
Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
Port(s) |
Protocol |
Service |
Scan level |
Description |
7831 |
tcp |
applications |
not scanned |
Default used by Smartlaunch Internet Cafe Administration software |
7844 |
tcp |
cloudflared |
Premium scan |
Cloudflare Argo Tunnel - connects a web server to the Cloudflare network via HTTP2 over a TLS encrypted tunnel. |
7845 |
tcp,udp |
applications |
not scanned |
ZNES
APC 7845 [American Power Conversion] (IANA official) |
7846 |
tcp,udp |
apc-7846 |
not scanned |
APC 7846 [American Power Conversion] (IANA official) |
7847 |
tcp |
csoauth |
not scanned |
IANA registered for: A product key authentication protocol made by CSO |
7850 |
tcp |
trojan |
Premium scan |
Paltalk trojan |
7869 |
tcp |
mobileanalyzer |
not scanned |
MobileAnalyzer & MobileMonitor |
7870 |
tcp |
applications |
not scanned |
The Cisco ATA 187 Analog Telephone Adaptor with firmware 9.2.1.0 and 9.2.3.1 before ES build 4 does not properly implement access control, which allows remote attackers to execute operating-system commands via vectors involving a session on TCP port 7870, aka Bug ID CSCtz67038.
References: [CVE-2013-1111]
The Cisco Unified SIP Phone 3905 with firmware before 9.4(1) allows remote attackers to obtain root access via a session on the test interface on TCP port 7870, aka Bug ID CSCuh75574.
References: [CVE-2014-0721]
Riverbed Steelhead Mobile Service (IANA official) |
7871 |
udp |
trojans |
Members scan |
Trojan.Peacomm [Symantec-2007-011917-1403-99] (2007.01.19) - trojan horse that drops a system driver which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique. Once infected, it opens a backdoor to download other malicious programs. Uses UDP ports 4000, 7871, 11271. |
7871 |
tcp |
mdm |
not scanned |
IANA registered for: Mobile Device Management |
7872 |
udp |
mipv6tls |
not scanned |
TLS-based Mobile IPv6 Security [IESG] [RFC 6618] (IANA official) |
7875 |
tcp |
games |
not scanned |
Ultima |
7878 |
tcp |
trojan |
Premium scan |
Paltalk trojan
IANA registered for: Opswise Message Service |
7879 |
tcp |
trojan |
Premium scan |
Paltalk trojan |
7880 |
tcp,udp |
pss |
not scanned |
PowerSchool Gradebook Server
IANA registered for: Pearson |
7887 |
tcp |
trojan |
Premium scan |
SmallFun trojan |
7888 |
tcp,udp |
dogtag |
not scanned |
Dogtag Certificate System authority uses port 9080 (ca) and port 9443 (secure ca) by default.
Dogtag Certificate PKI Subsystems may also use:
DRM - ports 10080 (drm) and 10443 (drm secure)
OCSP - ports 11080 (ocsp) and 11443 (ocsp secure)
RA - ports 12888 (ra) and 12889 (ra secure)
TKS - ports 13080 (tks) and 13443 (tks secure)
TPS - ports 7888 (tps) and 7889 (tps secure) |
7889 |
tcp,udp |
dogtag |
not scanned |
Dogtag Certificate System authority uses port 9080 (ca) and port 9443 (secure ca) by default.
Dogtag Certificate PKI Subsystems may also use:
DRM - ports 10080 (drm) and 10443 (drm secure)
OCSP - ports 11080 (ocsp) and 11443 (ocsp secure)
RA - ports 12888 (ra) and 12889 (ra secure)
TKS - ports 13080 (tks) and 13443 (tks secure)
TPS - ports 7888 (tps) and 7889 (tps secure) |
7890 |
tcp |
applications |
not scanned |
Default that will be used by the iControl Internet Cafe Suite Administration software |
7891 |
tcp |
trojan |
Premium scan |
The ReVeNgEr trojan |
7896 |
tcp |
trojans |
Premium scan |
Backdoor.Futh [Symantec-2004-072811-5911-99] (2004.07.28) - a backdoor trojan that allows unauthorized remote access. By default, Backdoor.Futh listens on TCP ports 7896 and 7897. |
7897 |
tcp |
trojans |
Premium scan |
Backdoor.Futh [Symantec-2004-072811-5911-99] (2004.07.28) - a backdoor trojan that allows unauthorized remote access. By default, Backdoor.Futh listens on TCP ports 7896 and 7897. |
7912 |
tcp |
applications |
not scanned |
GramAddict through 1.2.3 allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, e.g., by being on the same Wi-Fi network.
References: [CVE-2020-36245] |
7915 |
tcp |
applications |
not scanned |
Default for YSFlight server |
7919 |
tcp,udp |
applications |
not scanned |
ZIV Automation 4CCT-EA6-334126BF firmware version 3.23.80.27.36371, allows an unauthenticated, remote attacker to cause a denial of service condition on the device. An attacker could exploit this vulnerability by sending specific packets to the port 7919.
References: [CVE-2021-25909] |
7935 |
tcp |
adobe |
not scanned |
Fixed port used for Adobe Flash Debug Player to communicate with a debugger (Flash IDE, Flex Builder or fdb). |
7936 |
tcp |
malware |
not scanned |
Backdoor.Win32.Mazben.me / Unauthenticated Open Proxy - the malware listens on random TCP ports like 3515, 7936, 3972. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0302] |
7937 |
tcp,udp |
applications |
not scanned |
EMC2 (Legato) Networker or Sun Solstice Backup |
7946 |
tcp,udp |
applications |
not scanned |
Docker Swarm communication among nodes
Brocade SANnav before v2.3.0a lacks protection mechanisms on port 2377/TCP and 7946/TCP, which could allow an unauthenticated attacker to sniff the SANnav Docker information.
References: [CVE-2024-4159] |
7955 |
tcp |
trojan |
Premium scan |
W32.kibuv.b trojan
Net-Worm.Win32.Kibuv.c / Authentication Bypass - the malware listens on TCP port 7955. Third-party adversaries who can reach infected systems can log on using any username/password combination.
References: [MVID-2022-0563] |
7962 |
tcp,udp |
generalsync |
not scanned |
general-purpose synchronization protocol (IANA official) |
7968 |
tcp,udp |
applications |
not scanned |
Odyssey |
7979 |
tcp |
trojan |
Premium scan |
VagrNocker trojan [Symantec-2003-011011-5532-99]
inSpeak Communicator also uses this port. |
7981 |
tcp |
sossd-collect |
not scanned |
Spotlight on SQL Server Desktop Collect |
7982 |
tcp |
sossd-agent |
not scanned |
Spotlight on SQL Server Desktop Agent |
7982 |
udp |
sossd-disc |
not scanned |
Spotlight on SQL Server Desktop Agent Discovery |
7983 |
tcp |
trojan |
Premium scan |
Mstream trojan
A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows an attacker on the adjacent network to arbitrarily browse and download sensitive files over an insecure web server running on port 7989 that lists all files & directories. An unprivileged remote attacker on the adjacent network, can download most system files, leading to serious critical information disclosure. Also, some TV models and/or FW versions may expose the webserver with the entire filesystem accessible on another port. For example, nmap scan for all ports run directly from the TV model U43P6046 (Android 8.0) showed port 7983 not mentioned in the original CVE description, but containing the same directory listing of the entire filesystem. This webserver is bound (at least) to localhost interface and accessible freely to all unprivileged installed apps on the Android such as a regular web browser. Any app can therefore read any files of any other apps including Android system settings including sensitive data such as saved passwords, private keys etc.
References: [CVE-2020-27403] |
7983 |
udp |
applications |
not scanned |
DDOS communication |
7985 |
tcp,udp |
viber |
Premium scan |
Viber uses the following ports: 80, 443, 4244, 5242, 5243, 7985 TCP/UDP |
7989 |
tcp,udp |
applications |
not scanned |
A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows an attacker on the adjacent network to arbitrarily browse and download sensitive files over an insecure web server running on port 7989 that lists all files & directories. An unprivileged remote attacker on the adjacent network, can download most system files, leading to serious critical information disclosure. Also, some TV models and/or FW versions may expose the webserver with the entire filesystem accessible on another port. For example, nmap scan for all ports run directly from the TV model U43P6046 (Android 8.0) showed port 7983 not mentioned in the original CVE description, but containing the same directory listing of the entire filesystem. This webserver is bound (at least) to localhost interface and accessible freely to all unprivileged installed apps on the Android such as a regular web browser. Any app can therefore read any files of any other apps including Android system settings including sensitive data such as saved passwords, private keys etc.
References: [CVE-2020-27403] |
7990 |
tcp |
applications |
not scanned |
Atlassian Bitbucket |
7997 |
tcp |
trojan |
Premium scan |
VagrNocker trojan [Symantec-2003-011011-5532-99] |
7997 |
tcp |
pushns |
not scanned |
IANA registered for: PUSH Notification Service |
7998 |
udp |
usicontentpush |
not scanned |
USI Content Push Service |
7999 |
tcp |
worm |
Members scan |
W32.Mytob.LZ@mm [Symantec-2005-112014-4354-99] (2005.11.20) - a mass-mailing worm with backdoor capabilities. It can spread using network shares and exploiting Windows vulnerabilities. Blocks access to several security-related websites by modifying the hosts file. Opens a backdoor and listens for remote commands by connecting to an IRC server on port 7999/tcp. |
8000 |
tcp |
trojans |
Basic scan |
Commonly used as an alternate HTTP port. Some firewalls use it for HTTP web administration. Also commonly used for internet radio streams using Nicecast/Icecast/Shoutcast/Winamp audio streaming.
Applications that use this port:
PFSense
VMware vMotion
Nortel Firewall User Authentication
Barracuda Web Administration
AWS Local DynamoDB
Canon Management Console
Dell OpenManage (remote management for Dell Servers)
MediaBank
JRun Management Console
Splunk
Django Dev Server
Chef service "opscode-erchef" uses 8000/TCP to handle Chef server API requests
HIKVISION iVMS software uses port 8000 to connect clients to the PCNVR server
Seafile Windows Server uses the following TCP ports: 8000 (seahub web interface), 8082 (seafile server), 10001 (ccnet), 12001 (seaf-server).
X-Lite
Verint Vid-Center [vid-center.exe], Windows enterprise network DVR application
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
Malware using this port:
W32.Gaobot.CEZ [Symantec-2005-012609-1021-99] (01.25.2005) - Worm with backdoor capabilities. Spreads through exploiting various vulnerabilities (ports 80, 135, 445). Blocks access to security-related websites and terminates some processes. Connects to an IRC server and listens on port 8000.
W32.Spybot.OGX [Symantec-2005-050217-0724-99] (2005.05.02) - network-aware worm with distributed denial of service and backdoor capabilities. Opens a backdoor by connecting to an IRC server on port 8000/tcp.
W32.Mytob.JW@mm [Symantec-2005-100312-4423-99] (2005.10.04) - a mass-mailing worm with backdoor capabilities that lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 8000/tcp. Also uses port 10027/tcp to download a copy of the worm.
JSMP3OGGWt.dll in JetCast Server 2.0.0.4308 allows remote attackers to cause a denial of service (daemon crash) via a long .mp3 URI to TCP port 8000.
References: [CVE-2007-4911] [BID-25660]
Gordano NTMail 6.0.3c allows a remote attacker to create a denial of service via a long (>= 255 characters) URL request to port 8000 or port 9000.
References: [CVE-2001-0585] [BID-2494]
Stack-based buffer overflow in collectoragent.exe in Fortinet Single Sign On (FSSO) before build 164 allows remote attackers to execute arbitrary code via a large PROCESS_HELLO message to the Message Dispatcher on TCP port 8000.
References: [CVE-2015-2281]
Port is also IANA registered for iRDMI. |
8000 |
udp |
games |
not scanned |
Aliens vs Predator uses ports 8000-8999 |
8001 |
tcp |
fortinet |
Premium scan |
squid HTTP Proxy server scan
Imperio also uses this port
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
Backdoor.Graybird.D [Symantec-2003-062811-4412-99] is a variant of Backdoor.Graybird. This Trojan Horse gives its creator unauthorized access to your computer. The existence of the file, Svch0st.exe, is an indication of a possible infection.
Directory traversal vulnerability in WellinTech KingView 6.53 allows remote attackers to read arbitrary files via a crafted HTTP request to port 8001.
References: [CVE-2012-2560]
Stack-based buffer overflow in db_netserver in Lianja SQL Server before 1.0.0RC5.2 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted string to TCP port 8001.
References: [CVE-2013-3563]
Backdoor.Win32.Hupigon.adef / Remote Stack Buffer Overflow - Backdoor Hupigon (Cracked by bartchen) bartchen () vip sina com, listens on TCP ports 8001,8002,8003,8004 and 8005. Sending a large contaminated HTTP POST request to the target on port 8002 results in a buffer overflow overwriting the instruction pointer (EIP).
References: [MVID-2021-0045]
IANA registered for: VCOM Tunnel |
8002 |
tcp,udp |
applications |
not scanned |
DC Agent keepalive and push logon info to CA uses port 8002/UDP.
Cisco Systems Unified Call Manager Intercluster (TCP).
Imperio also uses this port.
W32.Tanexor.A [Symantec-2006-122111-1416-99] (2006.12.21) - a worm that can spread through removable storage devices. It also opens a back door and downloads potentially malicious files on to the compromised computer.
Buffer overflow in the web interface for Cmail 2.4.7 allows remote attackers to cause a denial of service by sending a large user name to the user dialog running on port 8002.
References: [CVE-2000-0556] [BID-1319]
Backdoor.Win32.Hupigon.adef / Remote Stack Buffer Overflow - Backdoor Hupigon (Cracked by bartchen) bartchen () vip sina com, listens on TCP ports 8001,8002,8003,8004 and 8005. Sending a large contaminated HTTP POST request to the target on port 8002 results in a buffer overflow overwriting the instruction pointer (EIP).
References: [MVID-2021-0045]
IANA registered for: Teradata ORDBMS |
8003 |
tcp |
mcreport |
not scanned |
Microsoft SCCM (System Center Configuration Manager) uses ports 8003 and 8004 TCP.
Backdoor.Win32.Hupigon.adef / Remote Stack Buffer Overflow - Backdoor Hupigon (Cracked by bartchen) bartchen () vip sina com, listens on TCP ports 8001,8002,8003,8004 and 8005. Sending a large contaminated HTTP POST request to the target on port 8002 results in a buffer overflow overwriting the instruction pointer (EIP).
References: [MVID-2021-0045]
IANA registered for: Mulberry Connect Reporting Service |
8004 |
tcp |
applications |
not scanned |
EMC2 (Legato) Networker or Sun Solstice Backup (TCP/UDP)
Web service, iTunes Radio streams
Microsoft SCCM (System Center Configuration Manager) uses ports 8003 and 8004 TCP.
Symantec AntiVirus Scan Engine administrative interface contains a remotely exploitable buffer overflow that may allow an attacker to execute arbitrary code by sending a specially crafted HTTP request to port 8004/tcp.
References: [CVE-2005-2758], [BID-15001], [OSVDB-19854]
Backdoor.Win32.Hupigon.adef / Remote Stack Buffer Overflow - Backdoor Hupigon (Cracked by bartchen) bartchen () vip sina com, listens on TCP ports 8001,8002,8003,8004 and 8005. Sending a large contaminated HTTP POST request to the target on port 8002 results in a buffer overflow overwriting the instruction pointer (EIP).
References: [MVID-2021-0045]
IANA registered for: Opensource Evolv Enterprise Platform P2P Network Node Connection Protocol |
8004 |
udp |
applications |
not scanned |
QuickTime Streaming Server |
8005 |
udp |
applications |
not scanned |
Fuji Electric V-Server before 6.0.33.0 is vulnerable to denial of service via a crafted UDP message sent to port 8005. An unauthenticated, remote attacker can crash vserver.exe due to an integer overflow in the UDP message handling logic.
References: [CVE-2019-3946] |
8005 |
tcp |
applications |
not scanned |
Tomcat remote shutdown
PLATO ASCII protocol (RFC 600)
Windows SCCM HTTP listener service
Backdoor.Win32.Hupigon.adef / Remote Stack Buffer Overflow - Backdoor Hupigon (Cracked by bartchen) bartchen () vip sina com, listens on TCP ports 8001,8002,8003,8004 and 8005. Sending a large contaminated HTTP POST request to the target on port 8002 results in a buffer overflow overwriting the instruction pointer (EIP).
References: [MVID-2021-0045] |
8006 |
tcp,udp |
applications |
not scanned |
Symantec Critical System Protection (used internally by Tomcat during service shutdown).
Proxmox Virtual Environment runs a web server on 8006.
Quest Rapid Recovery (Cloud Data Backup), Quest AppAssure 5 API (TCP)
IANA registered for: World Programming analytics (TCP) and World Programming analytics discovery (UDP) |
8007 |
tcp |
ajp12 |
not scanned |
Apache JServ Protocol v12
Proxmox Backup Server web interface
Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
References: [CVE-2005-0808], [BID-12795]
IANA registered for: I/O oriented cluster computing software (TCP/UDP) |
8008 |
tcp |
fortinet |
Premium scan |
Citrix common ICA/HDX HTML5 access to applications and virtual desktops.
Apple iCal service also uses this port.
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
Backdoor.Haxdoor.E [Symantec-2005-080212-3505-99] (2005.08.01) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp.
njRAT remote access malware - default port is 1177, may also use ports 8008 and 8521. |
8009 |
tcp,udp |
netware-http |
not scanned |
Netware HTTP Server, Apache JServ Protocol v13 (TCP)
Apache Tomcat in Avaya S87XX, S8500, and S8300 before CM 3.1.3, and Avaya SES allows connections from external interfaces via port 8009, which exposes it to attacks from outside parties.
References: [CVE-2007-1491]
The HTTPSTK service in the novell-nrm package before 2.0.2-297.305.302.3 in Novell Open Enterprise Server 2 (OES 2) Linux, and OES 11 Linux Gold and SP1, does not make the intended SSL_free and SSL_shutdown calls for the close of a TCP connection, which allows remote attackers to cause a denial of service (service crash) by establishing many TCP connections to port 8009.
References: [CVE-2013-3707]
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
References: [CVE-2020-1745]
IANA registered for: NVMe over Fabrics Discovery Service (TCP) |
8010 |
tcp |
applications |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
WinGate, XMPP File transfers
CommuniGate Pro is vulnerable to a buffer overflow. If an attacker connects to port 8010 and sends 70,000 a's followed by "\r\n", it will overflow a buffer. Further attempts to connect to any port will receive an access violation.
References: [CVE-1999-0865], [XFDB-3746]
An issue was discovered in Motorola CX2 1.01 and M2 1.01. The router opens TCP port 8010. Users can send hnap requests to this port without authentication to obtain information such as the MAC addresses of connected client devices.
References: [CVE-2019-11321]
On the Motorola router CX2L MWR04L 1.01, there is a stack consumption (infinite recursion) issue in scopd via TCP port 8010 and UDP port 8080. It is caused by snprintf and inappropriate length handling.
References: [CVE-2019-13129]
Buildbot Web status page also uses this port. |
8011 |
tcp |
trojan |
Premium scan |
HTTP/TCP Symon Communications Event and Query Engine
Way trojan |
8012 |
tcp,udp |
trojan |
not scanned |
Backdoor.Ptakks.b [Symantec-2002-090317-4452-99] |
8013 |
tcp |
forticlient |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net) |
8014 |
tcp |
symantec |
not scanned |
Symantec Endpoint Protection (SEP) - port used for communication between the Symantec Endpoint Protection Manager (SEPM) and SEP clients and enforcers (8014 in MR3 and later builds, 80 in older).
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
HTTP/TCP Symon Communications Event and Query Engine
Perseus SDR Receiver default remote connection port (TCP/UDP) |
8015 |
tcp |
cfg-cloud |
not scanned |
IANA registered for: Configuration Cloud Service |
8016 |
tcp,udp |
applications |
not scanned |
Revo DVRNS
IANA registered for: Beckhoff Automation Device Specification (TCP) |
8017 |
udp |
cisco-cloudsec |
not scanned |
Cisco Cloudsec Dataplane Port Number (IANA official) |
8020 |
tcp |
applications |
not scanned |
360Works SuperContainer |
8022 |
tcp,udp |
applications |
not scanned |
RioRey RIOS 4.6.6 and 4.7.0 uses an undocumented, hard-coded username (dbadmin) and password (sq!us3r) for an SSH tunnel, which allows remote attackers to gain privileges via port 8022.
References: [CVE-2009-3710]
Directory traversal vulnerability in Ipswitch WhatsUp Small Business 2004 allows remote attackers to read arbitrary files via ".." (dot dot) sequences in a request to the Report service (TCP 8022).
References: [CVE-2005-1939] [BID-15291] [SECUNIA-15500]
Port also IANA registered for oa-system |
8023 |
tcp |
applications |
not scanned |
Cisco SN 5420 Storage Router 1.1(3) and earlier allows remote attackers to cause a denial of service (reboot) via a series of connections to TCP port 8023.
References: [CVE-2001-1038], [BID-3014]
Missing Authentication for Critical Function in the Bosch Video Streaming Gateway (VSG) allows an unauthenticated remote attacker to retrieve and set arbitrary configuration data of the Video Streaming Gateway. A successful attack can impact the confidentiality and availability of live and recorded video data of all cameras configured to be controlled by the VSG as well as the recording storage associated with the VSG. This affects Bosch Video Streaming Gateway versions 6.45 <= 6.45.08, 6.44 <= 6.44.022, 6.43 <= 6.43.0023 and 6.42.10 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable VSG version is installed with BVMS. This affects Bosch DIVAR IP 2000 <= 3.62.0019 and DIVAR IP 5000 <= 3.80.0039 if the corresponding port 8023 has been opened in the device's firewall.
References: [CVE-2020-6769]
Backdoor.Win32.Xel / Remote Authentication Buffer Overflow
References: [MVID-2021-0044]
IANA registered for: ARCATrust vault API (TCP/UDP) |
8027 |
tcp,udp |
papachi-p2p-srv |
not scanned |
IANA registered for: peer tracker and data relay service |
8028 |
tcp |
applications |
not scanned |
The eDirectory Host Environment service (dhost.exe) in Novell eDirectory 8.8.2 allows remote attackers to cause a denial of service (CPU consumption) via a long HTTP HEAD request to TCP port 8028.
References: [CVE-2008-1777], [BID-28572] |
8033 |
tcp |
trojans |
Premium scan |
RingZero [Symantec-2000-121809-3414-99], Brown Orifice, Generic backdoor, RemoConChubo, Reverse WWW Tunnel Backdoor |
8038 |
tcp,udp |
applications |
not scanned |
Crackle
Grouper (peer-to-peer (P2P) filesharing) also uses this port |
8040 |
tcp,udp |
ampify |
not scanned |
Ampify Messaging Protocol
ScreenConnect uses port 8040 (TCP) |
8041 |
tcp |
applications |
not scanned |
ScreenConnect
IANA registered for: Xcorpeon ASIC Carrier Ethernet Transport (TCP/UDP) |
8042 |
tcp |
applications |
not scanned |
Orthanc - Default HTTP Port for GUI |
8043 |
tcp |
applications |
not scanned |
Remote RMI and IIOP Access to JBOSS |
8045 |
tcp |
applications |
not scanned |
EMC AutoStart is vulnerable to multiple buffer overflows when allocating memory. By sending a specially-crafted packet to port 8045 TCP, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-75861] |
8046 |
tcp |
applications |
not scanned |
Heur.Risktool.Win32.Bitminer.Gen / Remote Memory Corruption - null pointer write access violation on server response to an HTTP request to TCP port 8046. The program also connects to port 80 and respawns upon crashing.
References: [MVID-2021-0009] |
8048 |
tcp |
applications |
not scanned |
Warhammer Online - Age of Reckoning |
8051 |
tcp |
rocrail |
not scanned |
IANA registered for: Rocrail Client Service |
8059 |
tcp |
TrendMicro |
not scanned |
TrendMicro WFBS web server port |
8060 |
udp |
aero |
not scanned |
Asymmetric Extended Route Optimization (AERO) [IESG] [RFC 6706] (IANA official) |
8060 |
tcp |
lync |
not scanned |
Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management |
8061 |
tcp |
nikatron-dev |
not scanned |
Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
Nikatron Device Protocol (IANA official) |
8062 |
tcp |
trojans |
Premium scan |
Backdoor.Toob.B [Symantec-2006-092615-0048-99] (2006.09.26) - a trojan that opens a back door on the compromised computer on TCP port 8062. The trojan then sends confidential information to a remote attacker. |
8066 |
tcp |
toad-bi-appsrvr |
not scanned |
IANA registered for: Toad BI Application Server |
8067 |
tcp |
infi-async |
not scanned |
Infinidat async replication (IANA official) |
8069 |
tcp |
applications |
not scanned |
OpenERP Default HTTP port (web interface and xmlrpc calls) |
8070 |
tcp,udp |
applications |
not scanned |
1AVStreamer
OpenERP Legacy netrpc protocol (TCP)
IANA registered for: Oracle Unified Communication Suite's Indexed Search Converter (TCP) |
8074 |
tcp,udp |
gadugadu |
not scanned |
IANA registered for: Gadu-Gadu |
8075 |
tcp |
applications |
not scanned |
Killing Floor |
8076 |
tcp |
trojans |
Members scan |
W32.Spybot.PEN [Symantec-2005-051916-0450-99] (2005.05.19) - worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. Can be dropped by W32.Kelvir.CG. Opens a backdoor by connecting to IRC channel on port 8076/tcp. Exploits vulnerabilities on port 445/tcp ([MS04-011]), and 1433/udp ([MS02-061]).
W32.Mytob.HI@mm [Symantec-2005-071123-0807-99] (2005.07.11) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 8076/tcp.
AtlasVPN Linux Client 1.0.3 IP Leak Exploit - the AtlasVPN Linux Client consists of two parts: a daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser. A malicious JavaScript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the user's home IP address to ANY website using the exploit code. |
8077 |
tcp |
mles |
not scanned |
IANA registered for: Mles is a client-server data distribution protocol targeted to serve as a lightweight and reliable distributed publish/subscribe database service. |
8078 |
tcp,udp |
applications |
not scanned |
Default port for most Endless Online-based servers |
8080 |
tcp |
http |
Basic scan |
Common alternative HTTP port used for web traffic. See also TCP ports 80, 81, 8443. It can also be used for HTTP Web Proxies. Some broadband routers run a web server on port 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the router's web-based administration interface.
Ubiquiti UniFi Controller uses these ports:
8080 tcp - http port for UAP to inform controller
8443 tcp - https port for controller GUI/API
8880 tcp - http portal redirect port (may also use ports 8881, 8882)
8843 tcp - https portal redirect port
3478 udp - STUN port (should be open at firewall)
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
Rainmachine smart sprinkler controllers use ports 80, 8080 and 18080.
Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
If you're not running web services, keep in mind that some trojans also use these ports:
Reverse WWW Tunnel Backdoor - remote access/tunneling software coded in Perl, uses ports 80, 3128, 8080. Works on Unix, Linux, Solaris, AIX and OpenBSD.
RingZero (a.k.a. Ring0, Trojan.PSW.Ring, RingZero.gen, Ring) - uses ports 80, 3128, 8080. Affects Windows 9x.
Screen Cutter (a.k.a. Backdoor.Screencut) - uses ports 80, 8080.
W32.Mydoom.B@mm [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
W32.Spybot.OFN [Symantec-2005-042917-1039-99] (2005.04.29) - network-aware worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. It may be downloaded by W32.Kelvir [Symantec-2005-041414-2221-99] variants. Opens a backdoor on port 8080/tcp. Also exploits vulnerabilities on ports 445 and 1433.
W32.Zotob.C@mm [Symantec-2005-081516-4417-99] (2005.08.16) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: The same ports are used by the W32.Zotob.A [Symantec-2005-081415-0646-99] and W32.Zotob.B [Symantec-2005-081415-0741-99] variants of the worm as well.
W32.Zotob.E [Symantec-2005-081615-4443-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.
Backdoor.Naninf.D [Symantec-2006-020115-0317-99] (2006.02.01)
Backdoor.Naninf.C [Symantec-2006-013111-4821-99] (2006.01.31)
W32.Rinbot.A [Symantec-2007-021615-1555-99] (2007.03.02) - a worm that opens a back door, copies itself to IPC shares, connects to an IRC server, and awaits commands on port 8080/tcp. See Also [CVE-2002-1123], [CVE-2006-2630], [CVE-2006-3439]
Android.Acnetdoor [Symantec-2012-051611-4258-99] (2012.05.16) - opens a backdoor on Android devices
Feodo/Geodo (a.k.a. Cridex or Bugat) trojan used to commit e-banking fraud uses ports 8080/tcp and 7779/tcp to run an nginx proxy and communicate with the botnet C&C server.
A non-privileged user of the Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could perform a persistent Cross-Site Scripting (XSS) attack, potentially resulting in obtaining administrative permissions.
References: [CVE-2017-2683], [BID-96455]
The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could allow a remote attacker to perform a Cross-Site Request Forgery (CSRF) attack, potentially allowing an attacker to execute administrative operations, provided the targeted user has an active session and is induced to trigger a malicious request.
References: [CVE-2017-2682], [BID-96458]
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of "works" for the freeswitch account can sometimes be used.
References: [CVE-2018-19911]
HEUR.Backdoor.Win32.Generic / Unauthenticated Open Proxy - the backdoor creates a Windows service backed by an executable named "1314.exe"; it lives under C:\WINDOWS and listens on TCP ports 1080 and 8080. Third-party adversaries who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third-party systems, and it will appear as if the attacks originated from that infected host. The relay does not require authentication or any special User-agent check and leverages the HTTP Host header in the request to connect to third-party systems.
References: [MVID-2021-0176] |
8080 |
udp |
trojans |
Premium scan |
Backdoor.Tjserv.D [Symantec-2005-100415-4002-99] (2005.10.04) - a backdoor trojan that acts as an HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens an HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp.
On the Motorola router CX2L MWR04L 1.01, there is a stack consumption (infinite recursion) issue in scopd via TCP port 8010 and UDP port 8080. It is caused by snprintf and inappropriate length handling.
References: [CVE-2019-13129] |
8081 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - alternative ports used for web traffic. See also TCP ports 80, 81, 8080.
Dreambox 8000 also uses port 8081 (TCP/UDP).
Azure Cosmos DB Emulator uses port 8081 by default. https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator
McAfee ePO uses these ports:
80, 443, 8443, 8444 TCP - HTTP(S) traffic
389, 646 - LDAP, SSL LDAP
881 TCP - receiving security threat feed
1433 TCP, 1434 UDP - communication with SQL server
8081 TCP - outbound wakeup requests from the McAfee ePO server
8082 UDP - outbound traffic from superagents forwarding server messages
If you're not running web services on this port, keep in mind that some trojans also use it:
W32.Bufei [Symantec-2005-041809-5835-99] (2005.04.17) - virus with backdoor and keylogger capabilities. Attempts to connect to URLs for remote access on port 8081 every 3 minutes.
A vulnerability has been reported in McAfee Agent, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error within the McAfee Framework Service (FrameworkService.exe) when handling HTTP requests and can be exploited to cause a crash by sending a specially crafted HTTP request to default TCP port 8081.
References: [CVE-2013-3627], [SECUNIA-55158]
A non-privileged user of the Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could perform a persistent Cross-Site Scripting (XSS) attack, potentially resulting in obtaining administrative permissions.
References: [CVE-2017-2683], [BID-96455]
The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could allow a remote attacker to perform a Cross-Site Request Forgery (CSRF) attack, potentially allowing an attacker to execute administrative operations, provided the targeted user has an active session and is induced to trigger a malicious request.
References: [CVE-2017-2682], [BID-96458]
An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything.
References: [CVE-2018-17178]
A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not checked at all.
References: [CVE-2018-17176] |
8082 |
tcp |
applications |
Basic scan |
TrendMicro Smart Scan server uses TCP ports 4345/tcp and 8082/tcp.
Seafile Windows Server uses these TCP ports:
8000 - seahub web interface
8082 - seafile server
10001 - ccnet
12001 - seaf-server
ASUS AiCloud routers file sharing service uses ports 443 and 8082. There is a vulnerability in AiCloud with firmware versions prior to 3.0.4.372, see [CVE-2013-4937]
Unrestricted file upload vulnerability in the Document Conversions Launcher Service in Microsoft Office SharePoint Server 2007 SP2, when the Document Conversions Load Balancer Service is enabled, allows remote attackers to execute arbitrary code via a crafted SOAP request to TCP port 8082, a.k.a. "Malformed Request Code Execution Vulnerability."
References: [CVE-2010-3964], [BID-45264]
Port also IANA registered for Utilistor (Client) |
8082 |
udp |
applications |
not scanned |
McAfee ePO uses these ports:
80, 443, 8443, 8444 TCP - HTTP(S) traffic
389, 646 - LDAP, SSL LDAP
881 TCP - receiving security threat feed
1433 TCP, 1434 UDP - communication with SQL server
8081 TCP - outbound wakeup requests from the McAfee ePO server
8082 UDP - outbound traffic from superagents forwarding server messages
Format string vulnerability in the logDetail function of applib.dll in McAfee Common Management Agent (CMA) 3.6.0.574 (Patch 3) and earlier, as used in ePolicy Orchestrator 4.0.0 build 1015, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via format string specifiers in a sender field in an AgentWakeup request to UDP port 8082. NOTE: this issue only exists when the debug level is 8.
References: [CVE-2008-1357] [BID-28228] [SECUNIA-29337] |
Vulnerabilities listed: 100 (some use multiple ports)
|