The Broadband Guide

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; if you feel we should add other port(s) to the list or modify their descriptions, feedback and suggestions can be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 991 tcp trojan Premium scan Snape
 992 tcp trojan Members scan SoftEther VPN (Ethernet over HTTPS) uses TCP Ports 443, 992 and 5555

Malware using port 992 TCP: Snape trojan

Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443
 993 tcp IMAP-SSL Basic scan IMAP over SSL
 994 tcp ircs Members scan Secure IRC (over TLS/SSL)

Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443
 995 tcp POP3-SSL Basic scan Incoming POP3 mail over SSL
used by Gmail

Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443
 996 tcp,udp vsinet not scanned Central Point Software Xtree License Server (TCP)

vsinet (IANA official)
 997 tcp,udp maitrd not scanned Maitrd
 998 tcp busboy not scanned Busboy
 998 udp puparp not scanned Puparp
 999 tcp garcon Members scan Garcon, ScimoreDB Database System, Puprouter (TCP/UDP)

Trojans that run on this port: DeepThroat (a.k.a. DTV2, DTV3, BackDoor-J), F0replay (a.k.a. WiNNUke eXtreame), WinSatan

Delta Force game also uses port 999 (TCP/UDP)
 999 udp applix not scanned Applix ac (IANA official)
 1000 tcp trojans Members scan Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)

Cadlock / Cadlock2

Trojans using this port: Der Spaeher, Direct Connection, GOTHIC Intruder, Theef

Veritas Backup Exec Agents could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free vulnerability in multiple agents. By sending specially crafted NDMP data over SSL to TCP port 1000, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
References: [CVE-2017-8895], [XFDB-125969], [BID-98386], [EDB-42282]
 1000 udp games not scanned Cadlock2 / Ock

Burnout Paradise - The Ultimate Box (game, developer: Criterion Games)
 1001 tcp trojans Members scan Trojans using this port: Der Spaeher, Le Guardien, Silencer, WebEx, GOTHIC Intruder, Lula, One Windows Trojan, Theef

The Sabserv client component in Sabre Desktop Reservation Software 4.2 through 4.4 allows remote attackers to cause a denial of service via malformed input to TCP port 1001.
References: [CVE-2002-1191], [BID-5974]

Stack-based buffer overflow in Ubisoft Rayman Legends before 1.3.140380 allows remote attackers to execute arbitrary code via a long string in the "second connection" to TCP port 1001.
References: [CVE-2014-4334]

IANA registered for: HTTP Web Push
 1001 udp games not scanned Tom Clancy's H.A.W.X., developer: Ubisoft Romania
 1002 tcp ms-ils Basic scan Opsware agent (aka cogbot)

Windows Internet Locator Server service, used by MS NetMeeting. ILS is a MS NetMeeting service that is now preferred by MS over the Internet standard LDAP service (port 389). This port does not appear in "netstat" command listings.
 1003 tcp fortinet Premium scan Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)



BackDoor 2.0x trojan horse
 1005 tcp trojans Premium scan Trojan.Nitedrem
[trojan] Pest (remote access, keylogger, steals passwords, backdoor)
[trojan] Theef - anti-protection, remote access, keylogger, port proxy, FTP server, a.k.a. Backdoor.Theef, BackDoor.QW, Bkdr_Delf.AX

ipcserver - Mac OS X RPC-based services. Used by NetInfo, for example.
 1008 tcp trojans Premium scan AutoSpY, li0n

Backdoor.Win32.Autospy.10 / Unauthenticated Remote Command Execution - the malware listens on TCP port 1008. Third-party adversaries who can reach an infected host can issue various commands made available by the backdoor. The "startapp" command runs programs, and "msgbox" sends a popup message box to the victim. The "hangup victim" command causes an endless series of notepad.exe processes to open on the affected machine. Other available commands include "info tick", which returns system information, and "kill" [file].
References: [MVID-2024-0671]
 1010 tcp thinklinc Premium scan ThinLinc Web Administration

Doly trojan v 1.3/v1.35 (different versions use TCP ports 1010, 1011, 1012, 1015, 1016)
CafeIni 0.9 trojan

Surf (IANA official)
 1010 udp surf not scanned Surf
 1011 tcp trojans Premium scan Doly trojan v1.1/v1.2 (different versions use TCP ports 1010, 1011, 1012, 1015, 1016)

Backdoor.Win32.Augudor.a / Unauthenticated Remote File Write Code Execution - Augudor.a drops an empty file named "zy.exe" and listens on TCP port 1011. Attackers who can reach the infected host can write any binary file they like to the empty "zy.exe" file on the system and it will execute as soon as the binary transfer has completed.
References: [MVID-2021-0083]

Backdoor.Win32.Augudor.a / Unauthenticated Remote File Write - RCE - Augudor.a drops an empty file named "zy.exe" and listens on TCP port 1011. Attackers who can reach the infected host can write any binary file they like to the empty "zy.exe" file on the system and it will execute as soon as the binary transfer has completed.
References: [MVID-2022-0501]
 1012 tcp trojan Premium scan Doly trojan v1.5 (different versions use TCP ports 1010, 1011, 1012, 1015, 1016)
 1015 tcp trojans Premium scan Doly trojan v1.6 (different versions use TCP ports 1010, 1011, 1012, 1015, 1016)

Backdoor.Win32.Wollf.16 / Authentication Bypass - the malware listens on TCP port 1015 and has an FTPD feature that, when enabled, listens on TCP port 21. Third-party attackers who can reach an infected system can log on using any username/password combination.
References: [MVID-2022-0462]

Backdoor.Win32.Wollf.16 / Weak Hardcoded Credentials - the malware runs with SYSTEM integrity, listens on TCP port 1015 and is protected by Armadillo(3.00a-3.70a) & UPX(1.07)NRV,brute. However, the password "ddr_bkdoor" is weak and can be found at offset 0019F58C.
References: [MVID-2022-0463]
 1016 tcp trojan Premium scan Doly trojan (different versions use TCP ports 1010, 1011, 1012, 1015, 1016)
 1020 tcp trojans Premium scan Vampire remote access trojan (1999) - affects Windows 9x/NT, uses ports 1020 and 6669.
 1021 tcp trojans Premium scan Trojan.Webus.H [Symantec-2005-070318-0714-99] (2005.07.03) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands.
 1023 tcp trojan Premium scan Sasser.e FTP

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when used in conjunction with a Baxter Spectrum v8.x (model 35700BAX2), operates a Telnet service on Port 1023 with hard-coded credentials.
References: [CVE-2020-12045], [XFDB-183637]
 1024 tcp kdm Basic scan K Display Manager (KDE version of xdm)

Trojans that use this port: Jade, Latinus, Lithium, NetSpy, Ptakks, RAT, YAI
Backdoor.Lingosky [Symantec-2005-032311-2503-99] (2005.03.23) - trojan with backdoor capabilities. Opens a backdoor on port 1024/tcp.

Applications using this port: AIM Video IM, ICUII, NetMeeting with H323, Lingo VoIP, Battlefield 2142, Everquest

The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.
References: [CVE-1999-0816]
 1024 udp applications not scanned The Sinilink XY-WFT1 WiFi Remote Thermostat, running firmware 1.3.6, allows an attacker to bypass the intended requirement to communicate using MQTT. It is possible to replay Sinilink aka SINILINK521 protocol (udp/1024) commands interfacing directly with the target device. This, in turn, allows for an attack to control the onboard relay without requiring authentication via the mobile application. This might result in an unacceptable temperature within the target device's physical environment.
References: [CVE-2022-43704]
 1025-1029 tcp,udp nfc-iis Basic scan Ports > 1024 are designated for dynamic allocation by Windows. When programs ask for the "next available" socket, they usually get sequential ports starting at 1025.

Ports 1026-1027/udp were historically used for Windows Messenger popup spam
 1025 tcp nfc-iis not scanned NFS
IIS
Teradata
ShopPro accounting software

Trojans that use this port: NetSpy, Maverick's Matrix, RemoteStorm (TCP/UDP)

Backdoor.Win32.Ramus / Unauthenticated Remote Code Execution - the malware listens on TCP port 1025. Third-party attackers who can reach an infected system can execute arbitrary code, further compromising the host. To call programs, use "executa" (Romanian for "execute") followed by the target program wrapped in quotes, e.g. executa "PROGRAM".
References: [MVID-2021-0427]

network blackjack (TCP/UDP) (IANA official)
 1026 tcp,udp cap not scanned Microsoft DCOM services often use ports 1026/tcp and 1029/tcp

CAP - Calendar Access Protocol (IANA official)
 1027 tcp trojans not scanned Infostealer.ABCHlp [Symantec-2003-060511-5140-99] (2003.06.05) - a password-stealing, Backdoor trojan horse. The program attempts to send password information from a compromised computer to an address in China. By default it makes use of port 1027.

ICKiller trojan uses this port

Microsoft operating systems tend to allocate one or more publicly exposed services (DCOM, etc.) among the first few ports immediately above the end of the system ports (1024+).
 1027 udp 6a44 not scanned IPv6 behind IPv4-to-IPv4 NAT Customer Premises Equipment CPEs [IESG] (IANA official) [RFC 6751]
 1029 tcp dcom not scanned Microsoft DCOM services often use ports 1026/tcp and 1029/tcp

Trojans that use this port: InCommand (TCP/UDP)

Email-Worm.Win32.Kipis.a / Unauthenticated Remote Code Execution - the malware listens on TCP port 1029 and writes incoming packets to an executable file that is renamed as "winlogins.exe". Third-party attackers who can reach the infected host can use socket utilities like netcat to transfer files, which get stored in the Windows\SysWOW64 directory. This may result in remote code execution.
References: [MVID-2021-0250]

Backdoor.IRC.Subhuman / Unauthenticated Open Proxy - the malware listens on TCP port 1029. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0418]
 1030 tcp trojans Members scan Gibbon, KWM trojans

Need for Speed 3 - Hot Pursuit game

The Project administration application in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, has a hardcoded encryption key, which allows remote attackers to obtain sensitive information by extracting this key from another product installation and then employing this key during the sniffing of network traffic on TCP port 1030.
References: [CVE-2014-4686]

Backdoor.Win32.Bushtrommel.122 / Authentication Bypass - the malware listens on TCP port 31745 and runs an FTP server on port 1030. Attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands.
References: [MVID-2022-0629]

Backdoor.Win32.Bushtrommel.122 / Unauthenticated Remote Command Execution - the malware listens on TCP ports 31745 and 1030. Adversaries who can reach infected hosts can run commands made available by the backdoor. The "*RUN" command calls CreateProcess() based on CL input; errors result in a pop-up dialog on the infected host:
"CreateProcess() in function () GetConsoleOuput() failed!". Correct syntax is as follows: *RUN"calc.exe". Successful code execution results in the response "*EVA*" from the backdoored host.
References: [MVID-2022-0630]
 1031 tcp trojans Premium scan KWM, Little Witch, Xanadu, Xot
 1032 tcp trojans Premium scan Akosch4, Dosh, ICQ Trojan, KWM

W32.Grifout.Worm [Symantec-2002-030510-2009-99] (2002.02.27) - a 32-bit Internet worm. It spreads by using MAPI to send email through Microsoft Outlook.

This worm runs in memory at Windows startup and maintains a socket connection across the Internet. The connection is designed to allow a connection from a controlling client application, which can remotely manipulate the infected system.
 1033 tcp trojans Premium scan Port used by Netspy2, Dosh, ICQ Trojan, KWM, Little Witch, Net Advance, NetSpy trojans
 1034 tcp trojans Members scan Backdoor.Systsec [Symantec-2002-021314-3507-99] (2002.02.13) - remote access trojan. Affects all current Windows versions.
Backdoor.Zincite.A [Symantec-2004-072615-3305-99] (2004.07.26) - backdoor server program that allows unauthorized access to the compromised computer. It runs and listens for remote commands on port 1034/tcp.
W32.Mydoom.CI@mm [Symantec-2005-092711-1028-99] (2005.09.26) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine.

KWM trojan also uses this port.
 1035 tcp trojans Premium scan Backdoor.Sedepex [Symantec-2005-103109-2236-99] (2005.10.31) - a trojan with backdoor capabilities. It ends various security-related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp.

Some other trojans using this port: Dosh, KWM, Multidropper, Truva Atl, RemoteNC [Symantec-2002-042414-1825-99]
 1036 tcp trojan Premium scan KWM
 1037 tcp trojans Premium scan Arctic, Dosh, KWM, MoSucker
 1038 tcp,udp mtqp not scanned Message Tracking Query Protocol (IANA official) [RFC 3887]
 1039 tcp trojans Members scan Backdoor.Gapin [Symantec-2003-022717-3418-99] (2003.02.27) - a backdoor trojan that gives an attacker unauthorized access to your computer. By default this backdoor opens TCP port 1039 to allow access to the hacker. This threat is written in the Microsoft Visual Basic programming language.

Dosh trojan uses this port.

Port is also IANA registered for Streamlined Blackhole
 1040 tcp trojans Members scan Backdoor.Sedepex [Symantec-2005-103109-2236-99] (2005.10.31) - a trojan with backdoor capabilities. It ends various security-related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp.

Backdoor.Medias [Symantec-2004-032713-0001-99] (2004.03.27) - a trojan horse that installs itself as a Browser Helper Object.

WebCam Monitor also uses port 1040 (TCP/UDP).
 1041 tcp trojans Premium scan Dosh, RemoteNC [Symantec-2002-042414-1825-99]
 1042 tcp trojans Premium scan ASUS Armoury Crate "NodeJS Web Framework" process uses TCP ports 1042 and 1043

Trojans that use this port: Bla1.1, MyDoom.L [Symantec-2004-071915-0829-99]
 1042 udp games not scanned Battlestations: Midway
 1043 tcp trojan Premium scan ASUS Armoury Crate "NodeJS Web Framework" process uses TCP ports 1042 and 1043

Dosh

Backdoor.Win32.Mhtserv.b / Missing Authentication - Mhtserv.b listens on TCP port 1043; apparently no authentication is required to access this backdoor. When accessing the backdoor using telnet, you are greeted with a "Command" prompt, and issuing a lowercase "L" character returns a directory listing of system32.
References: [MVID-2021-0059]
 1044 tcp,udp trojan not scanned Ptakks
 1045 tcp trojan Premium scan Rasmin trojan
 1047 tcp trojans Premium scan GateCrasher.b, GateCrasher.c, RemoteNC [Symantec-2002-042414-1825-99]
 1049 tcp trojans Premium scan [trojan] /sbin/initd - reported on Linux hosts as a hacked backdoor along with tcp port 65534
 1050 tcp trojans Basic scan MiniCommand trojan

MS DNS Server on Windows Server 2003 machines may possibly use this port for DNS if other ports are being blocked by a firewall. See MS KB 198410, registry key "SendOnNonDnsPort" (unconfirmed).

Fortinet FortiNAC could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization of untrusted data vulnerability. By sending a specially crafted request to the tcp/1050 service, an attacker could exploit this vulnerability to execute arbitrary code or commands on the system.
References: [CVE-2023-33299], [XFDB-258701]

CORBA Management Agent (IANA official)
 1052 tcp trojans Members scan W32.Reatle.mm@mm [Symantec-2005-071510-0336-99] (2005.07.15) - mass-mailing worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability ([MS04-011]) on TCP port 445. Opens a backdoor by running an FTP server on port 8885/tcp. Also attempts to perform a denial of service attack against www.symantec.com by targeting port 1052/tcp with randomly generated packets.

W32.Reatle.C@mm [Symantec-2005-071521-3122-99] (2005.07.15) - another variant of the above mass-mailing worm. Opens a backdoor on port 8885/tcp and attempts to perform a denial of service attack against www.symantec.com on port 1052/tcp.

W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability ([MS03-026]) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.

Fire HacKer, Slapper, The Hobbit Daemon trojans also use this port.

Linux.Slapper.Worm [Symantec-2002-091311-5851-99] (2002.09.13) - family of worms that use an OpenSSL buffer overflow exploit [CVE-2002-0656] to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp. Opens backdoors on the following ports: 2002/udp (.A variant), 1978/udp (.B variant), 4156/udp and 1052/tcp periodically (.C variant).
 1053 tcp trojan Premium scan The Thief
 1054 tcp trojans Premium scan RemoteNC [Symantec-2002-042414-1825-99], AckCmd
 1058 tcp,udp nim not scanned nim, IBM AIX Network Installation Manager (NIM) (IANA official)
 1059 tcp,udp nimreg not scanned nimreg, IBM AIX Network Installation Manager (NIM) (IANA official)
 1068 udp games not scanned Will Rock game (developer: Saber Interactive)
 1069 udp games not scanned Will Rock game (developer: Saber Interactive)

Cognex In-Sight (IANA official) uses these ports:
68 udp - DHCP In-Sight vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure
 1069 tcp cognex not scanned Cognex In-Sight (IANA official) uses these ports:
68 udp - DHCP In-Sight vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure
 1070 tcp cognex not scanned Cognex In-Sight (IANA official) uses these ports:
68 udp - DHCP In-Sight vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure

IANA registered for: GMR Update Service
 1071 tcp applications not scanned DG Remote Control Server 1.6.2 allows remote attackers to cause a denial of service (crash or CPU consumption) and possibly execute arbitrary code via a long message to TCP port 1071 or 1073, possibly due to a buffer overflow.
References: [CVE-2005-2305], [BID-14263]

Port is also IANA registered for BSQUARE-VOIP
 1073 tcp applications not scanned DG Remote Control Server 1.6.2 allows remote attackers to cause a denial of service (crash or CPU consumption) and possibly execute arbitrary code via a long message to TCP port 1071 or 1073, possibly due to a buffer overflow.
References: [CVE-2005-2305], [BID-14263]

Port is also IANA registered for Bridge Control
 1075 tcp rdrmshc not scanned Backdoor.Win32.LanaFTP.k / Heap Corruption - the malware listens on TCP port 1075. Third-party attackers who can reach the server can send a specially crafted sequential payload causing a heap corruption.
References: [MVID-2021-0369]

RDRMSHC (IANA official)
 1080 tcp socks Members scan Socks Proxy is an Internet proxy service, potential spam relay point.

Common programs using this port: Wingate

Trojans/worms that use this port as well:
Bugbear.xx [Symantec-2003-060423-5844-99] - wide-spread mass-mailing worm, many variants.
SubSeven - remote access trojan, 03.2001. Affects all current Windows versions.
WinHole - remote access trojan, 01.2000 (a.k.a. WinGate, Backdoor.WLF, BackGate). Affects Windows 9x.
Trojan.Webus.C [Symantec-2004-101212-0903-99] - remote access trojan, 10.12.2004. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080.

Mydoom.B [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

Backdoor.Lixy [Symantec-2003-100816-5051-99] (2003.10.08) - a backdoor trojan horse that opens a proxy server on TCP port 1080.

W32.HLLW.Deadhat [Symantec-2004-020619-0805-99] (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.

WinHole, Wingate, Bagle.AI trojans also use this port.

Buffer overflows in AnalogX Proxy before 4.12 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request to TCP port 6588 or a SOCKS 4A request to TCP port 1080 with a long DNS hostname.
References: [CVE-2002-1001], [BID-5139]

Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080.
References: [CVE-2004-0315], [BID-9721]

HEUR.Backdoor.Win32.Generic / Unauthenticated Open Proxy - the backdoor creates a Windows service backed by an executable named "1314.exe", which lives under C:\WINDOWS and listens on TCP ports 1080 and 8080. Third-party adversaries who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host. The relay does not require authentication or any special User-agent check and leverages the HTTP Host header in the request to connect to third-party systems.
References: [MVID-2021-0176]

Backdoor.Win32.Small.gs / Unauthenticated Remote Command Execution - the malware listens on TCP port 1080. Third-party attackers who can reach infected systems can execute OS commands and/or run arbitrary programs.
References: [MVID-2021-0336]

Backdoor.Win32.Agent.aer / Remote Denial of Service - the malware listens on TCP port 1080. Third-party attackers who can reach infected systems can send a specially crafted junk payload for the logon credentials to trigger an exception and crash.
References: [MVID-2021-0346]

Backdoor.Win32.Agent.bxxn / Open Proxy - the malware listens on TCP port 1080. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2022-0522]

Backdoor.Win32.Aphexdoor.LiteSock / Remote Stack Buffer Overflow (SEH) - the malware drops an extensionless PE file named "3" which listens on TCP port 1080. Third-party attackers who can reach an infected host can send a specially crafted packet to port 1080, that will trigger a stack buffer overflow overwriting ECX register and SEH.
References: [MVID-2022-0653]
 1081 tcp trojans Premium scan Backdoor.Zagaban [Symantec-2005-110314-5204-99] (2005.11.03) - a trojan that allows the compromised computer to be used as a covert proxy. Allows the attacker to modify the hosts file. Starts a covert proxy and listens on port 1081/tcp.

WinHole trojan also uses port 1081.
 1082 tcp trojan Members scan Backdoor.Sincom [Symantec-2003-100909-4135-99] (2003.10.09) - a backdoor trojan horse that gives the trojan's author unauthorized access to an infected computer. It allows the author to control the system through a TCP connection, through an FTP server, or have the backdoor program reconnect to the attacker's computer.

WinHole trojan

Port is IANA registered for: AMT-ESD-PROT
 1083 tcp trojan Premium scan WinHole trojan
 1088 tcp trojans Premium scan Trojan.Webus.D [Symantec-2004-111216-2213-99] (2004.11.12) - remote access trojan, affects all current Windows versions. Opens a backdoor by connecting via port 1088 to IRC servers serv.gigaset.org or gimp.robobot.org. It then can receive a range of commands, including downloading and executing remote files. It can also open another random tcp port for incoming connections.

Trojan.Webus.E [Symantec-2005-040511-3347-99] (2005.04.05) - trojan that opens a backdoor and connects to IRC servers for remote access on port 1088/tcp.

Trojan.Webus.H [Symantec-2005-070318-0714-99] (2005.07.03) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands.
 1089 tcp malware not scanned Trojan-Proxy.Win32.Delf.ai / Remote SEH Buffer Overflow - the malware listens on TCP port 1089. Attackers who can reach the infected system can send a specially crafted HTTP TRACE request to trigger a classic SEH buffer overflow.
References: [MVID-2021-0115]
 1090 tcp trojans Premium scan Port used by Xtreme remote access trojan with keylogger capabilities. It also installs NetBus 2.1 Pro in the background.

Jana Server is vulnerable to a denial of service attack. A remote attacker could send specially-crafted data to the http-server module listening on TCP port 2506 and the pna-proxy module listening on TCP port 1090 to cause the server to enter into an infinite loop.
References: [BID-11780], [XFDB-18308]

Port is also IANA registered for FF Fieldbus Message Specification (TCP/UDP)
 1092 tcp trojan Premium scan Hvl RAT
 1095-1099 tcp trojans Members scan Some trojans use these ports: Blood Fest Evolution, Hvl RAT (also uses port 2283), Remote Administration Tool - RAT
 1098 tcp rmiactivation not scanned Trojans that use this port: Rat (TCP)

HP Business Service Management (BSM) 9.12 does not properly restrict the uploading of .war files, which allows remote attackers to execute arbitrary JSP code within the JBOSS Application Server component via a crafted request to TCP port 1098, 1099, or 4444.
References: [CVE-2012-2561]

The BlackBerry Universal Device Service in BlackBerry Enterprise Service (BES) 10.0 through 10.1.2 does not properly restrict access to the JBoss Remote Method Invocation (RMI) interface, which allows remote attackers to upload and execute arbitrary packages via a request to port 1098.
References: [CVE-2013-3693], [SECUNIA-55187]

RMI Activation (IANA official)
 1099 tcp rmiregistry not scanned HP Business Service Management (BSM) 9.12 does not properly restrict the uploading of .war files, which allows remote attackers to execute arbitrary JSP code within the JBOSS Application Server component via a crafted request to TCP port 1098, 1099, or 4444.
References: [CVE-2012-2561]

Siemens SPPA-T3000 Application Server could allow a remote attacker to execute arbitrary code on the system. By sending specifically crafted packets to 1099/tcp, an attacker could exploit this vulnerability to execute arbitrary code on the system.
References: [CVE-2019-18316], [XFDB-173422]

Siemens SPPA-T3000 Application Server could allow a remote attacker to obtain sensitive information. By sending specifically crafted packets to 1099/tcp, a remote attacker could exploit this vulnerability to obtain sensitive information.
References: [CVE-2019-18331], [XFDB-173415]

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.
References: [CVE-2020-11969]

If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix did not cover this edge case.
References: [CVE-2020-13931]

IANA registered for: RMI Registry (TCP/UDP)
 1100 tcp trojan Premium scan CafeIni 0.9 trojan horse

HP StorageWorks Storage Mirroring (SWSM) software is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the DoubleTake.exe process when handling authentication requests. By sending an encoded authentication request to TCP ports 1100, 1106 and UDP port 1105, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2008-1661]

Port is also IANA registered for MCTP
 1101 tcp applications not scanned ZenSysSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (service crash) or possibly execute arbitrary code via a series of connections and disconnections on TCP port 1101, aka Reference Number 25212.
References: [CVE-2011-4534], [BID-51897]

Backdoor.Hatckel [Symantec-2002-120515-0748-99] - a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens 15 ports on the infected computer: 1101 to 1115. Backdoor.Hatckel is written in Visual Basic.
 1104 udp trojan not scanned RexxRave trojan
 1105 udp applications not scanned HP StorageWorks Storage Mirroring (SWSM) software is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the DoubleTake.exe process when handling authentication requests. By sending an encoded authentication request to TCP ports 1100, 1106 and UDP port 1105, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2008-1661]

Port is also IANA registered for FTRANHC
 1106 tcp applications not scanned HP StorageWorks Storage Mirroring (SWSM) software is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the DoubleTake.exe process when handling authentication requests. By sending an encoded authentication request to TCP ports 1100, 1106 and UDP port 1105, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2008-1661]
 1109 tcp kpop not scanned Kerberos Post Office Protocol (KPOP)
 1110 udp nfsd not scanned EasyBits School network discovery protocol (for Intel's CMPC platform)

nfsd-keepalive Client status info (IANA official)

 1110 tcp webadmstart not scanned Cluster status info (nfsd-status)

Start web admin server (IANA official)
 1111 tcp trojans Members scan Trojans that use this port:
Backdoor.AIMvision [Symantec-2002-101713-3321-99] (2002.10.17) - remote access trojan. Affects all current Windows versions.
Backdoor.Ultor [Symantec-2002-061316-4604-99] (2002.06.13) - remote access trojan. Affects Windows, listens on port 1111 or 1234.
Backdoor.Daodan - VB6 remote access trojan, 07.2000. Affects Windows.
W32.Suclove.A@mm [Symantec-2005-092612-2130-99] (2005.09.25) - a mass-mailing worm with backdoor capabilities that spreads through MS Outlook and MIRC. Opens a backdoor and listens for remote commands on port 1111/tcp.

Daodan, Tport trojans also use this port.

The Administration Service (FMSAdmin.exe) in Macromedia Flash Media Server 2.0 r1145 allows remote attackers to cause a denial of service (application crash) via a malformed request with a single character to port 1111.
References: [CVE-2005-4216], [BID-15822]

Backdoor.Win32.Agent.cy / Weak Hardcoded Credentials - the malware listens on TCP port 1111 and drops an executable named "Spoolsw.exe" under the SysWOW64 directory that runs with SYSTEM integrity. The password "TrFsB-RuleZ" is stored in plaintext and can easily be found by running the strings utility against the malware executable.
References: [MVID-2021-0207]

Backdoor.Win32.Jokerdoor / Remote Stack Buffer Overflow - The malware listens on TCP port 1111 and drops a randomly named executable, e.g. xmutfeb.exe. Third party attackers who can reach an infected system can send a junk payload and trigger a classic stack buffer overflow overwriting the EBP, EIP registers and structured exception handler (SEH). When connecting you will get a "connected" server response, then we supply our payload as a parameter prefixed by "DOS" as running commands result in error.
References: [MVID-2021-0390]

Backdoor.Win32.SubSeven.c / Remote Stack Buffer Overflow - the malware listens on TCP port 1111. Third-party attackers who can reach an infected system can send a specially crafted packet prefixed with "DOS". This will trigger a classic stack buffer overflow overwriting ECX, EIP registers and structured exception handler (SEH).
References: [MVID-2022-0448]

LM Social Server (IANA official)
 1112 tcp,udp icp not scanned ESET virus update (TCP)

Intelligent Communication Protocol (IANA official)
 1113 tcp,udp ltp-deepspace not scanned Licklider Transmission Protocol (IANA official) [RFC 5326]
 1115 tcp trojans Premium scan Lurker, Protoss

Backdoor.Hatckel [Symantec-2002-120515-0748-99] - a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens 15 ports on the infected computer: 1101 to 1115. Backdoor.Hatckel is written in Visual Basic.
 1116 tcp trojan Premium scan Lurker trojan
 1117 tcp trojans Premium scan W32.Zotob.D [Symantec-2005-081609-4733-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
 1118 tcp,udp sacred not scanned SACRED (IANA official) [RFC 3767]
 1119 tcp,udp games not scanned Blizzard Downloader
Starcraft II: Wings of Liberty (Blizzard)
 1120 tcp games not scanned Starcraft II: Wings of Liberty, developer: Blizzard
 1122 tcp,udp trojans Premium scan Trojans that use this port: Last 2000, Singularity (Backdoor.Singu)

Port is also IANA registered for: availant-mgr
 1128 tcp applications not scanned The GetComputerSystem method in the HostControl service in SAP Netweaver 7.03 allows remote attackers to obtain sensitive information via a crafted SOAP request to TCP port 1128.
References: [CVE-2013-3319], [SECUNIA-54277]

Privilege Escalation Vulnerabilities (UNIX Insecure File Handling) in SAP Host Agent (saposcol) - multiple vulnerabilities were identified that could allow a local attacker authenticated as adm to escalate privileges on SAP UNIX systems. No additional user authentication is required to exploit these issues. The vulnerabilities are due to the privileged saposcol process generating files in its default working directory (/usr/sap/tmp; defined by profile parameter DIR_PERF) owned by the adm user (sapsys group), and following symbolic links (symlinks) when trying to open/create these files. Note that in some environments the directory might not be owned by the adm user account but be writable for all users of group sapsys including adm.
References: [CVE-2022-35295]
 1129 tcp trojans Members scan Backdoor.Anyserv [Symantec-2004-032516-5704-99] (2004.03.25) - a trojan horse that gives the author unauthorized remote access to an infected computer. Due to bugs in the code of Backdoor.Anyserv, some operations may not complete successfully.

Port is IANA registered for: SAPHostControl over SOAP/HTTPS
 1130 tcp trojan Premium scan Noknok trojan

Vulnerabilities listed: 100 (some use multiple ports)