
Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please contact us. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 0 tcp,udp not scanned This port is technically illegal, but possible. It is often used to fingerprint machines, because different operating systems respond to this port in different ways.
 1 udp tcpmux not scanned IANA assigned to TCP Port Service Multiplexer.

Sockets des Troie remote access trojan uses this port (a.k.a. Backdoor.Sockets23, Lame, Backdoor.Kamikaze, IRC_trojan, TROJ_Backdoor, W32/Cheval.gen, coded in Delphi 3, 06.1998). It might also use ports 1/udp, 5000, 5001, 30303, 50505, 60000 and 65000.
 1 tcp tcpmux Premium scan Scans against this port are commonly used to test if a machine runs SGI Irix (as SGI is the only system that typically has this enabled). This service is almost never used in practice.

CERT: CA-95.15.SGI.lp.vul

RFC1078 - TCPMUX acts much like Sun's portmapper (port 111) or Microsoft's end-point mapper (port 135) in that it allows services to run on arbitrary ports. In the case of TCPMUX, however, after the "lookup" phase, all further communication continues to run over that port.

builtins.c in Xinetd before 2.3.15 does not check the service type when the tcpmux-server service is enabled, which exposes all enabled services and allows remote attackers to bypass intended access restrictions via a request to tcpmux port 1 (TCP/UDP).
References: [CVE-2012-0862] [BID-53720] [OSVDB-81774]

Trojans that use this port: Breach.2001, SocketsDeTroie
 2 tcp compressnet Premium scan Trojans that use this port: Death remote access trojan (coded in VB, affects Windows 9x), port can be changed. Files: death.exe, config.cfg

America's Army, Operation Flashpoint also use this port.

Port 2 is also registered with IANA for compressnet management utility.
 3 tcp,udp compressnet not scanned SynDrop trojan uses this port.
Delta Force also uses port 3 (TCP).
IANA assigned for: Compression Process
Port also used by: Midnight Commander
 4 tcp sfs Basic scan Self-Certifying File System (SFS) sfssd accepts connections on TCP port 4 and passes them to the appropriate SFS daemon. SFS is a secure, global file system with completely decentralized control. SFS uses NFS 3 as the underlying protocol for file access.

America's Army also uses this port.

Midnight Commander sometimes uses port 4/tcp as well.
 5 tcp trojans Premium scan Incoming Routing Redirect Bomb, yoyo
 7 tcp Echo Members scan Echo Service, somewhat outdated by ICMP echo. Port just echoes whatever is sent to it. This feature can be used in many attacks, such as fraggle.

See also: [RFC862]
ICP - Internet Caching Protocol - This protocol is used by HTTP caching proxies in order to coordinate working together in a cluster. Part of this implementation includes bouncing packets off the echo port in order to test if the peers are alive.

Act P202S VoIP WiFi phone undocumented open port, multiple vulnerabilities.
References: [CVE-2006-0374], [CVE-2006-0375], [BID-16288]
 8 tcp trojan Premium scan Ping Attack
 9 tcp,udp,sctp Discard Members scan Discard server - this protocol is only installed on machines for test purposes. The service listening at this port (both TCP and UDP) simply discards any input.

Railroad Tycoon 3 also uses this port (TCP).

See also: [RFC 863], [CVE-1999-0060]

Intrusions: Ascend kill
This exploit kills Ascend routers by sending them a specially formatted malformed TCP packet. On certain versions of the Ascend operating system, the router can be forced to cause an internal error, resulting in the router rebooting.
 10 tcp games not scanned Dark Ages of Camelot
 11 tcp,udp systat Premium scan system / active users information.

On some UNIX machines, creating a TCP connection to this port will dump the active processes and who launched them. The original intent for this was to make remote management of UNIX easier. However, intruders will query the systat information in order to map out the system.
This service is rarely available anymore because of these security concerns.
On UNIX, there are also local commands that show this information, such as systat or ps.

Skun trojan also uses this port.

See also: [RFC866]
 12 tcp games not scanned Dark Ages of Camelot
 13 tcp,udp Daytime Members scan Daytime service [RFC 867] - responds with the current time of day. Different machines respond with slightly different date/time format, so port can be used to fingerprint machines.

Dark and Light also uses this port.
 15 tcp,udp netstat Premium scan Port used by netstat (a variant of systat, see port 11). Rarely available because of security concerns. It can be used to list active processes and who launched them on some UNIX machines.

Port also used by B2 trojan.
 16 tcp trojan Premium scan Skun
 17 tcp,udp qotd not scanned Responds with Quote of the Day. See [RFC 865]

Skun trojan also uses this port.
 18 tcp,udp msp not scanned Message Send Protocol
Also: Remote Write Protocol (RWP)
Related RFCs: [RFC 1159] [RFC 1312] [RFC 1756]

Skun trojan also uses this port.
 19 tcp,udp Chargen Members scan Generates and replies with a stream of characters (TCP) or a packet containing characters (UDP). Should be disabled if there is no specific need for it, as it is a source for potential attacks. [RFC 864]

Skun trojan also uses this port.
 20 tcp,udp,sctp FTP - data Basic scan File Transfer Protocol - Data

The default configuration of BenHur Firewall release 3 update 066 fix 2 allows remote attackers to access arbitrary services by connecting from source port 20.
References: [CVE-2002-2307] [BID-5279]

Some trojans also use this port: Amanda, Senna Spy FTP server.
 21 tcp FTP Basic scan File Transfer Protocol.

List of some trojan horses/backdoors that also use this port: Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm, W32.Sober.N@mm.
W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 21/tcp, and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
W32.Loxbot.C (01.11.2006)

FTP proxy server for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service (network connectivity loss) via a connection to port 21 with a large amount of random data.
References: [CVE-2002-0779]
 21 udp FSP Basic scan FSP/FTP
 22 udp PC-Anywhere Basic scan Old version of pcAnywhere uses port 22/udp (no relation to ssh and port 22/tcp).
The real pcAnywhere port is 5632. The value 0x0016 (hex) is 22 decimal; the value of 0x1600 (hex) is 5632 decimal. Some say that pcAnywhere had a byte-swapping bug that led to its incorrect use of port 22.
 22 tcp,sctp SSH Basic scan Secure Shell - most common use is command line access, secure replacement of Telnet. Could also be used as an encrypted tunnel for secure communication of virtually any service.

freeSSHd 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a SSH2_MSG_NEWKEYS packet to TCP port 22, which triggers a NULL pointer dereference.
References: [CVE-2008-0852] [BID-27845] [SECUNIA-29002]

The SSH service on Dell PowerConnect 3348 1.2.1.3, 3524p 2.0.0.48, and 5324 2.0.1.4 switches allows remote attackers to cause a denial of service (device reset) or possibly execute arbitrary code by sending many packets to TCP port 22.
References: [CVE-2013-3594], [XFDB-90595], [BID-65070]

Some trojans also use this port: InCommand, Shaft, Skun
 23 tcp telnet Basic scan Telnet is one of the oldest Internet protocols and the most popular program for remote access to Unix machines. It has numerous security vulnerabilities.

Trojans that also use this port: ADM worm, Aphex's Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (109.26.2005)

Stack-based buffer overflow in RabidHamster R2/Extreme 1.65 and earlier allows remote authenticated users to execute arbitrary code via a long string to TCP port 23.
References: [CVE-2012-1222] [BID-52061]

Buffer overflow in the Remote command server (Rcmd.bat) in IpTools (aka Tiny TCP/IP server) 0.1.4 allows remote attackers to cause a denial of service (crash) via a long string to TCP port 23.
References: [CVE-2012-5345]
 23 udp games not scanned Dungeon Siege II
 24 tcp priv-mail not scanned Port used by any private mail system.
Also used by the Back Orifice 2000 (BO2K) trojan as Control Port
 25 tcp SMTP Basic scan SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not running a mail server that you're aware of, there is a possibility your system is infected.

Integer overflow in Apple Safari [CVE-2010-1099], Arora [CVE-2010-1100], Alexander Clauss iCab [CVE-2010-1101], OmniWeb [CVE-2010-1102], Stainless [CVE-2010-1103] allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25.

List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting an NTP server on port 37/tcp.
Trojan.Mitglieder.R (07.01.2005) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp.
W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Backdoor.Rustock (01.12.2006) - backdoor program that allows the compromised computer to be used as a proxy, uses rootkit techniques to hide its files and registry entries.

NJStar Communicator is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MiniSMTP server when processing packets. By sending a specially-crafted request to TCP port 25, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2011-4040], [XFDB-71086], [BID-50452]
 25 udp games not scanned Final Fantasy XI
 26 tcp rsftp Members scan Port used by RSFTP - a simple FTP-like protocol.

Sometimes also used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol).
 26 udp games not scanned Dungeon Siege II
 27 tcp trojan Premium scan Assasin
 28 tcp Premium scan AltaVista Firewall97 accepts connections on ports 26, 27, 28 and 29; this can be used to fingerprint the type of firewall in use.


Amanda trojan uses port 28/tcp.
 30 tcp trojans Premium scan Agent 40421 trojan. Also uses port 40421/tcp

ATC Battlefield 1942 (TCP/UDP), ATC Ghost Recon 2 (TCP/UDP), ATC Splinter Cell Chaos Theory (TCP/UDP), developer: Foolish Entertainment
 31 tcp msg-auth Members scan MSG Authentication

Delta Force also uses this port.

The following trojans/backdoors also use this port: Agent 31, Agent 40421, Hackers Paradise (ports 31, 456), Masters Paradise, Skun
 34 tcp,udp remote not scanned Remote File (RF) - used for file transfer between machines
 35 udp games not scanned Delta Force
 37 tcp worm Basic scan Officially assigned for use by TIME protocol [RFC 868] [RFC 956]
TIME (port 37/tcp) can pose a DOS subnet threat because it has embedded functions used for the identification of critical processing time intervals and the ability to re-issue its output to port 7.

W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting an NTP server on port 37/tcp.
W32.Sober.J@mm (01.30.2005)
W32.Sober.O@mm (05.02.2005)
W32.Sober.X@mm (12.12.2005)
 39 tcp trojan Premium scan SubSARI
 41 tcp trojans Members scan Some trojans use this port: Deep Throat, Foreplay
 42 tcp,udp WINS Members scan Port used by WINS (Windows Internet Naming Service).
Worms can exploit a recently announced buffer overflow vulnerability within WINS using this port.

See:
Microsoft - How to help protect against a WINS security issue
Technical Analysis by Steve Frield

W32.Dasher.D (12.19.2005) - a worm that exploits the following MS vulnerabilities: [MS05-051] (on port 53/tcp) and [MS04-045] (on port 42/tcp).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp.

The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
References: [CVE-2004-1080] [BID-11763] [OSVDB-12378] [SECUNIA-13328]

City of Heroes also uses this port (TCP).

Port was originally assigned to the obsolete ARPA Host name server protocol (pre-DNS).
 43 tcp,udp whois not scanned WHOIS protocol
 44 tcp trojan Premium scan Arctic
 48 tcp auditd Premium scan DRAT remote access trojan (11-1999) uses ports 48,50.

Port is also IANA assigned for: Digital Audit Daemon
 49 tcp,udp TACACS Members scan Login Host Protocol (TACACS)

Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network.
 50 tcp re-mail-ck Members scan Some trojans that also use this port: DRAT remote access trojan (11-1999). Uses ports 48,50.

Dark Ages of Camelot, Vodafone Sure Signal use this port.
 51 tcp vpn Premium scan F**k Lamers Backdoor uses this port.
 52 tcp trojan Premium scan MuSka52, Skun
 53 tcp,udp DNS Basic scan DNS (Domain Name Service) is used for domain name resolution.

Apple MacDNS, FaceTime also use this port.

There are some attacks that target vulnerabilities within DNS servers. Some trojans also use this port: ADM worm, li0n, MscanWorm, MuSka52, Trojan.Esteem.C (05.12.2005), W32.Spybot.ABDO (12.12.2005).

W32.Dasher.B (12.16.2005) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin [MS05-051]).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp.

Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp.

Bonk (DoS) trojan horse also uses port 53 (TCP).

Siemens Gigaset SE461 WiMAX router 1.5-BL024.9.6401, and possibly other versions, allows remote attackers to cause a denial of service (device restart and loss of configuration) by connecting to TCP port 53, then closing the connection.
References: [CVE-2009-1152] [BID-34220]

Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than [CVE-2007-1465].
References: [CVE-2007-1866] [SECUNIA-24688]

Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53.
References: [CVE-2003-1491] [BID-7436]
 54 tcp,udp xns-ch Premium scan Port is officially assigned to XNS (Xerox Network Services) Clearinghouse.

Port is also used by the MuSka52 trojan.

Unspecified vulnerability in SLMail.exe in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (UDP service outage) via a large packet to UDP port 54.
References: [CVE-2008-1691], [BID-28505]
 57 tcp,udp applications not scanned AudioReQuest
 58 tcp trojan Premium scan DMSetup trojan
 59 tcp trojans Premium scan Backdoor.Sdbot.AJ (01.10.2005) - network aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 59/tcp.

DMSetup trojan also uses port 59.
 66 tcp trojan Premium scan AL-Bareki

EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to cause a denial of service (application crash) via a sequence of carriage returns sent to TCP port 66.
References: [CVE-2004-1696], [BID-11226]
 67 udp bootp server Basic scan Bootstrap protocol server. Used by DHCP servers to communicate addressing information to remote DHCP clients.

NCP Secure Enterprise Client (aka VPN/PKI client) 8.30 Build 59, and possibly earlier versions, when the Link Firewall and Personal Firewall are both configured to block all inbound and outbound network traffic, allows context-dependent attackers to send inbound UDP traffic with source port 67 and destination port 68, and outbound UDP traffic with source port 68 and destination port 67.
References: [CVE-2006-3551]

ZoneAlarm 2.1.10 and earlier does not filter UDP packets with a source port of 67, which allows remote attackers to bypass the firewall rules.
References: [CVE-2000-0339] [BID-1137] [OSVDB-1294]

Apple NetBoot also uses this port.
 67 tcp applications not scanned Falco LX-4PRO
 68 udp bootp client Basic scan Bootstrap protocol client. Used by client machines to obtain dynamic IP addressing information from a DHCP server.

The Avaya 4602 SW IP Phone (Model 4602D02A) with 2.2.2 and earlier SIP firmware allows remote attackers to cause a denial of service (device reboot) via a flood of packets to the BOOTP port (68/udp).
References: [CVE-2007-3321] [SECUNIA-25747] [OSVDB-38117]

NCP Secure Enterprise Client (aka VPN/PKI client) 8.30 Build 59, and possibly earlier versions, when the Link Firewall and Personal Firewall are both configured to block all inbound and outbound network traffic, allows context-dependent attackers to send inbound UDP traffic with source port 67 and destination port 68, and outbound UDP traffic with source port 68 and destination port 67.
References: [CVE-2006-3551]

Apple NetBoot also uses this port.
 68 tcp trojan Premium scan Backdoor.SubSeven
Falco LX-4PRO also uses this port.
 69 udp TFTP Basic scan Trivial File Transfer Protocol - A less secure version of FTP, generally used in maintaining and updating systems, for configuration file transfers between LAN systems, firmware updates on routers, etc.

Many trojans also use this port: BackGate Kit, Nimda, Pasana, Storm, Storm worm, Theef...
W32.Blaster.Worm is a widely spread worm that exploits the MS DCOM RPC vulnerability described in MS Security Bulletin [MS03-026]. The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.
W32.Welchia.Worm - a widely spread worm that removes the W32.Blaster.Worm and installs a TFTP server.
W32.Cycle (05.10.2004). Exploits a MS vulnerability on port 445, Listens on ports 3332/tcp and 69/udp.
W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 69/udp is also used by the W32.Zotob.H variant of the worm.
W32.Evala.Worm - backdoor trojan, 07.2002. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.

Buffer overflow in FutureSoft TFTP Server 2000 on Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via a long request on UDP port 69. NOTE: this issue might overlap [CVE-2006-4781] or [CVE-2005-1812].
References: [CVE-2007-1645]

The Arecont Vision AV1355DN MegaDome camera allows remote attackers to cause a denial of service (video-capture outage) via a packet to UDP port 69.
References: [CVE-2013-0139]
 70 tcp trojans Members scan W32.Evala.Worm - backdoor trojan, 07.2002. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.
Other trojans that use these ports: ADM worm, BackGate Kit, Nimda, Pasana, Storm, Theef

Note: port 69/udp is used by TFTP.
 73 udp games not scanned Dungeon Siege II
 77 tcp,udp priv-rje not scanned IANA assigned for any private RJE service, netjrs.

The error message "TK_SPACE undeclared" is common to this port. This occurs when installed ports keep bombing out on sqlite3.
 79 tcp,udp Finger Members scan Finger

Finger Security Concerns: Provides key host info to an attacker. A fingered host can be DoSed if hit with a recursive finger script until its memory and swap space fill. Fingering clients can be DoSed if they finger a maliciously configured host (which returns a data overload, causing the client to beep continually, etc.). If fingering clients allow programmable keys, a maliciously configured host can return a finger response that maps a key to rm -rf /-. Disable on all hosts unless the finger service is stubbed to only provide a scripted data response (e.g. system admin contact info).

Trojans that also use this port: ADM worm, Back Orifice 2000 (BO2K), CDK trojan (ports 79, 15858), Firehotcker (ports 79, 5321)
 80 udp trojans Members scan W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.

W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 21/tcp, and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.

Siemens SINEMA Server before 12 SP1 allows remote attackers to cause a denial of service (web-interface outage) via crafted HTTP requests to port 80 (TCP/UDP).
References: [CVE-2014-2733]

Port 80 udp is also used by some games, like Alien vs Predator (Activision).
 80 tcp http Basic scan Hyper Text Transfer Protocol (HTTP) - port used for web traffic. See also TCP ports 81, 8080, 8081.

Some broadband routers (Linksys, etc.) run a web server on port 80 or 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.

If you're not running web services, keep in mind that Code Red and Nimda worms also propagate via TCP port 80 (HTTP). Also, a number of trojans/backdoors use these ports: 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Nerte 7.8.1, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader
Trojan.Webus.C
W32.Beagle.AO@mm - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.
Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
Backdoor.Ranky.S (01.30.2005) - runs proxy on port 80.
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
Backdoor.Darkmoon.B (10.21.2005) - a backdoor trojan with keylogger capabilities. Opens a backdoor and listens for remote commands on port 80/tcp.
W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Trojan.Lodear.F (12.18.2005) - trojan that attempts to download remote files.
W32.Feebs (01.07.2006)

Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp.

Some Apple applications also use port 80 (TCP): MobileMe, Sherlock, QuickTime Installer, iTunes Store and Radio, Software Update, RAID Admin, Backup, iCal calendar publishing, iWeb, MobileMe Web Gallery Publishing, WebDAV (iDisk), Final Cut Server.
 81 udp trojans Premium scan W32.Beagle.AR@mm (9.29.2004) - mass mailing worm with backdoor functionality on port 81/tcp & udp. Affects all current Windows versions.
 81 tcp http Basic scan Hyper Text Transfer Protocol (HTTP) - ports used for web traffic. See also TCP ports 80, 8080, 8081.

Some common uses for port 81/tcp include web administration (cobalt cube), web proxy servers, etc.

If you're not running web services on this port, keep in mind it is also used by some trojans:
Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default.
W32.Beagle.AR@mm (09.29.2004) - port 81.

Stack-based buffer overflow in the RespondeHTTPPendiente function in the HTTP server for SUMUS 0.2.2 allows remote attackers to execute arbitrary code via a large packet sent to TCP port 81.
References: [CVE-2005-1110]

RemoConChubo trojan and Blue Iris also use this port.
 82 tcp trojans Members scan W32.Netsky.X@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 82/tcp to receive and execute a file from an attacker.

The W32.Netsky.Y@mm variant also opens port 82/tcp.
ET TROJAN LD Pinch Checkin uses port 82/udp.
 85 tcp trojan Premium scan Common Port for phishing scam sites

Multiple directory traversal vulnerabilities in src/acloglogin.php in Wangkongbao CNS-1000 and 1100 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) lang or (2) langid cookie to port 85.
References: [CVE-2012-4031] [BID-54267] [SECUNIA-49776] [OSVDB-83636]

MIT ML Device (IANA official)
 86 tcp applications not scanned BroadCam Video Streaming Server
 87 tcp terminal link Members scan terminal link - a talk/chat style protocol. Port commonly used by intruders
 88 udp Kerberos Premium scan KDC (Kerberos key distribution center) server.
Related ports: 464,543,544,749,751

Xbox LIVE uses ports 53 tcp/udp, 80 tcp, 88 udp, 3074 tcp/udp.
 88 tcp trojan Premium scan Pwsteal.likmet.a, BackDoor-AXC

BroadWave Streaming Audio Server also uses this port
 90 tcp trojan Premium scan Hidden Port 2.0
 96 tcp,udp applications not scanned Express Invoice
 97 tcp,udp applications not scanned Inventoria Stock Manager
 98 tcp applications not scanned This signature detects TCP port probes directed at port 98, which may indicate that an attacker is scanning to determine if the Linux remote configuration service is available on the system.

Port is also IANA registered for TAC News
 99 udp metagram Members scan Metagram Relay, gnutella

Seapine Software TestTrack server allows a remote attacker to cause a denial of service (high CPU) via (1) TestTrackWeb.exe and (2) ttcgi.exe by connecting to port 99 and disconnecting without sending any data.
References: [CVE-1999-1567]
 99 tcp trojans Premium scan Hidden Port, Mandragore, NCX trojans
 101 tcp,udp hostname not scanned Hostnames NIC Host Name Server. [RFC953] [RFC811]

Skun trojan also uses this port (TCP).
 102 tcp,udp iso-tsap Members scan Port used by X.400, X.500, ITOT, ISO-TSAP (Transport Service Access Point) protocol.

Microsoft Exchange uses this port for X.400 mail messaging traffic. No known vulnerabilities, but similar to data-driven attacks common to smtp plus possible direct attacks, such as with sendmail. Always static route inbound mail to a protected/hardened email server.

X.500 Directory Service - Used to distribute user names, user info and public keys.
Security Concerns: Depending on vendor implementation probes can reveal valuable user info for follow-on attacks. On poorly configured servers attackers can replace public keys for data capture or DOS purposes.

[RFC1006] [RFC2126]

Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to TCP port 102 (aka the ISO-TSAP port).
References: [CVE-2013-0700]

Delf, Skun trojans also use this port (TCP).
 103 tcp,udp gppitnp not scanned Port IANA registered for Genesis Point-to-Point Trans Net
Also sometimes used with MS Exchange X.400 mail messaging traffic.

Known trojans that use this port: Skun
 105 tcp,udp ccso not scanned IANA assigned to CCSO name server protocol (mailbox name nameserver). [RFC2378]

Backdoor.Nerte also uses this port (TCP).

Buffer overflow in Mercury Mail Transport System 4.01b allows remote attackers to execute arbitrary code via a long request to TCP port 105.
References: [CVE-2005-4411], [BID-16396]
 106 tcp poppassd not scanned (TCP) poppassd (aka. epass) allows passwords to be changed on POP servers. Traditionally, users would have to have shell (Telnet) accounts on the servers in order to change their passwords. This allows users with just POP access to change their passwords.
The exchange looks something like:

S: 200 Hello
C: user robert
S: 300 Please send current password
C: pass mypassword
S: 200 send New Pass Word
C: newpass newpassword
S: 200 successful
C: quit

Protocol was originally developed for Eudora. Eudora Internet Mail Server versions 1.2, 2.0, 2.01 DoS: if you connect to this server and enter the command "USER xxxxxx" with more than 1000 characters, this service will crash.

Apple Mac OS X Password Server and City of Heroes also use this port.

Mail Management Agent (MAILMA) (a.k.a. Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106.
References: [CVE-2006-0129]

Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.
References: [CVE-1999-1113] [BID-75]
 107 tcp trojan Premium scan Backdoor.Skun
 109 tcp,udp pop2 not scanned Post Office Protocol 2 (obsolete). While POP2 has largely been replaced by POP3, hackers still scan for this port because many older POP servers have vulnerabilities associated with them. [RFC937]

ADM trojan also uses this port (TCP).
 110 udp pop-or-not Basic scan POP3 server traffic (should be TCP only?)

Final Fantasy XI also uses this port.
 110 tcp POP3 Basic scan POP3 (Post Office Protocol - Version 3)

Security Concerns: Re-usable cleartext password, no auditing of connections & attempts thus subject to grinding. Some POP3 server versions have had buffer overflow problems. CERT Advisories: CA-97.09

ADM, ProMail trojans also use port 110 (TCP).

Integer overflow in inetcomm.dll in Microsoft Outlook Express 5.5 SP2, 6, and 6 SP1; Windows Live Mail on Windows XP SP2 and SP3, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7; and Windows Mail on Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote e-mail servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) POP3 or (2) IMAP response, as demonstrated by a certain +OK response on TCP port 110, aka "Outlook Express and Windows Mail Integer Overflow Vulnerability."
References: [CVE-2010-0816] [BID-40052]

Integer overflow in eXtremail 2.1.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long USER command containing "%s" sequences to the pop3 port (110/tcp), which are expanded to "%%s" before being used in the memmove function, possibly due to an incomplete fix for [CVE-2001-1078].
References: [CVE-2007-5467] [BID-26074] [SECUNIA-27220]
 111 tcp,udp SunRPC Basic scan Provides information between Unix-based systems. The port is often probed; it can be used to fingerprint the *nix OS and to obtain information about available services. The port is used with NFS, NIS, or any RPC-based service.

Port 111 was designed by Sun Microsystems as a component of their Network File System. It is also known as Open Network Computing Remote Procedure Call (ONC RPC). Port 111 is a port mapper with similar functions to Microsoft's port 135 or DCOM DCE.

Security Concerns: Provides the RPC port map without authentication and has no filtering or logging, so rpcinfo probes can quickly find your Unix hosts. Shut down portmapper on any hosts not requiring RPC services, and ensure it is blocked at network perimeters.

Trojans that use this port: ADM worm, MscanWorm, Sadmind/IIS Worm

NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to cause a denial of service (resource exhaustion) via certain packets, possibly with the Urgent (URG) flag set, to port 111.
References: [CVE-1999-1349]

PORTSERV.exe in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3.1, 11.3, and 11.3.1 and DeltaV ProEssentials Scientific Graph 5.0.0.6 allows remote attackers to cause a denial of service (daemon crash) via a crafted (1) TCP or (2) UDP packet to port 111.
References: [CVE-2012-1816] [BID-53591] [SECUNIA-49210] [OSVDB-82012]
 113 tcp,udp IDENT Basic scan Port 113 is used for the Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc., that remote server sends back a query to the IDENT port 113 asking for identification from your system...

Port 113 can be probed by attackers and it poses some security concerns, but the problem with filtering/stealthing port 113 is that if legitimate requests get no response at all from port 113 queries, the connection to them (which initiated their query in the first place) will be delayed or perhaps even completely abandoned.

The simplest solution is to close, rather than filter port 113.

Some trojans also use this port: ADM worm, Alicia, Cyn, DataSpy Network X, Dosh, Gibbon, Invisible Identd Deamon, Kazimas, Taskman, W32.Korgo.F
W32.Bofra.C@mm (11.11.2004) - It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Linkbot.A (11.05.2004) - worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability. It also creates an IRC backdoor and attempts to install adware on the infected machine. It can affect all current Windows versions. Listens on port 113/tcp for remote commands.
W32.Spybot.LZI (04.06.2005) - worm that attempts to exploit the MS DCOM RPC vulnerability on ports 135, 445 & 1025. Opens a backdoor on port 113.
W32.Linkbot.M (05.24.2005) - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.

Stack-based buffer overflow in TinyIdentD 2.2 and earlier allows remote attackers to execute arbitrary code via a long string to TCP port 113.
References: [CVE-2007-2711] [BID-23981] [SECUNIA-25248] [OSVDB-36053]
 118 udp trojan not scanned Infector 1.4.2 trojan horse
 119 udp NNTP Basic scan NNTP (Network News Transfer Protocol) control messages.
 119 tcp trojan Premium scan Happy99/Ska trojan
 120 tcp trojan Premium scan Backdoor.Skun
 121 tcp erpc Premium scan trojans/backdoors that use this port:
Attack Bot (files: Sysadmin.exe-181KB, Mpeg.exe, affects Windows 9x/ME)
God Message (ports 80,121,7777, a.k.a. BackDoor.AB.gen, JS.Trojan.WindowBomb, affects Windows 9x/ME/NT/2k)
JammerKillah (files: Jammerkillah.zip, Jammerkillah.exe, Mswin32.drv, affects Windows 9x/ME)

Port is also IANA registered for: Encore Expedited Remote Pro.Call
 123 udp NTP Basic scan Network Time Protocol (NTP) - used for time synchronization

Security Concerns:
It provides both information and a possible avenue of attack for intruders. Information gathered can include system uptime, time since reset, time server pkt, I/O and memory statistics, and the NTP peer list. If a host is susceptible to time altering via NTP, an attacker can possibly:
1) Run replay attacks using captured OTP and Kerberos tickets before they expire.
2) Stop security-related cron jobs from running or cause them to run at incorrect times.
3) Make system and audit logs unreliable since time is alterable.

Vodafone Sure Signal also uses this port.
 123 tcp trojan Premium scan Net Controller trojan
 125 tcp misc not scanned Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP block on port 25.
 127 udp games not scanned Command and Conquer Generals
 133 tcp trojan Premium scan Farnaz

Vulnerabilities listed: 100 (some use multiple ports)