Port(s) |
Protocol |
Service |
Scan level |
Description |
9996 |
tcp |
trojans |
Members scan |
Football Manager Live (TCP/UDP), Ryan's App Trading Software (TCP/UDP), The Palace Virtual Reality Chat software (TCP/UDP)
W32.dabber.a trojan
W32.Sasser.Worm [Symantec-2004-050116-1831-99] - remote access trojan. Affects all current Windows versions, attempts to exploit a vulnerability addressed in Microsoft Security Bulletin [MS04-011]. There are some issues associated with using the [MS04-011] update discussed here: MS KB 835732.
Trojan runs an FTP server on port 5554 on infected systems and attempts to connect to random IPs on TCP port 445. If a connection is established, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. |
9997 |
tcp |
splunk |
Premium scan |
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
Football Manager Live also uses port 9997 (TCP/UDP).
Malware that uses this port: W32.dabber.a trojan
Backdoor.Win32.SVC / Remote Stack Buffer Overflow - the malware listens on TCP port 9997. Third-party attackers who can reach an infected system can make a specially crafted HTTP GET request to trigger a classic stack buffer overflow overwriting the ECX and EIP registers and the structured exception handler (SEH).
References: [MVID-2022-0446]
Backdoor.Win32.SVC / Directory Traversal - the malware listens on TCP port 9997. Third-party attackers who can reach an infected host can read any file on the system using "../" path traversal characters to break out of the root dir.
References: [MVID-2022-0447] |
9998 |
tcp |
totalbill |
Premium scan |
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
Lighttpd server port 9998/tcp open to LAN only on some ASUS routers.
Totalbill (billing and provisioning system for ISPs by Aptis Software) listens on port 9998/tcp (by default) and allows full control over the software. An exploit script for this software was published in 2000.
Common Palace chat environment, Football Manager Live also use port 9998 (TCP/UDP).
Malware using this port: W32.dabber.a trojan |
9999 |
tcp |
crypto |
Premium scan |
Football Manager Live (TCP/UDP), Warzone 2100 (TCP/UDP), Ultima, TP-Link Smart Outlet remote console access, Hydranode—edonkey2000 TELNET control, Lantronix UDS-10/UDS100 RS-485 to Ethernet Converter TELNET control, Urchin Web Analytics
Dash cryptocurrency uses port 9999.
Common cryptocurrency ports (TCP):
Bitcoin: 8333
Litecoin: 9333
Dash: 9999
Dogecoin: 22556
Ethereum: 30303
Port vulnerabilities and malware that uses this port:
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] (2005.01.17) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
Backdoor.Lateda.C [Symantec-2005-033112-4545-99] (2005.03.31) - backdoor trojan with remote access capabilities. Connects to an IRC server on the l33t.freeshellz.org domain on port 5232/tcp, opens a backdoor on port 9999/tcp.
The remote web management interface of Aprelium Technologies Abyss Web Server 1.1.2 and earlier does not log connection attempts to the web management port (9999), which allows remote attackers to mount brute force attacks on the administration console without detection.
References: [CVE-2003-1363] [BID-6842]
Firefly Media Server is vulnerable to a denial of service, caused by multiple NULL pointer dereference errors in the firefly.exe binary file. By sending a specially-crafted packet to TCP Port 9999 with a malformed header, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [EDB-23574]
This vulnerability allows remote attackers to execute arbitrary code on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the control service, which listens on TCP port 9999 by default. The issue results from the lack of authentication prior to allowing alterations to the system configuration. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-10493.
References: [CVE-2020-10920]
A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256272.
References: [CVE-2024-2318]
TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection
References: [EDB-51906]
TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution
References: [EDB-51853]
The Prayer 1 trojan horse (TCP)
distinct (TCP/UDP) (IANA official) |
9999 |
udp |
infosvr |
Premium scan |
Several Asus router models use a service called infosvr that listens on UDP port 9999 with root privileges and contains an unauthenticated command execution vulnerability. See [CVE-2014-9583]
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.
References: [CVE-2014-9583], [XFDB-100054] |
10000 |
tcp |
multiple |
Basic scan |
Applications that use this port:
Webmin - web-based system administration tool, BackupExec, Ericsson Account Manager (avim).
The Matrix Online, Everquest Online Adventures, BitTornado, Viatalk, Dungeon Fighter Online (TCP/UDP), FIFA Manager 10 (TCP/UDP)
QuickTime Streaming Server 4 also uses ports 10000-20000 (TCP).
Dumaru.Y [Symantec-2004-012316-2557-99] (2004.01.23) - multi-threaded, mass mailing worm that opens a backdoor, runs a keylogger and attempts to steal personal information. Opens ports 2283/tcp and 10000/tcp.
Other trojans that use this port: Oracle, TCP Door, XHX, OpwinTRojan
The default configuration of the New Atlanta BlueDragon administrative interface in MediaCAST 8 and earlier enables external TCP connections to port 10000, instead of connections only from 127.0.0.1, which makes it easier for remote attackers to have an unspecified impact via a TCP session.
References: [CVE-2011-2077]
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a buffer overflow in observiced.exe that allows remote attackers to execute arbitrary code via vectors related to a "reverse lookup of connections" to TCP port 10000.
References: [CVE-2010-0072]
The web interface in BitTorrent allows remote attackers to execute arbitrary commands by leveraging knowledge of the pairing values and a crafted request to port 10000.
References: [CVE-2014-8515], [XFDB-99764]
By using port 10000 TCP in VERITAS Backup Exec Remote Agent, a remote attacker may be able to gain access to, and retrieve arbitrary files from a target system.
References: [CVE-2005-2611], [BID-14551]
Siemens RUGGEDCOM ROX I (all versions) allow an authenticated user to bypass access restrictions in the web interface at port 10000/TCP to obtain privileged file system access or change configuration settings.
References: [CVE-2017-2689], [BID-97170]
Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability in the integrated web server at port 10000/TCP which is prone to reflected Cross-Site Scripting attacks if an unsuspecting user is induced to click on a malicious link.
References: [CVE-2017-2687], [BID-97170]
Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability that could allow an authenticated user to read arbitrary files through the web interface at port 10000/TCP and access sensitive information.
References: [CVE-2017-2686], [BID-97170]
An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data.
References: [CVE-2017-2876], [CVE-2017-2875]
The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password (which is 1234), or reconfiguring "party mode" or "vacation mode."
References: [CVE-2019-9484]
Backdoor.Win32.Dumador.C / Remote Stack Buffer Overflow (SEH) - the malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).
Network Data Management Protocol (TCP/UDP) (IANA official) |
10001 |
tcp |
scp |
Premium scan |
Wyze cameras use these ports:
80, 443 TCP/UDP - timelapse, cloud uploads, streaming data
8443 TCP - cloud api, server connection
123 TCP - time check
10001 TCP - P2P WiFi live streaming
10002 TCP - Firmware updates
22345 TCP - control, used when live streaming
Lantronix UDS-10/UDS100 RS-485 to Ethernet Converter default port
Qualys Cloud Agent
Seafile Windows Server uses these TCP ports: 8000 (seahub web interface), 8082 (seafile server), 10001 (ccnet), 12001 (seaf-server).
Tonido NAS remote access software uses port 10001
Veeam Agent Computer uses port 10001/TCP
Games that use 10001 (TCP/UDP):
Dungeon Fighter Online, MVP Baseball, Tera
IPFS (InterPlanetary File System) - FiveM and RedM game mods use this port
Backdoor.Zdemon.126 [Symantec-2003-050512-3204-99] (2003.05.05) - remote access trojan, affects all current Windows versions.
Lula trojan
The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9.41 does not require authentication, which allows remote attackers to execute arbitrary code via a session on TCP port 10001, aka ZDI-CAN-2116.
References: [CVE-2014-2609]
A missing error check exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 could allow an attacker to reset the user accounts to factory defaults, without authentication.
References: [CVE-2017-2877]
SCP Configuration Port (IANA official) |
10001 |
udp |
ubiquity |
not scanned |
Ubiquiti Networks uses port 10001/UDP for its AirControl management discovery protocol |
10002 |
tcp |
trojans |
Premium scan |
Wyze cameras use these ports:
80, 443 TCP/UDP - timelapse, cloud uploads, streaming data
8443 TCP - cloud api, server connection
123 TCP - time check
10001 TCP - P2P WiFi live streaming
10002 TCP - Firmware updates
22345 TCP - control, used when live streaming
Backdoor.Zdemon.126 [Symantec-2003-050512-3204-99] (2003.05.05) - remote access trojan, 05.2003
Lula trojan
Backdoor.Win32.Tonerok.d / Unauthenticated Remote Command Execution - the malware listens on TCP port 10002 and drops an executable named "svchost.exe" under Windows dir. Third-party attackers who can reach an infected system can execute commands made available by the backdoor.
References: [MVID-2021-0226]
Trojan-Dropper.Win32.Googite.b / Unauthenticated Remote Command Execution - the malware listens on TCP ports 3388, 4488 and 10002 and drops executables under both Windows and SysWOW64 dirs. Third-party attackers who can reach infected systems can connect to port 10002 and run commands made available by the backdoor to retrieve information etc.
References: [MVID-2021-0254]
Trojan-Dropper.Win32.Krepper.a / Unauthenticated Remote Command Execution - the malware listens on TCP port 10002 and drops several executables under Windows dir. Third-party attackers who can reach infected systems can connect to port 10002 and run commands made available by the backdoor to retrieve information etc.
References: [MVID-2021-0260]
Backdoor.Win32.Avstral.e / Unauthenticated Remote Command Execution - the malware listens on TCP port 10002. Third-party adversaries who can reach an infected host can run commands made available by the backdoor.
References: [MVID-2022-0529]
SCP Configuration Port (IANA official) |
10003 |
tcp |
veeam |
Premium scan |
Veeam Backup and replication suite uses these ports, in addition to common 80, 443, etc.:
6160 TCP - Veeam installer service
6165 TCP - WAN accelerator
6180 TCP/UDP - Veeam cloud gateway
6169, 8190, 8191 TCP - used by SP backup server
10003 TCP - communication with Veeam backup service
The port is also used by ForeScout SecureConnector - a lightweight agent that creates a secure connection with the ForeScout CounterACT RemoteControl appliance and enables internet-based compliance management.
Lula trojan
|
10005 |
tcp |
trojan |
Premium scan |
OpwinTRojan
A vulnerability has been identified in LOGO!8 BM (All versions). Unencrypted storage of passwords in the project could allow an attacker with access to port 10005/tcp to obtain passwords of the device. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 10005/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2019-10921], [CVE-2019-10920], [CVE-2019-10919], [BID-108382]
A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). An attacker with network access to port 10005/tcp of the LOGO! device could cause a Denial-of-Service condition by sending specially crafted packets. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2019-6571]
A vulnerability has been identified in LOGO!8 BM (All versions). Project data stored on the device, which is accessible via port 10005/tcp, can be decrypted due to a hardcoded encryption key. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 10005/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2019-10920], [BID-108382]
A vulnerability has been identified in LOGO!8 BM (All versions). Attackers with access to port 10005/tcp could perform device reconfigurations and obtain project files from the devices. The system manual recommends to protect access to this port. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 10005/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2019-10919] |
10006 |
tcp |
games |
not scanned |
Veeam Agent for Linux v.6 uses these ports:
137-139, 445 tcp/udp - SMB(CIFS) shared folder
2500-3300 tcp - range of ports used for Veeam agent backup jobs
10006 tcp - backup server communication
10808 tcp - loopback port utilized for internal traffic only
Game: Dungeon Fighter Online, developer: Neople |
10007 |
tcp |
games |
not scanned |
RF Online |
10008 |
tcp |
worm |
Premium scan |
In early 2001, many exploit scripts for DNS TSIG name overflow would place a root shell on this port.
Cheese Worm (2001) - spreads and scans other machines through port 10008/tcp.
LionWorm uses this port.
See also CERT: IN-2001-05
IANA registered for: Octopus Multiplexer
|
10009 |
tcp,udp |
applications |
not scanned |
IANA registered for: Cross Fire, a multiplayer online First Person Shooter |
10010 |
tcp |
rxapi |
not scanned |
ooRexx rxapi services |
10011 |
tcp |
applications |
Premium scan |
TeamSpeak 3 default serverquery port.
TS3 uses the following ports:
9987 UDP (default voice port)
10011 TCP (default serverquery port)
30033 TCP (default filetransfer port)
41144 TCP (default tsdns port)
TS3 also connects to: accounting.teamspeak.com:2008 (TCP for license checks) and weblist.teamspeak.com:2010 (UDP). TS3 weblist also uses ports 2011-2110 (UDP out, first available port in range).
|
10012 |
tcp |
apps |
Premium scan |
Absen's Android-based LED wall uses port 10012/tcp
Amanda trojan (2010) |
10013 |
tcp |
trojan |
Premium scan |
Amanda trojan |
10017 |
tcp,udp |
applications |
not scanned |
AIX, NeXT, HPUX-rexd daemon control |
10019 |
tcp,udp |
applications |
not scanned |
Revo DVRNS |
10020 |
tcp |
abb-hw |
not scanned |
Proofpoint (email protection service) uses port 10020 TCP to access their SaaS servers
IANA registered for: Hardware configuration and maintenance |
10022 |
tcp |
intouch |
not scanned |
Gecko In.Touch (also in.touch 2) spa controller |
10023 |
udp |
cefd-vmp |
not scanned |
Comtech EF-Data's Vipersat Management Protocol - a feature-rich, automated bandwidth, capacity, and network management system with a high degree of configuration automation. [Comtech] (IANA official) |
10024 |
tcp |
applications |
not scanned |
IANA registered for: Zimbra smtp [mta] - to amavis from postfix |
10025 |
tcp |
applications |
not scanned |
IANA registered for: Zimbra smtp [mta] - back to postfix from amavis |
10027 |
tcp |
trojans |
Premium scan |
W32.Mytob.JW@mm [Symantec-2005-100312-4423-99] (2005.10.03) - a mass-mailing worm with backdoor capabilities that lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 8000/tcp. Also uses port 10027/tcp to download a copy of the worm.
Default port for IBM WebSphere Portal Application Server Administrative Console |
10050 |
tcp,udp |
zabbix-agent |
not scanned |
Zabbix Agent (IANA official) |
10051 |
tcp,udp |
zabbix-trapper |
not scanned |
Zabbix Trapper (IANA official) |
10053 |
tcp,udp |
malware |
not scanned |
Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053. The service does not have proper validation for URL parameters before reading the files.
References: [CVE-2022-46768] |
10055 |
tcp |
qptlmd |
not scanned |
Quantapoint FLEXlm Licensing Service |
10067 |
udp |
trojans |
not scanned |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp. |
10070 |
tcp,udp |
games |
not scanned |
Amplitude (PS2) uses ports 10070-10080, developer: Harmonix
Socom also uses ports 10070-10080 (TCP) |
10080 |
tcp |
trojans |
Premium scan |
Dogtag Certificate System authority uses port 9080 (ca) and port 9443 (secure ca) by default.
Dogtag Certificate PKI Subsystems may also use:
DRM - ports 10080 (drm) and 10443 (drm secure)
OCSP - ports 11080 (ocsp) and 11443 (ocsp secure)
RA - ports 12888 (ra) and 12889 (ra secure)
TKS - ports 13080 (tks) and 13443 (tks secure)
TPS - ports 7888 (tps) and 7889 (tps secure)
Mydoom.B [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
IANA registered for: Amanda backup software |
10082 |
tcp |
trojans |
Premium scan |
W32.Mytob.CP@mm [Symantec-2005-052214-0509-99] (2005.05.22) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine, spreads by exploiting the MS Security Bulletin [MS04-011] vulnerability. Starts an FTP server on a random TCP port. Uses port 10082/tcp to download the worm as "bingoo.exe". |
10084 |
tcp,udp |
trojan |
not scanned |
Syphillis trojan |
10085 |
tcp |
trojans |
Premium scan |
W32.Mytob.BL@mm [Symantec-2005-042416-0006-99] (2005.04.24) - mass-mailing worm with backdoor capabilities. Connects to an IRC server on port 6667/tcp, opens a backdoor FTP server on port 10085.
Syphillis trojan horse also uses port 10085 (TCP). |
10086 |
tcp |
trojans |
Members scan |
Syphillis trojan, W32.Mytob |
10087 |
tcp |
trojans |
Members scan |
W32.Mytob.AD@mm [Symantec-2005-040800-3252-99] - mass-mailing worm with built-in SMTP engine. Spreads by exploiting the MS DCOM RPC vulnerability ([MS03-026]) and the MS Windows Local Security Authority Service Remote Buffer Overflow ([MS04-011]). Opens a backdoor on port 10087/tcp. Also connects to an IRC channel on the ircd.dists.com domain on port 6667 and listens for commands. Compromised PCs can be rebooted remotely, files can be downloaded/executed, and IRC commands can be performed. W32.Mytob.AA@mm [Symantec-2005-040421-3550-99] and W32.Mytob.AQ@mm [Symantec-2005-041112-3912-99] variants also open this port. W32.Mytob.IH@mm variant listens on port 31113/tcp. W32.Mytob.FP@mm opens backdoors on ports 10087/tcp and 12347/tcp. |
10089 |
tcp |
trojans |
Premium scan |
W32.Mytob.AR@mm [Symantec-2005-041116-0718-99] (2005.04.11) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine. Opens a backdoor on port 10089/tcp, and connects to an IRC server on port 8080. |
10090 |
tcp,udp |
games |
not scanned |
PlayLink online game |
10093 |
tcp,udp |
games |
not scanned |
Football Manager 2005 |
10094 |
tcp,udp |
games |
not scanned |
Football Manager 2005 |
10099 |
tcp |
trojans |
Premium scan |
W32.Mytob.FX@mm [Symantec-2005-062313-5401-99] - mass-mailing worm that opens a backdoor and listens for remote commands on port 36311/tcp, also runs an FTP server on port 10099/tcp. |
10100 |
tcp,udp |
trojans |
not scanned |
Backdoor.Ranky.O [Symantec-2004-122417-2948-99], Control Total, GiFt trojan, Scalper, Slapper
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/UDP by default. The service accepts unverified UDP packets and deserializes the content, which could allow an unauthenticated attacker to remotely execute arbitrary code.
References: [CVE-2023-1133] |
10101 |
tcp |
trojan |
Premium scan |
BrainSpy trojan |
10102 |
tcp |
backdoor |
Premium scan |
Backdoor.Staprew.B [Symantec-2005-050215-0935-99] (2005.05.02) - backdoor program, contacts the lowesapr.net domain on port 10102/tcp with the IP of the compromised computer and a number of the random tcp port of the backdoor.
Backdoor.Urat [Symantec-2003-063013-1558-99] (2003.06.30) - allows unauthorized access to an infected computer. This Trojan Horse opens port 10102 to communicate with the attacker.
Port is also IANA registered for eZproxy |
10102 |
udp |
playfi |
not scanned |
Play-Fi from DTS may broadcast on port 10102/UDP to discover speakers/devices. |
10103 |
tcp |
trojan |
Premium scan |
Backdoor.Tuimer [Symantec-2005-031715-1256-99] |
10104 |
udp |
trojans |
not scanned |
Backdoor.Lowtaper [Symantec-2004-101411-3637-99] - remote access trojan, affects Windows, uses ports 24681/tcp and 10104/udp |
10109 |
tcp |
vmware |
not scanned |
VMware vSphere vCenter Inventory Service Service Management
|
10110 |
tcp,udp |
nmea-0183 |
not scanned |
Backdoor.Win32.Prexot.a / Authentication Bypass - the malware listens on random high TCP ports, e.g. 11404, 19545, 17001, 10110. Third-party attackers who can reach an infected system can log on using any username/password combination.
References: [MVID-2022-0484]
Backdoor.Win32.Prexot.a / Port Bounce Scan (MITM) - the malware listens on random high TCP ports, e.g. 11404, 19545, 17001, 10110, and accepts any credentials. Third-party intruders who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0485]
NMEA-0183 Navigational Data (IANA official) |
10111 |
udp |
nmea-onenet |
not scanned |
NMEA OneNet multicast messaging [National Marine Electronics Association] (IANA official) |
10111 |
tcp |
vmware |
not scanned |
VMware vSphere vCenter Inventory Service Linked Mode Communication |
10113 |
tcp,udp |
netiq-endpoint |
not scanned |
NetIQ Endpoint (IANA official) |
10114 |
tcp,udp |
netiq-qcheck |
not scanned |
NetIQ Qcheck (IANA official) |
10115 |
tcp,udp |
netiq-endpt |
not scanned |
NetIQ Endpoint (IANA official) |
10116 |
tcp,udp |
netiq-voipa |
not scanned |
NetIQ VoIP Assessor (IANA official) |
10117 |
tcp,udp |
iqrm |
not scanned |
NetIQ IQCResource Management Svc (IANA official) |
10123 |
tcp |
sccm |
not scanned |
SCCM (System Center Configuration Manager) Microsoft software management suite uses port 10123 for client notifications |
10128 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in bgs_sdservice.exe in BMC Patrol PerformAgent allows remote attackers to execute arbitrary code by connecting to TCP port 10128 and sending certain XDR data, which is not properly parsed.
References: [CVE-2007-2136], [BID-23557]
Port is also IANA registered for BMC-Perform-Service Daemon |
10129 |
tcp |
bmc-gms |
not scanned |
BMC General Manager Server |
10137 |
udp |
applications |
not scanned |
Avaya WinPDM is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the MwpCsi.exe service. By sending an overly long string to UDP port 10137, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-67604] [BID-47947] |
10138 |
udp |
applications |
not scanned |
Avaya WinPDM is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by PMServer.exe service. By sending an overly long string to UDP port 10138, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-67605], [BID-47947] |
10155 |
tcp |
rsync |
not scanned |
Plesk rsync custom migrator service for misc tasks (Windows only) uses port 10155/tcp |
10156 |
tcp |
rsync |
not scanned |
Plesk rsync server migration (Windows only) uses port 10156/tcp |
10161 |
tcp |
snmptls |
not scanned |
SNMP-TLS [RFC 6353] (IANA official) |
10161 |
udp |
snmpdtls |
not scanned |
SNMP-DTLS [RFC6353] (IANA official) |
10167 |
udp |
trojans |
not scanned |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp. |
10168 |
tcp |
trojans |
Premium scan |
W32.HLLW.Lovgate [Symantec-2003-021916-4352-99] - a worm with backdoor trojan capabilities. Affects all current Windows versions. |
10172 |
tcp |
applications |
not scanned |
Intuit Quickbooks client |
10194 |
tcp |
twilio |
not scanned |
Twilio Client WebRTC uses port 10194 TCP for signaling to chunderm.gll.twilio.com
|
10196 |
udp |
games |
not scanned |
Tom Clancy's Splinter Cell: Conviction, developer: Ubisoft Montreal |
10200 |
tcp,udp |
trisoap |
not scanned |
NetFone, FRISK Software International's fpscand virus scanning daemon for Unix platforms (TCP)
A flaw exists in Trading Technologies Messaging 7.1.28.3 (ttmd.exe) due to improper validation of user-supplied data when processing a type 8 message sent to default TCP RequestPort 10200. An unauthenticated, remote attacker can exploit this issue, via a specially crafted message, to terminate ttmd.exe.
References: [CVE-2020-5778], [CVE-2020-5779]
Trigence AE Soap Service (IANA official) |
10201 |
tcp |
rsms |
not scanned |
Remote Server Management Service, FRISK Software International's f-protd virus scanning daemon for Unix platforms |
10201 |
udp |
rscs |
not scanned |
Remote Server Control and Test Service (IANA official) |
10212 |
tcp |
applications |
not scanned |
Multiple buffer overflows in CimWebServer.exe in the WebView component in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY before 8.0 SIM 27, 8.1 before SIM 25, and 8.2 before SIM 19, and Proficy Process Systems with CIMPLICITY, allow remote attackers to execute arbitrary code via crafted data in packets to TCP port 10212, aka ZDI-CAN-1621 and ZDI-CAN-1624.
References: [CVE-2013-2785]
Directory traversal vulnerability in CimWebServer.exe (aka the WebView component) in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY before 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted message to TCP port 10212, aka ZDI-CAN-1623.
References: [CVE-2014-0751], [BID-65117] |
10241 |
tcp |
games |
not scanned |
Aion |
10243 |
tcp,udp |
wmp |
not scanned |
Windows Media Player Network Sharing Service |
10250 |
tcp,udp |
applications |
not scanned |
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
References: [CVE-2020-8551]
A flaw was found in the OpenShift Installer before version v0.9.0-master.0.20210125200451-95101da940b0. During installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled on kubelet port 10250. A remote attacker able to reach this port during installation can make unauthenticated `/exec` requests to execute arbitrary commands within running containers. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
References: [CVE-2021-20198] |
10253 |
udp |
eapol-relay |
not scanned |
Relay of EAPOL frames (IANA official) |
10255 |
tcp,udp |
applications |
not scanned |
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
References: [CVE-2020-8551] |
10261 |
tcp |
tile-ml |
not scanned |
IANA registered for: Tile remote machine learning |
10301 |
tcp |
applications |
not scanned |
VoiceIP-ACS UMP default device provisioning endpoint |
10302 |
tcp |
applications |
not scanned |
VoiceIP-ACS UMP default device provisioning endpoint (SSL) |
10308 |
tcp,udp |
applications |
not scanned |
Lock On
DCS Black Shark
Digital Combat Simulator Dedicated Server |
10426 |
tcp |
applications |
not scanned |
Backdoor.Win32.Agent.cu / Authentication Bypass RCE - the malware listens on TCP ports 10426, 56185. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands; this can result in remote code execution.
References: [MVID-2021-0303] |
10439 |
udp |
bngsync |
not scanned |
BalanceNG session table synchronization protocol - a Software IP Load Balancing Solution utilising its own network stacks and functionality. [Inlab_Software_GmbH] (IANA official) |
10443 |
tcp,udp |
dogtag |
Premium scan |
Commonly used as an alternate SSL port.
VMware vSphere vCenter Inventory Service HTTPS
Fortinet SSL VPN default alternate port
Dogtag Certificate System authority uses port 9080 (ca) and port 9443 (secure ca) by default.
Dogtag Certificate PKI Subsystems may also use:
DRM - ports 10080 (drm) and 10443 (drm secure)
OCSP - ports 11080 (ocsp) and 11443 (ocsp secure)
RA - ports 12888 (ra) and 12889 (ra secure)
TKS - ports 13080 (tks) and 13443 (tks secure)
TPS - ports 7888 (tps) and 7889 (tps secure)
IANA registered for: CirrosSP Workstation Communication (TCP) |
10468 |
udp |
applications |
not scanned |
Flyer - discovery protocol |
10480 |
udp |
games |
not scanned |
Swat 4 |
10481 |
udp |
games |
not scanned |
Swat 4 |
10482 |
udp |
games |
not scanned |
Swat 4 |
10483 |
udp |
games |
not scanned |
Swat 4 |
10498 |
udp |
trojan |
not scanned |
Mstream trojan
DDOS Communication also uses this port |
10500 |
udp |
hip-nat-t |
not scanned |
HIP NAT-Traversal [RFC 5770] (IANA official) |
10500 |
tcp |
worm |
Premium scan |
Dark Ages of Camelot game uses TCP ports 1280, 10500, 10622 and a dynamic UDP port (1024-65535 range)
W32.Linkbot.H [Symantec-2005-011210-3257-99] (2005.01.12) - a worm that exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (Microsoft Security Bulletin [MS04-011]) in order to propagate. It also creates a back door on the system accessible through IRC. |
10514 |
udp |
applications |
not scanned |
A vulnerability has been reported in WinSyslog, which can be exploited to cause a DoS (Denial of Service) on a vulnerable syslog server.
The vulnerability is caused due to an error when the interactive syslog server receives and displays syslog events. This can be exploited by sending UDP datagrams containing arbitrary, overly large amounts of data to the interactive server (default port 10514/udp), which will cause it to freeze and halt the OS.
References: [SECUNIA-10004] |
10520 |
tcp |
trojan |
Premium scan |
Acid Shivers trojan |
10528 |
tcp |
trojan |
Premium scan |
Host Control trojan |