Port(s) |
Protocol |
Service |
Scan level |
Description |
14942 |
tcp |
applications |
not scanned |
Trend Micro ServerProtect for Linux (SPLX) allows remote attackers to access arbitrary web pages and reconfigure the product via HTTP requests with the splx_2376_info cookie to the web interface port 14942/tcp.
References: [CVE-2007-1168], [BID-22662] |
14983 |
tcp,udp |
applications |
not scanned |
EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file. This allows an attacker to obtain the administrator password hash.
CompleteFTP before 12.1.3 logs an obscured administrator password to a file during installation (C:\Program Files (x86)\Complete FTP\Server\Bootstrapper.log). If CompleteFTP is configured to permit remote administration (over port 14983), it is possible to obtain remote code execution through the administration interface.
References: [CVE-2019-16116], [EDB-48657] |
14985 |
tcp |
malware |
not scanned |
Backdoor.Win32.Surila.j / Port Bounce Scan - the malware listens on random TCP high port numbers, typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. The malware has an FTP component that accepts any username/password credentials. Third-party attackers who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse the infected system and discreetly conduct network port scanning. Victims will then think these scans originate from the infected system running the malware's FTP server and not from the attacker.
References: [MVID-2021-0288]
Backdoor.Win32.Surila.j / Authentication Bypass - the malware listens on random TCP high port numbers, typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. Third-party attackers who can reach infected systems can log on using any username/password combination.
References: [MVID-2021-0289]
Backdoor.Win32.Surila.j / Remote Denial of Service - the malware listens on random TCP high port numbers, typically starting with "1", e.g. 12356, 14985, 13850, 19050. Third-party attackers who can reach infected systems can log on using any username/password combination. Supplying a long string of characters for the FTP PORT command argument results in an access violation and crash.
References: [MVID-2021-0290] |
14988 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.ggw / Authentication Bypass - the malware runs a built-in FTP server listening on one of several random TCP ports such as 32335, 27227, 27942, 14223, 14988, 11092. Third-party attackers who can reach the server and who know or guess the port can "log on" using any USER/PASS combination or with no credentials at all.
References: [MVID-2021-0193] |
15000 |
tcp |
various |
Members scan |
N-Able update service
Games: Alien Crossfire (TCP/UDP), Alpha Centauri, Gridz (TCP/UDP), Links LS 2000 (TCP/UDP), Majesty (TCP/UDP), Master of Orion II (TCP/UDP), Star Conquest (TCP/UDP)
Malware: R0xr4t, Route to the Hell, NetDaemon 1.0, psyBNC, Wesnoth, Kaspersky Network Agent
Samsung SBeam allows remote attackers to read arbitrary images by leveraging an NFC connection to access the HTTP server on port 15000.
References: [CVE-2015-4033]
Backdoor.Win32.Benju.a / Unauthenticated Remote Command Execution - the RAT listens on TCP ports 200 and 15000. Third-party adversaries who can reach an infected host can execute commands made available by the malware. Commands are sent in Spanish. Using netcat or telnet fails to run commands after connecting because they send CRLFs, e.g. "quitar\r\n" fails while "quitar" succeeds. Therefore, a custom client is needed to send commands to the Benju RAT.
References: [MVID-2024-0700]
Hypack Data Aquisition (IANA official) |
15000 |
udp |
klnagent |
not scanned |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
|
15001 |
tcp |
games |
not scanned |
Ground Control |
15001 |
udp |
klnagent |
not scanned |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
|
15002 |
tcp |
onep-tls |
not scanned |
Open Network Environment TLS [Cisco_3] (IANA official) |
15012 |
tcp,udp |
applications |
not scanned |
Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, 'istiod', is vulnerable to a request processing error that allows a malicious attacker who sends a specially crafted message to crash the control plane. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet. There are no effective workarounds beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.
References: [CVE-2022-23635] |
15017 |
tcp,udp |
applications |
not scanned |
Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error that allows a malicious attacker who sends a specially crafted message to crash the control plane when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities.
References: [CVE-2022-24726]
Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error that allows a malicious attacker who sends a specially crafted or oversized message to crash the control plane when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds beyond upgrading. This bug is due to an error in `regexp.Compile` in Go.
References: [CVE-2022-39278] |
15064 |
tcp |
apps |
not scanned |
LogMeIn may use port 15064/tcp
Dameware (dwrcs.exe) may use this port
Ring Doorbell uses TCP ports 80, 443, 5228, 15064. In addition, it may use a random UDP port, and outbound TCP ports 7078, 9078, 9998, 9999, 15063
|
15077 |
tcp,udp |
applications |
not scanned |
The MPS functionality in Enterasys SSR8000 (Smart Switch Router) before firmware 8.3.0.10 allows remote attackers to cause a denial of service (crash) via multiple port scans to ports 15077 and 15078.
References: [BID-5703], [CVE-2002-1501], [XFDB-10096] |
15078 |
tcp,udp |
applications |
not scanned |
The MPS functionality in Enterasys SSR8000 (Smart Switch Router) before firmware 8.3.0.10 allows remote attackers to cause a denial of service (crash) via multiple port scans to ports 15077 and 15078.
References: [BID-5703], [CVE-2002-1501], [XFDB-10096] |
15092 |
tcp |
trojan |
not scanned |
Host Control trojan |
15101 |
tcp |
games |
not scanned |
Tribes 2, Emperor: Rise of the Middle Kingdom, Ground Control, Hoyle Online, Swat 3, Arcanum, PGA Championship Golf 2000 |
15104 |
tcp |
trojan |
not scanned |
Mstream trojan
Tribes 2 also uses this port. |
15111 |
udp |
ksnproxy |
not scanned |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
|
15118 |
tcp |
trojans |
Premium scan |
Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin [MS04-011]). Uses TCP ports 11768 and 15118. |
15118 |
udp |
v2g-secc |
not scanned |
IANA registered for: v2g Supply Equipment Communication Controller Discovery Protocol |
15152 |
tcp |
applications |
not scanned |
Exteel |
15200 |
tcp |
games |
not scanned |
Nascar 3, Emperor: Rise of the Middle Kingdom, Ground Control, Hoyle Online, Swat 3 |
15204 |
tcp |
games |
not scanned |
Tribes 2, Arcanum |
15206 |
tcp |
trojan |
Premium scan |
KiLo [Symantec-2003-021319-1815-99] trojan
Tribes 2 also uses this port.
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
15207 |
tcp |
trojan |
Premium scan |
KiLo trojan [Symantec-2003-021319-1815-99]
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
15210 |
udp |
trojan |
not scanned |
UDP remote shell backdoor server |
15213 |
tcp,udp |
games |
not scanned |
Original War |
15252 |
tcp,udp |
routers |
not scanned |
Port 15252/UDP used by MikroTik routers IP Cloud |
15300 |
tcp |
games |
not scanned |
Emperor: Rise of the Middle Kingdom, Swat 3, Arcanum |
15345 |
tcp,udp |
xpilot |
not scanned |
IANA registered for: XPilot Contact |
15348 |
tcp |
trojans |
not scanned |
Backdoor.Bionet.404 [Symantec-2003-110416-1452-99] (2003.11.04) - a backdoor program that permits a remote attacker access on TCP port 15348. |
15367 |
tcp,udp |
games |
not scanned |
Aleph One, developer: Bungie Software |
15382 |
tcp |
trojan |
Premium scan |
SubZero trojan |
15400 |
udp |
games |
not scanned |
Homeworld |
15401 |
udp |
games |
not scanned |
Homeworld |
15425 |
tcp,udp |
trojan |
Premium scan |
Backdoor.Rohimafo [Symantec-2010-041308-3301-99] (2010.04.13) - a trojan horse that opens a back door and steals information from the compromised computer. It creates a proxy server on TCP port 15425.
IRLP - Internet Radio Linking Project (uses port 1545 tcp/udp) |
15432 |
tcp |
trojans |
Premium scan |
Backdoor.Cyn [Symantec-2002-083012-4557-99] (2002.08) - remote access trojan, affects all current Windows versions, listens on ports 15432 and 51234. |
15441 |
tcp,udp |
applications |
not scanned |
ZeroNet fileserver |
15485 |
tcp |
trojan |
Premium scan |
KiLo trojan [Symantec-2003-021319-1815-99] |
15486 |
tcp,udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
15500 |
tcp |
trojan |
Premium scan |
In Route to the Hell trojan
Nascar 3, Hoyle Online also use this port. |
15512 |
tcp |
trojan |
Premium scan |
Iani trojan |
15551 |
tcp |
trojan |
Premium scan |
In Route to the Hell trojan |
15553 |
tcp |
trojans |
not scanned |
Backdoor.Dewin [Symantec-2002-061211-5916-99] (2002.06.12) - allows a hacker to gain access to and remotely control an infected computer. The Trojan program is written in Microsoft Visual C++ and is compressed with PECompact. |
15555 |
tcp |
trojan |
Premium scan |
ICMIBC trojan |
15556 |
tcp,udp |
applications |
not scanned |
Jeex.EU Artesia (direct client-to-db.service) |
15567 |
udp |
applications |
not scanned |
Battlefield Vietnam server port |
15668 |
udp |
games |
not scanned |
Heroes of Might and Magic III, developer: New World Computing |
15670 |
tcp |
stomp |
not scanned |
Port sometimes used by STOMP (Simple/Streaming Text Oriented Messaging Protocol, a web version of AMQP, or MQTT). |
15672 |
tcp,udp |
applications |
not scanned |
360 Share, developer: 360share
RabbitMQ management plugin uses this port |
15674 |
tcp |
stomp |
not scanned |
STOMP (Simple/Streaming Text Oriented Messaging Protocol) standard port. STOMP is a web version of AMQP or MQTT |
15690 |
udp |
applications |
not scanned |
ASE Port, Battlefield Vietnam |
15695 |
tcp |
trojan |
Premium scan |
Kryptonic Ghost Command Pro trojan |
15800 |
tcp |
games |
not scanned |
Tribes 2, Emperor: Rise of the Middle Kingdom, Swat 3, Arcanum |
15802 |
tcp |
games |
not scanned |
Throne of Darkness |
15845 |
udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
15852 |
tcp |
trojan |
Premium scan |
Kryptonic Ghost Command Pro trojan |
15855 |
tcp |
trojans |
not scanned |
Trojan.Looksky [Symantec-2006-060512-1520-99] (2006.06.05) - a trojan horse that opens a back door and downloads files onto the compromised computer. The trojan also contains rootkit functionality. |
15858 |
tcp |
trojans |
Premium scan |
CDK trojan (ports 79, 15858) |
15963 |
tcp,udp |
applications |
not scanned |
Turkojan |
15998 |
udp |
2ping |
not scanned |
IANA registered for: 2ping Bi-Directional Ping Service |
15999 |
tcp |
programmar |
not scanned |
IANA registered for: ProGrammar Enterprise. |
16000 |
tcp,udp |
applications |
not scanned |
Motorhead Server, shroudBNC
Oracle WebCenter Content: Imaging (formerly known as Oracle Universal Content Management) (TCP). The port is often changed during installation, though.
Administration Server Access (IANA official)
|
16001 |
tcp |
fmsascon |
not scanned |
IANA registered for: Administration Server Connector. |
16002 |
tcp |
gsms |
not scanned |
IANA registered for: GoodSync Mediation Service |
16003 |
udp |
alfin |
not scanned |
IANA registered for: Automation and Control by REGULACE.ORG |
16010 |
tcp,udp |
applications |
not scanned |
Motorhead Server uses ports 16010-16030 |
16020 |
tcp |
jwpc |
not scanned |
Filemaker Java Web Publishing Core |
16021 |
tcp |
jwpc-bin |
not scanned |
Filemaker Java Web Publishing Core Binary |
16030 |
tcp,udp |
applications |
not scanned |
Motorhead Server uses ports 16010-16030 |
16057 |
tcp |
trojan |
Premium scan |
MoonPie trojan |
16080 |
tcp |
applications |
not scanned |
Mac OS X Server Web (HTTP) service with performance cache |
16102 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in the BCAAA component before build 60258, as used by Blue Coat ProxySG 4.2.3 through 6.1 and ProxyOne, allows remote attackers to execute arbitrary code via a large packet to the synchronization port (16102/tcp).
References: [CVE-2011-5124] |
16162 |
tcp |
solaris-audit |
not scanned |
Solaris Audit - secure remote audit log |
16200 |
tcp |
applications |
not scanned |
Oracle Universal Content Management Content Server
The TimesTenD process in Cisco Unified Presence 1.x, 6.x before 6.0(6), and 7.x before 7.0(4) allows remote attackers to cause a denial of service (process crash) via a large number of TCP connections to ports 16200 and 22794, aka Bug ID CSCsy17662.
References: [CVE-2009-2874], [BID-36675] |
16250 |
udp |
applications |
not scanned |
Ghost Recon Advanced Warfighter is vulnerable to a denial of service, caused by a signedness error. By sending specially-crafted packets to UDP port 16250, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-60153], [BID-41459], [SECUNIA-40465] |
16250 |
tcp |
applications |
not scanned |
Oracle Universal Content Management Inbound Refinery |
16261 |
tcp,udp |
applications |
not scanned |
Project Zomboid multiplayer. Additional sequential ports are used for each player connecting to the server |
16286 |
tcp,udp |
applications |
not scanned |
The License Manager (mathlm) for Mathematica 4.0 and 4.1 allows remote attackers to cause a denial of service (resource exhaustion) by connecting to port 16286 and not disconnecting, which prevents users from making license requests.
References: [CVE-2001-1057], [BID-3120] |
16322 |
tcp |
trojans |
Premium scan |
Backdoor.Lastdoor [Symantec-2002-090517-3251-99] (2002.09.04) - remote access trojan. Affects all current Windows versions. |
16379 |
tcp |
applications |
not scanned |
Redis Cluster bus |
16384 |
udp |
connected |
not scanned |
Apple iChat AV (Audio RTP, RTCP; Video RTP, RTCP) uses ports 16384-16403
Verizon VoiceWing uses ports 16384-16392 (TCP/UDP)
Iron Mountain Digital online backup
Connected Corp (TCP/UDP) (IANA official) |
16385 |
udp |
applications |
not scanned |
Apple FaceTime, Apple Game Center (RTP/RTCP) |
16385 |
tcp |
rdgs |
not scanned |
Reliable Datagram Sockets (IANA official) |
16386 |
udp |
applications |
not scanned |
Apple FaceTime, Apple Game Center (RTP/RTCP) |
16387 |
udp |
applications |
not scanned |
Apple Game Center (RTP/RTCP) |
16389 |
tcp |
applications |
not scanned |
A vulnerability was discovered in Siemens SIMATIC Logon (All versions before V1.6) that could allow specially crafted packets sent to the SIMATIC Logon Remote Access service on port 16389/tcp to cause a Denial-of-Service condition. The service restarts automatically.
References: [CVE-2017-9938], [BID-99539], [XFDB-128367] |
16392 |
tcp,udp |
applications |
not scanned |
Verizon VoiceWing uses ports 16384-16392 |
16393 |
udp |
applications |
not scanned |
Apple FaceTime (RTP/RTCP) uses ports 16393-16402 |
16402 |
udp |
applications |
not scanned |
Apple FaceTime (RTP/RTCP) uses ports 16393-16402 |
16403 |
udp |
applications |
not scanned |
Apple Game Center (RTP/RTCP) uses ports 16403-16472 |
16420 |
udp |
applications |
not scanned |
Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP)
Apple Game Center also uses this port |
16464 |
tcp |
trojan |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for its 32-bit and 64-bit versions; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
16465 |
tcp |
trojan |
not scanned |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for its 32-bit and 64-bit versions; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
16470 |
tcp |
zeroaccess |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for its 32-bit and 64-bit versions; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
16471 |
tcp |
trojan |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for its 32-bit and 64-bit versions; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
16484 |
tcp |
trojan |
not scanned |
Mosucker trojan |
16499 |
udp |
games |
not scanned |
Star Trek Armada II |
16514 |
tcp,udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
16515 |
tcp,udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |