
Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
Port(s) |
Protocol |
Service |
Scan level |
Description |
8076 |
tcp |
trojans |
Members scan |
W32.Spybot.PEN [Symantec-2005-051916-0450-99] (2005.05.19) - worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. Can be dropped by W32.Kelvir.CG. Opens a backdoor by connecting to IRC channel on port 8076/tcp. Exploits vulnerabilities on port 445/tcp ([MS04-011]), and 1433/udp ([MS02-061]).
W32.Mytob.HI@mm [Symantec-2005-071123-0807-99] (2005.07.11) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 8076/tcp.
AtlasVPN Linux Client 1.0.3 IP Leak Exploit - the AtlasVPN Linux Client consists of two parts: a daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser. A malicious JavaScript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the user's home IP address to ANY website using the exploit code. |
8077 |
tcp |
mles |
not scanned |
IANA registered for: Mles is a client-server data distribution protocol targeted to serve as a lightweight and reliable distributed publish/subscribe database service. |
8078 |
tcp,udp |
applications |
not scanned |
Default port for most Endless Online-based servers |
8080 |
tcp |
http |
Basic scan |
Common alternative HTTP port used for web traffic. See also TCP ports 80, 81, 8443. It can also be used for HTTP Web Proxies. Some broadband routers run a web server on port 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the router's web-based administration interface.
Ubiquiti UniFi Controller uses these ports:
8080 tcp - http port for UAP to inform controller
8443 tcp - https port for controller GUI/API
8880 tcp - http portal redirect port (may also use ports 8881, 8882)
8843 tcp - https portal redirect port
3478 udp - STUN port (should be open at firewall)
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
Rainmachine smart sprinkler controllers use ports 80, 8080 and 18080.
Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
If you're not running web services, keep in mind that some trojans also use these ports:
Reverse WWW Tunnel Backdoor - remote access/tunneling software coded in Perl, uses ports 80, 3128, 8080. Works on Unix, Linux, Solaris, AIX and OpenBSD.
RingZero (a.k.a. Ring0, Trojan.PSW.Ring, RingZero.gen, Ring) - uses ports 80, 3128, 8080. Affects Windows 9x.
Screen Cutter (a.k.a. Backdoor.Screencut) - uses ports 80, 8080.
W32.Mydoom.B@mm [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
W32.Spybot.OFN [Symantec-2005-042917-1039-99] (2005.04.29) - network-aware worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. It may be downloaded by W32.Kelvir [Symantec-2005-041414-2221-99] variants. Opens a backdoor on port 8080/tcp. Also exploits vulnerabilities on ports 445 and 1433.
W32.Zotob.C@mm [Symantec-2005-081516-4417-99] (2005.08.16) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: The same ports are used by the W32.Zotob.A [Symantec-2005-081415-0646-99] and W32.Zotob.B [Symantec-2005-081415-0741-99] variants of the worm as well.
W32.Zotob.E [Symantec-2005-081615-4443-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.
Backdoor.Naninf.D [Symantec-2006-020115-0317-99] (2006.02.01)
Backdoor.Naninf.C [Symantec-2006-013111-4821-99] (2006.01.31)
W32.Rinbot.A [Symantec-2007-021615-1555-99] (2007.03.02) - a worm that opens a back door, copies itself to IPC shares, connects to an IRC server, and awaits commands on port 8080/tcp. See Also [CVE-2002-1123], [CVE-2006-2630], [CVE-2006-3439]
Android.Acnetdoor [Symantec-2012-051611-4258-99] (2012.05.16) - opens a backdoor on Android devices
Feodo/Geodo (a.k.a. Cridex or Bugat) trojan used to commit e-banking fraud uses ports 8080 tcp and 7779/tcp to run a nginx proxy and communicate with the botnet C&C server.
A non-privileged user of the Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could perform a persistent Cross-Site Scripting (XSS) attack, potentially resulting in obtaining administrative permissions.
References: [CVE-2017-2683], [BID-96455]
The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could allow a remote attacker to perform a Cross-Site Request Forgery (CSRF) attack, potentially allowing an attacker to execute administrative operations, provided the targeted user has an active session and is induced to trigger a malicious request.
References: [CVE-2017-2682], [BID-96458]
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used.
References: [CVE-2018-19911]
HEUR.Backdoor.Win32.Generic / Unauthenticated Open Proxy - the backdoor creates a Windows service backed by an executable named "1314.exe", it lives under C:\WINDOWS and listens on TCP ports 1080 and 8080. Third-party adversaries who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host. The relay does not require authentication or any special User-agent check and leverages the HTTP Host header in the request to connect to third-party systems.
References: [MVID-2021-0176] |
8080 |
udp |
trojans |
Premium scan |
Backdoor.Tjserv.D [Symantec-2005-100415-4002-99] (2005.10.04) - a backdoor trojan that acts as a HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens a HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp.
On the Motorola router CX2L MWR04L 1.01, there is a stack consumption (infinite recursion) issue in scopd via TCP port 8010 and UDP port 8080. It is caused by snprintf and inappropriate length handling.
References: [CVE-2019-13129] |
8081 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - alternative ports used for web traffic. See also TCP ports 80, 81, 8080.
Dreambox 8000 also uses port 8081 (TCP/UDP).
Azure Cosmos DB Emulator uses port 8081 by default. https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator
McAfee ePO uses these ports:
80, 443, 8443, 8444 TCP - HTTP(S) traffic
389, 646 - LDAP, SSL LDAP
881 TCP - receiving security threat feed
1433 TCP, 1434 UDP - communication with SQL server
8081 TCP - outbound wakeup requests from the McAfee ePO server
8082 UDP - outbound traffic from superagents forwarding server messages
If you're not running web services on this port, keep in mind that some trojans also use it:
W32.Bufei [Symantec-2005-041809-5835-99] (2005.04.17) - virus with backdoor and keylogger capabilities. Attempts to connect to URLs for remote access on port 8081 every 3 minutes.
A vulnerability has been reported in McAfee Agent, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error within the McAfee Framework Service (FrameworkService.exe) when handling HTTP requests and can be exploited to cause a crash by sending a specially crafted HTTP request to default TCP port 8081.
References: [CVE-2013-3627], [SECUNIA-55158]
A non-privileged user of the Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could perform a persistent Cross-Site Scripting (XSS) attack, potentially resulting in obtaining administrative permissions.
References: [CVE-2017-2683], [BID-96455]
The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could allow a remote attacker to perform a Cross-Site Request Forgery (CSRF) attack, potentially allowing an attacker to execute administrative operations, provided the targeted user has an active session and is induced to trigger a malicious request.
References: [CVE-2017-2682], [BID-96458]
An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything.
References: [CVE-2018-17178]
A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not checked at all.
References: [CVE-2018-17176] |
8082 |
tcp |
applications |
Basic scan |
TrendMicro Smart Scan server uses TCP ports 4345/tcp and 8082/tcp.
Seafile Windows Server uses these TCP ports:
8000 - seahub web interface
8082 - seafile server
10001 - ccnet
12001 - seaf-server
ASUS AiCloud routers file sharing service uses ports 443 and 8082. There is a vulnerability in AiCloud with firmware versions prior to 3.0.4.372, see [CVE-2013-4937]
Unrestricted file upload vulnerability in the Document Conversions Launcher Service in Microsoft Office SharePoint Server 2007 SP2, when the Document Conversions Load Balancer Service is enabled, allows remote attackers to execute arbitrary code via a crafted SOAP request to TCP port 8082, a.k.a. "Malformed Request Code Execution Vulnerability."
References: [CVE-2010-3964], [BID-45264]
Port also IANA registered for Utilistor (Client) |
8082 |
udp |
applications |
not scanned |
McAfee ePO uses these ports:
80, 443, 8443, 8444 TCP - HTTP(S) traffic
389, 646 - LDAP, SSL LDAP
881 TCP - receiving security threat feed
1433 TCP, 1434 UDP - communication with SQL server
8081 TCP - outbound wakeup requests from the McAfee ePO server
8082 UDP - outbound traffic from superagents forwarding server messages
Format string vulnerability in the logDetail function of applib.dll in McAfee Common Management Agent (CMA) 3.6.0.574 (Patch 3) and earlier, as used in ePolicy Orchestrator 4.0.0 build 1015, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via format string specifiers in a sender field in an AgentWakeup request to UDP port 8082. NOTE: this issue only exists when the debug level is 8.
References: [CVE-2008-1357] [BID-28228] [SECUNIA-29337] |
8083 |
tcp,udp |
applications |
not scanned |
vCenter Server Internal Service Diagnostics use ports 8083,8085,8086,8087/tcp
ShowOff! 1.5.4 allows remote attackers to cause a denial of service (server crash) via a malformed request to port 8083.
References: [CVE-2005-1572], [BID-13598]
Utilistor Server (IANA official) |
8084 |
tcp |
websnp |
not scanned |
Apache Tomcat server (Netbeans JSP servlets)
IBM Lotus Sametime server uses this port. To allow internal users to participate in interactive audio/video meetings with users from the Internet, you must either open TCP port 8084 (the default TCP Tunneling port for the Audio/Video Services) or a range of UDP ports through the internal firewall.
Snarl Network Protocol over HTTP (IANA official) |
8085 |
tcp |
wiki service |
Members scan |
DSL CPE Management (Used by British Telecom, KPN Netherlands, etc. for ADSL modem communication)
Wiki service (Mac OS X Server v10.5 and later)
inSpeak Communicator uses port 8085 (TCP/UDP)
vCenter Server Internal Service Diagnostics use ports 8083,8085,8086,8087/tcp
Siemens Openstage and Gigaset phones use the following ports:
389/tcp LDAP
636/tcp LDAPS
5010/tcp - RTP
5060/tcp - SIP gateway, backup proxy
8085/tcp - DLS
18443/TCP and 18444/TCP - provisioning over TLS (HTTPS)
Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST request to TCP port 8085 containing a predictable ID value, as demonstrated by a /sendrcpackage?keyid=-2544&keysymbol=-4081 request to shut off the device.
References: [CVE-2018-13989], [EDB-45022] |
8086 |
tcp |
wiki service |
not scanned |
Wiki service (Mac OS X Server v10.5 and later)
HELM Web Host Automation Windows Control Panel
Kaspersky AV Control Center
vCenter Server Internal Service Diagnostics use ports 8083,8085,8086,8087/tcp
XMMS.pm in X2 XMMS Remote, as obtained from the vendor server between 4 AM and 11 AM PST on May 7, 2003, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to TCP port 8086.
References: [CVE-2003-1128], [BID-7534]
IANA registered for: Distributed SCADA Networking Rendezvous Port (TCP/UDP) |
8087 |
tcp |
wiki service |
not scanned |
Wiki service (Mac OS X Server v10.5 and later)
Hosting Accelerator Control Panel, Parallels Plesk Control Panel
vCenter Server Internal Service Diagnostics use ports 8083,8085,8086,8087/tcp
ABB PCU400 contains a vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The ABB PCU400 application serves as a communication gateway between RTUs that use the IEC-870-5-104 protocol and the SCADA server. The diagnostic web application contains a software flaw which allows an attacker to gain full access on the PCU400 server by sending a specially crafted packet to the X87 web interface on TCP port 8087.
References: [CVE-2008-2474], [BID-31391]
IANA registered for: Simplify Media SPP Protocol (TCP/UDP) |
8087 |
udp |
applications |
not scanned |
Kaspersky AV Control Center |
8088 |
tcp |
apple |
not scanned |
Software update (Mac OS X Server v10.4 and later)
Asterisk (PBX) Web Configuration utility (GUI Addon)
IANA registered for: Radan HTTP (TCP/UDP) |
8088 |
udp |
games |
not scanned |
Lord of the Rings: Battle for Middle Earth uses ports 8088-28088 |
8089 |
tcp |
web email rules |
not scanned |
Web email rules (Mac OS X Server v10.6 and later), Fritz!Box automatic TR-069 configuration
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
References: [CVE-2021-3122] |
8090 |
tcp |
http_alt_alt |
Premium scan |
Another HTTP Alternate (http_alt_alt) used as an alternative to port 8080.
Applications using this port: WebcamXP, Atlassian Confluence, Matrix identity server, Coral Content Distribution Network
Trojans that use this port: Aphex's Remote Packet Sniffer (Asniffer)
Trojan.Heloag [Symantec-2010-041512-2356-99] (2010.04.15) - a trojan horse that opens a back door and may download more files on to the compromised computer
EMC Data Protection Advisor could allow a remote attacker to execute arbitrary code on the system, caused by an error in the exposed EJBInvokerServlet servlet within the DPA_Illuminator.exe service. By sending a specially-crafted object to TCP ports 8090 or 8453, an attacker could exploit this vulnerability to execute arbitrary code with NT AUTHORITY\SYSTEM privileges.
References: [XFDB-89534], [EDB-30211]
Vivint SkyControl Panel could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access permissions in Web interface. By sending a specially-crafted request, an attacker could exploit this vulnerability using port 8090 to bypass access restrictions and modify security settings.
References: [CVE-2014-8362], [XFDB-111196]
Siemens SPPA-T3000 Application Server could allow a remote attacker to obtain sensitive information, caused by improper access control. By sending specially-crafted packets to 8090/tcp, an attacker could exploit this vulnerability to obtain filenames information, and use this information to launch further attacks against the affected system.
References: [CVE-2019-18333], [CVE-2019-18334], [XFDB-173119], [XFDB-173120]
In Contour (Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (for example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint is accessible to anyone on the network that can reach the Kubernetes node that's running Envoy. There is no authentication in place that prevents a rogue actor on the network from shutting down Envoy via the shutdown manager endpoint. Successful exploitation of this issue will lead to bad actors shutting down all instances of Envoy, essentially killing the entire ingress data plane. This is fixed in version 1.7.0.
References: [CVE-2020-15127]
IANA registered for: Vehicle to station messaging |
8091 |
tcp |
couchbase |
not scanned |
Couchbase Server (open source NoSQL document-oriented database) uses port 8091 for administration, and port 8092 as an API port.
An issue was discovered in Couchbase Server. Authenticated users can send arbitrary Erlang code to the 'diag/eval' endpoint of the REST API (available by default on TCP/8091 and/or TCP/18091). The executed code in the underlying operating system will run with the privileges of the user running Couchbase server.
References: [CVE-2018-15728], [BID-105157]
Jam Link Framework |
8092 |
tcp |
couchbase |
not scanned |
Couchbase Server (open source NoSQL document-oriented database) uses port 8091 for administration, and port 8092 as an API port. |
8093 |
tcp |
applications |
not scanned |
Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.
References: [CVE-2023-49338] |
8094 |
tcp,udp |
applications |
not scanned |
In Flexense DiskBoss Enterprise 8.5.12, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 8094.
References: [CVE-2017-15665], [EDB-43454] |
8096 |
tcp |
web password reset |
not scanned |
Web password reset (Mac OS X Server v10.6.3 and later)
Emby and Jellyfin HTTP port
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
References: [CVE-2024-39864] |
8097 |
tcp |
trojan |
Premium scan |
Kryptonic Ghost Command Pro |
8100 |
tcp |
trojan |
Premium scan |
Console Gateway License Verification
Back streets trojan
BlueMap, a 3D Minecraft web viewer and mapping tool
Xprint Server (TCP/UDP) (IANA official) |
8101 |
tcp |
ldoms-migr |
not scanned |
SmartPTT SCADA 1.1.0.0 allows remote code execution (when the attacker has administrator privileges) by writing a malicious C# script and executing it on the server (via server settings in the administrator control panel on port 8101, by default).
References: [CVE-2023-30459]
Logical Domains Migration (IANA official) |
8102 |
tcp |
kz-migr |
not scanned |
IANA registered for: Oracle Kernel zones migration server |
8110 |
tcp |
trojans |
Premium scan |
DLP, LoseLove |
8111 |
tcp |
malware |
Premium scan |
Warthunder (WWII vehicular combat MMO) video game uses port 8111
Malware that uses this port: DLP, LoseLove
JOSM Remote Control
W32.Eboscro [Symantec-2006-110422-1903-99] (2006.11.04) - a worm that copies itself to removable drives, opens a back door, and lowers security settings on the compromised computer. |
8111 |
udp |
skynetflow |
not scanned |
IANA registered for: Skynetflow network services |
8116 |
tcp,udp |
cp-cluster |
not scanned |
Revo DVRNS
IANA registered for: Check Point Clustering |
8117 |
tcp |
purityrpc |
not scanned |
IANA registered for: clustering and remote management |
8118 |
tcp,udp |
privoxy |
not scanned |
adbyby v2.7 allows external users to make connections via port 8118. This can cause a program logic error and lead to a Denial of Service (DoS) via high CPU usage due to a large number of connections.
References: [CVE-2022-29767]
Privoxy HTTP proxy (IANA official) |
8123 |
tcp |
vipre |
Premium scan |
BURST Reference Software uses TCP ports 8123 (p2p), 8124 (standard mining pool port), 8125 (web interface)
ClickHouse Analytics DB (open source big data) uses TCP port 8123 for its HTTP interface.
Home Assistant (massive open source home automation project) uses port 8123 for WebUI. See: home-assistant.io/hassio/
Minecraft default dynmap mapping port
Polipo open source web proxy, Bukkit DynMap Default Webserver Bind Address
VIPRE Business Security uses the following TCP ports: 8123, 18082, 18086, 18090. It may also communicate through TCP ports 135, 139, 445. |
8124 |
tcp |
applications |
not scanned |
BURST Reference Software uses TCP ports 8123 (p2p), 8124 (standard mining pool port), 8125 (web interface) |
8125 |
tcp |
applications |
not scanned |
BURST Reference Software uses TCP ports 8123 (p2p), 8124 (standard mining pool port), 8125 (web interface)
StatsD server |
8126 |
tcp |
trojans |
Members scan |
W32.Pejaybot [Symantec-2005-011415-1848-99] (2005.01.14) - worm that spreads via file sharing networks. Connects to an IRC server and opens a backdoor on port 8126.
W32.Kelvir.Q [Symantec-2005-041213-2840-99] (2005.04.12) - worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm [Symantec-2003-053013-5943-99]. Connects to an IRC server on port 8126/tcp. |
8127 |
tcp,udp |
trojans |
not scanned |
9_119, Chonker |
8128 |
tcp,udp |
paycash-online |
not scanned |
PayCash Online Protocol [MegaZone] (IANA official) |
8129 |
tcp,udp |
paycash-wbp |
not scanned |
PayCash Wallet-Browser [MegaZone] (IANA official) |
8130 |
tcp |
trojans |
Premium scan |
9_119, Chonker, DLP
WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.
References: [CVE-2013-2826] [XFDB-90513] |
8130 |
udp |
malware |
not scanned |
Backdoor.Win32.Loselove / Denial of Service - the malware listens on UDP ports 9329, 8329, 8322, 8131 and 8130. Attackers can send a large junk payload to UDP port 8131 causing it to crash.
References: [MVID-2022-0554] |
8131 |
tcp |
trojan |
Premium scan |
DLP trojan |
8131 |
udp |
malware |
not scanned |
Backdoor.Win32.Loselove / Denial of Service - the malware listens on UDP ports 9329, 8329, 8322, 8131 and 8130. Attackers can send a large junk payload to UDP port 8131 causing it to crash.
References: [MVID-2022-0554] |
8139 |
tcp |
applications |
not scanned |
Puppet (software) Client agent |
8140 |
tcp |
applications |
not scanned |
Puppet (software) Master server |
8143 |
tcp,udp |
applications |
not scanned |
ImapProxy, SCO SSH Tunneling |
8149 |
udp |
eor-game |
not scanned |
IANA registered for: Edge of Reality game data |
8153 |
tcp |
quantastor |
not scanned |
QuantaStor Management Interface [OS NEXUS] (IANA official) |
8162 |
tcp |
lpar2rrd |
not scanned |
IANA registered for: LPAR2RRD client server communication |
8170 |
tcp |
https |
not scanned |
Podcast Capture/podcast CLI |
8171 |
tcp |
https |
not scanned |
Podcast Capture/podcast CLI |
8172 |
tcp |
applications |
Premium scan |
Microsoft Remote Administration for IIS Manager
W32.Zotob.K trojan [Symantec-2005-082415-0814-99] exploits Windows vulnerabilities on port 445, opens UDP port 69 for TFTP, listens to TCP ports 6664 and 8172. |
8173 |
tcp |
trojans |
Premium scan |
Backdoor.Zebroxy [Symantec-2003-082113-3132-99] (2003.08.21) - a trojan horse that opens port 8173 and runs as a proxy server under Windows 2000/XP.
Port also used by: Y-cam Wireless IP Camera |
8175 |
tcp |
pcast tunnel |
not scanned |
Apple pcastagentd (for control operations, camera and so on) |
8181 |
tcp |
trojans |
Members scan |
W32.Erkez.D@mm [Symantec-2004-121413-4703-99] (2004.12.14) - mass mailing worm that can terminate processes, lower security settings, and allow remote access to the compromised computer. Opens a backdoor and listens for remote commands on port 8181/tcp.
Backdoor.Shangxing [Symantec-2007-030516-4150-99] (2007.03.06) also uses this port.
The Web Administrator service (STEMWADM.EXE) in Websense Personal Email Manager 7.1 before Hotfix 4 and Email Security 7.1 before Hotfix 4 allows remote attackers to cause a denial of service (crash) by sending a HTTP GET request to TCP port 8181 and closing the socket before the service can send a response.
References: [CVE-2009-3749], [BID-36740]
IPSwitch IMail is an e-mail server which provides WWW (HTTP) E-mail services. By default this web service resides on port 8181 (TCP/UDP) or 8383 (TCP/UDP). Sending an HTTP request with an extremely long "HOST" field multiple times can cause the system hosting the service to become unresponsive. Each long request "kills" a thread without freeing up the memory used by it. By repeating this request, the system's resources can be used up completely.
References: [BID-2011]
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.
References: [CVE-2021-30127]
Intermapper network management system (IANA official) |
8182 |
tcp |
applications |
not scanned |
SQL servers
Port is IANA registered for VMware Fault Domain Manager (TCP/UDP). |
8183 |
tcp |
proremote |
not scanned |
ProRemote |
8184 |
tcp,udp |
itach |
not scanned |
Remote iTach Connection |
8188 |
tcp |
applications |
not scanned |
ComfyUI Web Interface |
8190 |
tcp |
iot |
Members scan |
Veeam Backup and replication suite uses these ports, in addition to common 80, 443, etc.:
6160 TCP - Veeam installer service
6165 TCP - WAN accelerator
6180 TCP/UDP - Veeam cloud gateway
6169, 8190, 8191 TCP - used by SP backup server
10003 TCP - communication with Veeam backup service
Port used by: Ecobee thermostats, Y-cam Wireless IP Cameras
W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS LSASS Buffer Overrun Vulnerability ([MS04-011]). Opens backdoors on ports 3351/tcp and 8190/tcp.
Multiple stack-based buffer overflows in Medicomp MEDCIN Engine 2.22.20142.166 might allow remote attackers to execute arbitrary code via a crafted packet on port 8190, related to (1) the GetProperty info_getproperty function and (2) the GetProperty UdfCodeList function.
References: [CVE-2015-2901]
Heap-based buffer overflow in the QualifierList retrieve_qualifier_list function in Medicomp MEDCIN Engine before 2.22.20153.226 might allow remote attackers to execute arbitrary code via a long list name in a packet on port 8190.
References: [CVE-2015-2899]
Multiple stack-based buffer overflows in Medicomp MEDCIN Engine before 2.22.20153.226 might allow remote attackers to execute arbitrary code via a crafted packet on port 8190, related to (1) the SetGroupSequenceEx na_setgroupsequenceex function, (2) the FormatDate julptostr function, and (3) the UserFindingCodes addtocl function.
References: [CVE-2015-2898]
IANA registered for: Generic control plane for RPHY |
8191 |
tcp |
limnerpressure |
not scanned |
Veeam Backup and replication suite uses these ports, in addition to common 80, 443, etc.:
6160 TCP - Veeam installer service
6165 TCP - WAN accelerator
6180 TCP/UDP - Veeam cloud gateway
6169, 8190, 8191 TCP - used by SP backup server
10003 TCP - communication with Veeam backup service
Limner Pressure - a pressure sensitive tablet application for Mac and iPad (IANA official) |
8192 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, SnapStream PVS, SpyTech Phone Service, Y-cam Wireless IP Camera use this port. |
8193 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, Y-cam Wireless IP Camera |
8194 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, Bloomberg data API, Y-cam Wireless IP Camera use this port. |
8195 |
tcp |
blp2 |
not scanned |
Bloomberg feed |
8198 |
tcp |
applications |
not scanned |
Sophos Antivirus, Y-cam Wireless IP Camera |
8199 |
tcp |
applications |
not scanned |
Citrix AppDNA Server uses port 8199 for HTTP connections between AppDNA and IIS.
Y-cam Wireless IP Camera
The administrative service in Symantec Veritas Volume Replicator (VVR) for Windows and VVR for Unix, in Symantec Storage Foundation products allows remote attackers to cause a denial of service (memory consumption and service crash) via a crafted packet to the service port (8199/tcp) that triggers a request for more memory than available, which causes the service to write to an invalid pointer.
References: [CVE-2007-1593], [BID-24160]
Port is also IANA registered for VVR data. |
8200 |
tcp,udp |
applications |
not scanned |
Duplicati web server (open source remote backup solution)
Revo DVRNS
GoToMyPC
GoToMeeting, also Citrix workstation GoToMeeting service broker
MiniDLNA media server Web Interface
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255]
TRIVNET (IANA official) |
8201 |
tcp,udp |
trivnet2 |
not scanned |
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255]
TRIVNET (IANA official) |
8202 |
udp |
aesop |
not scanned |
Audio+Ethernet Standard Open Protocol [POWERSOFT SRL] (IANA official) |
8202 |
tcp |
malware |
not scanned |
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255] |
8203 |
tcp |
worm |
not scanned |
W32.Neeris.B [Symantec-2007-091303-4952-99] (2007.09.12) - a worm that spreads through MSN instant messaging applications. It also opens a back door on the compromised computer.
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255] |
8204 |
tcp,udp |
lm-perfworks |
not scanned |
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255]
LM Perfworks (IANA official) |
8211 |
tcp |
applications |
not scanned |
Dealing Office Server
Palworld Server
Y-cam Wireless IP Camera |
8211 |
udp |
aruba-papi |
not scanned |
There are multiple buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211) of access-points or controllers in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below.
References: [CVE-2020-24633]
An attacker is able to remotely inject arbitrary commands by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211) of access-points or controllers in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below.
References: [CVE-2020-24634]
There is a command injection vulnerability that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
References: [CVE-2022-37897]
There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below. Aruba has released upgrades for Aruba InstantOS that address these security vulnerabilities.
References: [CVE-2022-37885], [CVE-2022-37886], [CVE-2022-37887], [CVE-2022-37888], [CVE-2022-37889]
There is a buffer overflow vulnerability in the underlying AirWave client service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
References: [CVE-2023-45614], [CVE-2023-45615], [CVE-2023-45616]
Unauthenticated Command Injection Vulnerability in the CLI Service Accessed by the PAPI Protocol. Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
References: [CVE-2024-47460]
Aruba Networks AP management (IANA official) |
8212 |
tcp,udp |
|
not scanned |
Palworld Server REST API |
8222 |
tcp |
applications |
not scanned |
VMware, Y-cam Wireless IP Camera |
8225 |
tcp |
applications |
not scanned |
IP/IPX gateway for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service via a connection to port 8225 with a large amount of random data, which causes ipipxgw.nlm to ABEND.
References: [CVE-2002-0780], [BID-4697] |
8231 |
udp |
hncp-udp-port |
not scanned |
IANA registered for: HNCP |
8232 |
udp |
hncp-dtls-port |
not scanned |
IANA registered for: HNCP over DTLS |
8236 |
tcp,udp |
applications |
not scanned |
jRCS listener for Rocket Software jBASE Remote Connectivity Server |
8243 |
tcp,udp |
synapse-nhttps |
not scanned |
Synapse Non Blocking HTTPS, HTTPS listener for Apache Synapse, Y-cam Wireless IP Camera |
8245 |
tcp |
applications |
not scanned |
No-IP, DynDNS, Y-cam Wireless IP Camera use this port. |
8257 |
tcp |
applications |
not scanned |
Papenmeier WiFi Baby Monitor Free & Lite before 2.02.2 allows remote attackers to obtain audio data via certain requests to TCP ports 8258 and 8257.
References: [CVE-2018-7661], [EDB-442322] |
8258 |
tcp |
applications |
not scanned |
Papenmeier WiFi Baby Monitor Free & Lite before 2.02.2 allows remote attackers to obtain audio data via certain requests to TCP ports 8258 and 8257.
References: [CVE-2018-7661], [EDB-442322] |
8270 |
tcp |
robot-remote |
not scanned |
IANA registered for: Robot Framework Remote Library Interface |
8276 |
tcp,udp |
ms-mcc |
not scanned |
Microsoft Connected Cache (IANA official) |
8280 |
tcp,udp |
synapse |
not scanned |
Apache Synapse, Y-cam Wireless IP Camera use this port. |
8282 |
tcp |
applications |
not scanned |
Y-cam Wireless IP Camera, SAS Server, CS Intranet use this port.
IANA registered for: Libelle EnterpriseBus |
8282 |
udp |
libelle-disc |
not scanned |
IANA registered for: Libelle EnterpriseBus discovery |
8284 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
8285 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
8286 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
8287 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
8291 |
tcp |
mikrotik |
not scanned |
MikroTik RouterOS uses the following ports:
5678/udp - MikroTik Neighbor Discovery Protocol
6343/tcp - Default OpenFlow port
8080/tcp - HTTP Web Proxy
8291/tcp - Winbox GUI
8728/tcp - API
8729/tcp - API-SSL
20561/udp - MAC Winbox GUI
RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. The queries are sent from the router to a server of the attacker's choice. The DNS responses are cached by the router, potentially resulting in cache poisoning.
References: [CVE-2019-3978], [XFDB-170447] |
8293 |
tcp |
hiperscan-id |
not scanned |
Hiperscan Identification Service |
8300 |
tcp |
applications |
not scanned |
Messenger Agents (nmma.exe) in Novell GroupWise allow remote attackers to cause a denial of service (crash) via a crafted HTTP POST request to TCP port 8300 with a modified val parameter, which triggers a null dereference related to "zero-size strings in blowfish routines."
References: [CVE-2006-4511], [BID-20316]
Port is also IANA registered for Transport Management Interface |
8301 |
tcp |
amberon |
Premium scan |
HashiCorp Consul (network service discovery platform)
Y-cam Wireless IP Camera
Trojans using this port: DLP, LoseLove
Amberon PPC/PPS (IANA official) |
8302 |
tcp |
trojans |
Premium scan |
DLP, LoseLove |
Vulnerabilities listed: 100 (some use multiple ports)
|