| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 3162 |
tcp,udp |
sflm |
not scanned |
IANA registered for: SFLM |
| 3163 |
tcp |
games |
not scanned |
Tom Clancy's H.A.W.X., developer: Ubisoft Romania |
| 3168 |
udp |
netscaler |
not scanned |
Citrix NetScaler Gateway Plugin for VPN/XenApp/XenDesktop uses ports 3108, 3168, 3188 UDP for VPN tunnel with secure ICA connections. |
| 3169 |
tcp,udp |
serverview-as |
not scanned |
SERVERVIEW-AS |
| 3170 |
tcp,udp |
serverview-asn |
not scanned |
SERVERVIEW-ASN |
| 3171 |
tcp,udp |
serverview-gf |
not scanned |
SERVERVIEW-GF |
| 3172 |
tcp,udp |
serverview-rm |
not scanned |
SERVERVIEW-RM |
| 3181 |
tcp,udp |
bmcpatrolagent |
not scanned |
Format string vulnerability in BMC PATROL Agent before 3.7.30 allows remote attackers to execute arbitrary code via format string specifiers in an invalid version number to TCP port 3181, which are not properly handled when writing a log message.
References: [CVE-2008-5982], [BID-32692]
PatrolAgent.exe in BMC Performance Manager does not require authentication for requests to modify configuration files, which allows remote attackers to execute arbitrary code via a request on TCP port 3181 for modification of the masterAgentName and masterAgentStartLine SNMP parameters. NOTE: the vendor disputes this vulnerability, stating that it does not exist when the system is properly configured.
References: [CVE-2007-1972] [BID-23559]
Port also IANA registered for BMC Patrol Agent |
| 3182 |
tcp,udp |
bmcpatrolrnvu |
not scanned |
BMC Patrol Rendezvous |
| 3188 |
udp |
netscaler |
not scanned |
Citrix NetScaler Gateway Plugin for VPN/XenApp/XenDesktop uses ports 3108, 3168, 3188 UDP for VPN tunnel with secure ICA connections. |
| 3190 |
tcp,udp |
csvr-proxy |
not scanned |
ConServR Proxy |
| 3191 |
tcp,udp |
csvr-sslproxy |
not scanned |
ConServR SSL Proxy |
| 3195 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Whisper.B [Symantec-2005-011711-0033-99] (2005.01.17) - backdoor trojan. Connects to an IRC channel for remote access on port 3195/tcp.
IANA registered for: Network Control Unit |
| 3196 |
tcp,udp |
ncu-2 |
not scanned |
Network Control Unit |
| 3197 |
tcp,udp |
embrace-dp-s |
not scanned |
Embrace Device Protocol Server
MyDoom.B@mm trojan also uses this port (TCP). |
| 3198 |
tcp,udp |
embrace-dp-c |
not scanned |
Embrace Device Protocol Client
MyDoom.B@mm trojan also uses this port (TCP). |
| 3201 |
tcp,udp |
cpq-tasksmart |
not scanned |
Unspecified vulnerability in enserver.exe in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to read arbitrary files via crafted data on a "3200+SYSNR" TCP port, as demonstrated by port 3201. NOTE: this issue can be leveraged by local users to access a named pipe as the SAPServiceJ2E user.
References: [CVE-2006-5784] [SECUNIA-22677] [BID-20877]
CPQ-TaskSmart (IANA official) |
| 3203 |
tcp,udp |
netwatcher-mon |
not scanned |
Network Watcher Monitor |
| 3204 |
tcp,udp |
netwatcher-db |
not scanned |
Network Watcher DB Access |
| 3207 |
tcp,udp |
vx-auth-port |
not scanned |
Veritas Authentication Port
Symantec Veritas Storage Foundation is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the Veritas Enterprise Administrator (VEA) component in the Administrator Service (vxsvc.exe). By sending a specially-crafted packet to UDP port 3207, a remote attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM level privileges or cause the service to crash.
References: [CVE-2008-0638], [BID-25778] |
| 3214 |
tcp,udp |
jmq-daemon-1 |
not scanned |
JMQ Daemon Port 1 |
| 3215 |
tcp,udp |
jmq-daemon-2 |
not scanned |
Trojans using this port: XHX, BlackStar, Ghose
IANA registered for: JMQ Daemon Port 2 |
| 3219 |
tcp,udp |
wms-messenger |
not scanned |
WMS Messenger (IANA official) |
| 3220 |
tcp,udp |
xnm-ssl |
not scanned |
XML NM over SSL |
| 3221 |
tcp,udp |
xnm-clear-text |
not scanned |
XML NM over TCP |
| 3224-3324 |
udp |
citrix |
not scanned |
Citrix NetScaler Gateway XenDesktop–Virtual Desktop/XenApp Worker Server uses port range 3224-3324 UDP for access to applications and virtual desktops with Framehawk. |
| 3225 |
tcp,udp |
fcip-port |
not scanned |
FCIP (IANA official) [RFC 3821] |
| 3232 |
tcp |
trojans |
not scanned |
Backdoor.Slao [Symantec-2003-052610-2111-99] (2003.05.26) - a backdoor trojan horse that allows unauthorized access to an infected computer.
Port is also IANA registered for MDT [RFC6513] |
| 3233 |
tcp,udp |
whisker |
not scanned |
IANA registered for: WhiskerControl main port |
| 3234 |
tcp,udp |
applications |
not scanned |
Autodesk Backburner Manager is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Backburner Manager process. By sending specially crafted commands to the service port 3234, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2016-2344], [XFDB-111798] |
| 3235 |
tcp,udp |
mdap-port |
not scanned |
IANA registered for: MDAP port |
| 3240 |
tcp |
usbipd |
not scanned |
USBIPD (USB/IP Daemon) - allows for sharing USB-connected peripherals on a local network.
Trio Motion Control Port (IANA official) |
| 3250 |
udp |
hicp |
not scanned |
Vulnerability in NetBiter Config can be exploited to compromise a user's system. The vulnerability is caused due to a boundary error in NetbiterConfig.exe when processing device hostnames. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to UDP port 3250.
References: [CVE-2009-4462] [SECUNIA-37695]
IANA registered for HMS hicp port. |
| 3256 |
tcp |
trojans |
Premium scan |
W32.HLLW.Dax [Symantec-2002-091813-5520-99] (2002.09.18) - worm with remote access capabilities. Affects all current Windows versions.
port is also registered with IANA for: Compaq RPM Agent Port |
| 3260 |
tcp,udp |
iscsi-target |
not scanned |
iSCSI port (IANA official) [RFC 7143] |
| 3264 |
tcp |
trojans |
Premium scan |
Backdoor.Smother [Symantec-2003-092310-2135-99] (2003.09.23) - gives its creator complete access to your computer. By default, the trojan connects on port 3264 to a server whose address is hard coded in the trojan.
Port is also IANA registered for cc:mail/lotus |
| 3268 |
tcp,udp |
msft-gc |
not scanned |
LDAP connection to Global Catalog. LDAP servers typically use the following ports:
TCP 389 LDAP plain text
TCP 636 LDAP SSL connection
TCP 3268 LDAP connection to Global Catalog
TCP 3269 LDAP connection to Global Catalog over SSL
IANA registered for: Microsoft Global Catalog |
| 3269 |
tcp |
gc-ssl |
Members scan |
LDAP connection to Global Catalog over SSL. LDAP servers typically use the following ports:
TCP 389 LDAP plain text
TCP 636 LDAP SSL connection
TCP 3268 LDAP connection to Global Catalog
TCP 3269 LDAP connection to Global Catalog over SSL
Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc., it is active as of March 2022, and it is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443
IANA registered for: Microsoft Global Catalog |
| 3283 |
tcp,udp |
net-assistant |
not scanned |
Apple Remote Desktop, iChat
IANA registered for: Net Assistant |
| 3290 |
tcp,udp |
caps-lm |
not scanned |
Port 3290 (UDP) is used by VATSIM, the Virtual Air Traffic Simulation network for voice communication
IANA registered for: CAPS LOGISTICS TOOLKIT - LM |
| 3292 |
tcp |
trojan |
Premium scan |
Xposure |
| 3293 |
tcp,udp |
fg-fps |
not scanned |
fg-fps |
| 3294 |
tcp,udp |
fg-gip |
not scanned |
fg-gip |
| 3295 |
tcp |
trojan |
Premium scan |
Xposure |
| 3297 |
udp |
games |
not scanned |
F1 2002 |
| 3297 |
tcp |
games |
not scanned |
GTR FIA GT Racing Game uses ports 3297-3301 |
| 3299 |
tcp,udp |
pdrncs |
not scanned |
SAP-Router (routing application proxy for SAP R/3) uses port 3299 (TCP)
IANA registered for: pdrncs |
| 3300 |
tcp,udp |
sap-gw |
not scanned |
SAP Gateway Server, TripleA game server (applications), Debate Gopher backend database system
IANA registered for: Ceph monitor (TCP) |
| 3301 |
tcp,udp |
tarantool |
not scanned |
Unauthorized use by SAP R/3
GTR FIA GT Racing Game also uses port 3301 (TCP)
Tarantool in-memory computing platform (IANA official) |
| 3303 |
tcp,udp |
opsession-clnt |
not scanned |
OP Session Client |
| 3304 |
tcp,udp |
opsession-srvr |
not scanned |
OP Session Server |
| 3305 |
tcp,udp |
odette-ftp |
not scanned |
Odette File Transfer Protocol (OFTP) (IANA official) [RFC 5024] |
| 3306 |
tcp,udp |
mysql |
Members scan |
MySQL database server connections - http://www.mysql.com
Caesar IV game uses this port.
MySQL 5.5.8, when running on Windows, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted packet to TCP port 3306.
References: [CVE-2011-5049]
Open Dental 16.1 and earlier has a hardcoded MySQL root password, which allows remote attackers to obtain administrative access by leveraging access to intranet TCP port 3306 (note: the vendor disputes this issue).
See: [CVE-2016-6531]
A vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service.
References: [CVE-2023-5157]
Port also used by Nemog backdoor (discovered 2004.08.16) - a backdoor trojan horse that allows an infected computer to be used as an email relay and HTTP proxy, dropped by W32.Mydoom.Q@mm.
It can use one of the following ports: 3306,4242,4646,4661,6565,8080
Worms using this port: W32.Spybot.IVQ [Symantec-2005-012715-3315-99] |
| 3307 |
tcp |
virus |
not scanned |
W32.Dizan.C [Symantec-2007-032911-1053-99] (2007.03.29) - a virus that spreads by infecting executable files. It also opens a back door on the compromised computer.
Port is also IANA registered for OP Session Proxy |
| 3308 |
tcp,udp |
tns-server |
not scanned |
TNS Server |
| 3309 |
tcp,udp |
tns-adv |
not scanned |
TNS ADV |
| 3310 |
tcp |
worm |
Premium scan |
W32.Ranetif [Symantec-2007-122817-3923-99] (2007.12.28) - a worm that opens a back door and infects files.
ClamAV - Clamwin Daemon default listening port
Port is also IANA registered for Dyna Access |
| 3311 |
tcp |
worm |
not scanned |
W32.Ranetif [Symantec-2007-122817-3923-99] (2007.12.28) - a worm that opens a back door and infects files.
Port is also IANA registered for MCNS Tel Ret |
| 3313 |
tcp,udp |
uorb |
not scanned |
Verisys file integrity monitoring software uses port 3313 (TCP)
Port is IANA registered for Unify Object Broker |
| 3314 |
tcp,udp |
uohost |
not scanned |
Port is IANA registered for Unify Object Host |
| 3330 |
tcp,udp |
mcs-calypsoicf |
not scanned |
MCS Calypso ICF |
| 3331 |
tcp,udp |
mcs-messaging |
not scanned |
MCS Messaging |
| 3332 |
tcp |
trojans |
Premium scan |
Port is registered with IANA for: MCS Mail Server
Some trojans that use this port:
Q0 BackDoor trojan
W32.Cycle [Symantec-2004-051015-4731-99] (2004.05.10). Exploits a MS vulnerability on port 445, Listens on ports 3332/tcp and 69/udp. |
| 3333 |
tcp |
trojans |
Premium scan |
Network Caller ID server, CruiseControl.rb, OpenOCD (gdbserver)
ATC Rainbow Six Lockdown (TCP/UDP), developer: Foolish Entertainment
W32.Bratle.A [Symantec-2005-073116-3607-99] (2005.07.31) - worm that exploits the MS Windows LSASS Buffer Overrun vulnerability ([MS04-011]). Opens a FTP server on port 3333/tcp.
Backdoor.Slao [Symantec-2003-052610-2111-99] (2003.05.26) - a backdoor trojan horse that allows unauthorized access to an infected computer.
Daodan trojan
Backdoor.Win32.Hanuman.b / Unauthenticated Remote Command Execution - the malware listens on TCP port 3333. Third-party attackers who can reach an infected system can run any OS commands hijacking the compromised host.
References: [MVID-2022-0467] |
| 3333 |
udp |
dec-notes |
not scanned |
Wireshark (formerly Ethereal) is vulnerable to a buffer overflow, caused by improper bounds checking by the dissect_enttec_dmx_data() function when processing DMX data within ENTTEC packets. By sending a specially-crafted packet to UDP port 3333, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2010-4538], [XFDB-64450], [BID-45634], [EDB-15898]
Horos could allow a remote attacker to traverse directories on the system, caused by the failure to restrict unwanted access. An attacker could send a specially-crafted URL request to the port 3333 containing "dot dot dot" sequences (/.../) in the URL to view arbitrary files on the system.
References: [XFDB-119862]
IANA registered for: DEC Notes (TCP/UDP) |
| 3334 |
tcp |
pvfs2 |
Premium scan |
Parallel Virtual File System Version 2 (PVFS2) - http://www.pvfs.org
IANA registered for: Direct TV Webcasting |
| 3335 |
tcp,udp |
directv-soft |
not scanned |
Direct TV Software Updates |
| 3336 |
tcp,udp |
directv-tick |
not scanned |
Direct TV Tickers |
| 3338 |
tcp,udp |
anet-b |
not scanned |
OMF data b |
| 3339 |
tcp,udp |
anet-l |
not scanned |
OMF data l |
| 3340 |
tcp,udp |
anet-m |
not scanned |
OMF data m |
| 3341 |
tcp,udp |
anet-h |
not scanned |
OMF data h |
| 3344 |
tcp |
trojans |
Premium scan |
Repetier-Server (TCP/UDP)
W32.Mytob.GP@mm [Symantec-2005-063017-0607-99] (2005.06.30) - mass mailing worm that opens a backdoor on the compromised computer. Contacts IRC servers and listens for remote commands on port 3344/tcp. |
| 3347 |
tcp,udp |
phoenix-rpc |
not scanned |
Backdoor.Win32.Controlit.10 / Unauthenticated Remote Command Execution - the malware listens on TCP port 3347. Third-party attackers who can reach an infected system can run any OS commands made available by the malware further compromising the host.
References: [MVID-2022-0449]
Phoenix RPC (IANA official) |
| 3350 |
tcp,udp |
findviatv |
not scanned |
The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.
References: [CVE-2020-4044], [XFDB-184344]
FINDVIATV (IANA registered) |
| 3351 |
tcp |
trojans |
Members scan |
W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS LSASS Buffer Overrun Vulnerability ([MS04-011]). Opens backdoors on ports 3351/tcp and 8190/tcp. |
| 3355 |
tcp |
trojans |
Members scan |
Backdoor.Hogle [Symantec-2003-102817-2820-99] (2003.10.28) - a proxy SMTP server that may be used as an anonymous spam relay. It also listens on TCP port 3355 for incoming connections.
Port is IANA registered for: Ordinox Dbase |
| 3356 |
tcp,udp |
upnotifyps |
not scanned |
UPNOTIFYPS |
| 3360 |
tcp,udp |
kv-server |
not scanned |
KV Server |
| 3361 |
tcp,udp |
kv-agent |
not scanned |
KV Agent |
| 3363 |
tcp |
fmod |
not scanned |
FMOD Studio terminal connections use port 3363/TCP |
| 3372 |
tcp |
msdtc |
Members scan |
MS DTC (Microsoft Distributed Transaction Coordinator) is a Microsoft transaction processing technology. The service is installed by default in Windows 2000 and can be used by MS SQL Server and Microsoft Message Queue Server (MSMQ).
The port is vulnerable to potential DDoS attacks. A remote user may be able to crash the MS DTC service by sending 1024 bytes of random data on TCP port 3372.
If you do not need MS DTC you can set your firewall to block access to port 3372. It is possible for MS DTS to use other ports so you might need to also set your firewall to block any activity by the MS DTS service. |
| 3385 |
tcp |
trojans |
Premium scan |
W32.Mytob.KP@mm [Symantec-2005-101410-3314-99] (2005.10.14) - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands by connecting to an IRC server on the rax.oucihax.info domain on port 3385/tcp. |
| 3386 |
tcp |
gprs-data |
not scanned |
GTP' 3GPP GSM/UMTS CDR logging protocol uses port 3386 (TCP/UDP)
IANA registered for: GPRS Data |
| 3386 |
udp |
gprs-sig |
not scanned |
IANA registered for: GPRS SIG |
| 3388 |
tcp |
trojans |
Premium scan |
Trojan.Mitglieder.S [Symantec-2005-122217-5921-99] (2005.12.22) - trojan that opens a backdoor and runs a proxy server. The trojan can periodically connect to remote websites and send gathered information from the compromised computer. Opens a backdoor, acts as a SOCKS 4 proxy, and listens for remote commands on port 3388/tcp.
Trojan-Dropper.Win32.Googite.b / Unauthenticated Remote Command Execution - the malware listens on TCP ports 3388, 4488 and 10002 and drops executables under both Windows and SysWOW64 dirs. Third-party attackers who can reach infected systems can connect to port 10002 and run commands made available by the backdoor to retrieve information etc.
References: [MVID-2021-0254] |
| 3389 |
tcp |
rdp |
Basic scan |
Port is IANA registered for Microsoft WBT Server, used for Windows Remote Desktop and Remote Assistance connections (RDP - Remote Desktop Protocol). Also used by Windows Terminal Server.
See also: MS Security Bulletin [MS02-051] and [MS01-040].
Trojans using this port: Backdoor.Win32.Agent.cdm [Symantec-2005-050114-4234-99], TSPY_AGENT.ADDQ
This port is vulnerable to Denial of Service Attack Against Windows NT Terminal Server. A remote attacker can quickly cause a server to reach full memory utilization by creating a large number of normal TCP connections to port 3389. Individual connections will timeout, but a low bandwidth
continuous attack will maintain a terminal server at maximum memory utilization and prevent new connections from a legitimate source from taking place. Legitimate new connections will fail at this point with an error of either a connection timeout, or the terminal server has ended the connection.
References: [CVE-1999-0680]
A vulnerability exists in the Remote Desktop Protocol (RDP), where an attacker could send a specially crafted sequence of packets to TCP port 3389 which can result in RDP to accessing an object in memory after it has been deleted.
References: [CVE-2012-2526]
Zmodo Geovision also uses port 3389 (TCP/UDP) |
| 3390 |
tcp |
trojans |
Members scan |
Backdoor.Dawcun [Symantec-2010-040116-0914-99] (2010.04.01) - a trojan horse that steals confidential information and opens a back door on the compromised computer. It opens a back door by connecting to a remote server on TCP ports 2266 and 3390 to send the confidential information and to download, decrypt and then start the updated rootkit driver.
Hitachi IP5000 VOIP WIFI Phone 1.5.6 does not allow the user to disable access to (1) SNMP or (2) TCP port 3390, which allows remote attackers to modify configuration using [CVE-2005-3722], or access the Unidata Shell to obtain sensitive information or cause a denial of service.
References: [CVE-2005-3723] [SECUNIA-17628]
Port is also IANA registered for Distributed Service Coordinator |
| 3393 |
tcp,udp |
d2k-tapestry1 |
not scanned |
D2K Tapestry Client to Server |
| 3394 |
tcp,udp |
d2k-tapestry2 |
not scanned |
D2K Tapestry Server to Server |
| 3396 |
tcp,udp |
printer-agent |
not scanned |
IANA registered for: Printer Agent |
| 3397 |
tcp |
games |
not scanned |
GTR FIA GT Racing Game |
| 3398 |
tcp |
trojans |
Premium scan |
PWSteal.Bancos.AA [Symantec-2005-080314-0053-99] (2005.08.03) - a trojan that steals passwords and logs keystrokes (mainly entered into a number of e-comerce and banking websites). The trojan runs a proxy server on port 3398/tcp. It also emails information from the compromised computer using its own SMTP server. |
| 3399 |
tcp,udp |
csms |
not scanned |
SAP EPS (applications)
IANA registered for: CSMS |
| 3400 |
tcp,udp |
csms2 |
not scanned |
CSMS2 |
| 3405 |
tcp,udp |
nokia-ann-ch1 |
not scanned |
Nokia Announcement ch 1 |
| 3406 |
tcp,udp |
nokia-ann-ch2 |
not scanned |
Nokia Announcement ch 2 |
| 3409 |
tcp,udp |
networklens |
not scanned |
NetworkLens Event Port |
| 3410 |
tcp |
trojans |
Members scan |
W32.mockbot.a.worm [Symantec-2004-022608-5242-99], Backdoor.Optixpro [Symantec-2004-012117-4011-99] - remote access trojan.
This port is also registered for NetworkLens SSL Event |
| 3412 |
tcp,udp |
xmlblaster |
not scanned |
IANA registered for: xmlBlaster |
