also IANA registered for:
1168/tcp - VChat Conference Service
1169/tcp - TRIPWIRE
2536/tcp - btpp2audctr1 |
| 1170 |
tcp |
trojans |
Premium scan |
Some eavesdropping/remote access trojans use this port:
Psyber Streaming Audio Server - Remote access trojan.
W32/Colevo@MM - mass mailing worm with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536. |
| 1208 |
tcp |
trojans |
Premium scan |
Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 1214 |
tcp |
Kazaa |
Members scan |
Kazaa - peer-to-peer file sharing, some known vulnerabilities, and at least one worm (Benjamin) targeting it. |
| 1218 |
tcp |
trojans |
Premium scan |
Trojans that use this port:
Backdoor.Sazo - remote access trojan, 06.2002. Affects Windows
Force/Feardoor - VB6 remote access trojan, 07.2002. Affects Windows.
Port is also IANA registered for: aeroflight-ads |
| 1234 |
tcp |
trojans |
Premium scan |
Backdoor.Ultor - remote access trojan, 06.2002. Affects Windows, listens on port 1111 or 1234.
Port is also IANA registered for: Infoseek Search Agent |
| 1243 |
tcp |
trojans |
Members scan |
Some trojans use this port: SubSeven/BackDoor-G, Tiles |
| 1245 |
tcp |
trojans |
Premium scan |
Port used by Voodoo trojan. |
| 1269 |
tcp |
trojans |
Premium scan |
Port used by Maverick's Matrix remote access trojan (different variants from May 1999 to January 2004). This trojan provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine, and a "server" in the victim's machine. |
| 1338 |
tcp |
|
Premium scan |
Millenium Worm, affects Unix/Linux. |
| 1409 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Bifrut (11.08.2004) - remote access trojan, can affect all current Windows versions. Opens a backdoor on port 1409/tcp bound to the command shell. |
| 1433,1434 |
tcp,udp |
MS SQL Server |
Premium scan |
Microsoft SQL Server.
Vulnerabilities: Check CERT advisories CA-2002-22 - multiple vulnerabilities, CA-2003-04 MS SQL Server Worm. The Gaobot family of worms also exploits this port.
See also: Microsoft Security Bulletin MS02-061.
Digispid.B.Worm (05.21.2002) - worm that spreads to computers that run MS SQL server and have a blank SQL admin password. Uses port 1433/tcp.
W32.Kelvir.R (04.12.2005) - worm that spreads through MSN messenger and drops a variant of W32.Spybot.Worm. It spreads using several known MS vulnerabilities, including MS security Bulletin MS02-061 Microsoft SQL Server 2000 or MSDE 2000 audit using port 1434/udp. |
| 1444 |
tcp |
trojans |
Premium scan |
Backdoor.Homutex (07.18.2005) - a trojan with backdoor capabilities. Opens a backdoor and listens for remote commands on port 1444/tcp. Also attempts to send information about the infected computer on port 1443/tcp. |
| 1492 |
tcp |
trojans |
Premium scan |
FTP99CMP - remote access trojan, 05.1999. Runs an FTP server on port 1492. |
| 1494 |
tcp |
citrix |
not scanned |
Citrix WinFrame. Also uses port 1604 udp. |
| 1509 |
tcp |
trojans |
Premium scan |
Port used by Psyber Streaming Server - remote access trojan. |
| 1524 |
tcp |
backdoor |
Premium scan |
Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). Connections to port 600/pcserver also have this problem. [Cert IN-99-04] |
| 1533 |
tcp |
trojans |
Premium scan |
Backdoor.Miffice - remote access trojan, 08.2002. Affects all current Windows versions.
Port is also registered with IANA for: Virtual Places Software |
| 1600 |
tcp |
trojans |
Premium scan |
Port used by some trojans: Shiva Burka, Backdoor.DirectConnection (remote access trojan, uses ports 1000, 1600-1602) |
| 1604 |
udp |
citrix |
not scanned |
Citrix WinFrame. Also uses port 1494 tcp. |
| 1639 |
tcp |
trojans |
Members scan |
W32.Bofra.E@mm (11.12.2004) - a mass-mailing worm that exploits the MS Internet Explorer IFRAME vulnerability. Affects all current Windows versions.
Runs as an HTTP server on port 1639/tcp. Attempts to connect to IRC servers on port 6667/tcp.
W32.Bofra.C@mm (11.11.2004) - another variant of the Bofra worm. It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm (11.08.2004).
W32.Bofra.D@mm (11.08.2004). |
| 1640 |
tcp |
trojans |
Premium scan |
W32.Bofra.C@mm (11.11.2004) - mass-mailing worm that exploits the MS Internet Explorer IFRAME Vulnerability. Also spreads by sending email to addresses found on the infected computer. It can affect all current Windows versions.
It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp. |
| 1645,1646 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFCs 2865 and 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813. |
| 1701 |
tcp |
|
Premium scan |
L2TP VPN (Virtual Private Networking)
See also:
port 500/udp (IPSec IKE)
port 1723/tcp (PPTP) |
| 1720 |
tcp |
h323 |
Premium scan |
H.323 used for voice-over IP call set-up. Port most commonly used by Microsoft NetMeeting. |
| 1723 |
tcp,udp |
PPTP |
Members scan |
PPTP VPN (Point-to-Point Tunneling Protocol Virtual Private Networking). For additional information, see the MS VPN FAQ.
See also:
port 500/udp (IPSec IKE)
port 1701/tcp (L2TP) |
| 1751 |
tcp |
trojans |
Members scan |
W32.Loxbot.D (01.06.2006) - a worm that opens a backdoor on the compromised computer. Spreads through AOL Instant Messenger, uses rootkit capabilities to hide its process in memory. Opens a backdoor and listens for remote commands on port 1751/tcp. |
| 1772 |
tcp,udp |
trojans |
Premium scan |
Backdoor.Netcontrole - remote access trojan, 06.2002. Affects all current Windows versions.
Port is also registered with IANA for: EssWeb Gateway |
| 1807 |
tcp |
trojans |
Premium scan |
Port used by SpySender (a.k.a. Backdoor.Delf.hp) - remote access trojan, 05.2002. Uses ports 1807, 3418 |
| 1812,1813 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFCs 2865 and 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813. |
| 1863 |
tcp,udp |
msnp |
Basic scan |
Port used by MSN Messenger
W32.Mytob.IE@mm (07.26.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It uses its own SMTP engine. Opens a backdoor and listens for remote commands on port 1863/tcp. |
| 1879 |
tcp |
virus |
Premium scan |
W32.Zori.B (04.02.2005) - virus that spreads through network shares and prepends .exe files. It deletes files from all disks 9 days after the original infection.
It also opens a backdoor on port 1879/tcp and listens for remote commands from an attacker. |
| 1900 |
tcp,udp |
SSDP, UPnP |
Premium scan |
IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol).
UPnP discovery/SSDP is a service that runs by default on WinXP, and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders.
See UPnP vulnerabilities (port 5000). |
| 1906,1907 |
tcp |
trojans |
Premium scan |
Backdoor.Verify (4.08.2005) - backdoor trojan that allows remote access to the compromised computer.
Opens ports 1906/tcp and 1907/tcp for remote access. |
| 1927,1930 |
tcp |
trojans |
Members scan |
W32.Spybot.IVQ (01.26.2005) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445).
Opens a backdoor on one or more of these ports: 5002, 5003, 1927, 1930. |
| 1967 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: For Your Eyes Only, WM FTP Server
Port is also IANA registered for: SNS Quote |
| 1971 |
tcp |
trojans |
Premium scan |
Backdoor.Bifrose - remote access trojan, 10.12.2004. Affects all current Windows versions. |
| 1978 |
udp |
worm-linux |
Premium scan |
Linux.Slapper.Worm (09.13.2002) - family of worms that use an OpenSSL buffer overflow exploit to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp.
Opens backdoors on the following ports:
The .A variant of the worm listens on port 2002/udp.
The .B variant listens on port 1978/udp.
The .C variant listens on port 4156/udp (and port 1052/tcp periodically). |
| 1979,1980 |
tcp |
trojans |
Premium scan |
Port used by ZSpyII 0.99b (a.k.a. BackDoor-AGK, Backdoor.ZSpy) - key logger, 02.2004. |
| 1981 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: Bowl, Shockrave
Port is also IANA registered for: p2pQ |
| 1999 |
tcp |
tcp-id-port |
Members scan |
Cisco identification port.
Some trojans also use this port: Back Door, SubSeven, TransScout
Backdoor.Bifrose.C (05.19.2005) - trojan that opens a backdoor on port 1999/tcp, and sends information to a remote server. |
| 2000 |
tcp |
callbook |
Members scan |
"RemoteAnywhere" installs a webserver on this port. NeWS/OpenWin (Sun's older variation of X-Windows) uses this port.
A number of trojan horses/backdoors use this port: Der Späher / Der Spaeher, Fear, Force, GOTHIC Intruder, Insane Network, Last 2000, Real 2000, Remote Explorer 2000, Senna Spy Trojan Generator, Singularity
Backdoor.Fearic - remote access trojan, 08.2002. Affects all current Windows versions, opens ports 2000, 3456, 8811.
Trojan.Esteems.D (05.16.2005) - trojan with keylogger capabilities. Uses port 2000/tcp to communicate with a remote host and send logged information. |
| 2001 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: Der Späher / Der Spaeher, Duddie, Glacier, Protoss, Senna Spy Trojan Generator, Singularity, Trojan Cow. Port also used by FreeBSD.Scalper.Worm (07.01.2002) - FreeBSD Apache worm. |
| 2002 |
tcp |
trojans |
Premium scan |
W32.Beagle.AX@mm (11.15.2004) - mass-mailing worm, also spreads through file-sharing networks. Affects all current Windows versions. The worm opens a backdoor on port 2002/tcp, allowing the machine to be used as an open email relay. Also uses port 80 to contact "webmoney.net".
Some other trojans/backdoors that also use this port: Duddie, Senna Spy Trojan Generator, Sensive |
| 2002 |
udp |
worm-linux |
Premium scan |
Linux.Slapper.Worm (09.13.2002) - family of worms that use an OpenSSL buffer overflow exploit to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp.
Opens backdoors on the following ports:
The .A variant of the worm listens on port 2002/udp.
The .B variant listens on port 1978/udp.
The .C variant listens on port 4156/udp (and port 1052/tcp periodically). |
| 2005 |
tcp |
trojans |
Members scan |
W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability (MS03-026) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service. |
| 2020 |
tcp |
trojans |
Premium scan |
Port used by Backdoor.Rockse - remote access trojan, 05.2003. Affects all current Windows versions, opens a server on port 2020 or 2525. |
| 2023 |
tcp |
trojans |
Premium scan |
Port used by Ripper Pro trojan (a.k.a. BackDoor-AL, Backdoor.Ripper) - key logger, steals passwords, 01.1999 |
| 2049 |
tcp,udp |
NFS |
Members scan |
Network File System (NFS) - remote filesystem access. (RFC 1813). A commonly scanned and exploited attack vector. Normally, access to portmapper is needed to find which port this service runs on, but since most installations run NFS on this port, hackers/crackers can bypass portmapper and try this port directly. |
| 2050 |
tcp |
trojans |
Premium scan |
PWSteal.Ldpinch.C - password stealing trojan horse program, 10.04.2004. Affects all current Windows versions. May open a backdoor allowing shell commands on port 2050/tcp |
| 2080 |
tcp |
trojans |
Premium scan |
Backdoor.Curdeal (11.11.2004) - backdoor trojan horse program. It can affect all current Windows versions. Notifies website on the domain currentdeal.biz through port 2080/tcp, and opens a random port to listen for remote commands.
Some versions of WinGate 3.0 contain a bug that allows the service to be crashed by connecting to this port and sending 2000 characters. |
| 2090 |
tcp |
trojans |
Premium scan |
Backdoor.Expjan - remote access trojan, 08.2002. Affects all current Windows versions.
Port is also IANA registered for: Load Report Protocol |
| 2094 |
tcp |
trojans |
Premium scan |
W32.Mytob.FO@mm (06.20.2005) - mass-mailing worm that attempts to open an IRC backdoor on ports 2094/tcp or 6543/tcp. |
| 2130 |
udp |
trojans |
not scanned |
Mini Backlash remote access and password stealing trojan. Affects Windows 9x/ME. Uses ports 2130/udp and 3150/udp. |
| 2140 |
tcp,udp |
trojans |
Premium scan |
Some trojans use this port: Deep Throat, Foreplay, The Invasor |
| 2189 |
tcp |
trojans |
Premium scan |
Port used by one of the Backdoor.Delf variants - remote access and keylogging trojan family, 05.2003.
variant 1 listens on port 2444
variant 2 listens on port 27378
variant 3 listens on port 2189
variant 4 listens on port 23 |
| 2283 |
tcp |
trojans |
Members scan |
Dumaru.Y (01.23.2004) - multi-threaded, mass mailing worm that opens a backdoor, runs a keylogger and attempts to steal personal information. Opens ports 2283/tcp and 10000/tcp.
Hvl RAT - remote access trojan, 05.1999. Coded in VB5, also uses ports 1095-1099.
Port is also registered for Lotus Notes LNVSTATUS |
| 2343 |
tcp |
trojans |
Premium scan |
Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default. |
| 2414 |
tcp |
trojans |
Premium scan |
VBS.Shania - remote access trojan, 02.02.2004. Affects all current Windows versions, listens on port 2414. |
| 2442 |
tcp |
trojans |
Premium scan |
W32.Spybot.NYT (04.18.2005) - worm with DDoS (distributed denial of service) and backdoor capabilities. Spreads through network shares, exploits multiple vulnerabilities, and opens a backdoor via IRC channels on port 2442/tcp. |
| 2444 |
tcp |
trojans |
Premium scan |
Port used by one of the Backdoor.Delf variants - remote access and keylogging trojan family, 05.2003.
variant 1 listens on port 2444
variant 2 listens on port 27378
variant 3 listens on port 2189
variant 4 listens on port 23 |
| 2525 |
tcp |
trojans |
Premium scan |
Port used by Backdoor.Rockse - remote access trojan, 05.2003. Affects all current Windows versions, opens a server on port 2020 or 2525.
Backdoor.Berbew.R (05.19.2005) - remote access trojan that steals passwords and opens backdoors on ports 2525/tcp and 4495/tcp.
Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP blocking port 25. |
| 2535 |
tcp |
trojans |
Members scan |
W32.Beagle.W@mm and W32.Beagle.X@mm variants - mass mailing worm and backdoor trojan, 04.2004. Affects all current Windows versions, opens a backdoor (it listens on TCP port 2535) and attempts to spread through file-sharing networks.
Port 2556 was used by earlier variants of the worm, like W32.Beagle.M@mm and W32.Beagle.N@mm. |
| 2536 |
tcp |
trojans |
Premium scan |
W32/Colevo@MM - mass mailing worm with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.
Ports are also IANA registered for:
1168/tcp - VChat Conference Service
1169/tcp - TRIPWIRE
2536/tcp - btpp2audctr1 |
| 2556 |
tcp |
trojans |
Members scan |
W32.Beagle.M@mm - mass mailing worm and backdoor trojan, 03.13.2004. Affects all current Windows versions, opens a backdoor (it listens on TCP port 2556) and attempts to spread through file-sharing networks.
Port also used by other variants of the worm, like W32.Beagle.N@mm. |
| 2745 |
tcp |
trojans |
Members scan |
Beagle.C (02.27.2004) through Beagle.K (03.03.2004) - mass mailing worms that use their own SMTP engine and open a backdoor on port 2745. They spread through email and file-sharing networks. |
| 2773,2774 |
tcp |
trojans |
Premium scan |
Trojans: SubSeven, SubSeven 2.1 Gold
Ports are also IANA registered for: RBackup Remote Backup |
| 2784 |
tcp |
trojans |
Members scan |
Backdoor.Sdbot.AO (01.30.2005) - worm with backdoor capabilities. Gives remote access to the compromised PC, via IRC channels on port 2784. |
| 2817 |
tcp |
trojans |
Premium scan |
W32.Mytob.FI@mm (06.20.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 2817/tcp. |
| 3030 |
tcp |
trojans |
Premium scan |
W32.Mytob.ET@mm (06.15.2005) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine to spread. Connects to an IRC server and listens for remote commands on port 3030/tcp.
Port also used by the W32.Mytob.EQ variant of the worm. |
| 3074 |
tcp,udp |
xbox |
Premium scan |
Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp. |
| 3101 |
tcp |
bes |
Premium scan |
Port used by Blackberry Enterprise Server (BES). Also uses port 3500/tcp. |
| 3127 |
tcp |
worm |
Premium scan |
W32.Novarg.A@mm - mass-mailing worm with remote access trojan, 01.2004. Affects all current Windows versions. A.K.A W32/Mydoom@MM.
When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, compromising the entire system. |
| 3128 |
tcp |
ndl-aas |
Members scan |
Port used by some proxy servers. Common web proxy server ports: 8080, 80, 3128, 6588
Official assignment: Active API Server Port
Trojans and backdoors that use this port: Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080. |
| 3129 |
tcp |
trojans |
Premium scan |
Master's Paradise - remote access trojan, 03.1998. Affects Windows, uses ports 31, 3129, 40421-40426
Port 3129 is also registered with IANA for: NetPort Discovery Port |
| 3150 |
tcp,udp |
nm-asses-admin |
Members scan |
Netmike assessor administrator port.
Some trojans that also use this port: The Invasor (TCP), Deep Throat, Foreplay (UDP), Mini Backlash (uses ports 2130/udp and 3150/udp). |
| 3195 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Whisper.B (01.17.2005) - backdoor trojan. Connects to an IRC channel for remote access on port 3195/tcp. |
| 3256 |
tcp |
trojans |
Premium scan |
W32.HLLW.Dax - worm with remote access capabilities, 09.2002. Affects all current Windows versions.
Port is also registered with IANA for: Compaq RPM Agent Port |
| 3306 |
tcp,udp |
mysql |
Members scan |
MySQL database server |
| 3332 |
tcp |
trojans |
Premium scan |
Port is registered with IANA for: MCS Mail Server
Some trojans that use this port:
Q0 BackDoor trojan
W32.Cycle (05.10.2004). Exploits a MS vulnerability on port 445, listens on ports 3332/tcp and 69/udp. |
| 3333 |
tcp |
trojans |
Premium scan |
W32.Bratle.A (07.31.2005) - worm that exploits the MS Windows LSASS Buffer Overrun vulnerability (MS04-011). Opens a FTP server on port 3333/tcp. |
| 3344 |
tcp |
trojans |
Premium scan |
W32.Mytob.GP@mm (06.30.2005) - mass mailing worm that opens a backdoor on the compromised computer. Contacts IRC servers and listens for remote commands on port 3344/tcp. |
| 3351 |
tcp |
trojans |
Members scan |
W32.Reatle.E@mm (08.01.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS LSASS Buffer Overrun Vulnerability (MS04-011). Opens backdoors on ports 3351/tcp and 8190/tcp. |
| 3372 |
tcp |
msdtc |
Members scan |
MS DTC (Microsoft Distributed Transaction Coordinator) is a Microsoft transaction processing technology. The service is installed by default in Windows 2000 and can be used by MS SQL Server and Microsoft Message Queue Server (MSMQ).
The port is vulnerable to potential DDoS attacks. A remote user may be able to crash the MS DTC service by sending 1024 bytes of random data on TCP port 3372.
If you do not need MS DTC you can set your firewall to block access to port 3372. It is possible for MS DTC to use other ports, so you might also need to set your firewall to block any activity by the MS DTC service. |
| 3385 |
tcp |
trojans |
Premium scan |
W32.Mytob.KP@mm (10.21.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands by connecting to an IRC server on the rax.oucihax.info domain on port 3385/tcp. |
| 3388 |
tcp |
trojans |
Premium scan |
Trojan.Mitglieder.S (12.22.2005) - trojan that opens a backdoor and runs a proxy server. The trojan can periodically connect to remote websites and send gathered information from the compromised computer. Opens a backdoor, acts as a SOCKS 4 proxy, and listens for remote commands on port 3388/tcp. |
| 3389 |
tcp |
rdp |
Basic scan |
Port registered as ms-wbt-server, used for Windows XP Remote Desktop and Remote Assistance connections (RDP - Remote Desktop Protocol). Also used by Windows NT/2k/2k3 Terminal Server.
See also: MS Security Bulletin MS02-051 and MS01-040. |
| 3398 |
tcp |
trojans |
Premium scan |
PWSteal.Bancos.AA (08.04.2005) - a trojan that steals passwords and logs keystrokes (mainly entered into a number of e-commerce and banking websites). The trojan runs a proxy server on port 3398/tcp. It also emails information from the compromised computer using its own SMTP server. |
| 3410 |
tcp |
trojans |
Premium scan |
Backdoor.Optixpro - remote access trojan, 08.2002. Affects all current Windows versions.
This port is also registered for NetworkLens SSL Event |
| 3418 |
tcp |
trojans |
Premium scan |
Port used by SpySender (a.k.a. Backdoor.Delf.hp) - remote access trojan, 05.2002. Uses ports 1807, 3418 |
| 3436,3437 |
tcp |
trojans |
Premium scan |
Backdoor.Netjoe (11.16.2004) - remote access trojan. Affects all current Windows versions, opens TCP ports 3436 and 3437. |
| 3456 |
tcp |
trojans |
Premium scan |
Backdoor.Fearic - remote access trojan, 08.2002. Affects all current Windows versions, opens ports 2000, 3456, 8811. |
| 3457 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429 |
| 3459 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Eclipse 2000, Sanctuary
Port IANA registered for: TIP Integral |
| 3478 |
tcp,udp |
stun |
Premium scan |
Simple Traversal of UDP Through NAT (STUN) port. It operates on port 3478 tcp/udp. It is usually supported by newer VoIP devices. |
| 3500 |
tcp |
bes |
Premium scan |
Port used by Blackberry Enterprise Server (BES). Also uses port 3101/tcp. |
| 3632 |
tcp,udp |
distcc |
not scanned |
3632 is the default listen port for the distcc daemon (distributed C/C++ compiler). It only supports IP-based authentication and defaults to allow from all, which means anyone can use it. It does no other harm than letting others use your hardware (at +5 nice) to speed up their compilation process. |
| 3689 |
tcp |
itunes |
not scanned |
iTunes |
| 3700 |
tcp |
LRS NetPage |
Premium scan |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.
3700/tcp is also registered with IANA for: LRS NetPage |
| 3724 |
tcp |
games |
Premium scan |
Port used by Warcraft II and III (Blizzard Downloader). It also uses port 6112. |
| 3737 |
tcp |
trojans |
Premium scan |
Backdoor.Helios - remote access trojan, 09.2002. Affects all current Windows versions. |
| 3784 |
tcp,udp |
ventrilo |
not scanned |
Ventrilo |
| 4000,7871,11271 |
udp |
trojans |
Members scan |
Trojan.Peacomm (2007-03-02) - trojan horse that drops a system driver which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique. Once infected, it opens a backdoor to download other malicious programs. Uses UDP ports 4000, 7871, 11271 |
| 4095 |
tcp |
trojans |
Members scan |
W32.Randex.EUS (08.16.2005) - a worm that spreads through weak passwords in network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 4095/tcp. |
| 4123 |
tcp |
trojans |
Members scan |
W32.Bratle.B (08.02.2005) - a worm that spreads by exploiting the MS LSASS Buffer Overrun Vulnerability (MS04-011). It opens a backdoor by running an FTP server on port 4123/tcp. |
| 4156 |
udp |
worm-linux |
Premium scan |
Linux.Slapper.Worm (09.13.2002) - family of worms that use an OpenSSL buffer overflow exploit to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp.
Opens backdoors on the following ports:
The .A variant of the worm listens on port 2002/udp.
The .B variant listens on port 1978/udp.
The .C variant listens on port 4156/udp (and port 1052/tcp periodically). |
| 4191 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AH (11.22.2004) - a network aware worm with backdoor functionality. Affects all current Windows versions. It spreads via network shares and allows remote access on port 4191. |
| 4367 |
tcp |
trojans |
Premium scan |
W32.Spybot.NLX (04.12.2005) - worm that exploits a number of MS vulnerabilities. It has distributed denial of service (DDoS) and backdoor capabilities. Opens a backdoor by connecting to an IRC channel using port 4367/tcp. |
| 4444 |
tcp |
trojans |
Basic scan |
W32.Blaster.Worm is a widely spread worm that exploits the DCOM RPC vulnerability described in MS Security Bulletin MS03-026. The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin MS03-026) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444. |
| 4495 |
tcp |
trojans |
Premium scan |
Backdoor.Berbew.R (05.19.2005) - remote access trojan that steals passwords and opens backdoors on ports 2525/tcp and 4495/tcp. |
| 4500 |
udp |
ipsec |
Premium scan |
IPSec (VPN tunneling) uses the following ports:
50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
See also:
port 1701 (L2TP)
port 1723 (PPTP)
|
| 4502-4534 |
tcp |
silverlight |
not scanned |
Ports are used by the Microsoft Silverlight plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser.
Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser. |
| 4564 |
tcp |
trojans |
Premium scan |
W32.Spybot.RDW (06.30.2005) - a worm with DDoS (distributed denial of service) and backdoor capabilities. Spreads by exploiting common vulnerabilities and through network shares with weak passwords. Opens an IRC backdoor on port 4564/tcp. |
| 4661 |
tcp |
trojans |
Premium scan |
Trojan.Gamqowi (10.21.2005) - a backdoor trojan that lowers security settings on the compromised computer. It blocks access to some security-related websites, and attempts to end security-related processes. Opens a backdoor and listens for remote commands by connecting to an IRC server on port 4661/tcp. |
| 4662 |
tcp |
edonkey |
Members scan |
Edonkey 2000 P2P file sharing service. http://www.edonkey2000.com/ |
| 4664 |
tcp |
Google |
Basic scan |
Port used by Google desktop's built-in HTTP server / indexing software.
Port also used by Rimage Messaging Server. Port is responsible for providing the underlying foundation for the transaction among its clients and the messaging server. The network port 4664 is used for the transmission of messaging server alerts, errors and order requests. The initialization of this system port is normally done for version 8 and higher of the Rimage software.
Port also used by: Trojan-Downloader.Win32.Banload.nrd |
| 4672 |
udp |
emule |
Premium scan |
Port 4672/udp is used by the eMule file sharing software |
| 4711 |
tcp |
emule |
Premium scan |
eMule Web Server runs on this port by default. Some versions of this P2P client are vulnerable to a DecodeBase16 buffer overflow, which would allow an attacker to execute arbitrary code. |
| 4888 |
tcp |
trojans |
Premium scan |
W32.Opanki (05.24.2005) - IRC worm that spreads through AOL Instant Messenger. Connects to ftpd.there3d.com on port 4888/tcp and opens a backdoor for remote access.
Port also used by the W32.Opanki.D variant of the worm. |
| 4899 |
tcp |
radmin |
Premium scan |
Radmin - remote administration of PCs. Some potential vulnerabilities, see Radmin Default Installation Security vulnerabilities. |
| 4912 |
tcp |
trojans |
Premium scan |
Backdoor.Mirab - remote access trojan, 06.2002. Affects all current Windows versions. It uses port 4912 for direct control and port 6430 for file transfer by default. |
| 5000 |
tcp,udp |
UPnP |
Basic scan |
Universal Plug and Pray - "Universal Plug and Play (UPnP) is an architecture that supports peer-to-peer Plug and Play functionality for network devices." MSKB - Universal PnP
UPnP discovery/SSDP, is a service that runs by default on WinXP, and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders. Here is a list of some known vulnerabilities with UPnP:
MS Security Bulletin MS01-054
MS Security Bulletin MS01-059
UPnP Vulnerabilities
Also, the following Trojan Horses use port 5000: Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie
Trojan.Webus.B - DDoS attack trojan, kills antivirus services, 10.05.2004. Uses port 5000/tcp for a DDoS attack.
W32.Mytob.HH@mm (07.12.2005) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 26418/tcp. Also opens a backdoor on port 5000/tcp. |
| 5002,5003 |
tcp |
trojans |
Members scan |
W32.Spybot.IVQ (01.26.2005) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445).
Opens a backdoor on one or more of these ports: 5002, 5003, 1927, 1930. |
| 5136 |
tcp |
trojans |
Premium scan |
Backdoor.Toob.A (11.03.2005) - a trojan horse with backdoor capabilities. Opens a backdoor and listens for remote commands on port 5136/tcp. |
| 5151 |
tcp |
trojans |
Premium scan |
Backdoor.Optix.04.c - remote access trojan, 10.23.2002. Affects all current Windows versions, listens to port 5151 by default.
Port is also IANA assigned to: esri_sde - ESRI SDE Instance |
| 5190-5193 |
tcp,udp |
AIM |
Premium scan |
ICQ, AIM (AOL Instant Messenger) |
| 5222 |
tcp |
jabber |
Members scan |
Port used by Jabber instant messaging software. |
| 5232 |
tcp |
trojans |
Members scan |
Backdoor.Lateda.C (04.01.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on the l33t.freeshellz.org domain on port 5232/tcp, opens a backdoor on port 9999/tcp.
W32.Mytob.EP@mm (06.15.2005) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands via IRC on this port.
W32.Spybot.UBH (08.16.2005) - a worm with backdoor and distributed denial of service (DDoS) capabilities. Spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS05-039).
Opens a backdoor and listens for remote commands via IRC on this port. |
| 5321 |
tcp |
trojans |
Premium scan |
Port used by Firehotcker remote access trojan (uses ports 79, 5321). |
| 5333 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Backage, NetDemon |
| 5400-5402 |
tcp |
trojans |
Premium scan |
Trojans that use these ports: Back Construction, Blade Runner, Digital Spy
Ports are also IANA registered for:
5400/tcp Excerpt Search
5401/tcp Excerpt Search Secure
5402/tcp MFTP |
| 5521 |
tcp |
skype |
Members scan |
Port used by Skype VoIP.
Also used by: Illusion Mailer |
| 5554,9996 |
tcp |
trojans |
Premium scan |
W32.Sasser.Worm - remote access trojan, 05.2004. Affects all current Windows versions, attempts to exploit a vulnerability addressed in Microsoft Security Bulletin MS04-011. There are some issues associated with using the MS04-011 update discussed here: MS KB 835732.
Trojan runs a FTP server on port 5554 on infected systems and attempts to connect to random IPs on TCP port 445. If a connection is established, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. |
| 5555 |
tcp |
|
Members scan |
Backdoor.Darkmoon.E (2007-09-25) - a Trojan horse that opens a back door on TCP port 5555 on the compromised computer. |
| 5588 |
tcp |
trojans |
Premium scan |
Easyserv.11 - remote access trojan, 08.2002. Affects all current Windows versions. |
| 5631,5632 |
udp |
PC-Anywhere |
Members scan |
PC-Anywhere sends UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one!
If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block. |
| 5652 |
tcp |
trojans |
Members scan |
W32.Fanbot.A@mm (10.18.2005) - a mass-mailing worm that lowers security settings on the compromised computer. It can also spread through P2P networks and by exploiting the MS Plug and Play Buffer Overflow vulnerability described in MS05-039. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 5652/tcp. |
| 5678 |
tcp,udp |
rrac |
Basic scan |
Port used by Linksys (and other) Cable/DSL Routers Remote Administration
Vulnerable systems: Linksys Cable/DSL version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
Immune systems: Linksys Cable/DSL versions prior to 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
|
| 5800,5900 |
tcp |
vnc |
Members scan |
VNC (Virtual Network Computing) - remote control program, http://www.realvnc.com/
It can also use ports 5800+ and 5900+ for additional machines. |
| 6000 |
tcp |
trojan |
Members scan |
Port used by W32.LoveGate.ak mass-mailing worm. Uses its own SMTP engine. Affects Windows 2000, Windows NT, Windows Server 2003, Windows XP |
| 6112-6119 |
tcp |
games |
not scanned |
Ports used by Warcraft II and III (Blizzard Downloader). It also uses port 3724. |
| 6129 |
tcp |
dameware |
Premium scan |
DameWare - See CERT Vulnerability Note VU#909678 DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets. |
| 6257 |
udp |
winmx |
Members scan |
Port used by the WinMX P2P file sharing software. It also uses port 6699/tcp. |
| 6430 |
tcp |
trojans |
Premium scan |
Backdoor.Mirab - remote access trojan, 06.2002. Affects all current Windows versions. It uses port 4912 for direct control and port 6430 for file transfer by default. |
| 6543 |
tcp |
trojans |
Premium scan |
W32.Mytob.FO@mm (06.20.2005) - mass-mailing worm that attempts to open an IRC backdoor on ports 2094/tcp or 6543/tcp. |
| 6556 |
tcp |
trojans |
Members scan |
W32.Toxbot.C (06.30.2005) - worm that opens a backdoor on the compromised computer. Spreads by exploiting common Windows vulnerabilities. Opens an IRC backdoor on port 6556/tcp.
Also: W32.Toxbot.AL (10.09.2005). |
| 6588 |
tcp |
analogx |
Premium scan |
Port used by AnalogX proxy server. Common web proxy server ports: 8080, 80, 3128, 6588 |
| 6631 |
tcp |
worm |
Premium scan |
Backdoor.Sdbot.AG (11.18.2004) - network-aware worm with backdoor capabilities that spreads through network shares. Affects all current Windows versions.
It opens a backdoor by connecting to an IRC server (ronz1.afraid.org or ronz2.afraid.org) on port 6631/tcp. |
| 6660 |
tcp |
trojans |
Members scan |
W32.Spybot.OBZ (04.25.2005) - worm with DDoS and backdoor capabilities. Exploits multiple vulnerabilities, spreads through network shares. Opens a backdoor on port 6660/tcp. |
| 6663 |
tcp |
trojans |
Premium scan |
W32.Mytob.GA@mm (06.30.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 6663/tcp.
Port also used by the W32.Mytob.HM@mm variant of the worm. |
| 6665-6669 |
tcp,udp |
IRC |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use these ports: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood
Backdoor.Hacarmy.E (10.14.2004) - remote access trojan.
W32.Spybot.EAS (10.01.2004) - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC (10.01.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.E (10.14.2004) - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica (11.03.2004) - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload (11.04.2004) - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.F (11.04.2004) - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm (11.08.2004) - uses ports 1639 and 6667/tcp.
Backdoor.Sdbot.AF (11.18.2004) - backdoor trojan, uses port 6667/tcp.
W32.Bofra.E@mm (11.12.2004) - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W (01.28.2005) - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B (01.17.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H (08.19.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 6670 |
tcp |
vocaltec |
Members scan |
Vocaltec global online directory.
Some trojans also use this port: BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame. |
| 6677 |
tcp |
trojans |
Premium scan |
W32.Mydoom.BT@mm (05.17.2005) - mass-mailing worm with backdoor capabilities, that uses its own SMTP engine. It communicates with an IRC server and listens for remote commands on port 6677/tcp. |
| 6699 |
tcp |
winmx |
Members scan |
Port used by p2p software, such as WinMX.
Note: WinMX also uses port 6257/udp. |
| 6711 |
tcp |
trojans |
Premium scan |
Some trojans that use this port:
SubSeven/BackDoor-G, VP Killer
Backdoor.Kilo - remote access trojan, 02.2003. Affects Windows, listens on port 6711 and 6718. |
| 6718 |
tcp |
trojans |
Premium scan |
Backdoor.Kilo - remote access trojan, 02.2003. Affects Windows, listens on port 6711 and 6718. |
| 6776 |
tcp |
trojans |
Members scan |
Trojans that use this port: 2000 Cracks, SubSeven/BackDoor-G, VP Killer |
| 6789 |
tcp |
trojans |
Members scan |
W32.Netsky.T@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. It has backdoor and DoS (Denial of Service) capabilities. Listens on port 6789/tcp to receive and execute a file from an attacker.
The W32.Netsky.S@mm variant opens this port as well. |
| 6868 |
tcp |
trojans |
Premium scan |
Backdoor.Darkmoon (08.19.2005) - trojan that opens a backdoor on the compromised computer and has keylogging capabilities. Opens a backdoor and listens for remote commands on ports 6868/tcp and 7777/tcp. |
| 6969 |
tcp |
acmsoda |
Premium scan |
Some older trojans use this port: GateCrasher, IRC 3/IRC Hack, Net Controller, Priority |
| 7000 |
tcp |
afs-fileserver |
Members scan |
afs fileserver
W32.Gaobot.BQJ (11.08.2004) - network-aware worm that opens a backdoor and can be controlled via IRC. It can affect all current Windows versions. Connects to an IRC server on port 7000/tcp.
W32.Mydoom.BQ@mm (05.11.2005) - mass-mailing worm with backdoor capabilities, that uses its own SMTP engine. It communicates with an IRC server and listens for remote commands on port 7000/tcp.
W32.Mytob.GC@mm (06.30.2005) - mass-mailing worm that opens a backdoor on port 7000/tcp.
Some older trojan horses/backdoors that also use this port: Exploit Translation Server, Kazimas, Remote Grab, SubSeven |
| 7043 |
tcp |
trojans |
Members scan |
W32.Spybot.YCL (10.04.2005) - a worm with backdoor and distributed denial of service (DDoS) capabilities. It can spread by exploiting a number of vulnerabilities, as well as backdoors left by other malware. Opens a backdoor and listens for remote commands via IRC on port 7043/tcp.
Also: W32.Spybot.YQL (10.18.2005) |
| 7080 |
tcp |
haxdoor |
Premium scan |
Backdoor.Haxdoor.E (08.01.2005) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp. |
| 7215 |
tcp |
trojans |
Premium scan |
trojans: SubSeven, SubSeven 2.1 Gold |
| 7222 |
udp |
worm-linux |
not scanned |
Linux.Plupii (11.10.2005) - a worm with backdoor capabilities. Attempts exploiting several Linux web server related vulnerabilities. Opens a backdoor and listens for remote commands on port 7222/udp. |
| 7300-7308 |
tcp |
trojans |
Premium scan |
trojan(s) that use these ports: NetMonitor (a.k.a. NetSpy, NTMonitor, BackDoor-E.srv., Backdoor.Netspy, Backdoor.NetMonitor) |
| 7329 |
tcp |
trojans |
Premium scan |
Backdoor.Netshadow (02.09.2005) - a trojan horse with backdoor capabilities. Listens on port 7329 by default (port configurable). |
| 7555 |
udp |
worm-linux |
not scanned |
Linux.Plupii.B (11.17.2005) - a worm with backdoor capabilities. Attempts exploiting Linux vulnerabilities. Opens a backdoor and listens for remote commands on port 7555/udp. |
| 7745 |
tcp |
trojans |
Premium scan |
W32.Mytob.HG@mm (07.12.2005) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 7745/tcp. |
| 7777 |
tcp |
trojans |
Premium scan |
Backdoor.Darkmoon (08.19.2005) - trojan that opens a backdoor on the compromised computer and has keylogging capabilities. Opens a backdoor and listens for remote commands on ports 6868/tcp and 7777/tcp.
Port 777/tcp is also used by:
iChat server file transfer proxy
Oracle Cluster File System 2
Windows backdoor program tini.exe |
| 7788 |
tcp,udp |
trojans |
Premium scan |
Trojans that use this port: Last 2000, Singularity (Backdoor.Singu) |
| 7812 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AP (03.04.2005) - worm with backdoor capabilities. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 7812/tcp. |
| 7823 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 7999 |
tcp |
worm |
Members scan |
W32.Mytob.LZ@mm (11.20.2005) - a mass-mailing worm with backdoor capabilities. It can spread using network shares and exploiting Windows vulnerabilities. Blocks access to several security-related websites by modifying the hosts file. Opens a backdoor and listens for remote commands by connecting to an IRC server on port 7999/tcp. |
| 8000 |
tcp |
trojans |
Members scan |
W32.Gaobot.CEZ (01.25.2005) - Worm with backdoor capabilities. Spreads by exploiting various vulnerabilities (ports 80, 135, 445). Blocks access to security-related websites and terminates some processes. Connects to an IRC server and listens on port 8000.
W32.Spybot.OGX (05.02.2005) - network-aware worm with distributed denial of service and backdoor capabilities. Opens a backdoor by connecting to an IRC server on port 8000/tcp.
W32.Mytob.JW@mm (10.04.2005) - a mass-mailing worm with backdoor capabilities that lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 8000/tcp. Also uses port 10027/tcp to download a copy of the worm. |
| 8008 |
tcp |
haxdoor |
Premium scan |
Backdoor.Haxdoor.E (08.01.2005) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp. |
| 8076 |
tcp |
trojans |
Members scan |
W32.Spybot.PEN (05.24.2005) - worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. Can be dropped by W32.Kelvir.CG. Opens a backdoor by connecting to IRC channel on port 8076/tcp. Exploits vulnerabilities on port 445/tcp (MS04-011), and 1433/udp (MS02-061).
W32.Mytob.HI@mm (07.12.2005) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 8076/tcp. |
| 8080 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - alternative ports used for web traffic. See also TCP ports 80, 81.
Some broadband routers run a web server on port 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.
If you're not running web services, keep in mind that some trojans also use these ports:
Reverse WWW Tunnel Backdoor - remote access/tunneling software coded in Perl, uses ports 80, 3128, 8080. Works on Unix, Linux, Solaris, AIX and OpenBSD.
RingZero (a.k.a. Ring0, Trojan.PSW.Ring, RingZero.gen, Ring) - uses ports 80, 3128, 8080. Affects Windows 9x.
Screen Cutter (a.k.a. Backdoor.Screencut) - uses ports 80, 8080.
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
W32.Spybot.OFN (04.29.2005) - network-aware worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. It may be downloaded by W32.Kelvir variants. Opens a backdoor on port 8080/tcp. Also exploits vulnerabilities on ports 445 and 1433.
W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.
Backdoor.Naninf.D (02.01.2006)
Backdoor.Naninf.C (01.31.2006)
W32.Rinbot.A (2007-03-02) - a worm that opens a back door, copies itself to IPC$ shares, connects to an IRC server, and awaits commands on port 8080/tcp. |
| 8080 |
udp |
trojans |
Premium scan |
Backdoor.Tjserv.D (10.04.2005) - a backdoor trojan that acts as a HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens a HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp. |
| 8081 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - alternative ports used for web traffic. See also TCP ports 80, 81, 8080.
If you're not running web services on this port, keep in mind that some trojans also use it:
W32.Bufei (04.18.2005) - virus with backdoor and keylogger capabilities. Attempts to connect to URLs for remote access on port 8081 every 3 minutes. |
| 8126 |
tcp |
trojans |
Members scan |
W32.Pejaybot (01.14.2005) - worm that spreads via file sharing networks. Connects to an IRC server and opens a backdoor on port 8126.
W32.Kelvir.Q (04.12.2005) - worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm. Connects to an IRC server on port 8126/tcp. |
| 8181 |
tcp |
trojans |
Members scan |
W32.Erkez.D@mm (12.15.2004) - mass mailing worm that can terminate processes, lower security settings, and allow remote access to the compromised computer. Opens a backdoor and listens for remote commands on port 8181/tcp. |
| 8190 |
tcp |
trojans |
Members scan |
W32.Reatle.E@mm (08.01.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS LSASS Buffer Overrun Vulnerability (MS04-011). Opens backdoors on ports 3351/tcp and 8190/tcp. |
| 8500 |
tcp |
Macromedia |
not scanned |
Port used by Macromedia ColdFusion MX Server (Edition 6) to allow remote access as Web server |
| 8563 |
tcp |
trojans |
Members scan |
W32.Zotob.H (08.19.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 8594 |
tcp |
trojans |
Basic scan |
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. |
| 8719 |
tcp |
trojans |
Premium scan |
Backdoor.WinShell.50 - remote access trojan, 08.05.2003. Affects all current Windows versions, listens on port 8719. It is an earlier variant of Backdoor.WinShell.50.b (port 39581) and usually packed along with Trojan.Stealther.B. |
| 8767 |
udp |
teamspeak |
Premium scan |
Teamspeak default server port (configurable in server.ini). Program can also use port 51234 for server queries, and port 80/tcp or 14534/tcp for administration. |
| 8811 |
tcp |
trojans |
Premium scan |
Backdoor.Fearic - remote access trojan, 08.2002. Affects all current Windows versions, opens ports 2000, 3456, 8811. |
| 8866 |
tcp |
trojans |
Members scan |
Beagle.B (02.17.2004) - mass mailing worm that uses its own SMTP engine and opens a backdoor on port 8866/tcp. |
| 8881 |
tcp |
worm |
Members scan |
W32.Mytob.IK@mm (07.30.2005) - a mass-mailing worm that uses its own SMTP engine, opens a backdoor, and lowers security settings on the compromised computer. Listens for remote commands on port 8881/tcp. |
| 8885 |
tcp |
trojans |
Members scan |
W32.Reatle.mm@mm (07.15.2005) - mass-mailing worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability (MS04-011) on TCP port 445. Opens a backdoor by running an FTP server on port 8885/tcp. Also attempts to perform a denial of service attack against www.symantec.com by targeting port 1052/tcp with randomly generated packets.
W32.Reatle.C@mm (07.19.2005) - another variant of the above mass-mailing worm. Opens a backdoor on port 8885/tcp and attempts to perform a denial of service attack against www.symantec.com on port 1052/tcp. |
| 8888,8889 |
tcp |
trojans |
Premium scan |
W32.Axatak - password stealing virus with remote access trojan capabilities, 08.2002. Affects all current Windows versions, uses ports 8888 and 8889.
Ports also registered with IANA for: ddi-tcp-1 NewsEDGE server |
| 8900 |
tcp |
trojans |
Premium scan |
W32.Mytob.EV@mm (06.15.2005) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands via IRC on port 8900/tcp. |
| 9000 |
tcp |
trojans |
Premium scan |
W32.Randex.CZZ (03.16.2005) - network aware worm that attempts to connect to an IRC server on port 9000/tcp for remote instructions.
W32.Mytob.GK@mm (06.30.2005) - mass-mailing worm that opens a backdoor on port 9000/tcp.
Port 9000 also used by the EverQuest World server. |
| 9030 |
tcp |
trojans |
Members scan |
W32.Beagle.BY@mm (08.04.2005) - a mass-mailing worm that uses its own SMTP engine. It opens a backdoor on the compromised computer and listens for remote commands on port 9030/tcp. |
| 9035 |
tcp |
trojans |
Members scan |
W32.Beagle.CK@mm (10.18.2005) - a mass-mailing worm with backdoor capabilities. Uses its own SMTP engine, stops some anti-virus and security related processes. Opens a backdoor and listens for remote commands on port 9035/tcp.
Port also used by W32.Beagle.CL@mm (10.09.2005) |
| 9040 |
tcp |
trojans |
Premium scan |
Trojan.Mitglieder.R (07.01.2005) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate an SMTP spam relay server on port 25/tcp. |
| 9125 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.J (03.26.2005) - back door and a keylogger, periodically sending the stolen info via email. Listens on port 9125/tcp for instructions from a remote attacker.
Backdoor.Nibu.N (08.12.2005) - a trojan that blocks access to security-related sites, and opens a backdoor on the compromised computer. It also runs a keylogger, sending information periodically via email. Opens a backdoor and listens for remote commands on ports 9125/tcp, and 27328/tcp. |
| 9515 |
tcp |
trojans |
Members scan |
W32.Loxbot.A (10.19.2005) - a worm with backdoor capabilities. It can spread using AIM, and it can lower security settings on the compromised computer. Also uses a rootkit to hide its process in memory. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 9515/tcp.
Port also used by the W32.Loxbot.B variant. |
| 9696,9697 |
tcp |
trojans |
Premium scan |
Gholame - remote access trojan, 08.2002. Affects all current Windows versions. |
| 9867 |
tcp |
trojans |
Premium scan |
Backdoor.Sokeven - remote access trojan, 09.22.2004. Affects all current Windows versions, opens a SOCKS proxy on port 9867 by default. Systems can get infected by visiting a malicious website with Internet Explorer - exploits IE File Installation Vulnerability. |
| 9872-9875 |
tcp |
trojans |
Premium scan |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.
Port 9875 also used by the EverQuest Chat server.
Port 9875 tcp is also registered with IANA for Session Announcement v1 - RFC 2974. |
| 9876 |
tcp |
Session Director |
Premium scan |
Session Director.
Some trojans and backdoors use this port: Cyber Attacker, Rux, Backdoor.Lolok
Backdoor.Lolok is a backdoor Trojan that uses the mIRC client to give a hacker access to the computer. By default, it establishes an IRC connection to irc.tu-pac.net on port 9876. Usually spreads through email attachments or disguised as a video file. Discovered on 12.05.2002. |
| 9898 |
tcp |
trojans |
Members scan |
Dabber.A (05.14.2004) and Dabber.B (06.04.2004) - a worm that propagates by exploiting a vulnerability in the FTP server component of W32.Sasser.Worm and its variants. It installs a backdoor on port 9898/tcp (if it fails, tries to listen on ports 9899-9999). |
| 9998 |
tcp |
totalbill |
not scanned |
Totalbill (billing and provisioning system for ISPs by Aptis Software) listens on port 9998/tcp (by default) and allows full control over the software. An exploit script for this software was published in 2000. |
| 9999 |
tcp |
trojans |
Premium scan |
Backdoor.Lateda.B (01.17.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
Backdoor.Lateda.C (04.01.2005) - backdoor trojan with remote access capabilities. Connects to an IRC server on the l33t.freeshellz.org domain on port 5232/tcp, opens a backdoor on port 9999/tcp. |
| 10000 |
tcp |
trojans |
Members scan |
Dumaru.Y (01.23.2004) - multi-threaded, mass mailing worm that opens a backdoor, runs a keylogger and attempts to steal personal information. Opens ports 2283/tcp and 10000/tcp. |
| 10001,10002 |
tcp |
trojans |
Premium scan |
Ports used by Backdoor.Zdemon.126 - remote access trojan, 05.2003. Affects all current Windows versions.
Port 10001/tcp is also assigned by IANA to: SCP Configuration Port |
| 10008 |
tcp |
worm |
Premium scan |
In early 2001, many exploit scripts for DNS TSIG name overflow would place a root shell on this port. In mid-2001, a worm ("cheese" worm) was created that enters the system via this port (left behind by some other attacker), then starts scanning other machines from this port.
CERT: IN-2001-05 |
| 10027 |
tcp |
trojans |
Premium scan |
W32.Mytob.JW@mm (10.04.2005) - a mass-mailing worm with backdoor capabilities that lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 8000/tcp. Also uses port 10027/tcp to download a copy of the worm. |
| 10067,10167 |
udp |
trojans |
Premium scan |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp. |
| 10080 |
tcp |
trojans |
Premium scan |
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080. |
| 10082 |
tcp |
trojans |
Premium scan |
W32.Mytob.CP@mm (05.23.2005) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine, spreads by exploiting the MS Security Bulletin MS04-011 vulnerability. Starts an FTP server on a random TCP port. Uses port 10082/tcp to download the worm as "bingoo.exe". |
| 10085 |
tcp |
trojans |
Premium scan |
W32.Mytob.BL@mm (04.25.2005) - mass-mailing worm with backdoor capabilities. Connects to an IRC server on port 6667/tcp, opens a backdoor FTP server on port 10085. |
| 10087 |
tcp |
trojans |
Members scan |
W32.Mytob.AD@mm (04.07.2005) - mass-mailing worm with built-in SMTP engine. Spreads by exploiting the MS DCOM RPC vulnerability (MS03-026) and the MS Windows Local Security Authority Service Remote Buffer Overflow (MS04-011). Opens a backdoor on port 10087/tcp. Also connects to an IRC channel on the ircd.dists.com domain on port 6667 and listens for commands. Compromised PCs can be rebooted remotely, files can be downloaded/executed, and IRC commands can be performed.
W32.Mytob.AA@mm (04.05.2005) - mass-mailing worm that uses its own SMTP engine, and has backdoor capabilities. Uses port 10087 to transfer copies of the worm, and also opens an FTP server that listens on a random TCP port.
W32.Mytob.FP@mm (06.23.2005) - mass-mailing worm that opens backdoors on ports 10087/tcp and 12347/tcp. |
| 10089 |
tcp |
trojans |
Premium scan |
W32.Mytob.AR@mm (04.12.2005) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine. Opens a backdoor on port 10089/tcp, and connects to an IRC server on port 8080. |
| 10099 |
tcp |
trojans |
Premium scan |
W32.Mytob.FX@mm (06.23.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 36311/tcp. Also runs an FTP server on port 10099/tcp. |
| 10102 |
tcp |
backdoor |
Premium scan |
Backdoor.Staprew.B (05.02.2005) - backdoor program, contacts the lowesapr.net domain on port 10102/tcp with the IP of the compromised computer and the number of the random TCP port of the backdoor. |
| 10104 |
udp |
trojans |
Premium scan |
Backdoor.Lowtaper - remote access trojan, 10.14.2004. Affects all current Windows versions.
Uses ports 24681/tcp and 10104/udp |
| 10168 |
tcp |
trojans |
Premium scan |
W32.HLLW.Lovgate - a worm with backdoor trojan capabilities, 06.2003. Affects all current Windows versions. |
| 10752 |
tcp |
backdoor |
Members scan |
Backdoor. One of the many Linux mountd (port 635) exploits installs its backdoor at this port. Origin??? 10751 = 0x2a00, where 0x2a = 42 (proposed by Darren Reed)
The bx.c IRC exploit puts a root shell backdoor listening at this port.
The ADM named v3 attack puts a shell at this port. |
| 10888 |
tcp |
trojans |
Premium scan |
Trojan.Webus.C - remote access trojan, 10.12.2004. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080. |
| 11768 |
tcp |
trojans |
Premium scan |
Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin MS04-011). Uses tcp ports 11768 and 15118. |
| 11831 |
tcp |
trojans |
Premium scan |
Trojans that use this port:
DarkFace - remote access trojan. Affects Windows
Latinus - remote access trojan, 06.2002. Affects Windows 9x/ME/NT/2k/XP
Pestdoor - remote access trojan, 10.2002. Affects Windows 9x/ME/NT/2k/XP
Vagr Nocker - remote access trojan, 02.2001. Affects Windows |
| 12000 |
tcp |
trojans |
Premium scan |
SatanCrew - remote access trojan, 08.2002. Affects Windows 9x/Me,NT,2K,XP
W32.Mytob.GN@mm (06.30.2005) - mass-mailing worm with its own SMTP engine and backdoor capabilities. Sends itself to email addresses it finds on the compromised computer. Opens an IRC backdoor on port 12000/tcp.
Port is also IANA assigned to: entextxid - IBM Enterprise Extender SNA XID Exchange |
| 12345,12346 |
tcp |
NetBus |
Members scan |
NetBus Trojan Horse uses this port.
Because of the common sequence of numbers "1 2 3 4 5" this port is commonly chosen when configuring programs, or as default port number.
Some other trojan horses/backdoors that use this port: Ashley, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, Pie Bill Gates, Whack Job, X-bill
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429
Trend Micro's OfficeScan products use port 12345 as well (see Securityfocus BugtraqID: 1013). |
| 12347 |
tcp |
trojans |
Premium scan |
W32.Mytob.FP@mm (06.23.2005) - mass-mailing worm that opens backdoors on ports 10087/tcp and 12347/tcp. |
| 12348,12349 |
tcp |
BioNet |
Premium scan |
GCI BioNet, a widespread trojan horse |
| 13000 |
tcp,udp |
trojan |
Premium scan |
Senna Spy trojan uses port 13000 udp.
TCP port can also be used by Unreal Tournament 3. |
| 13173 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 14534 |
tcp |
teamspeak |
Premium scan |
Teamspeak server default web administration port (configurable in server.ini). Program also uses port 51234/tcp for server queries, and port 8767/udp. |
| 14690 |
tcp,udp |
applications |
not scanned |
Port used by BitKeeper.
14690/udp is also used by Battlefield 1942. |
| 15118 |
tcp |
trojans |
Premium scan |
Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin MS04-011). Uses tcp ports 11768 and 15118. |
| 15432 |
tcp |
trojans |
Premium scan |
Backdoor.Cyn - remote access trojan, 08.2002. Affects all current Windows versions, listens on ports 15432 and 51234. |
| 15858 |
tcp |
trojans |
Premium scan |
CDK trojan (ports 79, 15858) |
| 16322 |
tcp |
trojans |
Premium scan |
Backdoor.Lastdoor - remote access trojan, 09.2002. Affects all current Windows versions. |
| 16661 |
tcp |
trojans |
Premium scan |
Backdoor.Haxdoor.D (01.25.2005) - backdoor trojan program. Also attempts to log key strokes and steal passwords. Listens on port 16661/tcp, opens two additional high random ports.
Backdoor.Haxdoor.E (08.01.2005) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp. |
| 17300 |
tcp |
trojans |
Premium scan |
Some backdoors use this port: Milkit (Spybot 3), Kuang2 the_Virus. |
| 17569 |
tcp |
trojans |
Premium scan |
Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 17940 |
tcp |
trojans |
Members scan |
W32.Imav.A (01.29.2006) - a worm spreading through ICQ messages, may also arrive as a .zip attachment to emails. Disables security-related products and lowers security settings on the compromised computer. Connects to login.icq.com on port 17940/tcp, and sends out messages containing links to copies of the worm. |
| 17988 |
tcp |
hp |
Premium scan |
HP integrated Lights Out Management Feature uses this port.
Also used by HP iLO as Virtual Media port. |
| 18067 |
tcp |
trojans |
Basic scan |
Backdoor.Mousey (08.05.2005) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands via IRC on port 18067/tcp.
W32.Esbot.B (08.17.2005) - a worm that spreads by exploiting the MS Plug and Play Buffer Overflow Vulnerability (MS05-039). Opens a backdoor and listens for remote commands by connecting to IRC servers on port 18067/tcp.
W32.Mocbot.A (10.25.2005) - a worm with backdoor capabilities that exploits the MS Plug and Play Buffer Overflow Vulnerability (MS05-039). Opens a backdoor and listens for remote commands by connecting to an IRC server on port 18067/tcp. |
| 18888 |
tcp,udp |
liquidaudio |
not scanned |
Port used by LiquidAudio servers. |
| 20034 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: NetBus, NetRex, Whack Job |
| 20192 |
tcp |
trojans |
not scanned |
Backdoor.Ranky.V (11.03.2005) - a trojan horse that allows the compromised computer to be used as a covert proxy. Starts a covert proxy on a random tcp port between 1025 and 65535. Uses port 20192/tcp to send notifications of infection. |
| 20742 |
tcp |
trojans |
Members scan |
Trojan.Mitglieder.E - Mail Relay trojan, 03.13.2004. Affects all current Windows versions, creates a listening proxy on a configurable high port that allows the ability to relay email. By default, the Trojan listens on port 20742. |
| 21157 |
udp |
games |
not scanned |
Activision gaming protocol [RFC 3027] |
| 21211 |
tcp |
trojans |
Members scan |
W32.Dasher.B (12.16.2005) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin MS05-051).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the MS05-051 exploit on port 1025/tcp. |
| 21554 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: Exploiter, Kid Terror, Winsp00fer
Schwindler remote access trojan - ports 21554, 50766 |
| 22222 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: Donald Dick, Prosiak, Ruler, RUX The TIc.K
Viasat (Swedish TV provider) routes traffic to digital boxes for digital TV through this port. |
| 22311 |
tcp |
trojans |
Premium scan |
Backdoor.Simali - remote access trojan, 04.2003. Affects all current Windows versions, listens on port 22311 by default. Notifies attacker via email or ICQ. |
| 22555 |
udp |
vocaltec |
not scanned |
Port used by VocalTec Internet Phone. |
| 22703 |
tcp,udp |
webtv |
not scanned |
WebTV is vulnerable to a DoS exploit on this port that can reboot the machine. |
| 22793 |
tcp |
vocaltec |
not scanned |
VocalTec Internet Phone - tcp connection to VocalTec servers on this port. |
| 23432 |
tcp |
trojans |
Premium scan |
Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default. |
| 23456 |
tcp |
trojans |
Members scan |
The following trojans/backdoors use this port: Evil FTP, Ugly FTP, WhackJob |
| 23476,23477 |
tcp |
trojans |
Premium scan |
DonaldD.Trojan (09.28.1999) - backdoor trojan similar to BlackOrifice. Opens a backdoor and listens for remote commands on ports 23476/tcp and 23477/tcp by default. |
| 23523 |
tcp |
trojans |
Premium scan |
W32.Mytob.KM@mm (10.12.2005) - a mass-mailing worm with backdoor capabilities, that also lowers security settings on the compromised computer. Opens a backdoor by connecting to rax.oucihax.info and listens for remote commands on port 23523/tcp. |
| 23560 |
tcp |
trojans |
Premium scan |
Backdoor.Sparta.D (10.02.2005) - a backdoor trojan that can be controlled by a remote attacker via IRC channels. Uses port 23560/tcp. |
| 24000 |
tcp |
trojans |
Premium scan |
Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 24681 |
tcp |
trojans |
Premium scan |
Backdoor.Lowtaper - remote access trojan, 10.14.2004. Affects all current Windows versions.
Uses ports 24681/tcp and 10104/udp |
| 26000 |
tcp,udp |
quake |
not scanned |
Quake-based games (e.g. Half-Life, Quakeworld, QuakeIII, etc.) use this port. |
| 26418 |
tcp |
trojans |
Premium scan |
W32.Mytob.HH@mm (07.12.2005) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 26418/tcp. Also opens a backdoor on port 5000/tcp. |
| 27328 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.N (08.12.2005) - a trojan that blocks access to security-related sites, and opens a backdoor on the compromised computer. It also runs a keylogger, sending information periodically via email. Opens a backdoor and listens for remote commands on ports 9125/tcp, and 27328/tcp. |
| 27374 |
tcp,udp |
SubSeven |
Basic scan |
One of the most commonly probed ports.
SubSeven Trojan horse uses this port (TCP). Also used as a backdoor port left behind by exploit scripts, such as those in the Ramen worm. While some scans for this port may be due to SubSeven, others may be looking for a remote shell.
Other trojan horses/backdoors that use this port: Bad Blood, Ramen, Seeker, SubSeven (many versions), Ttfloader |
| 27378 |
tcp |
trojans |
Premium scan |
Port used by one of the Backdoor.Delf variants - remote access and keylogging trojan family, 05.2003.
variant 1 listens on port 2444
variant 2 listens on port 27378
variant 3 listens on port 2189
variant 4 listens on port 23 |
| 27444 |
udp |
trojans |
Premium scan |
Trinoo and tribe flood network (or TFN) Denial of Service (DoS) tools use this port. See CERT: IN-99-07.
See also: port 27665 (Trinoo master port). |
| 27655 |
tcp |
trojans |
Members scan |
Trinoo Denial of Service (DoS) tool uses this port. See CERT: IN-99-07.
See also: port 27444 |
| 27999 |
tcp |
trojans |
Members scan |
W32.Mytob.EU@mm (06.15.2005) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands on this port.
W32.Mytob.GB@mm (06.30.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 27999/tcp.
W32.Mytob.KE@mm (10.21.2005) |
| 28876 |
tcp |
trojans |
Premium scan |
Trojan.Helemoo (07.25.2005) - a backdoor trojan that exploits a MS IE DHTML Memory Corruption Vulnerability (MS05-020). Opens a backdoor and listens for remote commands on port 28876/tcp (backdoor can also be a random port). |
| 29147 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AI (01.03.2005) - network aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 29147/tcp. |
| 29559 |
tcp |
trojans |
Premium scan |
Backdoor.Ducktoy - remote access trojan, 07.2002. Affects all current Windows versions, listens to ports 29559 and 59211 by default.
Backdoor.Latinus - remote access trojan, 06.2002. Affects Windows 9x/ME/NT/2k/XP. Uses port 11831 for direct control and port 29559 for file transfer. |
| 29999 |
tcp |
trojans |
Premium scan |
Backdoor.AntiLam - remote access trojan, 08.2002. Affects all current Windows versions, listens on ports 29999 and 47891. |
| 30000 |
tcp |
trojans |
Premium scan |
Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
| 30029 |
tcp |
trojan |
Members scan |
AOL Trojan. Aliases: AOL Admin, Backdoor.Cheeser |
| 30100-30103 |
tcp |
trojan |
Members scan |
NetSphere trojan uses these ports.
30100 tcp - the main port that NetSphere connects to.
30101-30103 tcp - NetSphere runs FTP services on these ports, used to transfer various files (e.g. keylog files).
NetSphere infects only Windows 9x systems. A server program called nssx.exe is placed in the C:\Windows\System directory, a "NSSX" value is added to the Run hive of the registry to launch the server. |
| 30303 |
tcp |
trojan |
Premium scan |
Sockets de Troie trojan. Typically uses ports 5000, 5001, 30303, and 50505. Includes remote administration tool like Back Orifice and NetBus, so it has a server (spread with virus) and client portion. |
| 30464 |
tcp |
exploits |
Members scan |
Port used by Slapper trojan. Numerous exploit scripts bind root shells to this port. See also SMTP ETRN overflow |
| 30722 |
tcp |
trojans |
Basic scan |
W32.Esbot.A (08.15.2005) - a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (MS Security Bulletin MS05-039). Opens a backdoor and listens for remote commands by connecting to IRC servers on port 30722/tcp. |
| 30999 |
tcp |
trojans |
Premium scan |
Backdoor.Novacal (10.02.2005) - a backdoor server program that allows unauthorized access to a compromised computer. Uses ICQ to notify the remote attacker of the compromised computer. Opens a backdoor and listens for remote commands on port 30999/tcp. |
| 31113 |
tcp |
worms |
Members scan |
W32.Mytob.IH@mm (07.25.2005) - a mass-mailing worm that uses its own SMTP engine, opens a backdoor, and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 31113/tcp. |
| 31332 |
tcp |
trojans |
Premium scan |
Backdoor.Grobodor - backdoor trojan coded in Delphi, 10.06.2003. Affects all current Windows versions, listens on port 31332. |
| 31335 |
udp |
trojan |
not scanned |
Trinoo distributed attack tool port. |
| 31337 |
tcp,udp |
Back Orifice |
Members scan |
This port number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T) and because of the special meaning is often used for interesting stuff... Many backdoors/trojans run on this port, the most notable being Back Orifice.
Here are some others that run on the same port: Back Fire, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, Freak2k, icmp_pipe.c, Sockdmini |
| 31789,31790 |
udp |
hackatack |
Members scan |
Windows Hack'a'Tack trojan |
| 32000 |
tcp |
vulnerable |
not scanned |
BugtraqID: 791 - Artisoft XtraMail DoS vulnerability. Control port can be overflowed with long usernames. |
| 32100 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: Peanut Brittle, Project nEXT |
| 32768-32770 |
tcp,udp |
first-os-ports |
not scanned |
First ports typically used for outgoing connections by some Linux distros like Red Hat: see /etc/rc.d/init.d/network and /proc/sys/net/ipv4/ip_local_port_range |
| 32791 |
tcp |
trojans |
Premium scan |
Backdoor.Acropolis - 02.16.2001. Remote access trojan, affects all current Windows versions, listens on ports 32791, 45673. |
| 33322 |
tcp |
trojans |
Members scan |
Trojan.Lodeight.B (01.26.2006) - trojan horse that attempts to download a W32.Beagle variant and opens a backdoor on the compromised computer. Opens a backdoor and listens for remote commands on port 33322/tcp. |
| 33333 |
tcp |
trojans |
Members scan |
W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin MS05-039) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.
Backdoor.Selka (11.12.2004) - backdoor program, can affect all current Windows versions. Listens on port 33333.
Some older trojans/backdoors that also use this port: Blakharaz, Prosiak |
| 33434-33523 |
udp |
traceroute |
not scanned |
incoming traceroute |
| 34324 |
tcp |
trojans |
Premium scan |
Port used by BigGluck aka TN, Tiny Telnet Server. |
| 34330 |
tcp |
trojans |
Premium scan |
W32.Myfip.AB (04.08.2005) - network aware worm that steals files from compromised computers. Sends files to a remote server on port 34330/tcp. |
| 36311 |
tcp |
trojans |
Premium scan |
W32.Mytob.FX@mm (06.23.2005) - mass-mailing worm that opens a backdoor and listens for remote commands on port 36311/tcp. Also runs an FTP server on port 10099/tcp. |
| 36794 |
tcp |
trojans |
Premium scan |
Port used by W32.Bugbear@mm - mass-mailing worm, also spreading through network shares, 10.2003. Affects all current Windows versions. The worm also attempts to terminate the processes of various antivirus and firewall programs and opens a backdoor service on port 36794. |
| 39581 |
tcp |
trojans |
Premium scan |
Backdoor.WinShell.50.b - remote access trojan, 08.11.2003. Affects all current Windows versions, listens on port 39581. It is a variant of Backdoor.WinShell.50 (port 8719) and usually packed along with Trojan.Stealther.B. |
| 39780 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.O (10.10.2005) - a backdoor trojan that also runs a keylogger.
Opens a backdoor and listens for remote commands on port 39780/tcp. Also logs information and sends captured keystrokes to predetermined websites/emails. |
| 39999 |
tcp |
trojans |
Members scan |
Trojan.Mitglieder.C - Mail Relay trojan, 01.20.2004. Affects all current Windows versions, listens on port 39999. Opens a mail relay on your computer (allowing others to use it to send unsolicited commercial email). The Trojan also downloads and executes PWSteal.Ldpinch. |
| 40404 |
tcp |
trojans |
Members scan |
W32.Randex.DFJ (04.06.2005) - network-aware worm that spreads via network shares exploiting weak passwords. Opens a backdoor on port 40404/tcp and connects to an IRC server on the tunit.p2p.com.hk domain. It can be remotely controlled via IRC. |
| 40421-40426 |
tcp |
trojans |
Premium scan |
Master's Paradise - remote access trojan, 03.1998. Affects Windows, uses ports 31, 3129, 40421-40426.
Port 40421/tcp also used by Agent 40421 trojan. Check port 30/tcp as well. |
| 43287 |
tcp |
trojans |
Members scan |
W32.Mytob.KU@mm (10.18.2005) - a mass-mailing worm that uses its own SMTP engine, has backdoor capabilities, and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 43287/tcp.
Also: W32.Mytob.KR@mm (10.18.2005) |
| 44280,44390 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 44334 |
tcp,udp |
tiny firewall |
Members scan |
Remote administration port used by Tiny Personal Firewall, and Kerio Personal firewall.
See a possible exploit here: http://www.securiteam.com/exploits/5HP0A2AA1Y.html
Also see: Kerio's hidden "Internal Traffic Rules" for open ports not displayed in the Personal Firewall GUI. |
| 44501 |
tcp |
kerio |
Members scan |
Port used by Kerio Personal Firewall pop-up blocking. It uses a script to send information about blocked pages?
Also see: Kerio's hidden "Internal Traffic Rules" for open ports not displayed in the Personal Firewall GUI. |
| 45673 |
tcp |
trojans |
Premium scan |
Backdoor.Acropolis - 02.16.2001. Remote access trojan, affects all current Windows versions, listens on ports 32791, 45673. |
| 47387 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 47891 |
tcp |
trojans |
Premium scan |
Backdoor.AntiLam - remote access trojan, 08.2002. Affects all current Windows versions, listens on ports 29999 and 47891. |
| 48094 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.M (07.12.2005) - a trojan with backdoor capabilities that runs a keylogger, sends information periodically to a remote server (via http), and also blocks access to security-related websites. Listens for remote commands on port 48094/tcp. |
| 49495 |
tcp |
trojans |
Premium scan |
Backdoor.Danrit (11.16.2005) - a trojan that opens a backdoor and logs keystrokes. Opens a backdoor on port 49495/tcp. |
| 50505 |
tcp |
trojans |
Premium scan |
Sockets des Trois2 trojan. Typically uses ports 5000, 5001, 30303, and 50505. Includes remote administration tool like Back Orifice and NetBus, so it has a server (spread with virus) and client portion. |
| 50766 |
tcp |
trojans |
Premium scan |
Fore remote access trojan - ports 21, 50766
Schwindler remote access trojan - ports 21554, 50766 |
| 51234 |
tcp |
trojans |
Premium scan |
Backdoor.Cyn - remote access trojan, 08.2002. Affects all current Windows versions, listens on ports 15432 and 51234.
Port also used by TeamSpeak server to telnet remotely. |
| 51435 |
tcp |
trojans |
Members scan |
W32.Kalel.A@mm (05.24.2005) - mass-mailing worm that uses its own SMTP engine, also spreads through file-sharing networks. Opens a backdoor for remote access on port 51435/tcp. |
| 51966 |
tcp |
trojans |
Premium scan |
Trojan Cafeini |
| 52179 |
tcp |
trojans |
Premium scan |
Backdoor.Tjserv.D (10.04.2005) - a backdoor trojan that acts as an HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens an HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp. |
| 52317 |
tcp |
trojans |
Premium scan |
Port used by: Acid Battery 2000 trojan |
| 52901 |
udp |
trojan |
Premium scan |
Possibly the Omega DDoS tool. |
| 53001 |
tcp,udp |
trojans |
Premium scan |
Port used by: Remoteshutdown trojan horse |
| 54321 |
tcp |
trojans |
Premium scan |
Port used by Schoolbus 1.6 trojan. |
| 54321 |
udp |
loadavg |
not scanned |
UDP port used by "loadavg" - a service that replies with the load average of a machine. |
| 55000 |
tcp |
trojans |
Premium scan |
Backdoor.Roxe - remote access trojan, 09.27.2004. Affects all current Windows versions, exploits the MS GDI+ Library vulnerability: MS Security Bulletin MS04-028. Listens on port 55000/tcp. |
| 55165 |
tcp |
trojans |
Premium scan |
Some trojans use this port: File Manager trojan, WM Trojan Generator |
| 56565 |
tcp |
trojans |
Premium scan |
Backdoor.Osirdoor - remote access trojan, 08.2002. Affects all current Windows versions. |
| 57005 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Cirebot - 08.02.2003. Trojan that exploits the MS DCOM vulnerability and installs a backdoor. Uses ports 445 & 69, opens port 57005. |
| 57341 |
tcp |
trojans |
Premium scan |
Port used by NetRaider trojan. |
| 58008,58009 |
tcp |
trojans |
Premium scan |
Backdoor.Tron - remote access trojan, 06.2002. Affects all current Windows versions, has the ability to kill software firewall processes. |
| 58343 |
tcp |
trojans |
Premium scan |
Backdoor.Prorat - Delphi remote access trojan, 06.2003. Affects Windows. It opens port 58343 by default. |
| 58641 |
tcp |
trojans |
Premium scan |
W32.Kalel.B@mm (06.15.2005) - mass-mailing worm with keylogger and backdoor capabilities. Spreads through email and file-sharing networks. Opens a backdoor and listens for remote commands on port 58641/tcp. |
| 58666 |
tcp |
trojans |
Premium scan |
Backdoor.Redkod - remote access trojan, 02.2003. Affects all current Windows versions. |
| 59211 |
tcp |
trojans |
Premium scan |
Backdoor.Ducktoy - remote access trojan, 07.2002. Affects all current Windows versions, listens to ports 29559 and 59211 by default. |
| 60000 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: DeepThroat/BackDoor-J, F0replay/WiNNUke eXtreame, Sockets des Troie |
| 60001 |
tcp |
trojans |
Premium scan |
Some trojans that use this port: Entitee trojan, Trinity trojan - DOS |
| 60008 |
tcp |
trojans |
Premium scan |
Lion Trojan - exploits Linux Bind servers' TSIG vulnerability |
| 60068 |
tcp |
trojans |
Premium scan |
xzip trojan |
| 61000 |
tcp |
trojans |
Premium scan |
Backdoor.Mite - remote access trojan, 09.2002. Affects all current Windows versions, listens on port 61000. |
| 61348 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 61446 |
tcp |
trojans |
Premium scan |
Port used by Telecommando remote access trojan. |
| 61466 |
tcp |
trojans |
Premium scan |
Port used by Telecommando trojan. |
| 61603 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 63000,63001,30001 |
tcp |
trojans |
Premium scan |
W32.Gaobot.ADX - Worm that spreads through a few different methods, including open network shares, several known Windows vulnerabilities, and other backdoors like Beagle and Mydoom. It can affect all current Windows versions, discovered 04-2004.
The worm can act as a backdoor server program and attack other systems; it also attempts to kill the processes of many antivirus and security applications. It runs the following network services:
HTTP proxy on TCP port 63000
HTTPS proxy on TCP port 63001
SOCKS proxy on TCP port 30001
FTP server on randomly chosen TCP port |
| 63485 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 64101 |
tcp |
trojans |
Premium scan |
Port used by: Taskman trojan |
| 64429 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. |
| 64444 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AM (01.28.2005) - worm with backdoor and denial of service capabilities. Spreads via network shares. Connects via IRC and listens on port 64444/tcp. |
| 65000 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: Devil 13, Sockets des Troie, Stacheldraht |
| 65000 |
udp |
trojans |
not scanned |
Devil Trojan Horse 1.03 |
| 65111 |
tcp |
trojans |
Premium scan |
Backdoor.Microkos (08.10.2005) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp. |
| 65301 |
tcp |
pcanywhere |
Premium scan |
Port used by PC Anywhere |
| 65390 |
tcp |
trojans |
Premium scan |
Port used by: Xylo Eclypse Trojan |
| 65421 |
tcp |
trojans |
Premium scan |
Port used by: Jade trojan packed with neolite |
| 65432 |
tcp |
trojans |
Premium scan |
Port used by The Traitor trojan. Also uses port 65532/udp |
| 65506 |
tcp |
trojans |
Premium scan |
Port 65506 is used by some trojans for a spam email relay.
PhatBot (a.k.a. Agobot, Gaobot) - most variants exploit the MS DCOM RPC vulnerability (MS Security Bulletin MS03-026) and the RPC locator vulnerability (MS Security Bulletin MS03-001) to spread. Some variants scan port 65506 for a possible backdoor. |
| 65532 |
udp |
trojans |
Premium scan |
Port used by The Traitor trojan. Also uses port 65432/tcp |
| 65535 |
tcp |
trojans |
Premium scan |
Port used by ShitHeep and Remote Control (RC) trojans. |