
Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 41005 games not scanned Far Cry
 31435 games not scanned Arcanum, Arcanum Won.net
 20080 games not scanned Blazing Angels Squadrons of WWII, developer: Ubisoft Romania
 2093 applications not scanned IRLP - Internet Radio Linking Project uses ports 2074-2093
 25793 vocaltec-hos not scanned Vocaltec Address Server
 2066 applications not scanned DLSw
IANA registered for: AVM USB Remote Architecture
 5674 hyperscsi-port not scanned HyperSCSI Port [Data Storage Institut] (IANA official)
 10777 applications not scanned Unreal Tournament 2003 (ut2003) clients and servers allow remote attackers to cause a denial of service via malformed messages containing a small number of characters to UDP ports 7778 or 10777.
References: [CVE-2002-1507]
 24727 flipshare not scanned FlipShare Server uses ports 24726 and 24727 TCP.
 30888 applications not scanned Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.
References: [CVE-2012-5451]
 5034 jtnetd-status not scanned Janstor Status (IANA official)
 1761 applications not scanned Novell ZENworks Desktop Management is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the Remote Management Agent within ZenRem32.exe when processing certain version fields. By sending a specially-crafted packet to TCP or UDP port 1761, a remote attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges or cause the application to crash.
References: [XFDB-64025] [XFDB-64026] [BID-45379] [BID-45375]
 8080 tcp http Basic scan Common alternative HTTP port used for web traffic. See also TCP ports 80,81,8443. Some broadband routers run a web server on port 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.

Ubiquiti UniFi Controller uses these ports:
8080 tcp - http port for UAP to inform controller
8443 tcp - https port for controller GUI/API
8880 tcp - http portal redirect port (may also use ports 8881, 8882)
8843 tcp - https portal redirect port
3478 udp - STUN port (should be open at firewall)

Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port

If you're not running web services, keep in mind that some trojans also use these ports:
Reverse WWW Tunnel Backdoor - remote access/tunneling software coded in Perl, uses ports 80, 3128, 8080. Works on Unix, Linux, Solaris, AIX and OpenBSD.
RingZero (a.k.a. Ring0, Trojan.PSW.Ring, RingZero.gen, Ring) - uses ports 80, 3128, 8080. Affects Windows 9x.
Screen Cutter (a.k.a. Backdoor.Screencut) - uses ports 80, 8080.
Mydoom.B (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

W32.Spybot.OFN (2005.04.29) - network-aware worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. It may be downloaded by W32.Kelvir variants. Opens a backdoor on port 8080/tcp. Also exploits vulnerabilities on ports 445 and 1433.

W32.Zotob.C@mm (2005.08.16) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.

W32.Zotob.E (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.
Backdoor.Naninf.D (2006.02.01)
Backdoor.Naninf.C (2006.01.31)
W32.Rinbot.A (2007.03.02) - a worm that opens a back door, copies itself to IPC$ shares, connects to an IRC server, and awaits commands on port 8080/tcp.
Android.Acnetdoor (2012.05.16) - opens a backdoor on Android devices
Feodo/Geodo (a.k.a. Cridex or Bugat) trojan used to commit e-banking fraud uses ports 8080 tcp and 7779/tcp to run a nginx proxy and communicate with the botnet C&C server.
 2343 tcp trojans Premium scan Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default.
 23432 tcp trojans Premium scan Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2342, 23432 by default.
 21 tcp FTP Basic scan File Transfer Protocol [RFC 959]

List of some trojan horses/backdoors that also use this port: Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm, W32.Sober.N@mm.
W32.Bobax.AF@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 21/tcp, and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
W32.Loxbot.C (01.11.2006)

FTP proxy server for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service (network connectivity loss) via a connection to port 21 with a large amount of random data.
References: [CVE-2002-0779]

TURCK BL20 / BL67 could allow a remote attacker to bypass security restrictions, caused by the use of hardcoded credentials for the FTP service. An attacker could exploit this vulnerability using TCP port 21 to gain administrative access to the device.
References: [CVE-2012-4697], [XFDB-84351]

The FTP service in QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Station before 2.0.1, has hardcoded credentials, which makes it easier for remote attackers to obtain access via a session on TCP port 21.
References: [CVE-2015-7261]

The FTP service on Janitza UMG 508, 509, 511, 604, and 605 devices has a default password, which makes it easier for remote attackers to read or write to files via a session on TCP port 21.
References: [CVE-2015-3968]
 445 tcp microsoft-ds Basic scan TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName (value only) in the Windows Registry.

Leaving port 445 open will leave you vulnerable to some worms, such as W32.Deloader and IraqiWorm (aka Iraq_oil.exe), W32.HLLW.Moega, W32.Sasser.Worm, W32.Korgo.AB (09.24.2004), Backdoor.Rtkit.B (10.01.2004), Trojan.Netdepix.B (01.16.2005), as well as the Windows Null Session Exploit.

MS Security Bulletin [MS03-026] outlines a critical RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.

See also: Microsoft Security Bulletin [MS03-049] and Microsoft Security Bulletin [MS03-043]

W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.

W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.

W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp. Port 445/tcp is also used by the W32.Zotob.H variant of the worm.

W32.Conficker.worm - a worm with multiple variants. It exploits a buffer overflow vulnerability in the Server Service on Windows computers. McAfee has named the most recently discovered variant of this worm as W32/Conficker.worm.gen.d. The original W32.Conficker.worm attacks port 445, the port that Microsoft Directory Service uses, and exploits Microsoft Windows vulnerability [MS08-067].

Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 before 4.5.1.672, 5.0 before 5.0.0.225, 5.1 before 5.1.0.106, and 5.2 before 5.2.0.238 on Windows allows remote attackers to execute arbitrary code via a crafted SMB packet in a TCP session on port (1) 139 or (2) 445.
References: [CVE-2007-5580] [BID-26723] [SECUNIA-27947] [OSVDB-39521]

LANMAN service on Microsoft Windows 2000 allows remote attackers to cause a denial of service (CPU/memory exhaustion) via a stream of malformed data to microsoft-ds port 445.
References: [CVE-2002-0597] [BID-4532] [OSVDB-5179]
 3372 tcp msdtc Members scan MS DTC (Microsoft Distributed Transaction Coordinator) is a Microsoft transaction processing technology. The service is installed by default in Windows 2000 and can be used by MS SQL Server and Microsoft Message Queue Server (MSMQ).

The port is vulnerable to potential DDoS attacks. A remote user may be able to crash the MS DTC service by sending 1024 bytes of random data on TCP port 3372.

If you do not need MS DTC you can set your firewall to block access to port 3372. It is possible for MS DTC to use other ports, so you might also need to set your firewall to block any activity by the MS DTC service.
 389 tcp LDAP Basic scan LDAP (Lightweight Directory Access Protocol) - an Internet protocol, used by MS Active Directory, as well as some email programs to look up contact information from a server.

Both Microsoft Exchange and NetMeeting install an LDAP server on this port.

IBM Lotus Domino Server 7.0 allows remote attackers to cause a denial of service (segmentation fault) via a crafted packet to the LDAP port (389/TCP).
References: [CVE-2006-0580], [BID-16523]

Rockliffe MailSite 7.0 and earlier allows remote attackers to cause a denial of service by sending crafted LDAP packets to port 389/TCP, as demonstrated by the ProtoVer LDAP testsuite.
References: [CVE-2006-0790] [BID-16675] [SECUNIA-18888]
 1002 tcp ms-ils Basic scan Windows Internet Locator Server service, used by MS NetMeeting. ILS is a MS NetMeeting service that is now preferred by MS over the Internet standard LDAP service (port 389). This port does not appear in "netstat" command listings.
 25 tcp SMTP Basic scan SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not running a mail server that you're aware of, there is a possibility your system is infected.

Integer overflow in Apple Safari [CVE-2010-1099], Arora [CVE-2010-1100], Alexander Clauss iCab [CVE-2010-1101], OmniWeb [CVE-2010-1102], Stainless [CVE-2010-1103] allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25.

List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
W32.Sober.I@mm (11.19.2004) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp.
Trojan.Mitglieder.R (07.01.2005) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp.
W32.Beagle.CX@mm (12.16.2005) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Backdoor.Rustock (01.12.2006) - backdoor program that allows the compromised computer to be used as a proxy, uses rootkit techniques to hide its files and registry entries.

NJStar Communicator is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MiniSMTP server when processing packets. By sending a specially-crafted request to TCP port 25, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2011-4040], [XFDB-71086], [BID-50452]
 23 tcp telnet Basic scan Telnet is one of the oldest Internet protocols and the most popular program for remote access to Unix machines. It has numerous security vulnerabilities [RFC 854]

Trojans that also use this port: ADM worm, Aphex's Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (109.26.2005)

Stack-based buffer overflow in RabidHamster R2/Extreme 1.65 and earlier allows remote authenticated users to execute arbitrary code via a long string to TCP port 23.
References: [CVE-2012-1222] [BID-52061]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703]

Buffer overflow in the Remote command server (Rcmd.bat) in IpTools (aka Tiny TCP/IP server) 0.1.4 allows remote attackers to cause a denial of service (crash) via a long string to TCP port 23.
References: [CVE-2012-5345]

Hospira Lifecare PCA infusion pump running "SW ver 412" does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.
References: [CVE-2015-3459]

Zhuhai RaySharp firmware has a hardcoded root password, which makes it easier for remote attackers to obtain access via a session on TCP port 23 or 9000.
References: [CVE-2015-8286]
 70 tcp trojans Members scan W32.Evala.Worm - backdoor trojan, 07.2002. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.
Other trojans that use these ports: ADM worm, BackGate Kit, Nimda, Pasana, Storm, Theef

Note: port 69/udp is used by TFTP.
 110 tcp POP3 Basic scan POP3 (Post Office Protocol - Version 3)

Security Concerns: Re-usable cleartext password, no auditing of connections & attempts thus subject to grinding. Some POP3 server versions have had buffer overflow problems. CERT Advisories: CA-97.09

ADM, ProMail trojans also use port 110 (TCP).

Integer overflow in inetcomm.dll in Microsoft Outlook Express 5.5 SP2, 6, and 6 SP1; Windows Live Mail on Windows XP SP2 and SP3, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7; and Windows Mail on Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote e-mail servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) POP3 or (2) IMAP response, as demonstrated by a certain +OK response on TCP port 110, aka "Outlook Express and Windows Mail Integer Overflow Vulnerability."
References: [CVE-2010-0816] [BID-40052]

Integer overflow in eXtremail 2.1.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long USER command containing "%s" sequences to the pop3 port (110/tcp), which are expanded to "%%s" before being used in the memmove function, possibly due to an incomplete fix for [CVE-2001-1078].
References: [CVE-2007-5467] [BID-26074] [SECUNIA-27220]
 7 tcp Echo Members scan Echo Service, somewhat outdated by ICMP echo. Port just echoes whatever is sent to it. This feature can be used in many attacks, such as fraggle.

See also: [RFC862]
ICP - Internet Caching Protocol - This protocol is used by HTTP caching proxies in order to coordinate working together in a cluster. Part of this implementation includes bouncing packets off the echo port in order to test if the peers are alive.

Act P202S VoIP WiFi phone undocumented open port, multiple vulnerabilities.
References: [CVE-2006-0374], [CVE-2006-0375], [BID-16288]
 1080 tcp socks Members scan Socks Proxy is an Internet proxy service, potential spam relay point.

Common programs using this port: Wingate

Trojans/worms that use this port as well:
Bugbear.xx - wide-spread mass-mailing worm, many variants.
SubSeven - remote access trojan, 03.2001. Affects all current Windows versions.
WinHole - remote access trojan, 01.2000 (a.k.a. WinGate, Backdoor.WLF, BackGate). Affects Windows 9x.
Trojan.Webus.C - remote access trojan, 10.12.2004. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080.

Mydoom.B (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

Backdoor.Lixy (2003.10.08) - a backdoor trojan horse that opens a proxy server on TCP port 1080.

W32.HLLW.Deadhat (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.

WinHole, Wingate, Bagle.AI trojans also use this port.

Buffer overflows in AnalogX Proxy before 4.12 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request to TCP port 6588 or a SOCKS 4A request to TCP port 1080 with a long DNS hostname.
References: [CVE-2002-1001] [BID-5139]

Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080.
References: [CVE-2004-0315] [BID-9721]
 1214 tcp Kazaa Members scan Kazaa - peer-to-peer file sharing, some known vulnerabilities, and at least one worm (Benjamin) targeting it.

FastTrack, Apple iMesh also use port 1214 (TCP/UDP).

iMesh is vulnerable to a buffer overflow. By connecting to the TCP port 1214 that iMesh listens on and sending a long string of data, a remote attacker can overflow a buffer and execute arbitrary code on the vulnerable system.
References: [BID-1576], [CVE-2000-0706], [OSVDB-1513], [XFDB-4829]

File-sharing application Morpheus contains a security vulnerability that allows remote users to obtain the Morpheus username of other users by establishing a telnet connection to port 1214 of a machine running Morpheus.
 12345 tcp NetBus Members scan NetBus Trojan Horse uses this port.

Because of the common sequence of numbers "1 2 3 4 5" this port is commonly chosen when configuring programs, or as default port number.

Some other trojan horses/backdoors that use this port: Ashley, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, Pie Bill Gates, Whack Job, X-bill, ValvNet, TMListen, cron/crontab, Adoresshd
Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429

Trend Micro's OfficeScan products use port 12345 as well (see Securityfocus BugtraqID: 1013).

The Trend Micro OfficeScan client allows remote attackers to cause a denial of service by making 5 connections to port 12345, which raises CPU utilization to 100%.
References: [CVE-2000-0204] [BID-1013]

Cubeworld Server also uses port 12345 (TCP/UDP)
opendkim default port (may also use ports 8891,54321)
 87 tcp terminal link Members scan terminal link - a talk/chat style protocol. Port commonly used by intruders
 540 tcp uucp Members scan a famous file transfer service, potential vulnerability.
 674 tcp ACAP Premium scan ACAP -- Application Configuration Access Protocol

References: RFC2244, RFC2595, RFC2636
 2000 tcp callbook Members scan "RemoteAnywhere" installs a webserver on this port. NeWS/OpenWin (Sun's older variation of X-Windows) uses this port.

Lineage also uses this port.

A number of trojan horses/backdoors use this port: Der Spaeher, Fear, Force, GOTHIC Intruder, Insane Network, Last 2000, Real 2000, Remote Explorer 2000, Senna Spy Trojan Generator, Singularity
Backdoor.Fearic (2002.08) - remote access trojan, affects all current Windows versions, opens ports 2000, 3456, 8811.
Trojan.Esteems.D (2005.05.16) - trojan with keylogger capabilities. Uses port 2000/tcp to communicate with a remote host and send logged information.

Dark Colony game also uses port 2000 (TCP/UDP).

Unspecified vulnerability in the Session Border Controller (SBC) before 3.0(2) for Cisco 7600 series routers allows remote attackers to cause a denial of service (SBC card reload) via crafted packets to TCP port 2000.
References: [CVE-2009-0619], [BID-33975]

Port is also IANA registered for Cisco SCCP
 7000 tcp afs-fileserver Members scan afs fileserver

Command and Conquer Renegade and Rumble Fighter (TCP/UDP) also use this port.

W32.Gaobot.BQJ (11.08.2004) - network-aware worm that opens a backdoor and can be controlled via IRC. It can affect all current Windows versions. Connects to an IRC server on port 7000/tcp.
W32.Mydoom.BQ@mm (05.11.2005) - mass-mailing worm with backdoor capabilities, that uses its own SMTP engine. It communicates with an IRC server and listens for remote commands on port 7000/tcp.

W32.Mytob.GC@mm (06.30.2005) - mass-mailing worm that opens a backdoor on port 7000/tcp.

Some older trojan horses/backdoors that also use this port: Exploit Translation Server, Kazimas, Remote Grab, SubSeven

The control-plane access-list implementation in Cisco IPS Software before 7.1(8p2)E4 and 7.2 before 7.2(2)E4 allows remote attackers to cause a denial of service (MainApp process outage) via crafted packets to TCP port 7000, aka Bug ID CSCui67394.
References: [CVE-2014-0719], [BID-65667], [XFDB-91195]

The game Aliens vs Predator 2 uses ports 7000-10000 (TCP)
 23456 tcp trojans Members scan The following trojans/backdoors use this port: Evil FTP, Ugly FTP, WhackJob
 31 tcp msg-auth Members scan MSG Authentication

Delta Force also uses this port.

The following trojans/backdoors also use this port: Agent 31, Agent 40421, Hackers Paradise (ports 31, 456), Masters Paradise, Skun
 555 tcp dsf Members scan Trojans that use this port: 711 trojan (Seven Eleven), Ini-Killer, Net Administrator (NeTadmin), Phase Zero, Stealth Spy

Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.
References: [CVE-2012-1830]
 777 tcp multiling-http Members scan Trojans that use this port: AimSpy (AIM trojan), Un-Detected (a.k.a. Backdoor.TDS, 4Fuk, Trojan.Win32.TrojanRunner.Levil, U4).

Heap-based buffer overflow in HistorySvr.exe in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a long request to TCP port 777.
References: [CVE-2011-0406], [BID-45727]

Port also IANA registered for Multiling HTTP
 999 tcp garcon Members scan Port used by ScimoreDB Database System

Trojans that run on this port: DeepThroat (a.k.a. DTV2, DTV3, BackDoor-J), F0replay (a.k.a. WiNNUke eXtreame), WinSatan

Delta Force game also uses port 999 (TCP/UDP)
 1001 tcp trojans Members scan Trojans using this port: Der Spaeher, Le Guardien, Silencer, WebEx, GOTHIC Intruder, Lula, One Windows Trojan, Theef

The Sabserv client component in Sabre Desktop Reservation Software 4.2 through 4.4 allows remote attackers to cause a denial of service via malformed input to TCP port 1001.
References: [CVE-2002-1191], [BID-5974]

Stack-based buffer overflow in Ubisoft Rayman Legends before 1.3.140380 allows remote attackers to execute arbitrary code via a long string in the "second connection" to TCP port 1001.
References: [CVE-2014-4334]
 1000 tcp trojans Members scan Trojans using this port: Der Spaeher, Direct Connection, GOTHIC Intruder, Theef
 1024 tcp kdm Basic scan K Display Manager (KDE version of xdm)

Trojans that use this port: Jade, Latinus, Lithium, NetSpy, Ptakks, RAT, YAI
Backdoor.Lingosky 04.28.2005 - trojan with backdoor capabilities. Opens a backdoor on port 1024/tcp.

Applications using this port: AIM Video IM, ICUII, NetMeeting with H323, Lingo VoIP, Battlefield 2142, Everquest

The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.
References: [CVE-1999-0816]
 1170 tcp trojans Premium scan Some eavesdropping/remote access trojans use this port:
Psyber Streaming Audio Server - Remote access trojan.
W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.

Voice, Psyber Stream Server trojans also use port 1170.
 24 tcp priv-mail not scanned Port used by any private mail system.
Also used by the Back Orifice 2000 (BO2K) trojan as Control Port
 1243 tcp trojans Members scan Some trojans use this port: SubSeven/BackDoor-G, Tiles
 1999 tcp tcp-id-port Members scan Cisco identification port.

Some trojans also use this port: Back Door, SubSeven, TransScout
Backdoor.Bifrose.C (05.19.2005) - trojan that opens a backdoor on port 1999/tcp, and sends information to a remote server.

An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).
References: [CVE-1999-0453]
 6670 tcp vocaltec Members scan Vocaltec global online directory.

Some trojans also use this port: BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame.
 6711 tcp trojans Premium scan SubSeven/BackDoor-G, VP Killer trojans
Backdoor.Kilo - remote access trojan, 02.2003. Affects Windows, listens on port 6711 and 6718.
 6776 tcp trojans Members scan RAT (remote administration tool)

Trojans that use this port: 2000 Cracks, SubSeven/BackDoor-G, VP Killer
 6969 tcp acmsoda Members scan Backdoor.Assasin.D trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker.

Other trojans that use this port: GateCrasher, IRC 3/IRC Hack, Net Controller, Priority, Danton, 2000Cracks
 20034 tcp trojans Members scan Some trojans/backdoors use this port: NetBus, NetRex, Whack Job
 21554 tcp trojans Members scan Some trojans/backdoors use this port: Exploiter, Kid Terror, Winsp00fer, GirlFriend
Schwindler remote access trojan - ports 21554, 50766
 22222 tcp trojans Members scan Some trojans/backdoors use this port: Donald Dick, G.R.O.B, Prosiak, Ruler, RUX The TIc.K

Viasat (Swedish TV provider) routes traffic to digital boxes for digital TV through this port.

EasyEngine is a CLI tool to manage WordPress Sites on Nginx server [rtCamp_Solutions_Private_Limited] (IANA official)
 32100 tcp trojans Members scan Some trojans/backdoors use this port: Peanut Brittle, Project nEXT
 33333 tcp trojans Members scan W32.Zotob.C@mm (2005.08.16) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.

Backdoor.Selka (2004.11.12) - backdoor program, can affect all current Windows versions. Listens on port 33333.

Some older trojans/backdoors that also use this port: Blakharaz, Prosiak

Port is IANA registered for Digital Gaslight Service.
 55165 tcp trojans Premium scan Some trojans use this port: File Manager trojan, WM Trojan Generator
 60000 tcp trojans Premium scan Trojans/backdoors that use this port: DeepThroat/BackDoor-J, F0replay/WiNNUke eXtreame, Sockets des Troie, MiniBacklash
 65000 tcp trojans Premium scan Devil 13, Sockets des Troie, Stacheldraht trojans
 3389 tcp rdp Basic scan Port is IANA registered for Microsoft WBT Server, used for Windows Remote Desktop and Remote Assistance connections (RDP - Remote Desktop Protocol). Also used by Windows Terminal Server.

See also: MS Security Bulletin [MS02-051] and [MS01-040].

Trojans using this port: Backdoor.Win32.Agent.cdm, TSPY_AGENT.ADDQ

This port is vulnerable to Denial of Service Attack Against Windows NT Terminal Server. A remote attacker can quickly cause a server to reach full memory utilization by creating a large number of normal TCP connections to port 3389. Individual connections will timeout, but a low bandwidth continuous attack will maintain a terminal server at maximum memory utilization and prevent new connections from a legitimate source from taking place. Legitimate new connections will fail at this point with an error of either a connection timeout, or the terminal server has ended the connection.
References: [CVE-1999-0680]

A vulnerability exists in the Remote Desktop Protocol (RDP), where an attacker could send a specially crafted sequence of packets to TCP port 3389, which can result in RDP accessing an object in memory after it has been deleted.
References: [CVE-2012-2526]

Zmodo Geovision also uses port 3389 (TCP/UDP)
 12348 tcp BioNet Members scan GCI BioNet trojan
 3128 tcp ndl-aas Members scan Port used by some proxy servers (3proxy). Common web proxy server ports: 8080, 80, 3128, 6588

Official assignment: Active API Server Port

Trojans and backdoors that use this port: Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero

Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

W32.HLLW.Deadhat (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.

Multiple buffer overflows in Thomas Hauck Jana Server allow remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request with a long major version number, an HTTP GET request to the HTTP proxy on port 3128 with a long major version number, a long OK reply from a POP3 server, and a long SMTP server response.
References: [CVE-2002-1061], [BID-5320]
 9876 tcp session director Premium scan Session Director, True Image Remote Agent, Wireshark, nmap use this port.

Trojans that also use this port:
Cyber Attacker, Rux, Backdoor.Lolok

Backdoor.Lolok is a backdoor Trojan that uses the mIRC client to give a hacker access to the computer. By default, it establishes an IRC connection to irc.tu-pac.net on port 9876. Usually spreads through email attachments or disguised as a video file. Discovered on 12.05.2002.

Acronis True Image Windows Agent 1.0.0.54 allows remote attackers to cause a denial of service (crash) via a malformed packet to port 9876, which triggers a NULL pointer dereference.
References: [CVE-2008-1280], [BID-28169]
 9872-9874 tcp trojans Premium scan Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.
 3700 tcp LRS NetPage Premium scan Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.

3700/tcp is also registered with IANA for: LRS NetPage
 2 tcp compressnet Premium scan Trojans that use this port: Death remote access trojan (coded in VB, affects Windows 9x), port can be changed. Files: death.exe, config.cfg

America's Army, Operation Flashpoint also use this port.

Port 2 is also registered with IANA for compressnet management utility.
 121 tcp erpc Premium scan trojans/backdoors that use this port:
Attack Bot (files: Sysadmin.exe-181KB, Mpeg.exe, affects Windows 9x/ME)
God Message (ports 80,121,7777, a.k.a. BackDoor.AB.gen, JS.Trojan.WindowBomb, affects Windows 9x/ME/NT/2k)
JammerKillah (files: Jammerkillah.zip, Jammerkillah.exe, Mswin32.drv, affects Windows 9x/ME)

Port is also IANA registered for: Encore Expedited Remote Pro.Call
 10001 tcp scp Premium scan Backdoor.Zdemon.126 (05.2003) - remote access trojan, affects all current Windows versions.
Lula trojan also uses this port.

Games that use 10001 (TCP/UDP): Dungeon Fighter Online, MVP Baseball, Tera.

Applications that use port 10001: Tonido NAS remote access software
Ubiquiti Networks uses port 10001/UDP for its AirControl management discovery protocol: wiki.ubnt.com/AirControl#Management_Protocol

Seafile Windows Server uses the following TCP ports: 8000 (seahub web interface), 8082 (seafile server), 10001 (ccnet), 12001 (seaf-server).

The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9.41 does not require authentication, which allows remote attackers to execute arbitrary code via a session on TCP port 10001, aka ZDI-CAN-2116.
References: [CVE-2014-2609]

IANA registered for: SCP Configuration Port
 11831 tcp trojans Premium scan Trojans that use this port:
Latinus (2002.06) - remote access trojan, affects Windows 9x/ME/NT/2k/XP. Uses port 11831 for direct control and port 29559 for file transfer.
Pestdoor (2002.10) - remote access trojan, affects Windows 9x/ME/NT/2k/XP
DarkFace - remote access trojan, affects Windows
Vagr Nocker (2001.02) - remote access trojan, affects Windows
 12000 tcp trojans Members scan SatanCrew - remote access trojan, 08.2002. Affects Windows 9x/Me,NT,2K,XP

W32.Mytob.GN@mm (06.30.2005) - mass-mailing worm with its own SMTP engine and backdoor capabilities. Sends itself to email addresses it finds on the compromised computer. Opens an IRC backdoor on port 12000/tcp.

Applications that use this port: Phantasy Star Universe, ClearCommerce Engine 4.x (www.clearcommerce.com)

Wizard 101 uses ports 12000-12999 (TCP/UDP)

eosfailoverservice.exe in C3-ilex EOScada before 11.0.19.2 allows remote attackers to cause a denial of service by sending a large amount of data to TCP port 12000.
References: [CVE-2012-1813]

IANA assigned to: entextxid - IBM Enterprise Extender SNA XID Exchange
 901 tcp trojans Members scan NetDevil - remote access trojan, 02.2002. Affects Windows 9x/Me/NT/2k/XP

Port IANA registered for SMPNAMERES

Also used by VMware Virtual Infrastructure Client, Samba SWAT tool, ISS RealSecure Sensor
 5588 tcp trojans Premium scan Easyserv.11 - remote access trojan, 08.2002. Affects all current Windows versions.
 9696 tcp trojans Premium scan Gholame - remote access trojan, 08.2002. Affects all current Windows versions.
 1034 tcp trojans Members scan Backdoor.Systsec - remote access trojan, 02.2002. Affects all current Windows versions.
Backdoor.Zincite.A (2004.07.27) - backdoor server program that allows unauthorized access to the compromised computer. It runs and listens for remote commands on port 1034/tcp.
W32.Mydoom.CI@mm (2005.09.27) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine.

KWM trojan also uses this port.
 1111 tcp trojans Members scan Trojans that use this port:
Backdoor.AIMvision - remote access trojan, 10.2002. Affects all current Windows versions.
Backdoor.Ultor - remote access trojan, 06.2002. Affects Windows, listens on port 1111 or 1234.
Backdoor.Daodan - VB6 remote access trojan, 07.2000. Affects Windows.
W32.Suclove.A@mm (09.26.2005) - a mass-mailing worm with backdoor capabilities that spreads through MS Outlook and MIRC. Opens a backdoor and listens for remote commands on port 1111/tcp.

Daodan, Tport trojans also use this port.

The Administration Service (FMSAdmin.exe) in Macromedia Flash Media Server 2.0 r1145 allows remote attackers to cause a denial of service (application crash) via a malformed request with a single character to port 1111.
References: [CVE-2005-4216], [BID-15822]

Port is also IANA registered for: LM Social Server
 1218 tcp trojans Premium scan Trojans that use this port:
Backdoor.Sazo - remote access trojan, 06.2002. Affects Windows
Force/Feardoor - VB6 remote access trojan, 07.2002. Affects Windows.

Port is also IANA registered for: aeroflight-ads
 1234 tcp trojans Premium scan Backdoor.Ultor - remote access trojan, 06.2002. Affects Windows, listens on port 1111 or 1234.

Some other trojans using this port: SubSeven 2.0, Bagle.AF.

Port is also IANA registered for: Infoseek Search Agent
 6718 tcp trojans Premium scan Backdoor.Kilo - remote access trojan, 02.2003. Affects Windows, listens on port 6711 and 6718.
 58343 tcp trojans Premium scan Backdoor.Prorat - Delphi remote access trojan, 06.2003. Affects Windows. It opens port 58343 by default.
 31332 tcp trojans Premium scan Backdoor.Grobodor - backdoor trojan coded in Delphi, 10.06.2003. Affects all current Windows versions, listens on port 31332.
 10168 tcp trojans Premium scan W32.HLLW.Lovgate - a worm with backdoor trojan capabilities, 06.2003. Affects all current Windows versions.
 3456 tcp trojans Premium scan Backdoor.Fearic (2002.08) - remote access trojan. Affects all current Windows versions, opens ports 2000, 3456, 8811.

Some other trojans using this port: Teror Trojan, Fear, Force.

IANA registered for: VAT default data
 8811 tcp trojans Premium scan Backdoor.Fearic (2002.08) - remote access trojan, affects all current Windows versions, opens ports 2000, 3456, 8811.

Backdoor.Monator (2003.04.17) - a backdoor trojan that gives a hacker full access to your computer. By default it opens port 8811 for listening.
 3457 tcp trojans Premium scan Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429

IANA registered for: VAT default control
 7823 tcp trojans Premium scan Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429.
 13173 tcp trojans Premium scan Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429.
 44280,44390 tcp trojans Premium scan Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429.
 47387 tcp trojans Premium scan Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429.
 64429 tcp trojans Premium scan Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429.
 3410 tcp trojans Members scan W32.mockbot.a.worm, Backdoor.Optixpro - remote access trojan.

This port is also registered for NetworkLens SSL Event
 3737 tcp trojans Premium scan Backdoor.Helios - remote access trojan, 09.2002. Affects all current Windows versions.

XPanel Daemon also uses this port.
 3332 tcp trojans Premium scan Port is registered with IANA for: MCS Mail Server

Some trojans that use this port:
Q0 BackDoor trojan
W32.Cycle (05.10.2004). Exploits a MS vulnerability on port 445, listens on ports 3332/tcp and 69/udp.
 40421-40426 tcp trojans Premium scan Master's Paradise - remote access trojan, 03.1998. Affects Windows, uses ports 31, 3129, 40421-40426.

Port 40421/tcp also used by Agent 40421 trojan. Check port 30/tcp as well.
 3129 tcp trojans Premium scan Master's Paradise - remote access trojan, 03.1998. Affects Windows, uses ports 31, 3129, 40421-40426

MyDoom.B@mm trojan also uses this port.

Port 3129 is also registered with IANA for: NetPort Discovery Port
 3256 tcp trojans Premium scan W32.HLLW.Dax - worm with remote access capabilities, 09.2002. Affects all current Windows versions.

Port is also registered with IANA for: Compaq RPM Agent Port
 2090 tcp trojans Premium scan Backdoor.Expjan - remote access trojan, 08.2002. Affects all current Windows versions.

Port is also IANA registered for: Load Report Protocol
 1533 tcp trojans Premium scan Backdoor.Miffice - remote access trojan, 08.2002. Affects all current Windows versions.

IBM Lotus Sametime is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Community Services Multiplexer service (StMux.exe). By sending an overly long HTTP request to TCP port 1533, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2008-2499], [BID-29328]

Port is also registered with IANA for: Virtual Places Software
 59211 tcp trojans Premium scan Backdoor.Ducktoy (2002.07) - remote access trojan, affects all current Windows versions, listens to ports 29559 and 59211 by default.

NewFuture trojan
 29559 tcp trojans Premium scan Backdoor.Ducktoy (2002.07) - remote access trojan, affects all current Windows versions, listens to ports 29559 and 59211 by default.
Backdoor.Latinus (2002.06) - remote access trojan, affects Windows 9x/ME/NT/2k/XP. Uses port 11831 for direct control and port 29559 for file transfer.

Some other trojans also use this port: AntiLamer BackDoor, DarkFace, DataRape, Pest, Vagr Nocker
 58666 tcp trojans Premium scan Backdoor.Redkod - remote access trojan, 02.2003. Affects all current Windows versions.
 58008 tcp trojans Premium scan Backdoor.Tron - remote access trojan, 06.2002. Affects all current Windows versions, has the ability to kill software firewall processes.
 56565 tcp trojans Premium scan Backdoor.Osirdoor - remote access trojan, 08.2002. Affects all current Windows versions.

Vulnerabilities listed: 100 (some use multiple ports)