Shortcuts
|
Port 21 Details
known port assignments and vulnerabilities
threat/application/port search:
Port(s) |
Protocol |
Service |
Details |
Source |
21 |
tcp |
FTP |
File Transfer Protocol [RFC 959] - some network devices may be listening on this port, such as NAT routers for remote access/private cloud storage and network attached multi-function printers (scan to ftp feature).
Asus RT routers may open an internet accessible FTP server for USB-attached storage, configurable in administration panel under "USB Application > Servers Center > FTP Share"
Trojan horses/backdoors that also use this port: 7tp trojan, MBT, Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm [Symantec-2005-040915-5504-99], W32.Sober.N@mm [Symantec-2005-041910-4132-99], W32.Bobax.AF@mm [Symantec-2005-081611-4121-99] - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 21/tcp., and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.
W32.Loxbot.C [Symantec-2006-010515-3159-99] (2006-01-05)
FTP proxy server for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service (network connectivity loss) via a connection to port 21 with a large amount of random data.
References: [CVE-2002-0779]
TURCK BL20 / BL67 could allow a remote attacker to bypass security restrictions, caused by the use of hardcoded credentials for the FTP service. An attacker could exploit this vulnerability using TCP port 21 to gain administrative access to the device.
References: [CVE-2012-4697], [XFDB-84351]
The FTP service in QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Station before 2.0.1, has hardcoded credentials, which makes it easier for remote attackers to obtain access via a session on TCP port 21.
References: [CVE-2015-7261]
The FTP service on Janitza UMG 508, 509, 511, 604, and 605 devices has a default password, which makes it easier for remote attackers to read or write to files via a session on TCP port 21.
References: [CVE-2015-3968]
A vulnerability was discovered in Siemens OZW672 (all versions) and OZW772 (all versions) that could allow an attacker with access to port 21/tcp to access or alter historical measurement data stored on the device.
References: [CVE-2017-6872], [BID-99473]
A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The two FTP services (default ports 21/tcp and 5411/tcp) of the SiNVR 3 Video Server contain a path traversal vulnerability that could allow an authenticated remote attacker to access and download arbitrary files from the server, if the FTP services are enabled.
References: [CVE-2019-19296]
Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can logon using any username/password combination. Attackers may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0205]
ReverseTrojan by satan_addict listens on TCP ports, 12000 and 21. The malware accepts empty credentials for authentication as the default settings are set to blank. Third-party attackers who can reach an infected host can potentially gain access to the machine before or if no password is set.
References: [MVID-2021-0256]
Backdoor.Win32.Wollf.16 / Authentication Bypass - the malware listens on TCP port 1015 and has an FTPD feature that when enabled listens on TCP port 21. Third-party attackers who can reach an infected system can logon using any username/password combination.
References: [MVID-2022-0462]
Backdoor.Win32.Hellza.120 / Unauthorized Remote Command Execution - the malware listens on TCP ports 12122, 21. Third-party adversarys who can reach infected systems can issue commands made available by the backdoor.
References: [MVID-2022-0641] |
SG
|
21 |
udp |
FSP |
FSP/FTP [RFC959] |
SG
|
21 |
tcp |
|
FTP - control (command) (official) |
Wikipedia
|
21 |
tcp |
trojan |
ADM worm, Back Construction, Blade Runner, BlueFire, Bmail, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, FreddyK, Invisible FTP, KWM, MscanWorm, NerTe, NokNok, Pinochet, Ramen, Reverse Trojan, RTB 666, The Flu, WinCrash, Voyager Alpha Force |
Trojans
|
21 |
tcp,udp |
ftp |
File Transfer [Control] |
SANS
|
21 |
tcp |
applications |
GeoVision DMIP |
Portforward
|
21, 80, 3389, 4550, 5550, 6550, 9650 |
tcp |
applications |
GeoVision TwinDVR with Webcam |
Portforward
|
21,80,3389,4550,5550,6550 |
tcp |
applications |
GeoVision Webcam |
Portforward
|
21,50000-50004 |
tcp |
applications |
Serv-U |
Portforward
|
21,1983 |
tcp |
applications |
Tales of Pirates |
Portforward
|
20,21 |
tcp |
applications |
vsftp |
Portforward
|
21 |
tcp,udp |
ftp |
File Transfer [Control] |
Nmap
|
21 |
tcp |
BackConstruction |
[trojan] Back Construction |
Neophasis
|
21 |
tcp |
BladeRunner |
[trojan] BladeRunner |
Neophasis
|
21 |
tcp |
CattivikFTPServer |
[trojan] Cattivik FTP Server |
Neophasis
|
21 |
tcp |
CCInvader |
[trojan] CC Invader |
Neophasis
|
21 |
tcp |
DarkFTP |
[trojan] Dark FTP |
Neophasis
|
21 |
tcp |
DolyTrojan |
[trojan] Doly Trojan |
Neophasis
|
21 |
tcp |
Fore |
[trojan] Fore |
Neophasis
|
21 |
tcp |
FreddyK |
[trojan] FreddyK |
Neophasis
|
21 |
tcp |
InvisibleFTP |
[trojan] Invisible FTP |
Neophasis
|
21 |
tcp |
Juggernaut42 |
[trojan] Juggernaut 42 |
Neophasis
|
21 |
tcp |
Larva |
[trojan] Larva |
Neophasis
|
21 |
tcp |
MotIvFTP |
[trojan] MotIv FTP |
Neophasis
|
21 |
tcp |
NetAdministrator |
[trojan] Net Administrator |
Neophasis
|
21 |
tcp |
Ramen |
[trojan] Ramen |
Neophasis
|
21 |
tcp |
RTB666 |
[trojan] RTB 666 |
Neophasis
|
21 |
tcp |
SennaSpyFTPserver |
[trojan] Senna Spy FTP server |
Neophasis
|
21 |
tcp |
Traitor21 |
[trojan] Traitor 21 |
Neophasis
|
21 |
tcp |
[trojan]TheFlu |
[trojan] The Flu |
Neophasis
|
21 |
tcp |
WebEx |
[trojan] WebEx |
Neophasis
|
21 |
tcp |
WinCrash |
[trojan] WinCrash |
Neophasis
|
21 |
tcp |
AudioGalaxy |
AudioGalaxy file sharing app |
Neophasis
|
21 |
tcp |
threat |
Back Construction |
Bekkoame
|
21 |
tcp |
threat |
Blade Runner |
Bekkoame
|
21 |
tcp |
threat |
Cattivik FTP Server |
Bekkoame
|
21 |
tcp |
threat |
CC Invader |
Bekkoame
|
21 |
tcp |
threat |
Dark FTP |
Bekkoame
|
21 |
tcp |
threat |
Doly Trojan |
Bekkoame
|
21 |
tcp |
threat |
Fore |
Bekkoame
|
21 |
tcp |
threat |
Invisible FTP |
Bekkoame
|
21 |
tcp |
threat |
Juggernaut 42 |
Bekkoame
|
21 |
tcp |
threat |
Larva |
Bekkoame
|
21 |
tcp |
threat |
MotIv FTP |
Bekkoame
|
21 |
tcp |
threat |
Net Administrator |
Bekkoame
|
21 |
tcp |
threat |
Ramen |
Bekkoame
|
21 |
tcp |
threat |
Senna Spy FTP server |
Bekkoame
|
21 |
tcp |
threat |
The Flu |
Bekkoame
|
21 |
tcp |
threat |
Traitor 21 |
Bekkoame
|
21 |
tcp |
threat |
W32.Bobax |
Bekkoame
|
21 |
tcp |
threat |
W32.Loxbot |
Bekkoame
|
21 |
tcp |
threat |
W32.Mytob |
Bekkoame
|
21 |
tcp |
threat |
WebEx |
Bekkoame
|
21 |
tcp |
threat |
WinCrash |
Bekkoame
|
21 |
tcp,udp |
ftp |
File Transfer Protocol [Control] [RFC959] |
IANA
|
21 |
sctp |
ftp |
FTP [RFC4960] |
IANA
|
|
56 records found
|
jump to:
|
Related ports: 20 443 1234 1235 1239 5410 12000 12122 14920 14923
« back to SG Ports
External Resources
SANS ISC: port 21
Notes:
Port numbers in computer networking represent communication endpoints. Ports are unsigned 16-bit integers (0-65535) that identify
a specific process, or network service. IANA is responsible for internet protocol resources, including the registration of commonly
used port numbers for well-known internet services.
Well Known Ports: 0 through 1023.
Registered Ports: 1024 through 49151.
Dynamic/Private : 49152 through 65535.
TCP ports use the Transmission Control Protocol, the most commonly used protocol
on the Internet and any TCP/IP network. TCP enables two hosts
to establish a connection and exchange streams of data. TCP guarantees delivery of data
and that packets will be delivered in the same order in which they were sent.
Guaranteed communication/delivery is the key difference between TCP and UDP.
UDP ports use the Datagram Protocol. Like TCP, UDP is used in combination with IP (the Internet Protocol)
and facilitates the transmission of datagrams from one computer to applications on another computer,
but unlike TCP, UDP is connectionless and does not guarantee reliable communication; it's up to the application that received
the message to process any errors and verify correct delivery. UDP is often used with time-sensitive
applications, such as audio/video streaming and realtime gaming, where dropping some packets is preferable to waiting for delayed data.
When troubleshooting unknown open ports, it is useful to find exactly what services/processes are listening to them.
This can be accomplished in both Windows command prompt and Linux variants using the "netstat -aon" command.
We also recommend runnig multiple anti-virus/anti-malware scans to rule out the possibility of active malicious software.
For more detailed and personalized help please use our forums.
Please use the "Add Comment" button below to provide additional information or comments about port 21.
|
|
|
|