Port(s) |
Protocol |
Service |
Scan level |
Description |
5591 |
tcp |
applications |
not scanned |
IANA registered for: Tidal Enterprise Scheduler master-Socket. It is used for Agent-to-Master communication, though the port can be changed. |
5598 |
tcp |
trojan |
Premium scan |
BackDoor 2.03 |
5599 |
tcp |
applications |
not scanned |
Ant Media Server is live streaming engine software. A local privilege escalation vulnerability present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media Server running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP. This vulnerability is nearly identical to the local privilege escalation vulnerability CVE-2023-26269 identified in Apache James. Any unprivileged operating system user can connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. This allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the `antmedia` service account on the system. Version 2.9.0 contains a patch for the issue. As a workaround, one may remove certain parameters from the 'antmedia.service' file.
References: [CVE-2024-32656] |
5600 |
tcp |
esmmanager |
Members scan |
X-ztoo, also known as [X]-ztoo 1.0, Backdoor.VB.gen and Backdoor.VB.nr, is a backdoor Trojan affecting Microsoft Windows operating systems. The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 5600, to allow the client system to connect. X-ztoo could allow a remote attacker to gain unauthorized access to the system.
Reference: [XFDB-19662]
The DMCRUIS/0.1 web server on the Samsung PS50C7700 TV allows remote attackers to cause a denial of service (daemon crash) via a long URI to TCP port 5600.
References: [CVE-2013-4890] [XFDB-85904] [BID-61391]
Port is also IANA registered for: Enterprise Security Manager (tcp/udp) |
5601 |
tcp,udp |
esmagent |
not scanned |
Kibana (TCP)
Enterprise Security Agent (IANA official) |
5610 |
tcp,udp |
applications |
not scanned |
GeoVision Vital Sign Monitor |
5618 |
tcp |
efr |
not scanned |
IANA registered for: Fiscal Registering Protocol |
5631 |
udp |
pc-anywhere |
Members scan |
PC-Anywhere sends a UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one.
If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block.
Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631.
References: [CVE-1999-1028]
IANA registered for: pcANYWHEREdata (TCP/UDP) |
5631 |
tcp |
applications |
not scanned |
The awhost32 service in Symantec pcAnywhere through 12.5.3, Altiris IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), Altiris Client Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), and Altiris Deployment Solution Remote pcAnywhere Solution 7.1 (aka 12.5.x and 12.6.x) allows remote attackers to cause a denial of service (daemon crash) via a crafted TCP session on port 5631.
References: [CVE-2012-0292] [BID-52094]
The host-services component in Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and authentication data, which allows remote attackers to execute arbitrary code via a crafted session on TCP port 5631.
References: [CVE-2011-3478] [BID-51592] |
5632 |
udp |
pc-anywhere |
Members scan |
PC-Anywhere sends a UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one.
If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block.
IANA registered for: pcANYWHEREstat (TCP/UDP) |
5633 |
tcp |
applications |
not scanned |
The Job Engine (bengine.exe) service in Symantec Backup Exec for Windows Servers (BEWS) 11d allows remote attackers to cause a denial of service (CPU and memory consumption, NULL dereference and service crash) via a crafted packet to port 5633/tcp, triggering an infinite loop.
References:
[CVE-2007-4346] [SECUNIA-26975]
[CVE-2007-4347] [BID-26029]
BE Operations Request Listener (IANA official) |
5636 |
tcp |
trojan |
Premium scan |
PC Crasher trojan |
5637 |
tcp |
trojan |
Premium scan |
PC Crasher trojan
IANA registered for: Symantec CSSC |
5638 |
tcp |
trojan |
Premium scan |
PC Crasher trojan
Symantec Fingerprint Lookup and Container Reference Service [Symantec Corp] (IANA official) |
5639 |
tcp |
ics |
not scanned |
Symantec Integrity Checking Service [Symantec Corp] (IANA official) |
5645 |
tcp,udp |
applications |
not scanned |
Voyager Server
Malicious services using this port: IRC-based Botnet |
5646 |
tcp |
vfmobile |
not scanned |
Ventureforth Mobile [Ventureforth Inc] (IANA official) |
5650 |
tcp |
trojan |
Premium scan |
Pizza trojan |
5652 |
tcp |
trojans |
Members scan |
W32.Fanbot.A@mm [Symantec-2005-101715-5745-99] (2005.10.17) - a mass-mailing worm that lowers security settings on the compromised computer. It can also spread through P2P networks and by exploiting the MS Plug and Play Buffer Overflow vulnerability described in [MS05-039]. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 5652/tcp. |
5655 |
tcp,udp |
applications |
not scanned |
Astium PBX is vulnerable to a denial of service, caused by improper bounds checking by the astiumd service. By sending an overly long string to port 5655, a remote attacker could exploit this vulnerability to overflow a buffer and cause the device to crash and restart.
References: [XFDB-80895], [BID-57095], [EDB-23830] |
5656 |
tcp |
applications |
not scanned |
MOHAA Reverend
IBM Lotus Sametime p2p file transfer |
5657 |
tcp |
applications |
not scanned |
MOHAA Reverend |
5657 |
udp |
palcom-disc |
not scanned |
Port is IANA assigned for PalCom Discovery. |
5658 |
tcp |
applications |
not scanned |
MOHAA Reverend |
5665 |
tcp |
applications |
not scanned |
MOHAA Reverend |
5666 |
tcp |
applications |
Premium scan |
MOHAA Reverend, Nagios NRPE
PC Crasher trojan also uses this port.
SuperDoctor5 - 'NRPE' Remote Code Execution
References: [EDB-47030]
Nagios Remote Plugin Executor (IANA official) |
5667 |
tcp |
applications |
not scanned |
NSCA (Nagios), MOHAA Reverend |
5669 |
tcp |
trojan |
Premium scan |
SpArTa trojan |
5670 |
tcp |
filemq |
not scanned |
Active Worlds
ZeroMQ file publish-subscribe protocol [ZeroMQ.org] (IANA official) |
5670 |
udp |
zre-disc |
not scanned |
Local area discovery and messaging over ZeroMQ (IANA official) |
5671 |
tcp,udp |
amqps |
not scanned |
AMQP protocol over TLS/SSL
SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EPMD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP
Dell EMC NetWorker versions 19.1.x, 19.1.0.x, 19.1.1.x, 19.2.x, 19.2.0.x, 19.2.1.x, 19.3.x, 19.3.0.x, 19.4.x, 19.4.0.x, 19.5.x, 19.5.0.x, 19.6, 19.6.0.1 and 19.6.0.2 contain an Improper Validation of Certificate with Host Mismatch vulnerability in RabbitMQ port 5671 which could allow remote attackers to spoof certificates.
References: [CVE-2022-29082] |
5672 |
tcp,udp,sctp |
amqp |
not scanned |
MOHAA Reverend
SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EPMD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP
Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practice, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server.
References: [CVE-2021-43799]
Advanced Message Queueing Protocol, see http://www.amqp.org (IANA official) |
5674 |
|
hyperscsi-port |
not scanned |
HyperSCSI Port [Data Storage Institut] (IANA official) |
5675 |
tcp,udp,sctp |
v5ua |
not scanned |
V5UA application port (IANA official) [RFC 3807] |
5678 |
tcp,udp |
rrac |
Basic scan |
Port used by Linksys (and other) Cable/DSL Routers Remote Administration. Also used by MikroTik Neighbor Discovery protocol and n8n.
Vulnerable systems: Linksys Cable/DSL version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
Immune systems: Linksys Cable/DSL versions prior to 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
SNATMAP server also uses this port to ensure that connections between iChat users can properly function behind network address translation (NAT).
Buffer overflow in the Nortel UNIStim IP Softphone 2050 allows remote attackers to cause a denial of service (application abort) and possibly execute arbitrary code via a flood of invalid characters to the RTCP port (5678/udp) that triggers a Windows error message, a.k.a. "extraneous messaging."
References: [CVE-2007-5636] [BID-26118]
WellinTech KingHistorian 3.0 allows remote attackers to execute arbitrary code or cause a denial of service (invalid pointer write) via a crafted packet to TCP port 5678.
References: [CVE-2012-2559]
Linksys EtherFast Cable/DSL BEFSR11, BEFSR41 and BEFSRU31 with the firmware 1.42.7 upgrade installed opens TCP port 5678 for remote administration even when the "Block WAN" and "Remote Admin" options are disabled, which allows remote attackers to gain access.
References: [CVE-2002-2159] [BID-4987]
A vulnerability has been identified in SIMATIC WinCC OA V3.14 and prior (All versions < V3.14-P021). Improper access control to a data point of the affected product could allow an unauthenticated remote user to escalate its privileges in the context of SIMATIC WinCC OA V3.14. This vulnerability could be exploited by an attacker with network access to port 5678/TCP of the SIMATIC WinCC OA V3.14 server. Successful exploitation requires no user privileges and no user interaction. This vulnerability could allow an attacker to compromise integrity and availability of the SIMATIC WinCC OA system. At the time of advisory publication no public exploitation of this vulnerability was known.
References: [CVE-2018-13799], [BID-105332] |
5679 |
tcp |
trojan |
Premium scan |
Nautical trojan
The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through 0.10.0 in SynCE (SynCE-dccm) allows remote attackers to execute arbitrary commands via shell metacharacters in a certain string to TCP port 5679.
References: [CVE-2008-1136], [BID-27178]
Port also IANA registered for Direct Cable Connect Manager. |
5682 |
udp |
brightcore |
not scanned |
BrightCore control & data transfer exchange |
5683 |
udp |
coap |
not scanned |
Constrained Application Protocol (IANA official) [RFC 7252] |
5684 |
udp |
coaps |
not scanned |
DTLS-secured CoAP (IANA official) [RFC 7252] |
5693 |
tcp |
rbsystem |
not scanned |
Backdoor.WinMap [Symantec-2004-010512-2847-99] (2000.06.19) - a backdoor trojan horse that opens a port on the system and allows incoming connections. This can provide an attacker full control over the system.
Nagios Cross Platform Agent (NCPA) also uses this port.
IANA registered for: Robert Bosch Data Transfer. |
5695 |
tcp |
trojan |
Members scan |
Backdoor.Assasin.D trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker. |
5696 |
tcp |
trojan |
Premium scan |
Assasin trojan
IANA assigned for: Key Management Interoperability Protocol |
5697 |
tcp |
trojan |
Premium scan |
Assasin trojan |
5698 |
tcp |
trojan |
Premium scan |
BackDoor.203 trojan |
5700 |
tcp,udp |
applications |
not scanned |
Camstreams
Unspecified vulnerability in the Audit Vault component in Oracle Audit Vault 10.2.3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue is related to a crafted parameter in an action.execute request to the av component on TCP port 5700.
References: [CVE-2010-4449] [BID-45844] [SECUNIA-42919] [OSVDB-70583]
IANA registered for: Dell SupportAssist data center management (TCP) |
5701 |
tcp |
applications |
not scanned |
Open-Xchange AppSuite could provide weaker than expected security, caused by the use of a Hazelcast-based cluster API implementation at the backend with a default configuration that listens on all network interfaces at TCP port 5701. By sending a specially-crafted request to connect a malicious server, a remote attacker could exploit this vulnerability to modify configuration, scan internal hosts or proxy Internet traffic and gain unauthorized access to devices on the internal network.
References: [CVE-2013-5200], [XFDB-86975] |
5705 |
tcp |
storageos |
not scanned |
IANA registered for: StorageOS REST API |
5714 |
tcp |
trojan |
Premium scan |
WinCrash [Symantec-2000-121909-3241-99], WinCrash 3 (TCP) |
5720 |
tcp,udp |
applications |
not scanned |
Jumi Controller |
5721 |
tcp,udp |
dtpt |
not scanned |
Kaseya
IANA registered for: Desktop Passthru Service |
5722 |
tcp |
applications |
not scanned |
DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 for 2 minutes after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port during the time window.
References: [CVE-2007-1534], [OSVDB-33668]
Port is also IANA registered for Microsoft DFS Replication Service |
5723 |
tcp,udp |
omhs |
not scanned |
IConnectHere
IANA registered for: Operations Manager - Health Service |
5727 |
tcp |
asgenf |
not scanned |
ASG Event Notification Framework |
5728 |
tcp |
io-dist-data |
not scanned |
Dist. I/O Comm. Service Data and Control |
5728 |
udp |
io-dist-group |
not scanned |
Dist. I/O Comm. Service Group Membership |
5730 |
tcp,udp |
games |
not scanned |
Metal Gear Solid 3 Subsistence |
5732 |
tcp |
worm |
Members scan |
W32.Bolgi.Worm [Symantec-2003-112019-2425-99] (2003.11.20) - a network aware worm that propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability using TCP port 445 |
5737 |
udp |
applications |
not scanned |
eDonkey |
5741 |
tcp |
trojan |
Premium scan |
WinCrash [Symantec-2000-121909-3241-99], WinCrash 3 (TCP)
IDA Discover Port 1 (TCP/UDP) [MPITech Support] (IANA official) |
5742 |
tcp |
trojan |
Premium scan |
WinCrash [Symantec-2000-121909-3241-99] trojan. Aliases: BackDoor.M, Backdoor.Wincrash, W95/Backdoor.WinCrash
Turkojan also uses port 5742 (TCP/UDP).
IDA Discover Port 2 (TCP/UDP) [MPITech Support] (IANA official) |
5743 |
tcp,udp |
applications |
not scanned |
Turkojan |
5744 |
tcp,udp |
applications |
not scanned |
Turkojan |
5745 |
tcp,udp |
applications |
not scanned |
Turkojan |
5748 |
tcp |
trojans |
Premium scan |
Backdoor.Ranky.B [Symantec-2003-091917-5557-99] (2003.09.17) - a trojan horse that runs as a proxy server. By default, the trojan opens port 5748.
Port is also IANA registered for Wildbits Tunalyzer |
5753 |
tcp |
cognex |
not scanned |
Cognex In-Sight (IANA official) uses these ports:
68 udp - DHCP In-Sight vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure |
5760 |
tcp |
trojan |
Premium scan |
Portmap Remote Root Linux Exploit
eShare Chat Server also uses this port. |
5761 |
tcp,udp |
applications |
not scanned |
eShare Web Tour |
5764 |
tcp,udp |
applications |
not scanned |
eShare Admin Server |
5777 |
tcp,udp |
games |
not scanned |
Rainbow Six 3: Raven Shield, developer: Ubisoft Montreal
Control commands and responses (IANA official) |
5778 |
tcp,udp |
games |
not scanned |
Rainbow Six 3: Raven Shield, developer: Ubisoft Montreal |
5780 |
tcp |
vts-rpc |
not scanned |
Visual Tag System RPC |
5784 |
udp |
ibar |
not scanned |
Cisco Interbox Application Redundancy |
5786 |
udp |
worm |
not scanned |
W32.Wergimog.B [Symantec-2012-051704-2659-99] (2012.05.16) - a worm that attempts to spread through removable drives. It also opens a back door and may steal information from the compromised computer.
Port is also used by Cisco Redundancy notification |
5787 |
udp |
waascluster |
not scanned |
IANA registered for: Cisco WAAS Cluster Protocol |
5794 |
udp |
spdp |
not scanned |
Simple Peered Discovery Protocol |
5798 |
tcp |
enlabel-dpl |
not scanned |
Proprietary Website deployment service (IANA official) |
5799 |
tcp,udp |
applications |
not scanned |
ECC Server |
5800 |
tcp |
vnc |
Members scan |
VNC (Virtual Network Computing) - remote control programs, typically also use ports 5800+ and 5900+ for additional machines.
Backdoor.Evivinc [Symantec-2004-042518-0520-99] trojan also uses this port. |
5802 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan |
5810 |
tcp |
trojan |
Premium scan |
Y3K RAT |
5814 |
tcp,udp |
spt-automation |
not scanned |
HPE AutoPass License Server could allow a remote attacker to bypass security restrictions, caused by a specific flaw that exists within the web service, which listens on TCP port 5814 by default. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions to perform higher privileged actions.
References: [CVE-2024-51767], [XFDB-390530]
Support Automation (IANA official) |
5820 |
tcp |
autopassdaemon |
not scanned |
AutoPass licensing (IANA official) |
5823 |
tcp |
malware |
not scanned |
Trojan-Proxy.Win32.Daemonize.i / Remote Denial of Service - Daemonize.i listens on TCP port 5823; sending some junk packets to the trojan results in an invalid pointer read, leading to an access violation and crash.
References: [MVID-2021-0102] |
5827 |
tcp,udp |
games |
not scanned |
World Championship Snooker |
5842 |
tcp |
reversion |
not scanned |
Key Management Interoperability Protocol
Reversion Backup/Restore [Cameo Systems Inc] (IANA official) |
5843 |
tcp,udp |
applications |
not scanned |
IIS Admin Service |
5850 |
tcp |
applications |
not scanned |
COMIT SE (PCR) |
5852 |
tcp |
applications |
not scanned |
Adeona client: communications to OpenDHT |
5858 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan
inSpeak Communicator also uses this port.
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
References: [CVE-2018-12120], [BID-106040] |
5859 |
tcp,udp |
wherehoo |
not scanned |
Backdoor.Win32.Armagedon.R / Hardcoded Cleartext Credentials - the malware listens on TCP port 5859 and requires authentication. The password "KOrUPtIzEre" is stored in cleartext within the PE file at offset 0x4635f. Connecting to the backdoor returns the value "1", after which the password is entered.
References: [MVID-2024-0670]
WHEREHOO (IANA official) |
5864 |
tcp,udp |
applications |
not scanned |
BiblioFile |
5868 |
tcp,sctp |
diameters |
not scanned |
Diameter over TLS/TCP [IESG] (IANA official) [RFC 6733] |
5873 |
tcp |
trojan |
Premium scan |
SubSeven 2.2 trojan |
5880 |
tcp |
trojan |
Members scan |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. |
5881 |
udp |
trojan |
not scanned |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. May also use port 5881/UDP |
5882 |
tcp |
trojan |
Members scan |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. |
5883 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan
IANA registered for: Javascript Unit Test Environment |
5884 |
tcp |
trojan |
Members scan |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. |
5885 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan
The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacturer account that has a hardcoded username / password. Once the device is set to DEBUG mode, an attacker can connect to the device using the telnet protocol and log into the device with the 'abarco' hardcoded manufacturer account. This account is not documented, nor is the DEBUG feature or the use of telnetd on port tcp/5885.
References: [CVE-2017-6351], [BID-96588], [XFDB-122553] |
5886 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan |