
Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 6444 tcp,udp sge_qmaster not scanned Sun Grid Engine - Qmaster Service
 11109 tcp sgi-dmfmgr not scanned Data migration facility Manager (DMF) is a browser based interface to DMF - SGI (IANA official)
 11110 tcp sgi-soap not scanned Data migration facility (DMF) SOAP is a web server protocol to support remote access to DMF - SGI (IANA official)
 160 tcp,udp sgmp-traps not scanned SGMP-TRAPS (IANA official)
 29118 sctp sgsap not scanned SGsAP in 3GPP [GPP Specifications] (IANA official)
 43210 udp shaperai-disc not scanned Bombsquad game uses port 43210 UDP

Shaper Automation Server Management Discovery [Shaper_Automation] (IANA official)
 514 tcp shell Members scan Used by rsh (and also rcp), interactive shell without any logging.

Citrix NetScaler appliance MAS syslog port.

Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port

Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)


Games that use this port: America's Army

Malware using this port: RPC Backdoor, Whacky, ADM worm

Stack-based buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7 allows remote attackers to execute arbitrary code via a long string to the shell port (514/tcp). NOTE: this might overlap [CVE-2007-4006].
References: [CVE-2007-4005] [BID-25044] [SECUNIA-26197]

Denicomp RSHD 2.18 and earlier allows a remote attacker to cause a denial of service (crash) via a long string to port 514.
References: [CVE-2001-0707]

A vulnerability has been reported in Cisco IOS, which can be exploited to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785]
 4105 tcp,udp shofarplayer Premium scan WatchGuard Firewalls may allow remote management using WSM (WatchGuard System Manager) over ports 4105, 4117, 4118 TCP.

ShofarPlayer, IBM Internet Security, CA Message Queuing (CAM/CAFT) software. There are some known CAM/CAFT vulnerabilities (CVE-2007-0060)

Computer Associates (CA) Message Queuing (CAM / CAFT), as used in multiple CA products, allows remote attackers to cause a denial of service via a crafted message to TCP port 4105.
References: [CVE-2006-0529], [BID-16475]
 5440 tcp,udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The SiNVR 3 Central Control Server (CCS) does not enforce logging of security-relevant activities in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. An authenticated remote attacker could exploit this vulnerability to perform covert actions that are not visible in the application log.
References: [CVE-2019-19292], [CVE-2019-19295], [XFDB-177561], [XFDB-177564]
 5441 udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5442 udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5444 udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5446 udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5447 tcp shoretel not scanned ShoreTel IP Telephony system uses the following ports:
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5449 tcp shoretel not scanned ShoreTel IP Telephony system uses the following ports:
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5469 tcp shoretel not scanned ShoreTel IP Telephony system uses the following ports:
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 22333 tcp,udp showcockpit-net not scanned IANA registered for: ShowCockpit Networking
 22335 tcp shrewd-control not scanned Initium Labs Security and Automation Control (IANA official)
 22335 udp shrewd-stream not scanned Initium Labs Security and Automation Streaming (IANA official)
 4787 tcp sia-ctrl-plane not scanned Service Insertion Architecture (SIA) Control-Plane
 18443 tcp siemens Premium scan Siemens Openstage and Gigaset phones use the following ports:
389/tcp - LDAP
636/tcp - LDAPS
5010/tcp - RTP
5060/tcp - SIP gateway, backup proxy
8085/tcp - DLS
18443/TCP and 18444/TCP - provisioning over TLS (HTTPS)
 18444 tcp siemens Premium scan Siemens Openstage and Gigaset phones use the following ports:
389/tcp - LDAP
636/tcp - LDAPS
5010/tcp - RTP
5060/tcp - SIP gateway, backup proxy
8085/tcp - DLS
18443/TCP and 18444/TCP - provisioning over TLS (HTTPS)
 608 udp sift-uft not scanned Directory traversal vulnerability in eFileGo 3.01 allows remote attackers to execute arbitrary code, read arbitrary files, and upload arbitrary files via a ... (triple dot) in (1) the URL on port 608 and (2) the argument to upload.exe.
References: [CVE-2005-4622] [BID-16124] [OSVDB-22151] [SECUNIA-18279]

Sender-Initiated/Unsolicited File Transfer (IANA official)
 3614 tcp,udp sigma-port not scanned Satchwell Sigma [Dave_Chapman] (IANA official)
 2832 tcp,udp silkp4 not scanned Media Streaming, Live Blogging Sametime 751 (peer-to-peer video feed), FlashFXP

IANA registered for: silkp4
 943 tcp silverlight Members scan Port not officially assigned, used by Silverlight Microsoft plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser. Port 943 was first used in Silverlight version 2 beta 2 release.

Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser.
 4502-4534 tcp silverlight not scanned Ports are used by the Microsoft Silverlight plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser.

Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser.
 3110 tcp,udp sim-control not scanned YouTube Video Grabber 1.9.9.1 - Buffer Overflow (SEH)
References: [EDB-50471]

Kingdia CD Extractor 3.0.2 - Buffer Overflow (SEH)
References: [EDB-50470]

Simulator control port (IANA official)
 1599 tcp simbaservices not scanned Use-after-free vulnerability in the socket manager of Impress Remote in LibreOffice 4.x before 4.2.7 and 4.3.x before 4.3.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to TCP port 1599.
References: [CVE-2014-3693]

IANA registered for: simbaservices
 4753 tcp,udp simon not scanned Simple Invocation of Methods Over Network (SIMON) [Alexander_Christian] (IANA official)
 5060 tcp,udp sip Basic scan Session Initiation Protocol (SIP) (official) - SIP VoIP phones and providers use this port. Asterisk server, X-ten Lite/Pro, Ooma, Vonage (ports 5060,5061,10000-20000), Apple iChat, iTalkBB, Motorola Ojo, OpenWengo, TalkSwitch, IConnectHere, Lingo VoIP (ports 5060-5065), MagicJack (ports 5060, 5070)

Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

Siemens Openstage and Gigaset phones use the following ports:
389/tcp - LDAP
636/tcp - LDAPS
5010/tcp - RTP
5060/tcp - SIP gateway, backup proxy
8085/tcp - DLS
18443/TCP and 18444/TCP - provisioning over TLS (HTTPS)

Memory leak in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (memory consumption or device reload) by sending crafted SIP packets to UDP port 5060, aka Bug ID CSCtj04672.
References: [CVE-2011-3280]

The provider-edge MPLS NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) via a malformed SIP packet to UDP port 5060, aka Bug ID CSCti98219.
References: [CVE-2011-3279]

Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) by sending crafted SIP packets to UDP port 5060, aka Bug ID CSCti48483.
References: [CVE-2011-3278]

Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload or hang) by sending crafted SIP packets to TCP port 5060, aka Bug ID CSCso02147.
References: [CVE-2011-3276], [BID-49822]

Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs, when using software versions before TC 4.0.0 or F9.1, allows remote attackers to cause a denial of service (crash) via a crafted SIP packet to port 5060 or 5061, aka Bug ID CSCtq46500.
References: [CVE-2011-2577] [BID-49392]

Siemens C450 IP and C475 IP VoIP devices allow remote attackers to cause a denial of service (disconnected calls and device reboot) via a crafted SIP packet to UDP port 5060.
References: [CVE-2008-7065] [BID-32451] [SECUNIA-32827] [OSVDB-50274]

The Grandstream HT-488 0.1 allows remote attackers to cause a denial of service (device crash) via a flood of fragmented packets to port 5060.
References: [CVE-2007-5789], [BID-26349]

Memory leak in Cisco Unified Communications Manager IM and Presence Service before 8.6(5)SU1 and 9.x before 9.1(2), and Cisco Unified Presence, allows remote attackers to cause a denial of service (memory and CPU consumption) by making many TCP connections to port (1) 5060 or (2) 5061, aka Bug ID CSCud84959.
References: [CVE-2013-3453]

Cisco Unified Communications Manager (Unified CM) 8.5(x) and 8.6(x) before 8.6(2a)su3 and 9.x before 9.1(1) does not properly restrict the rate of SIP packets, which allows remote attackers to cause a denial of service (memory and CPU consumption, and service disruption) via a flood of UDP packets to port 5060, aka Bug ID CSCub35869.
References: [CVE-2013-3461]

Cisco TelePresence Video Communication Server is vulnerable to a denial of service, caused by the improper handling of messages by the Session Initiation Protocol (SIP) module. By sending a specially-crafted Session Description Protocol (SDP) message to UDP and TCP port 5060, a remote attacker could exploit this vulnerability to cause the device to reload.
References: [CVE-2014-0662], [BID-65076], [XFDB-90621]

innovaphone is vulnerable to a denial of service, caused by improper bounds checking by protocol SIP/UDP. By sending a specially-crafted SIP request to the open 5060/UDP port, a remote attacker could exploit this vulnerability to cause the VoIP phone to crash and restart.
References: [XFDB-111764]

A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to improper processing of SIP packets in transit while NAT is performed on an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted SIP packets via UDP port 5060 through an affected device that is performing NAT for SIP packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition.
References: [CVE-2018-0476], [BID-105419]

Polycom VVX 500/601 devices could allow a remote attacker to obtain sensitive information, caused by a flaw in the SIP service. By sending a specially-crafted request to TCP port 5060, a remote attacker could exploit this vulnerability to obtain phone configuration information.
References: [CVE-2018-18566], [XFDB-151919], [BID-105746]
 5061 tcp,udp sip-tls not scanned Asterisk, Freeswitch, Vonage, MS Lync Server


Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs, when using software versions before TC 4.0.0 or F9.1, allows remote attackers to cause a denial of service (crash) via a crafted SIP packet to port 5060 or 5061, aka Bug ID CSCtq46500.
References: [CVE-2011-2577] [BID-49392]

SIP-TLS (IANA official)
 4606 tcp sixid not scanned IANA registered for: Secure ID to IP registration and lookup
 8111 udp skynetflow not scanned IANA registered for: Skynetflow network services
 5521 tcp skype Premium scan Port used by Skype VoIP.

Illusion Mailer trojan also uses port 5521 (TCP).
 12350 tcp skype Members scan Port used by Skype VoIP
 13392 tcp,udp skype not scanned Port sometimes used by Skype VoIP
 2062 udp skype-p2p Members scan Skype uses this as a p2p port, using super nodes and other users to communicate.
 29831 tcp,udp slapd not scanned Slapd
 2827 tcp,udp slc-ctrlrloops not scanned I2P Basic Open Bridge API (TCP)

IANA registered for: slc ctrlrloops
 5525 tcp slican not scanned Port 5525/TCP is used by Slican devices for billing purposes (slican.com)
 3483 tcp,udp slim-devices not scanned IANA registered for: Slim Devices Protocol
 36423 sctp slmap not scanned SLm Interface Application Protocol (IANA official)
 1847 tcp,udp slp-notify not scanned SLP Notification [RFC 3082] (IANA official)
 2938 tcp,udp sm-pas-1 not scanned SM-PAS-1
 2939 tcp,udp sm-pas-2 not scanned SM-PAS-2
 2940 tcp,udp sm-pas-3 not scanned SM-PAS-3
 2941 tcp,udp sm-pas-4 not scanned SM-PAS-4
 9522 udp sma-spw not scanned SMA Speedwire [SMA Solar Technology] (IANA official)
 122 tcp,udp smakynet not scanned SMAKYNET (IANA official)
 4412 udp smallchat not scanned SmallChat (IANA official)
 4987 tcp,udp smar-se-port1 not scanned SMAR Ethernet Port 1, maybe-veritas
 4988 tcp,udp smar-se-port2 not scanned SMAR Ethernet Port 2
 4786 tcp smart-install not scanned Smart Install Service

Unspecified vulnerability in the Smart Install functionality in Cisco IOS 12.2 and 15.1 allows remote attackers to execute arbitrary code or cause a denial of service (device crash) via crafted TCP packets to port 4786, aka Bug ID CSCto10165.
References: [CVE-2011-3271], [BID-49828]

Cisco IOS and Cisco IOS XE are vulnerable to a denial of service, caused by the improper handling of image list parameters by the Smart Install client feature. By sending specially crafted Smart Install packets to TCP port 4786, a remote attacker could exploit this vulnerability to cause a Cisco Catalyst switch to reload.
References: [CVE-2016-1349] [XFDB-111744]

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device, Allowing the attacker to execute arbitrary code on the device, Causing an indefinite loop on the affected device that triggers a watchdog crash. Cisco Bug IDs: CSCvg76186.
References: [CVE-2018-0171], [BID-103538]

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted packet to an affected device on TCP port 4786. Only Smart Install client switches are affected. Cisco devices that are configured as a Smart Install director are not affected by this vulnerability. Cisco Bug IDs: CSCvd40673.
References: [CVE-2018-0156], [BID-103569]
 6090 tcp smartbear not scanned SmartBear uses ports 6090-6092 for TestComplete software, and port 1947 tcp/udp for license manager. It also needs access to port 443 for activation.
 6091 tcp smartbear not scanned SmartBear uses ports 6090-6092 for TestComplete software, and port 1947 tcp/udp for license manager. It also needs access to port 443 for activation.
 6092 tcp smartbear not scanned SmartBear uses ports 6090-6092 for TestComplete software, and port 1947 tcp/udp for license manager. It also needs access to port 443 for activation.
 3516 tcp,udp smartcard-port not scanned IANA registered for: Smartcard Port
 4116 tcp,udp smartcard-tls not scanned IANA registered for: Smartcard-TLS
 5445 tcp,sctp smbdirect not scanned Server Message Block over Remote Direct Memory Access [Microsoft Corporation 2] (IANA official)
 6787 tcp,udp smc-admin not scanned Sun Web Console Admin
 6788 tcp,udp smc-http not scanned SMC-HTTP
 6786 tcp,udp smc-jmx not scanned Sun Java Web Console JMX
 4174 tcp smcluster not scanned IANA registered for: StorMagic Cluster Services
 2703 tcp,udp sms-chat not scanned SMS CHAT (IANA official)

Vipul's Razor distributed, collaborative, spam-detection-and-filtering network uses port 2703 (TCP).
 25 tcp SMTP Basic scan SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not running a mail server that you're aware of, there is a possibility your system is infected.

Integer overflow in Apple Safari [CVE-2010-1099], Arora [CVE-2010-1100], Alexander Clauss iCab [CVE-2010-1101], OmniWeb [CVE-2010-1102], Stainless [CVE-2010-1103] allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25.

List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy, Aji, Email Worms, Haebu Coceda, Loveletter, Neabi, Shtrilitz.
W32.Sober.I@mm [Symantec-2004-111900-1451-99] (2004.11.19) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp.
Trojan.Mitglieder.R [Symantec-2005-070117-2559-99] (2005.07.01) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp.
W32.Beagle.CX@mm [Symantec-2005-121511-1751-99] (2005.12.15) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E [Symantec-2005-110111-3344-99]. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Backdoor.Rustock [Symantec-2006-060111-5747-99] (2006.06.01) - backdoor program that allows the compromised computer to be used as a proxy, uses rootkit techniques to hide its files and registry entries.

NJStar Communicator is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MiniSMTP server when processing packets. By sending a specially-crafted request to TCP port 25, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2011-4040], [XFDB-71086], [BID-50452]

Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended.
References: [CVE-2021-43270]

Trojan.Win32.Barjac / Remote Stack Buffer Overflow - Trojan.Win32.Barjac makes SMTP connection to Port 25, upon processing the server response we control, we overwrite instruction pointer (EIP), undermining the integrity of the trojan.
References: [MVID-2021-0011]
 587 tcp smtp Members scan Outgoing SMTP Mail port (TLS/Start TLS Port) - used by various mail servers for relaying outgoing mail as a modern alternative to port 25. Gmail, Apple MobileMe Mail, Yahoo SMTP server, etc. all use this port. See [RFC2476]

IANA registered for: Message Submission (TCP/UDP)
 465 tcp smtp-ssl Premium scan Outgoing SMTP Mail over SSL (SMTPS) [RFC 2487] - older IANA registered port, largely replaced by port 587 and SMTP over TLS.

PlayStation Network and SCEA Game Servers use this port

Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended.
References: [CVE-2021-43270]

Message Submission over TLS protocol [RFC8314] (IANA official)
 199 tcp,udp smux not scanned A vulnerability in the TCP/IP stack of Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Secure Email and Web Manager, formerly Security Management Appliance, could allow an unauthenticated, remote attacker to crash the Simple Network Management Protocol (SNMP) service, resulting in a denial of service (DoS) condition. This vulnerability is due to an open port listener on TCP port 199. An attacker could exploit this vulnerability by connecting to TCP port 199. A successful exploit could allow the attacker to crash the SNMP service, resulting in a DoS condition.
References: [CVE-2022-20675]

SMUX (IANA official)
 3979 tcp,udp smwan not scanned OpenTTD game

IANA registered for: Smith Micro Wide Area Network Service
 2599 tcp,udp snapd not scanned SonicWALL anti-spam traffic between Remote Analyzer (RA) and Control Center (CC)

IANA registered for: Snap Discovery
 161 udp SNMP Basic scan Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications. Typically, SNMP agents listen on UDP port 161; asynchronous traps are received on port 162.

Brother MFC printers use ports 137 UDP and 161 UDP (network printing and remote setup), 54925/udp (network scanning), 54926 UDP (PC fax receiving). Some may also open port 21 TCP (scan to FTP feature).

Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, configured as a Wireless Data Service (WDS), allows remote attackers to cause a denial of service (device freeze) by connecting to UDP port 161 and before link-state change occurs.
References: [CVE-2005-0289], [BID-12152]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703]

Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).
References: [CVE-2013-2780]

Cisco Catalyst 2900 XL series switches are vulnerable to a denial of service, caused by an empty UDP packet. If SNMP is disabled, a remote attacker can connect to port 161 and send an empty UDP packet to cause the switch to crash.
References: [CVE-2001-0566], [XFDB-6515]

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions) and Modicon M340 controller (all firmware versions), which could cause denial of service when truncated SNMP packets on port 161/UDP are received by the device.
References: [CVE-2019-6813]
 162 udp SNMP Basic scan Simple network management protocol (SNMP). Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.

Typically, SNMP agents listen on UDP port 161; asynchronous traps are received on port 162.

Format string vulnerability in the snmp_input function in snmptrapd in CMU SNMP utilities (cmu-snmp) allows remote attackers to execute arbitrary code by sending crafted SNMP messages to UDP port 162.
References: [CVE-2006-0250], [BID-16267]

Memory leak in the SNMP process in Cisco IOS XR allows remote attackers to cause a denial of service (memory consumption or process reload) by sending many port-162 UDP packets, aka Bug ID CSCug80345.
References: [CVE-2013-1204]

Cisco Hosted Collaboration Mediation allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed UDP packets on port 162, aka Bug ID CSCug85756.
References: [CVE-2013-3381]
 10161 udp snmpdtls not scanned SNMP-DTLS [RFC6353] (IANA official)
 5161 tcp snmpssh not scanned SNMP over SSH Transport Model [RFC 5592] (IANA official)
 5162 tcp snmpssh-trap not scanned SNMP Notification over SSH Transport Model [RFC 5592] (IANA official)
 10161 tcp snmptls not scanned SNMP-TLS [RFC 6353] (IANA official)
 2658 tcp,udp sns-admin not scanned SNS Admin
 2657 tcp,udp sns-dispatcher not scanned SNS Dispatcher
 2659 tcp,udp sns-query not scanned SNS Query
 11171 udp snss not scanned IANA registered for: Surgical Notes Security Service Discovery (SNSS)
 5100 udp socalia not scanned Avaya Communication Server 1000 is vulnerable to a denial of service, when parsing requests. By sending a specially-crafted packet to UDP port 5100, a remote attacker could exploit this vulnerability to cause the server to crash.
References: [XFDB-66908], [BID-47514], [SECUNIA-44213]

IANA registered for: Socalia service mux (TCP/UDP)
 5146 tcp social-alarm not scanned Social Alarm Service
 1080 tcp socks Members scan Socks Proxy is an Internet proxy service, potential spam relay point.

Common programs using this port: Wingate

Trojans/worms that use this port as well:
Bugbear.xx [Symantec-2003-060423-5844-99] - wide-spread mass-mailing worm, many variants.
SubSeven - remote access trojan, 03.2001. Affects all current Windows versions.
WinHole - remote access trojan, 01.2000 (a.k.a. WinGate, Backdoor.WLF, BackGate). Affects Windows 9x.
Trojan.Webus.C [Symantec-2004-101212-0903-99] - remote access trojan, 10.12.2004. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080.

Mydoom.B [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

Backdoor.Lixy [Symantec-2003-100816-5051-99] (2003.10.08) - a backdoor trojan horse that opens a proxy server on TCP port 1080.

W32.HLLW.Deadhat [Symantec-2004-020619-0805-99] (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.

WinHole, Wingate, Bagle.AI trojans also use this port.

Buffer overflows in AnalogX Proxy before 4.12 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request to TCP port 6588 or a SOCKS 4A request to TCP port 1080 with a long DNS hostname.
References: [CVE-2002-1001] [BID-5139]

Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080.
References: [CVE-2004-0315] [BID-9721]

HEUR.Backdoor.Win32.Generic / Unauthenticated Open Proxy - the backdoor creates a Windows service backed by an executable named "1314.exe", it lives under C:\WINDOWS and listens on TCP ports 1080 and 8080. Third-party adversaries who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host. The relay does not require authentication or any special User-agent check and leverages the HTTP Host header in the request to connect to third-party systems.
References: [MVID-2021-0176]

Backdoor.Win32.Small.gs / Unauthenticated Remote Command Execution - the malware listens on TCP port 1080. Third-party attackers who can reach infected systems can execute OS commands and/or run arbitrary programs.
References: [MVID-2021-0336]

Backdoor.Win32.Agent.aer / Remote Denial of Service - the malware listens on TCP port 1080. Third-party attackers who can reach infected systems can send a specially crafted junk payload for the logon credentials to trigger an exception and crash.
References: [MVID-2021-0346]

Backdoor.Win32.Agent.bxxn / Open Proxy - the malware listens on TCP port 1080. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third-party systems, and it will appear as if the attacks originated from that infected host.
References: [MVID-2022-0522]

Backdoor.Win32.Aphexdoor.LiteSock / Remote Stack Buffer Overflow (SEH) - the malware drops an extensionless PE file named "3" which listens on TCP port 1080. Third-party attackers who can reach an infected host can send a specially crafted packet to port 1080 that will trigger a stack buffer overflow, overwriting the ECX register and SEH.
References: [MVID-2022-0653]
 4882 udp socp-c not scanned SOCP Control Protocol
 4881 udp socp-t not scanned SOCP Time Synchronization Protocol
 1621 tcp,udp softdataphone not scanned A security issue has been reported in Cisco Mobility Services Engine, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused by the Oracle SSL service misconfiguration and can be exploited to bypass the authentication mechanism by connecting to an unprotected port (1621).
References: [CVE-2013-3469], [SECUNIA-54709]

IANA registered for softdataphone
 215 tcp,udp softpc not scanned Insignia Solutions (IANA official)
 16162 tcp solaris-audit not scanned Solaris Audit - secure remote audit log
 17777 tcp solarwinds Premium scan SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EPMD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP

Malware that uses port 17777: Nephron trojan
 17790,17791 tcp solarwinds not scanned SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EPMD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP
 17778 tcp solarwinds not scanned SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EPMD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP
 17779 tcp solarwinds not scanned SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EPMD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP
 25672 tcp solarwinds not scanned SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EPMD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP

Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practice, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server.
References: [CVE-2021-43799]
 2636 tcp,udp solve not scanned IANA registered for: Solve
 8347 tcp sophos not scanned Sophos Security Heartbeat updates use port 8347
 7982 tcp sossd-agent not scanned Spotlight on SQL Server Desktop Agent
 7981 tcp sossd-collect not scanned Spotlight on SQL Server Desktop Collect
 7982 udp sossd-disc not scanned Spotlight on SQL Server Desktop Agent Discovery
 7690 tcp sovd not scanned Service-Oriented Vehicle (IANA official)

Vulnerabilities listed: 100 (some use multiple ports)