Shortcuts
|
Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 12076 |
tcp |
trojans |
Premium scan |
GJamer, MSH.104b trojans |
| 10100 |
tcp,udp |
trojans |
not scanned |
backdoor.ranky.o, Control Total, GiFt trojan, Scalper, Slapper |
| 10086 |
tcp |
trojans |
Members scan |
Syphillis trojan, W32.Mytob |
| 6939 |
tcp |
trojans |
Premium scan |
Indoctrination, Gatecrasher.a trojans |
| 6771 |
tcp |
trojans |
Premium scan |
DeepThroat, Foreplay, Reduced Foreplay |
| 6767 |
tcp |
trojans |
Premium scan |
KiLo, Pasana, UandMe, NT Remote Control trojans |
| 6006 |
tcp |
trojans |
Premium scan |
Trojans: Bad Blood, The Thing, APStrojan (TCP)
TalkSwitch also uses port 6006 (TCP/UDP)
ldm in Linux Terminal Server Project (LTSP) 0.99 and 2 passes the -ac option to the X server on each LTSP client, which allows remote attackers to connect to this server via TCP port 6006 (aka display :6).
References: [CVE-2008-1293] [BID-28960] [SECUNIA-30099]
X Windows System (IANA official) |
| 5550 |
tcp |
trojans |
Premium scan |
Xtcp 2, Pizza
Hewlett-Packard Data Protector, GeoVision TwinDVR with Webcam (TCP/UDP) also use this port. |
| 4321 |
tcp |
trojans |
Premium scan |
BoBo, Schoolbus 1.0 trojans
Command & Conquer: Red Alert 3 also uses this port.
WRPCServer.exe in WinSoftMagic WinRemotePC (WRPC) Lite 2008 and Full 2008 allows remote attackers to cause a denial of service (CPU consumption) via a crafted packet to TCP port 4321.
References: [CVE-2008-3269], [BID-30236]
Remote Who Is (TCP/UDP) [RFC2167] (IANA official) |
| 2555 |
tcp |
trojans |
Members scan |
Compaq WCP
Lion trojan, T0rn Rootkit |
| 2004 |
tcp |
trojans |
Premium scan |
Duddie, TransScout |
| 1415 |
tcp |
trojans |
Premium scan |
Last 2000, Singularity |
| 1256 |
tcp |
trojans |
Premium scan |
Project nEXT, RexxRave |
| 1222 |
tcp |
trojans |
Premium scan |
D Network, F**k Lamers Backdoor |
| 1183 |
tcp,udp |
trojans |
Members scan |
Balistix is a backdoor Trojan affecting Microsoft Windows operating systems. The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 1183, to allow the client system to connect. Balistix could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-15148]
Trojans that also use this port: Cyn, SweetHeart |
| 1047 |
tcp |
trojans |
Premium scan |
GateCrasher.b, GateCrasher.c, RemoteNC |
| 99 |
tcp |
trojans |
Premium scan |
Hidden Port, Mandragore, NCX trojans |
| 63809 |
tcp |
trojans |
Premium scan |
Phatbot, W32.hllw.gaobot.dk worm |
| 55666 |
tcp |
trojans |
Premium scan |
Latinus, Pinochet |
| 55665 |
tcp |
trojans |
Premium scan |
Latinus, Pinochet |
| 50776 |
tcp |
trojans |
Premium scan |
Fore, Fore 1.0, Remote Windows Shutdown |
| 50000 |
tcp |
trojans |
Premium scan |
Infector, SubSARI
SVAT CLEARVU1, Serv-U use ports 50000-50004 (TCP/UDP) |
| 33568 |
tcp |
trojans |
Premium scan |
Lion, T0rn Rootkit |
| 33567 |
tcp |
trojans |
Premium scan |
Lion, T0rn Rootkit |
| 31557 |
tcp |
trojans |
Premium scan |
NetBus, Xanadu |
| 31339 |
tcp |
trojans |
Premium scan |
LittleWitch, Net Spy |
| 29292 |
tcp |
trojans |
Premium scan |
BackGate Kit, Backdoor.NTHack |
| 27379 |
tcp |
trojans |
Premium scan |
Backdoor.optix.o4, Optix Lite |
| 25982 |
tcp |
trojans |
Premium scan |
DarkFace, MoonPie trojans |
| 25686 |
tcp |
trojans |
Premium scan |
DarkFace, MoonPie trojans |
| 23477 |
tcp |
trojans |
Premium scan |
DonaldD.Trojan (09.28.1999) - backdoor trojan similar to BlackOrifice. Opens a backdoor and listens for remote commands on ports 23476/tcp and 23477/tcp by default. |
| 23006 |
tcp |
trojans |
Premium scan |
Infinaeon, Oxon, W32.hllw.nettrash
Backdoor.Platrash (2002.10.16) - a trojan horse that can allow unauthorized access to an infected computer. By default, it opens ports 23005 and 23006 to listen for a connection. The trojan is written in Microsoft Visual Basic version 6. |
| 23005 |
tcp |
trojans |
Premium scan |
Infinaeon, Olive, Oxon, W32.hllw.nettrash
Backdoor.Platrash (2002.10.16) - a trojan horse that can allow unauthorized access to an infected computer. By default, it opens ports 23005 and 23006 to listen for a connection. The trojan is written in Microsoft Visual Basic version 6. |
| 22784 |
tcp |
trojans |
Premium scan |
Backdoor-ADM, Intruzzo
Backdoor.Renomb (2002.09.02) - a backdoor trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 22784 on the compromised computer. Backdoor.Renomb is written in Microsoft Visual Basic version 5. |
| 22457 |
tcp |
trojans |
Premium scan |
AcidShiver, Backdoor.Bla.Trojan |
| 22456 |
tcp |
trojans |
Premium scan |
Clandestine, Backdoor.Bla.Trojan |
| 21544 |
tcp |
trojans |
Members scan |
Unknown Trojan, Exploiter, Girl Friend, Kid Terror, Matrix, Schwindler, Winsp00fer |
| 21212 |
tcp |
trojans |
Premium scan |
Schwindler, Sensive |
| 14286 |
tcp |
trojans |
Premium scan |
HellDriver, Laocoon |
| 12904 |
tcp |
trojans |
Premium scan |
Akropolis, Rocks trojans |
| 10002 |
tcp |
trojans |
Premium scan |
Ports used by Backdoor.Zdemon.126 - remote access trojan, 05.2003. Affects all current Windows versions.
Lula trojan also uses this port.
Port 10001/tcp is also assigned by IANA to: SCP Configuration Port |
| 9919 |
tcp |
trojans |
Premium scan |
Kryptonic Ghost Command Pro, W32.dabber.a |
| 9899 |
tcp |
trojans |
Premium scan |
Ini-Killer, W32.dabber.a |
| 9612 |
tcp |
trojans |
Premium scan |
Danton, Ghost |
| 9301 |
tcp |
trojans |
Premium scan |
DLP, LoseLove |
| 8879 |
tcp |
trojans |
Premium scan |
BackOrifice 2000, Hack Office Armageddon |
| 8302 |
tcp |
trojans |
Premium scan |
DLP, LoseLove |
| 8301 |
tcp |
trojans |
Premium scan |
DLP, LoseLove |
| 8130 |
tcp |
trojans |
Premium scan |
9_119, Chonker, DLP |
| 8127 |
tcp,udp |
trojans |
not scanned |
9_119, Chonker |
| 8111 |
tcp |
trojans |
Premium scan |
DLP, LoseLove
W32.Eboscro (2006.11.04) - a worm that copies itself to removable drives, opens a back door, and lowers security settings on the compromised computer.
JOSM Remote Control also uses this port |
| 8110 |
tcp |
trojans |
Premium scan |
DLP, LoseLove |
| 8033 |
tcp |
trojans |
Premium scan |
RingZero, Brown Orifice, Generic backdoor, RemoConChubo, Reverse WWW Tunnel Backdoor |
| 7648 |
tcp |
trojans |
Premium scan |
BlackStar, Ghost, XHX
Cu-SeeMe Cornell also uses this port (TCP/UDP). |
| 7626 |
tcp |
trojans |
Premium scan |
Binghe, Glacier, Hyne |
| 7614 |
tcp |
trojans |
Premium scan |
Backdoor.GRM, Wollf |
| 6913 |
tcp |
trojans |
Premium scan |
Danny, Shit Heep |
| 5050 |
tcp |
trojans |
Premium scan |
R0xr4t, RoxRat
Yahoo Messenger also uses this port.
BT Communicator uses ports 5050-5070 (TCP/UDP).
EOSCoreScada.exe in C3-ilex EOScada before 11.0.19.2 allows remote attackers to cause a denial of service (daemon restart) by sending data to TCP port (1) 5050 or (2) 24004.
References: [CVE-2012-1810] |
| 5003 |
tcp |
trojans |
Members scan |
W32.Spybot.IVQ (01.26.2005) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445).
Polycom MGC 25 allows remote attackers to cause a denial of service (crash) via a large number of "user" requests to the control port 5003, as demonstrated using the blast TCP stress tester.
References: [CVE-2003-0556]
Opens a backdoor on one or more of these ports: 5002, 5003, 1927, 1930. |
| 4836 |
tcp |
trojans |
Premium scan |
Buttman, Power |
| 2774 |
tcp |
trojans |
Premium scan |
trojans: SubSeven, SubSeven 2.1 Gold
Ports are also IANA registered for: RBackup Remote Backup |
| 2339 |
tcp,udp |
trojans |
not scanned |
IRC Contact, Voice Spy, VoiceSpy - OBS!!! |
| 2337 |
tcp |
trojans |
not scanned |
IRC Contact, The Hobbit Daemon |
| 2335 |
tcp |
trojans |
Premium scan |
IRC Contact, backdoor.shellbot |
| 2334 |
tcp |
trojans |
Premium scan |
IRC Contact, Eyeveg.worm.c, Power |
| 2333 |
tcp |
trojans |
not scanned |
IRC Contact, backdoor.shellbot |
| 2332 |
tcp |
trojans |
not scanned |
IRC Contact, Silent Spy |
| 2086 |
tcp |
trojans |
Premium scan |
Corba exploit, Netscape exploit
Port is IANA registered for GNUnet (TCP/UDP). |
| 1984 |
tcp |
trojans |
Premium scan |
Intruzzo, Q-taz
The config method in Henrik Storner Hobbit monitor before 4.1.2p2 permits access to files outside of the intended configuration directory, which allows remote attackers to obtain sensitive information via requests to the hobbit daemon on port 1984/tcp.
References: [CVE-2006-4003], [BID-19317]
Port is also IANA registered for BB. |
| 1560 |
tcp |
trojans |
Premium scan |
Big Gluck, Duddie |
| 1394 |
tcp |
trojans |
Premium scan |
Backdoor G-1, GroFriller |
| 1167 |
tcp |
trojans |
Members scan |
Backdoor.Bandock.A (2007.11.14) - a trojan horse that opens a back door on the compromised computer. The trojan may arrive as a spammed email attachment.
CrazzyNet trojan also uses this port. |
| 1115 |
tcp |
trojans |
Premium scan |
Lurker, Protoss
Backdoor.Hatckel - a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens 15 ports on the infected computer: 1101 to 1115. Backdoor.Hatckel is written in Visual Basic. |
| 1054 |
tcp |
trojans |
Premium scan |
RemoteNC, AckCmd |
| 1041 |
tcp |
trojans |
Premium scan |
Dosh, RemoteNC |
| 1039 |
tcp |
trojans |
Members scan |
Backdoor.Gapin (2003.02.27) - a backdoor trojan that gives an attacker unauthorized access to your computer. By default this backdoor opens TCP port 1039 to allow access to the hacker. This threat is written in the Microsoft Visual Basic programming language.
Dosh trojan uses this port.
Port is also IANA registered for Streamlined Blackhole |
| 1037 |
tcp |
trojans |
Premium scan |
Arctic , Dosh, KWM, MoSucker |
| 1032 |
tcp |
trojans |
Premium scan |
Akosch4, Dosh, ICQ Trojan, KWM
W32.Grifout.Worm (2002.02.27) - a 32-bit Internet worm. It spreads by using MAPI to send email through Microsoft Outlook.
This worm runs in memory at Windows startup and maintains a socket connection across the Internet. The connection is designed to allow a connection from a controlling client application, which can remotely manipulate the infected system . |
| 1031 |
tcp |
trojans |
Premium scan |
KWM, Little Witch, Xanadu, Xot |
| 1030 |
tcp |
trojans |
Members scan |
Gibbon, KWM trojans
Need for Speed 3- Hot Pursuit game |
| 1008 |
tcp |
trojans |
Premium scan |
AutoSpY, li0n |
| 1005 |
tcp |
trojans |
Premium scan |
Pest, Theef |
| 668 |
tcp |
trojans |
Premium scan |
Unicorn, th3r1pp3rz |
| 513 |
tcp |
trojans |
Premium scan |
ADM worm, Grlogin
UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 does not allow users to disable access to (1) SNMP or (2) the rlogin port TCP 513, which allows remote attackers to exploit other vulnerabilities such as CVE-2005-3716, or execute arbitrary shell commands via rlogin, which does not require authentication.
References: [CVE-2005-3718] [SECUNIA-17629] [BID-15476] |
| 510 |
tcp |
trojans |
Premium scan |
T0rnkit sshd backdoor |
| 285 |
tcp |
trojans |
Premium scan |
Delf, WCTrojan |
| 202 |
tcp |
trojans |
Premium scan |
One Windows Trojan, Backdoor.Skun |
| 5 |
tcp |
trojans |
Premium scan |
Incoming Routing Redirect Bomb, yoyo |
| 8889 |
tcp |
trojans |
Premium scan |
W32.Axatak - password stealing virus with remote access trojan capabilities, 08.2002. Affects all current Windows versions, uses ports 8888 and 8889.
Command & Conquer: Theater of War, Blitzkrieg also use this port (TCP/UDP)
Ports also registered with IANA for: ddi-tcp-1 NewsEDGE server |
| 12122 |
tcp |
trojans |
Members scan |
Hellz Addiction, also known as Backdoor.Hellza.110, Backdoor.Hellza.115, and Backdoor.Hellza.120, is a backdoor Trojan affecting Microsoft Windows operating systems.
The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 12122, to allow the client system to connect. Hellz Addiction could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-15163] |
| 52978 |
tcp |
trojans |
Members scan |
Gspot, also known as Backdoor.Optix.Downloader, G-Spot, Trojan.Win32.GoBind, TrojanDownloader.Win32.G-Spot.10 and TrojanDownloader.Win32.G-Spot.15, is a backdoor Trojan written in Delphi affecting Microsoft Windows operating systems.
The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 52978, to allow the client system to connect. Gspot could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-15165] |
| 1850 |
tcp |
trojans |
Members scan |
Black Angel, also known as Black Angel.13 and Black Angel b5, is a backdoor Trojan affecting Microsoft Windows operating systems. Black Angel uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client.
The trojan is normally stored in the Windows registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. When Black Angel is executed, the server component copies itself as C:\WINDOWS\Iex32dll.exe, and restarts when the Windows operating system is booted up. The server attempts to open a port, typically TCP 1850, to allow the client system to connect. Black Angel could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-14108]
Port is also IANA registered for: GSI |
| 50370 |
tcp |
trojans |
Members scan |
Backdoor.Cycbot - a trojan that opens a back door on TCP port 50370 to listen for inbound connections. It may use this port to act as a proxy server. It modifies the proxy settings of Internet Explorer, Mozilla Firefox, and Opera browsers to point to the proxy server on port 50370.
It may also contact the malicious server and report back what version of itself is running and may download updates. The Trojan may monitor activity on popular websites, such as social networks, search engines, e-commerce, and video websites.
The Trojan also uses a random number to select what server to report back to and may use a specific user-agent string to mark itself. |
| 2627 |
tcp |
trojans |
Members scan |
Backdoor.Rallovs.B (2012.01.10) - a trojan horse that opens a backdoor on TCP port 2627 on the compromised computer.
Port is also IANA registered for Moshe Beeri. |
| 2266 |
tcp |
trojans |
Members scan |
Backdoor.Dawcun (2010.04.01) - a trojan horse that steals confidential information and opens a back door on the compromised computer. It opens a back door by connecting to a remote server on TCP ports 2266 and 3390 to send the confidential information and to download, decrypt and then start the updated rootkit driver.
Port is also IANA registered for M-Files Server |
| 3390 |
tcp |
trojans |
Members scan |
Backdoor.Dawcun (2010.04.01) - a trojan horse that steals confidential information and opens a back door on the compromised computer. It opens a back door by connecting to a remote server on TCP ports 2266 and 3390 to send the confidential information and to download, decrypt and then start the updated rootkit driver.
Hitachi IP5000 VOIP WIFI Phone 1.5.6 does not allow the user to disable access to (1) SNMP or (2) TCP port 3390, which allows remote attackers to modify configuration using [CVE-2005-3722], or access the Unidata Shell to obtain sensitive information or cause a denial of service.
References: [CVE-2005-3723] [SECUNIA-17628]
Port is also IANA registered for Distributed Service Coordinator |
| 19801 |
tcp |
trojans |
Premium scan |
Backdoor.Wnetpols (2008.04.22) - a trojan horse that opens a back door on the compromised computer. |
| 41001 |
tcp |
trojans |
Premium scan |
Backdoor.Pharvest (2007.11.23) - a trojan that steals sensitive information from the compromised computer. |
| 8062 |
tcp |
trojans |
Premium scan |
Backdoor.Toob.B (2006.09.26) - a trojan that opens a back door on the compromised computer on TCP port 8062. The trojan then sends confidential information to a remote attacker. |
| 18354 |
tcp |
trojans |
Premium scan |
Backdoor.Heplane (2005.05.01) - a trojan that allows a remote attacker to have unauthorized access to the compromised computer. It also acts as a proxy server. |
Vulnerabilities listed: 100 (some use multiple ports)
|
