Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 1149 tcp,udp trojan Premium scan Lala backdoor - a trojan horse that allows unauthorized access to a compromised computer. The Trojan attempts to steal confidential information (such as cached passwords and cookies), log keystrokes, and allow for remote file execution. Opens TCP/UDP port 4627, 1149, or 1877 to allow remote access.

Port is IANA assigned for: BlueView Sonar Service (bvtsonar) [Teledyne BlueView Inc]
 1150 tcp trojan Premium scan Orion
 1151 tcp trojan Premium scan Orion
 1153 tcp,udp c1222-acse not scanned ANSI C12.22 Port [RFC 6142] (IANA official)
 1155 tcp trojans Members scan W32.Reatle.E@mm (08.02.2005) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability ([MS03-026]) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.
 1159 tcp,udp oracle-oms not scanned Oracle OMS
 1160 tcp trojan Premium scan BlackRat
 1166 tcp trojan Premium scan CrazzyNet
 1167 tcp trojans Members scan Backdoor.Bandock.A (2007.11.14) - a trojan horse that opens a back door on the compromised computer. The trojan may arrive as a spammed email attachment.

CrazzyNet trojan also uses this port.
 1167 udp,sctp cisco-ipsla not scanned Cisco IP SLAs Control Protocol

The General Responder implementation in the IP Service Level Agreement (SLA) feature in Cisco IOS 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S allows remote attackers to cause a denial of service (device reload) via crafted (1) IPv4 or (2) IPv6 IP SLA packets on UDP port 1167, aka Bug ID CSCuc72594.
References: [CVE-2013-1148]
 1168 tcp trojans Premium scan W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.

Port is also IANA registered for:
1168/tcp - VChat Conference Service
 1169 tcp trojans Premium scan W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.

Port is also IANA registered for:
1169/tcp - TRIPWIRE
 1170 tcp trojans Premium scan Some eavesdropping/remote access trojans use this port:
Psyber Streaming Audio Server - Remote access trojan.
W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.

Voice, Psyber Stream Server trojans also use port 1170.
 1174 tcp trojan Premium scan DaCryptic
 1177 tcp njrat Members scan njRAT malware default port. The njRAT (remote access tool) can remotely access and control a victim's machine, operate the webcam, log keystrokes, steal credentials stored in browsers, upload and download files, and update itself. It is widely used in the Middle East, and known to be used for cybercriminal activity. njRAT is known to use over 500 control servers and operates over 24,000 infected computers worldwide.
 1180 tcp trojan Premium scan Unin68
 1181 udp games not scanned Heroes of Might and Magic IV
 1182 udp games not scanned Heroes of Might and Magic IV
 1183 tcp,udp trojans Members scan Balistix is a backdoor Trojan affecting Microsoft Windows operating systems. The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 1183, to allow the client system to connect. Balistix could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-15148]

Trojans that also use this port: Cyn, SweetHeart
 1184 tcp laplink not scanned IANA registered for: LapLink Surf-up
Also used by: Allen-Bradley/Rockwell automation CIP messaging (PCcontroller)
 1194 tcp,udp openvpn not scanned OpenVPN (Virtual Private Networking) - it is a newer, secure form of VPN that uses open-source technologies and is preferable to PPTP and L2TP. OpenVPN uses the OpenSSL encryption library and SSL v3/TLS v1 protocols. It listens on port 1194/UDP by default. However, it can be configured to run on any port, for example 443/TCP, which makes it indistinguishable from HTTPS traffic.

Ooma VoIP service sets a VPN to the Ooma servers on port 1194 UDP for call setup/control. It also uses ports 49000-50000 for actual VoIP data. Other ports used: UDP 3480, UDP 514, TCP 443

QNAP NAS uses port 1194 UDP for OpenVPN connections. QNAP also uses the following ports: 873,8081,8899,1723,13131,20001.
 1200 udp trojan not scanned NoBackO trojan

Half Life 2 Steam, Day of Defeat (TCP/UDP), Counter Strike, Team Fortress 2 also use this port.
 1201 udp trojan not scanned NoBackO trojan
 1201 tcp trojans not scanned Backdoor.actx (2002.05.23) - a Backdoor.Trojan which can allow unauthorized access to your computer.
 1207 tcp,udp trojan Premium scan SoftWAR trojan

Commandos 3: Destination Berlin also uses this port (UDP).
 1208 tcp trojans Premium scan Infector trojan, 04.1999. Affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000
 1211 tcp,udp groove-dpp not scanned Groove DPP

CoDeSys Gateway Server is vulnerable to a heap-based buffer overflow, caused by the failure to check for a signed value. By sending a specially-crafted packet to TCP port 1211, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-82254], [CVE-2012-4706], [BID-58032]
 1212 tcp trojan Premium scan Kaos trojan
 1214 tcp Kazaa Members scan Kazaa - peer-to-peer file sharing, some known vulnerabilities, and at least one worm (Benjamin) targeting it.

FastTrack, Apple iMesh also use port 1214 (TCP/UDP).

iMesh is vulnerable to a buffer overflow. By connecting to the TCP port 1214 that iMesh listens on and sending a long string of data, a remote attacker can overflow a buffer and execute arbitrary code on the vulnerable system.
References: [BID-1576], [CVE-2000-0706], [OSVDB-1513], [XFDB-4829]

File-sharing application Morpheus contains a security vulnerability that allows remote users to obtain the Morpheus username of other users by establishing a telnet connection to port 1214 of a machine running Morpheus.
 1215 tcp trojan Premium scan Force

OpenFT also uses port 1215 (TCP/UDP).
 1216 tcp,udp applications not scanned OpenFT
 1218 tcp trojans Premium scan Trojans that use this port:
Backdoor.Sazo - remote access trojan, 06.2002. Affects Windows
Force/Feardoor - VB6 remote access trojan, 07.2002. Affects Windows.

Port is also IANA registered for: aeroflight-ads
 1219 tcp trojan Premium scan Force trojan
 1220 tcp qt-serveradmin not scanned The port is used for administration of QuickTime Streaming Server

Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than [CVE-2003-0502].
References: [CVE-2003-0421]

Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a .. (dot dot) sequence followed by an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than [CVE-2003-0421].
References: [CVE-2003-0502]
 1221 tcp trojan Premium scan F**k Lamers Backdoor

SAM2 Broadcaster also uses port 1221 (TCP/UDP)
 1222 tcp trojans Premium scan D Network, F**k Lamers Backdoor
 1225 tcp trojan Premium scan Scarab trojan
 1227 tcp,udp applications not scanned DNS2Go
 1232 tcp,udp first-defense not scanned Defense Remote systems monitoring [Nexum] (IANA official)
 1234 tcp trojans Premium scan Backdoor.Ultor - remote access trojan, 06.2002. Affects Windows, listens on port 1111 or 1234.

Some other trojans using this port: SubSeven 2.0, Bagle.AF.

Port is also IANA registered for: Infoseek Search Agent
 1234 udp games not scanned Command and Conquer Renegade

The xdrDecodeString function in XNFS.NLM in Novell Netware 6.5 before SP8 allows remote attackers to cause a denial of service (abend) or execute arbitrary code via a crafted, signed value in a NFS RPC request to port UDP 1234, leading to a stack-based buffer overflow.
References: [CVE-2010-4227], [BID-46535]

Green Dam could allow a remote attacker to bypass security restrictions, caused by an error when handling UDP packets. By sending a specially-crafted request to UDP port 1234, an attacker could exploit this vulnerability to set the system time.
References: [XFDB-51513], [BID-35557], [OSVDB-55533], [SECUNIA-35664]

Janitza UMG 508, 509, 511, 604, and 605 devices allow remote attackers to obtain sensitive network-connection information via a request to UDP port (1) 1234 or (2) 1235.
References: [CVE-2015-3969]
 1235 udp games not scanned Command and Conquer Renegade

Janitza UMG 508, 509, 511, 604, and 605 devices allow remote attackers to obtain sensitive network-connection information via a request to UDP port (1) 1234 or (2) 1235.
References: [CVE-2015-3969]
 1236 udp games not scanned Command and Conquer Renegade
 1237 tcp,udp tsdos390 not scanned Port is IANA assigned to tsdos390. Also used by Command and Conquer, Dune2000.
 1239 tcp applications not scanned The debug interface on Janitza UMG 508, 509, 511, 604, and 605 devices does not require authentication, which allows remote attackers to read or write to files, or execute arbitrary JASIC code, via a session on TCP port 1239.
References: [CVE-2015-3971]
 1241 tcp,udp nessus not scanned Nessus
 1243 tcp trojans Members scan Some trojans use this port: SubSeven/BackDoor-G, Tiles
 1245 tcp trojans Premium scan Port used by GabanBus, NetBus, Voodoo trojans.
 1250 tcp worms not scanned W32.Explet.A@mm (2004.06.02) - a mass-mailing worm that also spreads through network shares and the Kazaa file-sharing network. The worm exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin [MS04-011]) and the DCOM RPC vulnerability (described in Microsoft Security Bulletin [MS03-026]) through TCP ports 135 and 445. It may also lower security settings and download remote files.

Port is also IANA registered for swldy-sias.
 1255 tcp trojan Premium scan Scarab trojan
 1256 tcp trojans Premium scan Project nEXT, RexxRave
 1257 tcp trojan Premium scan Sub Seven v2.1
 1269 tcp trojans Premium scan port used by Maverick's Matrix remote access trojan (different variants from May 1999 to January 2004). This trojan provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine, and a "server" in the victim's machine.
 1272 tcp trojan Premium scan The Matrix trojan
 1275 tcp,udp applications not scanned Directory traversal vulnerability in the web server used in RealPlayer 6.0.7, and possibly other versions, may allow local users to read files that are accessible to RealPlayer via a .. (dot dot) in an HTTP GET request to port 1275.
References: [BID-4221], [CVE-2002-0415], [XFDB-8336]

Port is also IANA registered for ivcollector.
 1280 tcp,udp games not scanned Dark Ages of Camelot
 1291 udp games not scanned Heroes of Might and Magic IV
 1300 tcp,udp h323 not scanned H.323 Secure Call Control Signalling (IANA official)
 1301 tcp applications not scanned IANA registered for: Palmer Performance OBDNet
 1309 tcp jtag-server Premium scan Backdoor.Jittar (2003.10.03) - a backdoor trojan horse that gives its creator remote access to and complete control over a compromised system. By default it uses ports 1309 and 2699 to listen for commands from the trojan's creator. The existence of the file dm_mgr.exe or linxup.exe is an indication of a possible infection.

Port is also IANA registered for: Altera Quartus jtagd
 1310 tcp worm not scanned W32.Pandem.B.Worm (2009.09.15) - a worm that spreads through file-sharing networks. It may also open a back door and download more malware on to the compromised computer.

Port is also IANA registered for Husky.
 1311 tcp applications not scanned IANA registered for: Dell OpenManage HTTPS
 1313 tcp trojan Premium scan NETrojan
 1314 tcp trojan Premium scan Daodan

The default configuration of Centre for Speech Technology Research (CSTR) Festival on Gentoo Linux, SUSE Linux, and possibly other distributions, is run locally with elevated privileges without requiring authentication, which allows local and remote attackers to execute arbitrary commands via the local daemon on port 1314.
References: [CVE-2007-4074], [BID-25069]

Port is also IANA registered for Photoscript Distributed Printing System.
 1315 tcp applications not scanned solid.exe in IBM solidDB 6.5.0.3 and earlier does not properly perform a recursive call to a certain function upon receiving packet data containing many integer fields with two different values, which allows remote attackers to cause a denial of service (invalid memory access and daemon crash) via a TCP session on port 1315.
References: [CVE-2010-4057]

solid.exe in IBM solidDB 6.5.0.3 and earlier does not properly perform a recursive call to a certain function upon receiving packet data containing a single integer field, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TCP session on port 1315.
References: [CVE-2010-4056] [SECUNIA-41873]

Stack consumption vulnerability in solid.exe in IBM solidDB 6.5.0.3 and earlier allows remote attackers to cause a denial of service (memory consumption and daemon crash) by connecting to TCP port 1315 and sending a packet with many integer fields, which trigger many recursive calls of a certain function.
References: [CVE-2010-4055] [SECUNIA-41873]

Port also IANA registered for E.L.S., Event Listener Service.
 1328 tcp applications Members scan Backdoor.Darkmoon.F (2007.10.29) - a trojan horse that opens a back door on TCP port 1328 on the compromised computer.

EchoServer also uses this port.
Port is IANA registered for EWALL
 1337 tcp trojan Premium scan Shadyshell
WASTE Encrypted File Sharing Program also uses this port.

1337 means "elite" in hacker/cracker spelling (1=L, 3=E, 7=T, "LEET"="ELITE"). Because of the reference, it may be used by some backdoors.

Port is IANA assigned for menandmice DNS.
 1338 tcp Premium scan Millenium Worm, affects Unix/Linux.
 1344 tcp icap not scanned Stack-based buffer overflow in Symantec Decomposer, as used in certain Symantec antivirus products including Symantec Scan Engine, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed RAR file to the Internet Content Adaptation Protocol (ICAP) port 1344.
References: [CVE-2008-0309], [BID-27913]

Symantec Decomposer, as used in certain Symantec antivirus products including Symantec Scan Engine 5.1.2 and other versions before 5.1.6.31, allows remote attackers to cause a denial of service (memory consumption) via a malformed RAR file to the Internet Content Adaptation Protocol (ICAP) port (1344/tcp).
References: [CVE-2008-0308] [BID-27911] [SECUNIA-29140]

ICAP (IANA official)
 1346 udp applications not scanned Multiple vulnerabilities in Symantec Ghost Solution Suite allow remote attackers to cause a denial of service (client or server crash) via malformed requests to the daemon port, 1346/udp or 1347/udp.
References: [CVE-2007-3132], [BID-24323]

Port is also IANA registered for Alta Analytics License Manager.
 1347 udp applications not scanned Multiple vulnerabilities in Symantec Ghost Solution Suite allow remote attackers to cause a denial of service (client or server crash) via malformed requests to the daemon port, 1346/udp or 1347/udp.
References: [CVE-2007-3132], [BID-24323]

Port is also IANA registered for Multi media conferencing.
 1349 udp trojan not scanned BO DLL trojan
 1351 tcp applications not scanned Unspecified vulnerability in Microsoft Dynamics GP (formerly Great Plains) 9.0 and earlier allows remote attackers to cause a denial of service (crash) via an invalid magic number in a Distributed Process Server (DPS) message.
References: [CVE-2006-5265] [CVE-2006-5266] [BID-29991]

Digital Tool Works (MIT) (IANA official)
 1352 tcp,udp applications not scanned Lotus Notes

Unspecified vulnerability in Microsoft Dynamics GP (formerly Great Plains) 9.0 and earlier allows remote attackers to cause a denial of service (crash) via an invalid magic number in a Distributed Process Server (DPS) message.
References: [CVE-2006-5265] [CVE-2006-5266] [BID-29991]
 1369 tcp trojan Premium scan SubSeven 2.2
 1380 tcp applications not scanned Warhammer Online - Age of Reckoning
IANA registered for: Telesis Network License Manager
 1386 tcp trojan Premium scan Dagger
 1394 tcp trojans Premium scan Backdoor G-1, GroFriller
 1407 tcp tibet-server not scanned TIBET Data Server (IANA official)
 1409 tcp trojans Premium scan Backdoor.IRC.Bifrut (2004.08.11) - remote access trojan, can affect all current Windows versions. Opens a backdoor on port 1409/tcp bound to the command shell.
Backdoor.Brakkeshell (2005.09.20) - a trojan horse that opens a back door on the compromised computer and waits for commands.

Port is IANA registered for: Here License Manager
 1415 tcp trojans Premium scan Last 2000, Singularity
 1417 tcp,udp applications not scanned Timbuktu Pro Windows

The authentication protocol in Timbuktu Pro 2.0b650 allows remote attackers to cause a denial of service via connections to port 407 and 1417.
References: [CVE-2000-0142]

Timbuktu Service 1 Port (IANA official)
 1418 tcp,udp applications not scanned Timbuktu Pro Windows
 1419 tcp,udp applications not scanned Timbuktu Pro Windows
 1420 tcp,udp applications not scanned Timbuktu Pro Windows
 1433 tcp,udp ms-sql-s Members scan Microsoft SQL Server.

Vulnerabilities: Check CERT advisories CA-2002-22 - multiple vulnerabilities, CA-2003-04 MS SQL Server Worm. The Gaobot family of worms also exploit this port.

See also: Microsoft Security Bulletin [MS02-061].

Digispid.B.Worm (05.21.2002) - worm that spreads to computers that run MS SQL Server and have a blank SQL admin password. Uses port 1433/tcp.
W32.Kelvir.R (04.12.2005) - worm that spreads through MSN messenger and drops a variant of W32.Spybot.Worm. It spreads using several known MS vulnerabilities, including MS security Bulletin [MS02-061] Microsoft SQL Server 2000 or MSDE 2000 audit using port 1434/udp.

Buffer overflow in the authentication function for Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 allows remote attackers to execute arbitrary code via a long request to TCP port 1433, a.k.a. the "Hello" overflow.
References: [CVE-2002-1123], [BID-5411]

The database server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote authenticated users to gain privileges via a request to TCP port 1433.
References: [CVE-2014-4684]
 1434 tcp,udp ms-sql-s Premium scan Microsoft SQL Server.

Vulnerabilities: Check CERT advisories CA-2002-22 - multiple vulnerabilities, CA-2003-04 MS SQL Server Worm. The Gaobot family of worms also exploit this port.

See also: Microsoft Security Bulletin [MS02-061].

Digispid.B.Worm (05.21.2002) - worm that spreads to computers that run MS SQL Server and have a blank SQL admin password. Uses port 1433/tcp.
W32.Kelvir.R (04.12.2005) - worm that spreads through MSN messenger and drops a variant of W32.Spybot.Worm. It spreads using several known MS vulnerabilities, including MS security Bulletin [MS02-061] Microsoft SQL Server 2000 or MSDE 2000 audit using port 1434/udp.

Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.
References: [CVE-2003-0353] [BID-8455]
 1437 tcp,udp applications not scanned Kohan Immortal Sovereigns
 1441 tcp trojan Premium scan RemoteStorm trojan
 1443 tcp,udp ies-lm not scanned Integrated Engineering Software (IANA official)

Siemens SIMATIC WinCC and PCS7 could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an error in the Database Server. By sending a specially-crafted command to TCP port 1443, an attacker could exploit this vulnerability to gain elevated privileges on the system.
References: [CVE-2014-4684] [BID-68880]
 1444 tcp trojans Premium scan Backdoor.Homutex (07.18.2005) - a trojan with backdoor capabilities. Opens a backdoor and listens for remote commands on port 1444/tcp. Also attempts to send information about the infected computer on port 1443/tcp.
 1451 tcp,udp games not scanned Action PC Football 2006 (APF2006) - Dave Koch
 1459 tcp,udp proshare1 not scanned Proshare Notebook Application
 1460 tcp,udp proshare2 not scanned Proshare Notebook Application
 1476 tcp,udp applications not scanned Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to TCP port 1701 in JBoss 3.2.1, and port 1476 in JBoss 3.0.8.
References: [CVE-2003-0845], [BID-8773]
 1477 tcp applications not scanned Microsoft Host Integration Server is vulnerable to a denial of service, caused by the improper processing of malicious network traffic by the snabase.exe service. By sending a specially-crafted packet to TCP ports 1477 and 1478 or UDP port 1478, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
References: [CVE-2011-2007]

Port is also IANA registered for ms-sna-server
 1478 tcp,udp applications not scanned Microsoft Host Integration Server is vulnerable to a denial of service, caused by the improper processing of malicious network traffic by the snabase.exe service. By sending a specially-crafted packet to TCP ports 1477 and 1478 or UDP port 1478, a remote attacker could exploit this vulnerability to cause the application to stop responding.
References: [CVE-2011-2008]

Port is also IANA registered for ms-sna-base
 1480 tcp trojan Premium scan RemoteHack
 1490 tcp applications not scanned VocalTec Internet Phone
 1492 tcp trojans Premium scan FTP99CMP - remote access trojan, 05.1999. Runs an FTP server on port 1492.

Back.Orifice.FTP also uses port 1492.

CivNet game also uses this port

Vulnerabilities listed: 100 (some use multiple ports)