
Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 3030 tcp trojans Premium scan NetPanzer uses port 3030 (TCP/UDP).

W32.Mytob.ET@mm [Symantec-2005-061516-3312-99] (2005.06.15) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine to spread. Connects to an IRC server and listens for remote commands on port 3030/tcp.

Backdoor.Slao [Symantec-2003-052610-2111-99] (2003.05.26) - a backdoor trojan horse that allows unauthorized access to an infected computer.

Port also used by the W32.Mytob.EQ, W32.Mytob.cz@mm [Symantec-2005-060214-2034-99] variants of the worm.

IANA registered for: Arepa Cas (TCP/UDP)
 8900 tcp trojans Premium scan W32.Mytob.EV@mm [Symantec-2005-061516-2055-99] (2005.06.15) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands via IRC on port 8900/tcp.
 8181 tcp trojans Members scan W32.Erkez.D@mm [Symantec-2004-121413-4703-99] (2004.12.14) - mass mailing worm that can terminate processes, lower security settings, and allow remote access to the compromised computer. Opens a backdoor and listens for remote commands on port 8181/tcp.

Backdoor.Shangxing [Symantec-2007-030516-4150-99] (2007.03.06) also uses this port.

The Web Administrator service (STEMWADM.EXE) in Websense Personal Email Manager 7.1 before Hotfix 4 and Email Security 7.1 before Hotfix 4 allows remote attackers to cause a denial of service (crash) by sending an HTTP GET request to TCP port 8181 and closing the socket before the service can send a response.
References: [CVE-2009-3749], [BID-36740]

IPSwitch IMail is an e-mail server which provides WWW (HTTP) E-mail services. By default this web service resides on port 8181 (TCP/UDP) or 8383 (TCP/UDP). Sending an HTTP request with an extremely long "HOST" field multiple times can cause the system hosting the service to become unresponsive. Each long request "kills" a thread without freeing up the memory used by it. By repeating this request, the system's resources can be used up completely.
References: [BID-2011]

TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.
References: [CVE-2021-30127]

Intermapper network management system (IANA official)
 8885 tcp trojans Members scan W32.Reatle.mm@mm [Symantec-2005-071510-0336-99] (2005.07.15) - mass-mailing worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability ([MS04-011]) on TCP port 445. Opens a backdoor by running an FTP server on port 8885/tcp. Also attempts to perform a denial of service attack against www.symantec.com by targeting port 1052/tcp with randomly generated packets.

W32.Reatle.C@mm [Symantec-2005-071521-3122-99] (2005.07.15) - another variant of the above mass-mailing worm. Opens a backdoor on port 8885/tcp and attempts to perform a denial of service attack against www.symantec.com on port 1052/tcp.
 1052 tcp trojans Members scan W32.Reatle.mm@mm [Symantec-2005-071510-0336-99] (2005.07.15) - mass-mailing worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability ([MS04-011]) on TCP port 445. Opens a backdoor by running an FTP server on port 8885/tcp. Also attempts to perform a denial of service attack against www.symantec.com by targeting port 1052/tcp with randomly generated packets.

W32.Reatle.C@mm [Symantec-2005-071521-3122-99] (2005.07.15) - another variant of the above mass-mailing worm. Opens a backdoor on port 8885/tcp and attempts to perform a denial of service attack against www.symantec.com on port 1052/tcp.

W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability ([MS03-026]) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.

Fire HacKer, Slapper, The Hobbit Daemon trojans also use this port.

Linux.Slapper.Worm [Symantec-2002-091311-5851-99] (2002.09.13) - family of worms that use an OpenSSL buffer overflow exploit [CVE-2002-0656] to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp. Opens backdoors on the following ports: 2002/udp (.A variant), 1978/udp (.B variant), 4156/udp and 1052/tcp periodically (.C variant).
 1444 tcp trojans Premium scan Backdoor.Homutex [Symantec-2005-071512-0035-99] (2005.07.15) - a trojan with backdoor capabilities. Opens a backdoor and listens for remote commands on port 1444/tcp. Also attempts to send information about the infected computer on port 1443/tcp.
 30722 tcp trojans Premium scan W32.Esbot.A [Symantec-2005-081610-2800-99] - a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (MS Security Bulletin [MS05-039]). Opens a backdoor and listens for remote commands by connecting to IRC servers on 30722/tcp (W32.Esbot.B [Symantec-2005-081716-4721-99] variant uses port 18067/tcp).
 8594 tcp trojans Basic scan W32.Zotob.E [Symantec-2005-081615-4443-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.

The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.
 18067 tcp trojans Basic scan Trojans/worms that exploit the Microsoft Plug and Play Buffer Overflow Vulnerability ([MS05-039]) commonly use this port to listen for remote commands via IRC.

Backdoor.Mousey [Symantec-2005-080510-2502-99] - a trojan that opens a backdoor on the compromised computer. It listens for remote commands via IRC on port 18067/tcp.

W32.Esbot.B - a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (MS Security Bulletin [MS05-039]). Opens a backdoor and listens for remote commands by connecting to IRC servers on port 18067/tcp (W32.Esbot.A [Symantec-2005-081610-2800-99] variant uses port 30722/tcp).

W32.Mocbot.A [Symantec-2005-102415-5716-99] - a worm with backdoor capabilities that exploits the MS Plug and Play Buffer Overflow Vulnerability ([MS05-039]). Opens a backdoor and listens for remote commands on port 18067/tcp.
 4095 tcp trojans Members scan W32.Randex.EUS [Symantec-2005-081614-2307-99] (2005.08.16) - a worm that spreads through weak passwords in network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 4095/tcp.
 1117 tcp trojans Premium scan W32.Zotob.D [Symantec-2005-081609-4733-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
 27328 tcp trojans Premium scan Backdoor.Nibu.N [Symantec-2005-081216-4542-99] - a trojan that blocks access to security-related sites, and opens a backdoor on the compromised computer. It also runs a keylogger, sending information periodically via email. Opens a backdoor and listens for remote commands on ports 9125/tcp, and 27328/tcp.
 65111 tcp trojans Premium scan Backdoor.Microkos [Symantec-2005-081015-0341-99] (2005.08.10) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp.
 9030 tcp trojans Members scan Often used by Tor.

W32.Beagle.BY@mm [Symantec-2005-080411-1425-99] (2005.08.04) - a mass-mailing worm that uses its own SMTP engine. It opens a backdoor on the compromised computer and listens for remote commands on port 9030/tcp.
 3398 tcp trojans Premium scan PWSteal.Bancos.AA [Symantec-2005-080314-0053-99] (2005.08.03) - a trojan that steals passwords and logs keystrokes (mainly entered into a number of e-commerce and banking websites). The trojan runs a proxy server on port 3398/tcp. It also emails information from the compromised computer using its own SMTP server.
 4123 tcp trojans Members scan W32.Bratle.B [Symantec-2005-080216-5303-99] (2005.08.02) - a worm that spreads by exploiting the MS LSASS Buffer Overrun Vulnerability ([MS04-011]). It opens a backdoor by running an FTP server on port 4123/tcp.

Z-Wave Protocol (TCP/UDP) [Sigma_Designs_Inc_2] (IANA official)
 2005 tcp trojans Premium scan W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability ([MS03-026]) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.

Duddie, TransScout trojans also use port 2005 (TCP).

Backdoor.Win32.Delf.zs / Unauthenticated Remote Command Execution - Backdoor Delf.zs c0ded By Eb0La, is used to build backdoors that listen on TCP port 2005. Upon building it drops an executable named "[Shell_Me]_Server.exe." The name for the spawned backdoor defaults to "Syst32.exe" but can be customized. Third-party attackers who can reach infected systems can execute arbitrary commands by simply connecting to the backdoor which will return a remote shell to the infected host as no authentication exists.
References: [MVID-2021-0150]
 20101 tcp applications not scanned Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager 5.5 before Build 1613 allows remote attackers to execute arbitrary code via a crafted IPC packet to TCP port 20101.
References: [CVE-2011-5001], [BID-50965]
 1155 tcp trojans Members scan W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability ([MS03-026]) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform a denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.
 3351 tcp trojans Members scan W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS LSASS Buffer Overrun Vulnerability ([MS04-011]). Opens backdoors on ports 3351/tcp and 8190/tcp.
 8190 tcp iot Members scan Veeam Backup and replication suite uses these ports, in addition to common 80, 443, etc.:
6160 TCP - Veeam installer service
6165 TCP - WAN accelerator
6180 TCP/UDP - Veeam cloud gateway
6169, 8190, 8191 TCP - used by SP backup server
10003 TCP - communication with Veeam backup service

Port used by: Ecobee thermostats, Y-cam Wireless IP Cameras

W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS LSASS Buffer Overrun Vulnerability ([MS04-011]). Opens backdoors on ports 3351/tcp and 8190/tcp.

Multiple stack-based buffer overflows in Medicomp MEDCIN Engine 2.22.20142.166 might allow remote attackers to execute arbitrary code via a crafted packet on port 8190, related to (1) the GetProperty info_getproperty function and (2) the GetProperty UdfCodeList function.
References: [CVE-2015-2901]

Heap-based buffer overflow in the QualifierList retrieve_qualifier_list function in Medicomp MEDCIN Engine before 2.22.20153.226 might allow remote attackers to execute arbitrary code via a long list name in a packet on port 8190.
References: [CVE-2015-2899]

Multiple stack-based buffer overflows in Medicomp MEDCIN Engine before 2.22.20153.226 might allow remote attackers to execute arbitrary code via a crafted packet on port 8190, related to (1) the SetGroupSequenceEx na_setgroupsequenceex function, (2) the FormatDate julptostr function, and (3) the UserFindingCodes addtocl function.
References: [CVE-2015-2898]

IANA registered for: Generic control plane for RPHY
 7080 tcp haxdoor Premium scan VMware vCenter Single Sign On HTTP Port
Sepialine Argos Communications

Games: City of Heroes, City of Villains

Backdoor.Haxdoor.E [Symantec-2005-080212-3505-99] (2005.08.01) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp.

NiteEnterprises Remote File Manager 1.0 allows remote attackers to cause a denial of service (crash) via a crafted string to TCP port 7080.
References: [CVE-2005-1603], [BID-13550]

EmpowerID Communication (IANA official)
 8008 tcp fortinet Premium scan Citrix common ICA/HDX HTML5 access to applications and virtual desktops.
Apple iCal service also uses this port.

Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)


Backdoor.Haxdoor.E [Symantec-2005-080212-3505-99] (2005.08.01) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp.

njRAT remote access malware - default port is 1177, may also use ports 8008 and 8521.
 3333 tcp trojans Premium scan Network Caller ID server, CruiseControl.rb, OpenOCD (gdbserver)
ATC Rainbow Six Lockdown (TCP/UDP), developer: Foolish Entertainment

W32.Bratle.A [Symantec-2005-073116-3607-99] (2005.07.31) - worm that exploits the MS Windows LSASS Buffer Overrun vulnerability ([MS04-011]). Opens an FTP server on port 3333/tcp.

Backdoor.Slao [Symantec-2003-052610-2111-99] (2003.05.26) - a backdoor trojan horse that allows unauthorized access to an infected computer.

Daodan trojan

Backdoor.Win32.Hanuman.b / Unauthenticated Remote Command Execution - the malware listens on TCP port 3333. Third-party attackers who can reach an infected system can run any OS commands, hijacking the compromised host.
References: [MVID-2022-0467]
 8881 tcp worm Members scan Atlasz Informatics Research Ltd Secure Application Server
Netflexity Inc QFlex - IBM WebSphere MQ monitoring software

W32.Mytob.IK@mm [Symantec-2005-072915-5351-99] (2005.07.29) - a mass-mailing worm that uses its own SMTP engine, opens a backdoor, and lowers security settings on the compromised computer. Listens for remote commands on port 8881/tcp.

Galaxy4D Online Game Engine [Galaxy4D] (IANA official)
 31113 tcp worms Members scan W32.Mytob.IH@mm [Symantec-2005-072512-2831-99] mass-mailing worm that uses its own SMTP engine, opens a backdoor, and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 31113/tcp. W32.Mytob.AD@mm and W32.Mytob.AA@mm variants of the worm listen to port 10087/tcp.
 28876 tcp trojans Premium scan Backdoor.Globe [Symantec-2005-011216-5201-99] - a proof-of-concept Trojan horse program that exploits the Microsoft Windows LoadImage API Function Integer Overflow Vulnerability (Windows XP, described in Microsoft Security Bulletin MS05-002). The Trojan is written in JavaScript and is embedded in .html files.

Trojan.Helemoo [Symantec-2005-072312-2716-99] - a backdoor trojan that exploits a MS IE DHTML Memory Corruption Vulnerability ([MS05-020]). Opens a backdoor and listens for remote commands on port 28876/tcp by default.
 29147 tcp trojans Premium scan Backdoor.Sdbot.AI [Symantec-2005-010309-3226-99] network aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 29147/tcp.
 59 tcp trojans Premium scan Backdoor.Sdbot.AJ [Symantec-2005-011009-1754-99] (2005.01.10) - network aware worm with backdoor capabilities. Spreads via network shares. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 59/tcp.

DMSetup trojan also uses port 59.

any private file service (IANA official)
 7812 tcp trojans Premium scan Backdoor.Sdbot.AP [Symantec-2005-030416-5626-99] (2005.03.04) - worm with backdoor capabilities. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 7812/tcp.
 23476 tcp trojans Premium scan Donald Dik Trojan - backdoor trojan similar to BlackOrifice, affects Windows 9x/NT, opens a backdoor and listens for remote commands on ports 23476/tcp and 23477/tcp.
 1907 tcp trojan Premium scan Backdoor.Verify [Symantec-2005-040711-2720-99] (2005.04.06) - backdoor trojan that allows remote access to the compromised computer, opens ports 1906/tcp and 1907/tcp for remote access.

Backdoor.Win32.Verify.h / Unauthenticated Remote Command Execution - the malware listens on TCP ports 1906 and 1907. Third-party adversaries who can reach an infected host on either port can gain access and/or run any OS command.
References: [MVID-2022-0538]
 8563 tcp trojans Members scan W32.Zotob.H [Symantec-2005-081717-2017-99] (2005.08.17) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.

The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp.
 6868 tcp trojans Premium scan Backdoor.Darkmoon [Symantec-2005-081910-3934-99] (2005.08.18) - trojan that opens a backdoor on the compromised computer and has keylogging capabilities. Opens a backdoor and listens for remote commands on ports 6868/tcp and 7777/tcp.

IANA registered for Acctopus Command Channel.
 7777 tcp trojans Members scan Applications:
iChat server file transfer proxy
Oracle Cluster File System 2
Satisfactory's dedicated server
Xivio default Chat Server

Games:
Active Worlds (TCP/UDP)
Fabula Mortis uses ports 7777 and 7778
ARK: Survival Evolved server
Terraria game (TCP/UDP)
Ultima Online


Malware: GodMessage trojan, The Thing trojan, tini.exe Windows backdoor program

Backdoor.Darkmoon [Symantec-2005-081910-3934-99] (2005.08.18) - trojan that opens a backdoor on the compromised computer and has keylogging capabilities. Opens a backdoor and listens for remote commands on ports 6868/tcp and 7777/tcp.

UsbCharger.dll in the Energizer DUO USB battery charger software contains a backdoor that is implemented through the Arucer.dll file in the %WINDIR%\system32 directory, which allows remote attackers to download arbitrary programs onto a Windows PC, and execute these programs, via a request to TCP port 7777. References: [CVE-2010-0103], [BID-38571]

OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 sends the configuration of the printer in cleartext, which allows remote attackers to obtain the administrative password by connecting to TCP port 5548 or 7777. References: [CVE-2008-0374], [BID-27339]

SKIDATA RFID Freemotion.Gate could allow a remote attacker to execute arbitrary commands on the system, caused by failure to restrict access to the RTP|One Gate web service and Gate. By sending a specially-crafted request to TCP port 7777, an attacker could exploit this vulnerability to inject and execute arbitrary commands on the system with root privileges. References: [XFDB-89103]

A flaw was found in podman. The 'podman machine' function (used to create and manage a Podman virtual machine containing a Podman process) spawns a 'gvproxy' process on the host system. The 'gvproxy' API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the 'gvproxy' API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could also be used to interrupt the host's services by forwarding all ports to the VM.
References: [CVE-2021-4024]

Backdoor.Win32.Levelone.b / Remote Stack Buffer Overflow - the backdoor listens on port 7777; sending two large consecutive HTTP OPTIONS requests triggers the buffer overflow, overwriting EIP.
References: [MVID-2021-0021]

Backdoor.Win32.Tiny.a / Unauthenticated Remote Command Execution - the malware listens on TCP port 7777. Third-party attackers who can reach an infected system can run any OS commands, hijacking the compromised host.
References: [MVID-2022-0533]
 8123 tcp vipre Premium scan BURST Reference Software uses TCP ports 8123 (p2p), 8124 (standard mining pool port), 8125 (web interface)

ClickHouse Analytics DB (open source big data) uses TCP port 8123 for its HTTP interface.

Home Assistant (massive open source home automation project) uses port 8123 for WebUI. See: home-assistant.io/hassio/

Minecraft default dynmap mapping port

Polipo open source web proxy, Bukkit DynMap Default Webserver Bind Address

VIPRE Business Security uses the following TCP ports: 8123, 18082, 18086, 18090. It may also communicate through TCP ports 135, 139, 445.


 9515 tcp trojans Members scan W32.Loxbot.A [Symantec-2005-101813-2331-99] (2005.10.17) - a worm with backdoor capabilities. It can spread using AIM, and it can lower security settings on the compromised computer. Also uses a rootkit to hide its process in memory. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 9515/tcp.
Port also used by the W32.Loxbot.B [Symantec-2005-103115-1053-99] variant.
 5652 tcp trojans Members scan W32.Fanbot.A@mm [Symantec-2005-101715-5745-99] (2005.10.17) - a mass-mailing worm that lowers security settings on the compromised computer. It can also spread through P2P networks and by exploiting the MS Plug and Play Buffer Overflow vulnerability described in [MS05-039]. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 5652/tcp.
 12401 tcp applications not scanned Buffer overflow in 7-Technologies (7T) Interactive Graphical SCADA System (IGSS) 9.0.0.11200 allows remote attackers to cause a denial of service via a crafted packet to TCP port 12401.
References: [CVE-2011-4050] [BID-51146]

PRLicenseMgr.exe in the Proficy Server License Manager in GE Intelligent Platforms Proficy Plant Applications 5.0 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TCP session on port 12401.
References: [CVE-2012-0231]

Multiple stack-based buffer overflows in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted (1) ListAll, (2) Write File, (3) ReadFile, (4) Delete, (5) RenameFile, and (6) FileInfo commands in an 0xd opcode; (7) the Add, (8) ReadFile, (9) Write File, (10) Rename, (11) Delete, and (12) Add commands in an RMS report templates (0x7) opcode; and (13) 0x4 command in an STDREP request (0x8) opcode to TCP port 12401.
References: [CVE-2011-1567] [BID-46936] [SECUNIA-43849]

WellinTech KingSCADA is vulnerable to a stack-based buffer overflow, caused by an integer overflow in kxNetDispose.dll. By sending a specially-crafted packet to TCP port 12401, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2014-0787], [XFDB-92641]
 43287 tcp trojans Members scan W32.Mytob.KU@mm [Symantec-2005-101522-1102-99] - mass-mailing worm that uses its own SMTP engine, has backdoor capabilities, and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 43287/tcp.

Also: W32.Mytob.KR@mm [Symantec-2005-101517-4223-99] variant.
 30999 tcp trojans Premium scan Backdoor.Novacal [Symantec-2005-092910-5215-99] - a backdoor server that allows unauthorized access, uses ICQ to notify the remote attacker of the compromised computer. Opens a backdoor and listens for remote commands on port 30999/tcp.

Kuang2 trojan
 23560 tcp prtg Premium scan Paessler PRTG Remote Probe uses port 2356.

Backdoor.Sparta.D [Symantec-2005-093012-4729-99] - backdoor trojan that can be controlled by a remote attacker via IRC channels, uses port 23560/tcp.
 10027 tcp trojans Premium scan W32.Mytob.JW@mm [Symantec-2005-100312-4423-99] (2005.10.03) - a mass-mailing worm with backdoor capabilities that lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 8000/tcp. Also uses port 10027/tcp to download a copy of the worm.

Default port for IBM WebSphere Portal Application Server Administrative Console
 52179 tcp trojans Premium scan Backdoor.Tjserv.D [Symantec-2005-100415-4002-99] (10.04.2005) - a backdoor trojan that acts as an HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens an HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp.
 7043 tcp trojans Members scan W32.Spybot.YCL [Symantec-2005-100416-5735-99] (2005.10.04) - a worm with backdoor and distributed denial of service (DDoS) capabilities. It can spread by exploiting a number of vulnerabilities, as well as backdoors left by other malware. Opens a backdoor and listens for remote commands via IRC on port 7043/tcp.
Also: W32.Spybot.YQW [Symantec-2005-101515-4844-99] (2005.10.15)
 9035 tcp trojans Members scan Citrix admin workstation connects to EdgeSightAgent using port 9035 TCP to access real-time data.

W32.Beagle.CK@mm [Symantec-2005-100615-0020-99] (2005.10.06) - a mass-mailing worm with backdoor capabilities. Uses its own SMTP engine, stops some anti-virus and security related processes. Opens a backdoor and listens for remote commands on port 9035/tcp.

Port also used by W32.Beagle.CL@mm [Symantec-2005-100711-5834-99] (2005.10.07)

Constructor.Win32.SS.11.c / Unauthenticated Open Proxy - the malware listens on TCP port 9035. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0311]
 39780 tcp trojans Premium scan Backdoor.Nibu.O [Symantec-2005-101017-0741-99] - a backdoor trojan that also runs a keylogger. Opens a backdoor and listens for remote commands on port 39780/tcp. Also logs information and sends captured keystrokes to predetermined websites/emails.
 23523 tcp trojans Premium scan W32.Mytob.KM@mm [Symantec-2005-101214-2941-99] - a mass-mailing worm with backdoor capabilities, that also lowers security settings on the compromised computer. Opens a backdoor by connecting to rax.oucihax.info and listens for remote commands on port 23523/tcp.
 3385 tcp trojans Premium scan W32.Mytob.KP@mm [Symantec-2005-101410-3314-99] (2005.10.14) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands by connecting to an IRC server on the rax.oucihax.info domain on port 3385/tcp.
 4661 tcp trojans Members scan Trojan.Gamqowi [Symantec-2005-102012-4020-99] (2005.10.20) - a backdoor trojan that lowers security settings on the compromised computer. It blocks access to some security-related websites, and attempts to end security-related processes. Opens a backdoor and listens for remote commands by connecting to an IRC server on port 4661/tcp.

Nemog backdoor (discovered 2004.08.16) - a backdoor trojan horse that allows an infected computer to be used as an email relay and HTTP proxy, dropped by W32.Mydoom.Q@mm.
It can use one of the following ports: 3306,4242,4646,4661,6565,8080

Port used by aMule and eMule p2p file sharing (eDonkey server default listening port). eMule p2p file sharing software uses ports 4661/tcp, 4662/tcp, 4665/udp, 4672/udp, 4711/tcp (web interface) by default. Some versions of this P2P client are vulnerable to a DecodeBase16 buffer overflow.
 321 tcp trojans Members scan W32.Looksky.A@mm [Symantec-2005-102511-3240-99] (2005.10.24) - a mass-mailing worm that lowers security settings and logs keystrokes on the compromised computer. It also gathers and sends out personal information. Opens a backdoor and listens for remote commands on port 321/tcp. It also periodically connects to proxy4u.ws on port 8080/tcp to check for updates.
Port also used by other variants:
W32.Looksky.E@mm [Symantec-2005-120910-5842-99] (2005.10.24)
W32.Looksky.H@mm [Symantec-2006-011812-1823-99] (2006.01.17)

PIP (TCP/UDP) (IANA official)
 1035 tcp trojans Premium scan Backdoor.Sedepex [Symantec-2005-103109-2236-99] (2005.10.31) - a trojan with backdoor capabilities. It ends various security related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp.

Some other trojans using this port: Dosh, KWM, Multidropper, Truva Atl,
RemoteNC [Symantec-2002-042414-1825-99]
 1040 tcp trojans Members scan Backdoor.Sedepex [Symantec-2005-103109-2236-99] (2005.10.31) - a trojan with backdoor capabilities. It ends various security related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp.

Backdoor.Medias [Symantec-2004-032713-0001-99] (2004.03.27) - a trojan horse that installs itself as a Browser Helper Object.

WebCam Monitor also uses port 1040 (TCP/UDP).
 7999 tcp worm Members scan W32.Mytob.LZ@mm [Symantec-2005-112014-4354-99] (2005.11.20) - a mass-mailing worm with backdoor capabilities. It can spread using network shares and exploiting Windows vulnerabilities. Blocks access to several security-related websites by modifying the hosts file. Opens a backdoor and listens for remote commands by connecting to an IRC server on port 7999/tcp.
 49495 tcp trojans Premium scan Backdoor.Danrit [Symantec-2005-111515-2142-99] (2005.11.15) - a trojan that opens a backdoor and logs keystrokes, opens a backdoor on port 49495/tcp.
 1081 tcp trojans Premium scan Backdoor.Zagaban [Symantec-2005-110314-5204-99] (2005.11.03) - a trojan that allows the compromised computer to be used as a covert proxy. Allows the attacker to modify the hosts file. Starts a covert proxy and listens on port 1081/tcp.

WinHole trojan also uses port 1081.
 5136 tcp trojans Premium scan Backdoor.Toob.A [Symantec-2005-110216-5242-99] (2005.11.02) - a trojan horse with backdoor capabilities. Opens a backdoor and listens for remote commands on port 5136/tcp.
 20192 tcp trojans not scanned Backdoor.Ranky.V [Symantec-2005-110215-2104-99] (2005.11.02) - a trojan horse that allows the compromised computer to be used as a covert proxy. Starts a proxy on a random TCP port between 1025 and 65535, uses port 20192/tcp to send notifications of infection.
 21211 tcp trojans Members scan W32.Dasher.B [Symantec-2005-121610-5037-99] (2005.12.16) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin [MS05-051]).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp.
 50777 tcp applications not scanned zenAdminSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted packet to TCP port 50777, aka Reference Number 25240.
References: [CVE-2011-4533], [BID-51897]
 3388 tcp trojans Premium scan Trojan.Mitglieder.S [Symantec-2005-122217-5921-99] (2005.12.22) - trojan that opens a backdoor and runs a proxy server. The trojan can periodically connect to remote websites and send gathered information from the compromised computer. Opens a backdoor, acts as a SOCKS 4 proxy, and listens for remote commands on port 3388/tcp.

Trojan-Dropper.Win32.Googite.b / Unauthenticated Remote Command Execution - the malware listens on TCP ports 3388, 4488 and 10002 and drops executables under both Windows and SysWOW64 dirs. Third-party attackers who can reach infected systems can connect to port 10002 and run commands made available by the backdoor to retrieve information etc.
References: [MVID-2021-0254]
 44501 tcp kerio Members scan Port used by Kerio Personal Firewall pop-up blocking.
There is a script that sends information on this port about blocked pages. Also, reportedly Kerio personal firewall has "Internal traffic rules" for open ports not displayed in the GUI.
 5222 tcp chat Members scan Google Talk
Jabber instant messaging software client-to-server connection
CU-SeeMe-CUworld
Apple iChat (TCP/UDP)

WhatsApp uses these ports:
80, 443, 4244, 5222, 5223, 5228, 5242 TCP
50318, 59234 TCP/UDP
3478, 45395 UDP

X-Sense smoke detectors

Warface game ports: 5222 TCP, 64100-64299 UDP

League of Legends game uses these ports:
5000 - 5500 UDP - Game Client
8393 - 8400 TCP - Patcher and Maestro
2099, 5222, 5223 TCP - PVP.Net
80, 443 TCP - HTTP Connections

Extensible Messaging and Presence Protocol (XMPP, Jabber) client connection [RFC 6120] (IANA official)
 17940 tcp trojans Members scan W32.Imav.A [Symantec-2006-012610-4055-99] (2006.01.26) - a worm spreading through ICQ messages, may also arrive as a .zip attachment to emails. Disables security-related products and lowers security settings on the compromised computer. Connects to login.icq.com on port 17940/tcp, and sends out messages containing links to copies of the worm.
 1751 tcp trojans Members scan W32.Loxbot.D [Symantec-2006-010615-2712-99] (2006.01.06) - a worm that opens a backdoor on the compromised computer. Spreads through AOL Instant Messenger, uses rootkit capabilities to hide its process in memory. Opens a backdoor and listens for remote commands on port 1751/tcp.
 33322 tcp trojans Premium scan Trojan.Lodeight.B [Symantec-2006-012514-0019-99] - trojan horse that attempts to download a W32.Beagle variant and opens a backdoor on the compromised computer. Opens a backdoor and listens for remote commands on port 33322/tcp.
 3689 tcp itunes not scanned iTunes Music Sharing (DAAP)
 636 tcp ldaps Members scan LDAPS - Lightweight Directory Access Protocol over TLS/SSL. See also LDAP port 389/tcp.

VMWare, Siemens Openstage and Gigaset phones, etc.

Novell eDirectory and Netware are vulnerable to a denial of service, caused by the improper allocation of memory by the LDAP_SSL daemon. A remote attacker could exploit this vulnerability to cause a system-wide denial of service over TCP port 636.
References: [XFDB-67468], [EDB-17298]

Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443
 543 tcp klogin not scanned Kerberos login
Related ports: 88,464,544,749,751
 544 tcp kshell not scanned Kerberos remote shell
Related ports: 88,464,543,749,751

A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785]
 520 tcp efs not scanned ISC DHCP server 4.2 before 4.2.0-P2, when configured to use failover partnerships, allows remote attackers to cause a denial of service (communications-interrupted state and DHCP client service loss) by connecting to a port that is only intended for a failover peer, as demonstrated by a Nagios check_tcp process check to TCP port 520.
References: [CVE-2010-3616], [BID-45360]

Port IANA registered for Extended File Name Server
 515 tcp printer Premium scan Printing services, listening for incoming connections

Trojans using this port: MscanWorm, lpdw0rm, Ramen.

Multiple buffer overflows in Client Software WinCom LPD Total 3.0.2.623 and earlier allow remote attackers to execute arbitrary code via a long 0x02 command to the remote administration service on TCP port 13500 or a long invalid control filename to LPDService.exe on TCP port 515.
References: [CVE-2008-5176], [BID-27614]

Stack-based buffer overflow in Winlpd 1.26 allows remote attackers to execute arbitrary code via a long string in a request to TCP port 515.
References: [CVE-2006-3670] [SECUNIA-21058] [BID-19011] [OSVDB-27332]

Buffer overflow in NIPrint 4.10 allows remote attackers to execute arbitrary code via a long string to TCP port 515.
References: [CVE-2003-1141] [BID-8968] [OSVDB-2774] [SECUNIA-10143]

SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515.
References: [CVE-2016-10079], [EDB-41030]

spooler (IANA official)
 8500 tcp Macromedia not scanned Ethersphere Swarm (distributed storage and communication system) uses these ports:
6060, 6831 tcp - pprof debugging http server
8500, 8545 tcp - web access http api

Macromedia ColdFusion MX Server (Edition 6) uses port 8500 to allow remote access as Web server

Rumble Fighter uses ports 7000-8500 (TCP/UDP)
 177 tcp xdmcp Premium scan Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed.
 1524 tcp backdoor Premium scan Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). Connections to port 600/pcserver also have this problem. [Cert IN-99-04]

Trin00 (DDoS) trojan horse also uses port 1524 (TCP).

IANA registered for: ingres (TCP/UDP)
 5555 tcp ms-crm Premium scan SoftEther VPN (Ethernet over HTTPS) uses TCP Ports 443, 992 and 5555

Port also used by Freeciv gaming protocol, InfoSeek Personal Agent, HP OpenView Storage Data Protector (formerly HP OmniBack), McAfee EndPoint Encryption Database Server, SAP

RainMachine automatic irrigation control uses this port.

ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl –diag)


Backdoor.Darkmoon.E [Symantec-2007-092515-0356-99] (2007.09.25) - a Trojan horse that opens a back door on TCP port 5555 on the compromised computer.

Some other trojans also use this port: Backdoor.Sysbug [Symantec-2003-112517-2455-99], Noxcape, W32.MiMail.P, Daodan, Backdoor.OptixPro, ServeMe.

HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of service via a large number of connections to port 5555.
References: [CVE-2000-0179] [BID-1015]

The Backup Client Service (OmniInet.exe) in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary commands or cause a denial of service via a crafted EXEC_BAR packet to TCP port 5555, aka ZDI-CAN-1885.
References: [CVE-2013-2347] [OSVDB-101626]

HP Data Protector could allow a remote attacker to execute arbitrary commands on the system. By sending a specially-crafted request to TCP port 5555, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
References: [CVE-2014-2623] [XFDB-94504]

KDDI CORPORATION Smart TV Box could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access by the Android Debug Bridge. By using port 5555/TCP, an attacker could exploit this vulnerability to conduct arbitrary operations on the device without user's intent.
References: [CVE-2019-6005], [XFDB-165762]

Jector Smart TV FM-K75 could allow a remote attacker to execute arbitrary code on the system. By using an adb connect to 5555 port, an attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
References: [CVE-2019-9871], [XFDB-162056]

UPNP Service listening on port 5555 in Genexis Platinum 4410 Router V2.1 (P4410-V2–1.34H) has an action 'X_GetAccess' which leaks the credentials of 'admin', provided that the attacker is network adjacent.
References: [CVE-2020-25988]

Backdoor.Win32.FTP.Ics / Unauthenticated Remote Command Execution - the malware listens on TCP port 5555. Third-party attackers who can reach the system can run commands made available by the backdoor hijacking the infected host.
References: [MVID-2022-0499]

Fortinet FortiNAC could allow a remote attacker to gain unauthorized access to the system, caused by a command injection vulnerability. By sending a specially crafted request to the tcp/5555 service, an attacker could exploit this vulnerability to copy local files of the device to other local directories of the device.
References: [CVE-2023-33300], [XFDB-258703]

Microsoft Dynamics CRM 4.0. (IANA official)
 14534 tcp teamspeak Premium scan Teamspeak server default web administration port (configurable in server.ini). Program also uses port 51234/tcp for server queries, and port 8767/udp.

TeamSpeak WebServer 2.0 for Windows does not validate parameter value lengths and does not expire TCP sessions, which allows remote attackers to cause a denial of service (CPU and memory consumption) via long username and password parameters in a request to login.tscmd on TCP port 14534.
References: [CVE-2007-3956], [BID-24977]
 4664 tcp Google Basic scan Port used by Google desktop's built-in HTTP server / indexing software.

Port also used by Rimage Messaging Server. Port is responsible for providing the underlying foundation for the transaction among its clients and the messaging server. The network port 4664 is used for the transmission of messaging server alerts, errors and order requests. The initialization of this system port is normally done for version 8 and higher of the Rimage software.

Port also used by: Trojan-Downloader.Win32.Banload.nrd
 125 tcp misc not scanned Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP block on port 25.

Locus PC-Interface Net Map Ser (TCP/UDP) (IANA official)
 1 tcp tcpmux Premium scan Scans against this port are commonly used to test if a machine runs SGI Irix (as SGI is the only system that typically has this enabled). This service is almost never used in practice.

RFC1078 - TCPMUX acts much like Sun's portmapper, or Microsoft's end-point mapper in that it allows services to run on arbitrary ports. In the case of TCPMUX, however, after the "lookup" phase, all further communication continues to run over that port.

builtins.c in Xinetd before 2.3.15 does not check the service type when the tcpmux-server service is enabled, which exposes all enabled services and allows remote attackers to bypass intended access restrictions via a request to tcpmux port 1 (TCP/UDP).
References: [CVE-2012-0862] [BID-53720] [OSVDB-81774]

Trojans that use this port: Breach.2001, SocketsDeTroie

Also see: CERT: CA-95.15.SGI.lp.vul
 106 tcp poppassd not scanned (TCP) poppassd (aka. epass) allows passwords to be changed on POP servers. Traditionally, users would have to have shell (Telnet) accounts on the servers in order to change their passwords. This allows users with just POP access to change their passwords.
The exchange looks something like:

S: 200 Hello
C: user robert
S: 300 Please send current password
C: pass mypassword
S: 200 send New Pass Word
C: newpass newpassword
S: 200 successful
C: quit

Protocol was originally developed for Eudora. Eudora Internet Mail Server versions 1.2, 2.0, 2.01 DoS: if you connect to this server and enter the command "USER xxxxxx" with more than 1000 characters, the service will crash.

Apple Mac OS X Password Server and City of Heroes also use this port.

Mail Management Agent (MAILMA) (a.k.a. Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106.
References: [CVE-2006-0129]

Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.
References: [CVE-1999-1113] [BID-75]
 9998 tcp totalbill Premium scan Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port

Lighttpd server port 9998/tcp open to LAN only on some ASUS routers.

Totalbill (billing and provisioning system for ISPs by Aptis Software) listens on port 9998/tcp (by default) and allows full control over the software. An exploit script for this software has been published in 2000.

Common Palace chat environment, Football Manager Live also use port 9998 (TCP/UDP).

Malware using this port: W32.dabber.a trojan
 6000 tcp trojan Premium scan Port used by W32.LoveGate.ak [Symantec-2004-072816-0947-99] mass-mailing worm. Uses its own SMTP engine. Affects Windows 2000, Windows NT, Windows Server 2003, Windows XP

The IBM TotalStorage DS400 with firmware 4.15 uses a blank password for the root, user, manager, administrator, and operator accounts, which allows remote attackers to gain login access via certain Linux daemons, including a telnet daemon on a nonstandard port, tcp/6000.
References: [CVE-2007-3232] [BID-24452]

XFree86 3.3.x and 4.0 allows a user to cause a denial of service via a negative counter value in a malformed TCP packet that is sent to port 6000.
References: [CVE-2000-0453] [BID-1235]

The Xper Connect broker listens on port 6000/TCP by default. By sending an HTTP request outside the bounds of the buffer to port 6000/TCP, an attacker can cause a heap-based buffer overflow resulting in loss of confidentiality, integrity, and availability.
References: [CVE-2013-2808], [SECUNIA-55152]

MobaXterm could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to authenticate remote X11 connections over port 6000. By connecting to the server, an attacker could exploit this vulnerability to inject X11 commands on the system with the privileges of the victim.
References: [CVE-2015-7244] [XFDB-107748]

Trojans using this port: The Thing, Aladino, NetBus, APStrojan.
 10008 tcp worm Premium scan In early 2001, many exploit scripts for DNS TSIG name overflow would place a root shell on this port.
Cheese Worm (2001) - spreads and scans other machines through port 10008/tcp.
LionWorm uses this port.
See also CERT: IN-2001-05

IANA registered for: Octopus Multiplexer
 10752 tcp backdoor Members scan Backdoor. One of the many Linux mountd (port 635) exploits installs its backdoor at this port. Origin??? 10751 = 0x2a00, where 0x2a = 42 (proposed by Darren Reed)
The bx.c IRC exploit puts a root shell backdoor listening at this port.
The ADM named v3 attack puts a shell at this port.
 531 tcp chat Premium scan Port used by IRC chat

Trojans using this port: Rasmin, Net666
 1494 tcp citrix not scanned Citrix NetScaler gateway XenDesktop/Virtual Desktop uses port 1494 TCP/UDP for access to applications and virtual desktops by ICA/HDX.

Citrix WinFrame, also uses port 1604 UDP.
 22793 tcp vocaltec not scanned VocalTec Internet Phone - tcp connection to VocalTec servers on this port.
 30029 tcp trojan Members scan AOL Trojan (aliases: AOL Admin, Backdoor.Cheeser)
 30100-30103 tcp trojan Members scan NetSphere trojan uses these ports.
30100 tcp - the main port that NetSphere connects to.
30101-30103 tcp - NetSphere runs FTP services on these ports, used to transfer various files (e.g. keylog files).

NetSphere infects only Windows 9x systems. A server program called nssx.exe is placed in the C:\Windows\System directory, a "NSSX" value is added to the Run hive of the registry to launch the server.

Port 30100 is IANA registered for Remote Window Protocol (TCP/SCTP)
 30464 tcp exploits Members scan Port used by Slapper trojan. A number of exploit scripts bind root shells to this port. See also SMTP ETRN overflow vulnerability.
 32000 tcp applications Members scan Merak WebMail server
Mercur Messaging
Java Wrapper Service

BDDT trojan

Artisoft XtraMail DoS vulnerability - control port can be overflowed with long usernames. [BID-791]

Multiple buffer overflows in MERCUR Messaging 2005 before Service Pack 4 allow remote attackers to cause a denial of service (crash) via (1) "long command lines at port 32000" and (2) certain name service queries that are not properly handled by the SMTP service.
References: [CVE-2006-7038] [BID-18462] [SECUNIA-20432]

The (1) function.php or (2) function.view.php scripts in Merak Mail Server 5.2.7 allow remote attackers to read arbitrary PHP files via a direct HTTP request to port 32000.
References: [CVE-2004-1721] [BID-10966] [OSVDB-9045] [SECUNIA-12269]
 6112 tcp games Premium scan Port used by Guild Wars, Supreme Commander, Club Penguin Disney online game for kids, Warcraft II and III (Blizzard Downloader). It also uses port 3724.

Red Ace Squadron Pro uses ports 6112 (TCP/UDP), developer: Small Rockets

Trojan.Flogash [Symantec-2007-062516-0650-99] (2007.06.25) - a trojan horse that steals sensitive information from the compromised computer

A remotely exploitable buffer overflow exists in the Common Desktop Environment (CDE) Subprocess Control Service (dtspcd). An attacker who successfully exploits this vulnerability can execute arbitrary code as root. dtspcd is typically configured to run on port 6112/tcp with root privileges.
References: [CVE-2001-0803], [BID-3517]

IANA registered for: Desk-Top Sub-Process Control Daemon (TCP/UDP)
 6588 tcp analogx Premium scan Port used by AnalogX proxy server. Common web proxy server ports: 8080, 80, 3128, 6588

Buffer overflows in AnalogX Proxy before 4.12 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request to TCP port 6588 or a SOCKS 4A request to TCP port 1080 with a long DNS hostname.
References: [CVE-2002-1001] [BID-5139]

Buffer overflow in AnalogX Proxy 4.13 allows remote attackers to execute arbitrary code via a long URL to port 6588.
References: [CVE-2003-0410] [BID-7681]
 17988 tcp hp Premium scan HP integrated Lights Out Management Feature uses this port.
Also used by HP iLO as Virtual Media port.
 3724 tcp games Premium scan Port used by Warcraft II and III (Blizzard Downloader). It also uses port 6112.
Club Penguin Disney online game for kids also uses this port.
 912 tcp apex Members scan Port assigned to the APEX (Application Exchange Core) protocol. It is an XML-based protocol designed for sending instant messages based on the Blocks Extensible Exchange Protocol (BEEP).

APEX also uses TCP port 913 as its endpoint-relay service. The APEX protocol has been replaced by the SIP, SIMPLE and XMPP protocols. Port 912 is used primarily to receive and send messages that are originated via the end-points located in port 913. Information sent and received via port 912 includes the endpoint that created it, a URI reference point, the endpoints that will receive it and other options.

RealFlex RealWin is a SCADA server package for medium and small applications designed to control and monitor real-time applications. The RealWin application runs an HMI service on port 912/tcp. This service is vulnerable to two stack-based buffer overflows. One vulnerability is caused by the use of sprintf() in the SCPC_INITIALIZE() and SCPC_INITIALIZE_RF() functions. The second vulnerability is caused by the use of strcpy() in the SCPC_TXTEVENT() function.
References: [CVE-2010-4142], [BID-44150]
 943 tcp silverlight Members scan Port not officially assigned, used by Silverlight Microsoft plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser. Port 943 was first used in Silverlight version 2 beta 2 release.

Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser.
 4502-4534 tcp silverlight not scanned Ports are used by the Microsoft Silverlight plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser.

Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser.
 950 tcp rpc.statd Members scan Port used by rpc.statd background process. This daemon is a part of the Network File System (NFS) protocol. This protocol was developed by Sun Microsystems to allow a client to access files that are shared on a network. The rpc.statd daemon is a subsystem of NFS used mostly on UNIX and Linux platforms.

Port 950 can also be used in a malicious way. The port allows direct access to the syslog() function, which may be manipulated by unauthorized users.

The port has been used historically to start a buffer overflow and launch Distributed Denial of Service attacks.

Vulnerabilities listed: 100 (some use multiple ports)