| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 11095 |
udp |
weave |
not scanned |
device-to-service application protocol [Nest_Labs_Inc] (IANA official) |
| 11100 |
udp |
games |
not scanned |
Risk of Rain multiplayer server |
| 11103 |
tcp |
origo-sync |
not scanned |
IANA registered for: OrigoDB Server Sync Interface |
| 11104 |
tcp |
netapp-icmgmt |
not scanned |
NetApp Intercluster Management |
| 11105 |
tcp |
netapp-icdata |
not scanned |
NetApp Intercluster Data |
| 11108 |
udp |
myq-termlink |
not scanned |
IANA registered for: Hardware Terminals Discovery and Low-Level Communication Protocol |
| 11109 |
tcp |
sgi-dmfmgr |
not scanned |
Data migration facility Manager (DMF) is a browser based interface to DMF - SGI (IANA official) |
| 11110 |
tcp |
sgi-soap |
not scanned |
Data migration facility (DMF) SOAP is a web server protocol to support remote access to DMF - SGI (IANA official) |
| 11111 |
tcp |
trojan |
Premium scan |
Breach trojan |
| 11112 |
tcp,udp |
dicom |
not scanned |
DICOM (IANA official) |
| 11115 |
tcp,udp |
applications |
not scanned |
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.
References: [CVE-2023-22897]
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.
References: [CVE-2023-22620] |
| 11142 |
tcp |
trojans |
not scanned |
Backdoor.SubSeven.215 [Symantec-2003-062916-3850-99] (2003.06.29) - variant of the SubSeven family. This trojan horse allows unauthorized access to an infected machine. By default it listens on port 11142. |
| 11143 |
tcp |
ubiquiti |
not scanned |
Ubiquiti Cloud Access uses the following ports:
80/tcp
3478/udp
8543/tcp
11143/tcp |
| 11155 |
udp |
applications |
not scanned |
Tunngle |
| 11171 |
udp |
snss |
not scanned |
IANA registered for: Surgical Notes Security Service Discovery (SNSS) |
| 11172 |
tcp |
oemcacao-jmxmp |
not scanned |
OEM cacao JMX-remoting access point |
| 11173 |
tcp |
t5-straton |
not scanned |
Straton Runtime Programing [COPALP] (IANA official) |
| 11174 |
tcp |
oemcacao-rmi |
not scanned |
OEM cacao rmi registry access point |
| 11175 |
tcp |
oemcacao-websvc |
not scanned |
OEM cacao web service access point |
| 11202 |
tcp |
dcsl-backup |
not scanned |
DCSL Network Backup Services [John_Reynolds] (IANA official) |
| 11211 |
tcp,udp |
memcached |
not scanned |
Port used by Memcachedb and Apple iCal Server
Memcached is vulnerable to a denial of service, caused by an error when handling TCP packets. By sending a specially-crafted packet containing an overly long string to TCP port 11211, a remote attacker could exploit this vulnerability to cause a segmentation fault and application to crash.
References: [XFDB-83915], [BID-59567]
Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported by reliable sources). This attack appear to be exploitable via network connectivity to port 11211 UDP. This vulnerability appears to have been fixed in 1.5.6 due to the disabling of the UDP protocol by default.
References: [CVE-2018-1000115], [EDB-44264], [EDB-44265] |
| 11223 |
tcp |
trojan |
Premium scan |
Progenic trojan, Secret Agent trojan |
| 11225 |
tcp,udp |
trojan |
not scanned |
Cyn trojan |
| 11234 |
tcp |
applications |
not scanned |
Graboid Video
Multiple stack-based buffer overflows in service.exe in Measuresoft ScadaPro 4.0.0 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long command to port 11234, as demonstrated with the TF command.
References: [CVE-2011-3490] |
| 11235 |
tcp,sctp |
xcompute |
not scanned |
Savage:Battle for Newerth Server Hosting
Numerical systems messaging (IANA official) |
| 11271 |
udp |
trojans |
Members scan |
Trojan.Peacomm [Symantec-2007-011917-1403-99] (2007.01.19) - trojan horse that drops a system driver which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique. Once infected, it opens a backdoor to download other malicious programs. Uses UDP ports 4000, 7871, 11271. |
| 11294 |
tcp,udp |
applications |
not scanned |
Blood Quest Online Server |
| 11300 |
tcp |
beanstalkd |
not scanned |
Beanstalkd (asynchronous job queue for web applications) |
| 11306 |
tcp |
trojan |
Premium scan |
Noknok trojan |
| 11311 |
tcp |
trojans |
not scanned |
Backdoor.Carufax.A [Symantec-2004-041911-4812-99] (2004.04.19) - a trojan horse that will attempt to download files, open a backdoor, connect to an IRC server and log keystrokes. |
| 11332 |
tcp |
rspamd |
not scanned |
Rspamd (email anti-spam filtering system) listens on these ports: 11332/tcp (proxy worker), 11333/tcp (normal worker), 11334/tcp (controller worker). |
| 11333 |
tcp |
rspamd |
not scanned |
Rspamd (email anti-spam filtering system) listens on these ports: 11332/tcp (proxy worker), 11333/tcp (normal worker), 11334/tcp (controller worker). |
| 11334 |
tcp |
rspamd |
not scanned |
Rspamd (email anti-spam filtering system) listens on these ports: 11332/tcp (proxy worker), 11333/tcp (normal worker), 11334/tcp (controller worker). |
| 11371 |
tcp,udp |
hkp |
not scanned |
IANA registered for: OpenPGP HTTP Keyserver |
| 11386 |
tcp |
malware |
not scanned |
Trojan-Proxy.Win32.Ranky.z / Unauthenticated Open Proxy - the malware listens on TCP port 11386. Third-party attackers
who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0366] |
| 11404 |
tcp |
malware |
not scanned |
Backdoor.Win32.Prexot.a / Authentication Bypass - the malware listens on random high TCP ports e.g 11404, 19545, 17001, 10110. Third-party attackers who can reach an infected system can logon using any username/password combination.
References: [MVID-2022-0484]
Backdoor.Win32.Prexot.a / Port Bounce Scan (MITM) - the malware listens on random high TCP ports e.g 11404, 19545, 17001, 10110 and accepts any credentials. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0485] |
| 11427 |
udp |
canon |
not scanned |
Canon printers management console uses these ports (in addition to standard ports 25, 80, 110, 137, 389, 443, etc.):
427 UDP - SLP multicast discovery
5355 TCP/UDP - LLMNR device discovery for SNMP, SLP
8000, 8080 TCP - UI HTTP access
11427 UDP - device sleep notifications
47545 UDP - communication with devices
47547 TCP - communication with devices |
| 11430 |
udp |
lsdp |
not scanned |
Lenbrook Service Discovery Protocol [Lenbrook_Industries_Limited] (IANA official) |
| 11443 |
tcp,udp |
dogtag |
not scanned |
Plesk sw-cp-serverd (versions 9.0 to 10.2) uses ports 11443/tcp and 11444/tcp. Newer Plesk versions use port 6308/tcp.
Dogtag Certificate System authority uses port 9080 (ca) and port 9443 (secure ca) by default.
Dograg Certificate PKI Subsystems may also use:
DRM - ports 10080 (drm) and 10443 (drm secure)
OCSP - ports 11080 (ocsp) and 11443 (ocsp secure)
RA - ports 12888 (ra) and 12889 (ra secure)
TKS - ports 13080 (tks) and 13443 (tks secure)
TPS - ports (tps) 7888 and 7889 (tps secure) |
| 11444 |
tcp |
plesk |
not scanned |
Plesk sw-cp-serverd (versions 9.0 to 10.2) uses ports 11443/tcp and 11444/tcp. Newer Plesk versions use port 6308/tcp. |
| 11489 |
tcp |
asgcypresstcps |
not scanned |
ASG Cypress Secure Only |
| 11576 |
tcp,udp |
applications |
not scanned |
IPStor Server management communication |
| 11606 |
tcp,udp |
games |
not scanned |
Last Chaos, developer: Aeria Games |
| 11611 |
tcp,udp |
applications |
not scanned |
NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol (JDWP) listening on port 11611 and it is remotely accessible by unauthenticated users, allowing attackers to execute arbitrary code.
References: [CVE-2023-49693] |
| 11623 |
tcp |
emc-xsw-dconfig |
not scanned |
IANA registered for: EMC XtremSW distributed config |
| 11660 |
tcp |
trojan |
Premium scan |
Back streets |
| 11675 |
tcp,udp |
applications |
not scanned |
V-Phone |
| 11718 |
tcp |
trojan |
Premium scan |
Kryptonic Ghost Command Pro trojan |
| 11720 |
tcp,udp |
h323 |
not scanned |
H.323 Call Control Signalling Alternate (IANA official) |
| 11723 |
tcp,udp |
emc-xsw-dcache |
not scanned |
IANA registered for: EMC XtremSW distributed cache |
| 11753 |
tcp |
applications |
not scanned |
OpenRCT2 multiplayer |
| 11768 |
tcp |
trojans |
Premium scan |
Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin [MS04-011]). Uses tcp ports 11768 and 15118.
Trojan.Netdepix [Symantec-2004-121913-4445-99] (2004.12.18) - a trojan horse program that attempts to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (Microsoft Security Bulletin [MS04-011]) on randomly selected computers causing it to download and execute a remote file. |
| 11783 |
tcp,udp |
applications |
not scanned |
Last Contact |
| 11796 |
tcp |
lanschool |
not scanned |
LanSchool [Stoneware Inc] (IANA official) |
| 11796 |
udp |
lanschool-mpt |
not scanned |
Lanschool Multipoint [Stoneware Inc] (IANA official) |
| 11831 |
tcp |
trojans |
Premium scan |
Backdoor.Latinus [Symantec-2002-060710-5206-99] - remote access trojan, afects Windows 9x/ME/NT/2k/XP, opens TCP port 11831/tcp for direct control, 29559/tcp for file transfer, may also use ports 24289/tcp, 29559/tcp.
Backdoor.Pestdoor [Symantec-2002-100314-3144-99] (2002.10.03) - remote access trojan, affects Windows 9x/ME/NT/2k/XP
DarkFace - remote access trojan, affects Windows
Vagr Nocker (2001.02) - remote access trojan, affects Windows
Backdoor.Win32.Backlash.101 / Missing Authentication - BackLash Server 1.0 Alpha drops an executable named "d3d8thk.exe" under Windows dir and listens on TCP ports 11831 and 29559. Telnet to port 11831 allows anyone to retrieve basic system information and run some of the malwares built-in commands on the infected host.
References: [MVID-2021-0085]
Backdoor.Win32.Antilam.11 / Unauthenticated Remote Code Execution - the Win32.Antilam.11 malware aka "Backdoor.Win32.Latinus.b" (MVID-2021-0029), listens on TCP ports 11831, 29559. Third-party attackers who can reach infected systems can execute commands made available by the backdoor.
References: [MVID-2021-0324] |
| 11876 |
tcp,udp |
xoraya |
not scanned |
X2E Xoraya Multichannel protocol |
| 11877 |
udp |
x2e-disc |
not scanned |
X2E service discovery protocol |
| 11885 |
tcp,udp |
games |
not scanned |
DD Tournament Poker |
| 11921 |
tcp |
citrix |
not scanned |
Citrix NetScaler Insight Center / Agent node / Connector node use port 1921 TCP to scale out deployment. |
| 11950 |
tcp |
applications |
not scanned |
Murraycoin JSON-RPC server[147] |
| 11951 |
tcp |
applications |
not scanned |
Murraycoin |
| 11971 |
tcp |
tibsd |
not scanned |
IANA registered for: TiBS Service |
| 11977 |
tcp |
trojan |
Premium scan |
Cool Remote Control trojan |
| 11978 |
tcp |
trojan |
Premium scan |
Cool Remote Control trojan |
| 11980 |
tcp |
trojan |
Premium scan |
Cool Remote Control trojan |
| 11991 |
tcp |
trojan |
Premium scan |
PitfallSurprise trojan |
| 11999 |
tcp |
yahoo-games |
not scanned |
Yahoo Games |
| 12000 |
tcp |
trojans |
Members scan |
Applications that use this port: Phantasy Star Universe, ClearCommerce Engine 4.x (www.clearcommerce.com), CubeForm, Multiplayer SandBox Game.
Wizard 101 uses ports 12000-12999 (TCP/UDP).
SatanCrew [Symantec-2002-082915-3335-99] - remote access trojan, 08.2002. Affects Windows 9x/Me,NT,2K,XP.
W32.Mytob.GN@mm [Symantec-2005-062916-0911-99] (2005.06.29) - mass-mailing worm with its own SMTP engine and backdoor capabilities. Sends itself to email addresses it finds on the compromised computer. Opens and IRC backdoor on port 12000/tcp.
eosfailoverservice.exe in C3-ilex EOScada before 11.0.19.2 allows remote attackers to cause a denial of service by sending a large amount of data to TCP port 12000.
References: [CVE-2012-1813]
Backdoor.Win32.ReverseTrojan.200 / Authentication Bypass Empty Password - ReverseTrojan by satan_addict listens on TCP ports, 12000 and 21. The malware accepts empty credentials for authentication as the default settings are set to blank. Third-party attackers who can reach an infected host can potentially gain access to the machine before or if no password is set.
References: [MVID-2021-0256]
IANA registered for: entextxid - IBM Enterprise Extender SNA XID Exchange |
| 12001 |
tcp |
seafile |
not scanned |
Think or Swim (TD Ameritrade) platform uses port 12001 TCP
Seafile Windows Server uses the following TCP ports: 8000 (seahub web interface), 8082 (seafile server), 10001 (ccnet), 12001 (seaf-server).
IANA registered: IBM Enterprise Extender SNA COS Network Priority |
| 12002 |
tcp,udp |
applications |
not scanned |
ImageCast Control Center 4.1.0 allows remote attackers to cause a denial of service (resource exhaustion or system crash) via a long string to port 12002.
References: [CVE-2001-0121], [BID-2174]
Port is also IANA registered for IBM Enterprise Extender SNA COS High Priority |
| 12003 |
tcp,udp |
entextmed |
not scanned |
Geutebrueck re_porter 16 before 7.8.974.20 has a possibility of unauthenticated access to sensitive information including usernames and hashes via a direct request for /statistics/gscsetup.xml on TCP port 12003.
References: [CVE-2018-15534], [EDB-45240]
IANA registered for: IBM Enterprise Extender SNA COS Medium Priority |
| 12005 |
|
dbisamserver1 |
not scanned |
A reflected cross-site scripting vulnerability exists in Geutebrueck re_porter 16 before 7.8.974.20 by appending a query string to /modifychannel/exec or /images/*.png on TCP port 12005.
References: [CVE-2018-15533], [EDB-45242]
IANA registered for: DBISAM Database Server |
| 12009 |
udp |
ghvpn |
not scanned |
Green Hills VPN [Green Hills Software] (IANA official) |
| 12010 |
tcp |
edbsrvr |
not scanned |
ElevateDB Server |
| 12011 |
tcp |
applications |
not scanned |
Axence nVision |
| 12012 |
tcp,udp |
vipera |
not scanned |
Audition Online Dance Battle, Korea Server—Status/Version Check (UDP), Axence nVision
Vipera Messaging Service (IANA official) |
| 12013 |
tcp,udp |
vipera-ssl |
not scanned |
IANA registered for: Vipera Messaging Service over SSL Communication, registered 2008-01-16
Audition Online Dance Battle, Korea Server also uses this port. |
| 12031 |
tcp |
applications |
not scanned |
Axence nVision |
| 12032 |
tcp |
applications |
not scanned |
Axence nVision |
| 12035 |
udp |
applications |
not scanned |
IANA registered for: Linden Lab viewer to sim on SecondLife |
| 12043 |
tcp |
trojan |
Premium scan |
Frenzy trojan
Second Life, used for LSL HTTPS in-bound |
| 12046 |
tcp |
applications |
not scanned |
Second Life, used for LSL HTTP in-bound |
| 12053 |
tcp,udp |
applications |
not scanned |
Delta Three PC to Phone |
| 12065 |
tcp |
trojan |
Premium scan |
Backdoor.Berbew.j [Symantec-2004-082414-4142-99] |
| 12076 |
tcp |
trojans |
Premium scan |
GJamer, MSH.104b trojans |
| 12080 |
tcp |
applications |
Members scan |
Port used by WebShield, Dwyco Video Conferencing, NetworkServer, Delta Three PC to Phone.
Trojan Troj/Agent-E, Win32.Disprox.A also use this port. |
| 12083 |
tcp |
applications |
not scanned |
Delta Three PC to Phone |
| 12088 |
tcp,udp |
applications |
not scanned |
Revo DVRNS |
| 12099 |
tcp |
games |
not scanned |
Phantasy Star Universe |
| 12120 |
udp |
applications |
not scanned |
Delta Three PC to Phone |
| 12121 |
tcp |
trojans |
Premium scan |
Backdoor.Balkart [Symantec-2004-090212-3607-99] (2004.09.02) - a backdoor trojan horse that can act as a HTTP proxy or FTP server
Port is also IANA registered for NuPaper Session Service |
| 12122 |
udp |
applications |
not scanned |
Delta Three PC to Phone |
| 12122 |
tcp |
trojans |
Members scan |
Hellz Addiction, also known as Backdoor.Hellza.110, Backdoor.Hellza.115, and Backdoor.Hellza.120, is a backdoor Trojan affecting Microsoft Windows operating systems.
The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 12122, to allow the client system to connect. Hellz Addiction could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-15163]
Backdoor.Win32.Hellza.120 / Unauthorized Remote Command Execution - the malware listens on TCP ports 12122, 21. Third-party adversarys who can reach infected systems can issue commands made available by the backdoor.
References: [MVID-2022-0641] |
| 12168 |
tcp,udp |
cawas |
not scanned |
Computer Associates eTrust AntiVirus Server contains a buffer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code, or create a denial of service condition. eTrust AntiVirus Server installs a service called inoweb that listens on port 12168/tcp.
References: [CVE-2007-2522], [OSVDB-34585], [BID- 23906]
IANA registered for: CA Web Access Service |
| 12174 |
tcp |
applications |
not scanned |
Multiple Symantec Alert Management System 2 (AMS2) components could allow a remote attacker to execute arbitrary commands on the system, caused by an error in the Intel LANDesk Common Base Agent (CBA). By sending a specially-crafted packet to TCP port 12174, a remote attacker could pass packet content as an argument to the CreateProcessA() function and execute arbitrary commands on the system with SYSTEM level privileges.
References: [CVE-2009-1429], [BID-34671] |
| 12200 |
tcp |
applications |
not scanned |
GNucDNA, Tenebril GhostSurf |
| 12201 |
udp |
games |
not scanned |
Medal of Honor: Allied Asasult Monitoring Port
Graylog Extended Log Format (GELF) also uses this port (TCP/UDP) |
| 12202 |
udp |
games |
not scanned |
Medal of Honor: Allied Asasult Alternate Game Port (Opt. w/net port) |
| 12203 |
udp |
games |
not scanned |
Medal of Honor: Allied Asasult Default Server Port |
