The Broadband Guide
SG
search advanced
 Username:
 Password:
Register
 forgot password?

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

 1 |....| 36 | 37 | 38 | 39 | 40 | 41 
Port(s) Protocol Service Scan level Description
 57341 tcp trojans Premium scan Port used by NetRaider trojan.
 57588 tcp,udp gtk not scanned Gtk#
The Gtk# GUI toolkit from Novell employs port 57588 to connect with its host site. It contains a collection of .NET bindings and an assortment of GNOME libraries.
 57621 udp spotify not scanned Port 57621 UDP is used by Spotify client for P2P communication
 57621 udp spotify not scanned Spotify client uses port 57621 UDP for P2P communication
 57785 tcp trojan Premium scan G.R.O.B.
 57851-57943 tcp arx not scanned Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235)
 58008 tcp trojans Premium scan Backdoor.Tron - remote access trojan, 06.2002.Affects all current Windows versions, has the ability to kill software firewall processes.
 58009 tcp trojan Premium scan Backdoor.Tron - remote access trojan, 06.2002.Affects all current Windows versions, has the ability to kill software firewall processes.
 58134 tcp trojan Premium scan Charge trojan
 58339 tcp trojan Members scan ButtFunnel trojan
 58343 tcp trojans Premium scan Backdoor.Prorat - Delphi remote access trojan, 06.2003. Affects Windows. It opens port 58343 by default.
 58641 tcp trojans Premium scan W32.Kalel.B@mm (06.15.2005) - mass-mailing worm with keylogger and backdoor capabilities. Spreads through email and file-sharing networks. Opens a backdoor and listens for remote commands on port 58641/tcp.
 58642 tcp applications not scanned Jamcast
 58666 tcp trojans Premium scan Backdoor.Redkod - remote access trojan, 02.2003. Affects all current Windows versions.
 58723 tcp applications not scanned Open Automation Software OPC Systems.NET before 5.0 allows remote attackers to cause a denial of service via a malformed .NET RPC packet on TCP port 58723.
References: [CVE-2011-4871]
 59000 tcp,udp applications not scanned Tekkotsu, Cisco Agent Desktop
Tekkotsu is an open-source environment for the programming of robots.
Cisco Agent Desktop is an application for Computer Telephony Integration (CTI).
 59211 tcp trojans Premium scan Backdoor.Ducktoy (2002.07) - remote access trojan, affects all current Windows versions, listens to ports 29559 and 59211 by default.

NewFuture trojan
 59278 tcp,udp applications not scanned WS-Proxy in Eye-Fi 1.1.2 allows remote attackers to cause a denial of service (crash) via an empty query string to port 59278 and other unspecified vectors.
References: [CVE-2008-7137], [BID-28085]
 59969 tcp,udp games not scanned Genesis Rising: The Universal Crusade Beta
 60000 tcp trojans Premium scan Trojans/backdoors that use this port: DeepThroat/BackDoor-J, F0replay/WiNNUke eXtreame, Sockets des Troie, MiniBacklash
 60000 udp sco not scanned SCO Copy Protection Demon (CPD)
Among the products protected by SCO CPD are the SCO UnixWare, SCO OpenServer, Smallfoot, SCOoffice Server, WebFace, SCOx Web Services Substrate, Me Inc., and Caldera WebSpyder.
 60001 tcp trojans Premium scan Trojans that use this port: Entitee trojan, Trinity trojan (DoS)
 60001 udp nat-traverse not scanned nat-traverse, Vorsis
The nat-traverse application utilizes UDP port 60001 to pass through NAT gateways to generate links between nodes located behind these gateways.
Vorsis audio processors employ UDP and TCP port 60001 to communicate with their host.
 60006 tcp trojan Premium scan Trojan.Fulamer.25
 60008 tcp trojans Premium scan T0rn Rootkit, Lion Trojan - exploits Linux Bind servers' TSIG vulnerability
 60023 tcp applications not scanned Clipcomm CPW-100E VoIP 802.11b Wireless Handset Phone running firmware 1.1.12 (051129) and CP-100E VoIP 802.11b Wireless Phone running firmware 1.1.60 allows remote attackers to gain unauthorized access via the debug service on TCP port 60023.
References: [CVE-2006-0305], [BID-16289]
 60068 tcp trojans Premium scan Xzip trojan, T0rn rootkit
 60101 tcp trojans Premium scan Backdoor.Stealer (2003.07.04) - a trojan that gives its creator full control over the infected computer
 60411 tcp trojan Premium scan Connection.100, Connection.130 trojan
 60412 tcp trojan not scanned Connection.130 trojan
 60551 tcp trojan Premium scan R0xr4t
 60552 tcp trojan Premium scan R0xr4t
 60666 tcp trojan Premium scan Basic Hell trojan
 61000 tcp trojans Premium scan Backdoor.Mite - remote access trojan, 09.2002. Affects all current Windows versions, listens on port 61000.
 61115 tcp trojan Premium scan Protoss trojan
 61183 tcp,udp worm not scanned W32.Quadrule.A (2007.05.28) - a worm that spreads through network and removable drives. It also opens a back door on the compromised computer.
 61282 tcp worm not scanned W32.Pandem.B.Worm (2003.08.19) - an Internet worm that is written in C++ and is packed with PEBundle
 61337 tcp trojan Premium scan Nota trojan
 61348 tcp trojans Premium scan Bunker-Hill trojan. Uses ports 61348, 61603, 63485
 61427 tcp applications not scanned Desktop Rover 3.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a crafted packet to TCP port 61427, which causes an invalid memory access.
References: [CVE-2005-1204]
 61440 tcp trojan Premium scan Orion trojan
 61441 tcp netprowler not scanned Axent NetProwler sensor

Cisco TelePresence Endpoint could allow a remote attacker to execute arbitrary commands on the system, caused by an error in XML-RPC. By initiating a three-way handshake, a remote attacker could send a specially-crafted request to TCP port 61441 or TCP port 61445 to inject and execute arbitrary commands on the system.
References: [BID-46517], [CVE-2011-0378], [XFDB-65617]
 61445 tcp applications not scanned Cisco TelePresence Endpoint could allow a remote attacker to execute arbitrary commands on the system, caused by an error in XML-RPC. By initiating a three-way handshake, a remote attacker could send a specially-crafted request to TCP port 61441 or TCP port 61445 to inject and execute arbitrary commands on the system.
References: [BID-46517], [CVE-2011-0378], [XFDB-65617]
 61460 tcp not scanned An unspecified API on Cisco TelePresence Immersive Endpoint Devices before 1.9.1 allows remote attackers to execute arbitrary commands by leveraging certain adjacency and sending a malformed request on TCP port 61460, aka Bug ID CSCtz38382.
References: [CVE-2012-3074]
 61466 tcp trojans Premium scan TeleCommando trojan
 61603 tcp trojans Premium scan Bunker-Hill trojan. Uses ports 61348, 61603, 63485
 61613 tcp stomp not scanned Default listening port used by STOMP (Simple Text Oriented Messaging Protocol) - http://stomp.github.com
 61615 tcp applications not scanned Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (memory consumption) via a flood of TCP packets to port (1) 61615 or (2) 61616, aka Bug ID CSCtz90114.
References: [CVE-2013-3389]
 61616 tcp,udp activemq not scanned Apache ActiveMQ, Java Message Service (JMS)

Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (memory consumption) via a flood of TCP packets to port (1) 61615 or (2) 61616, aka Bug ID CSCtz90114.
References: [CVE-2013-3389]
 61695 tcp,udp surfcontrol not scanned SurfControl Web Filter - uses port 61695 to establish communication with Juniper Networks Security Devices
 61746 tcp,udp trojan not scanned KiLo trojan
 61747 tcp,udp trojan not scanned KiLo trojan horse
 61748 udp trojan not scanned KiLo trojan horse
 61979 tcp trojan Premium scan Cool Remote Control trojan horse
 62011 tcp trojan Premium scan Ducktoy trojan
 62078 tcp,udp upnp not scanned UPnP (Universal Plug and Play), iTunes

Port used by UPnP for multimedia files sharing, also used for synchronizing iTunes files between devices.
 62514 udp vpn not scanned Cisco VPN Service to Cisco Systems IPSec Driver

Stack-based buffer overflow in the IKE service (ireIke.exe) in SafeNet SoftRemote before 10.8.6 allows remote attackers to execute arbitrary code via a long request to UDP port 62514.
References: [CVE-2009-1943], [BID-35154]
 62515 udp vpn not scanned Cisco VPN Client - also employs Network Admission Control (NAC)
 62516 udp ireike not scanned IREIKE, SonicWall VPN, NetScreen Remote Client

Port 62516 is used for communications between the IKE service and driver for interface detection. The IKE service sends a broadcast, and it should be blocked by the driver. But if DNE (Deterministic NDIS) is not bound to an interface, this broadcast will be sent out.
 62976 udp applications not scanned D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address, which allows remote attackers to change the IP address of the camera via a UDP broadcast packet.
References: [CVE-2004-1650], [BID-11072], [SECUNIA-12425]
 63000,63001 tcp trojans Premium scan W32.Gaobot.ADX - Worm that spreads through a few different methods, including open network shares, several known Windows vulnerabilities, and other backdoors like Beagle and Mydoom. It can affect all current Windows versions, discovered 04-2004.

The worm can act as a backdoor server program and attack other systems, it also attempts to kill the process of many antivirus and security applications. It runs the following services:

Runs the following network services:

HTTP proxy on TCP port 63000
HTTPS proxy on TCP port 63001
SOCKS proxy on TCP port 30001
FTP server on randomly chosen TCP port
 63148 tcp applications not scanned Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via repeatedly sending large (> 10Kb) amounts of data to the DIIOP - CORBA service on TCP port 63148.
References: [CVE-2001-0603]
 63235 tcp arx not scanned Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235)
 63333 tcp TrippLite not scanned Tripp Lite PowerAlert UPS
 63392 tcp,udp applications not scanned Live For Speed Server
 63485 tcp trojans Premium scan Bunker-Hill trojan. Uses ports 61348, 61603, 63485
 63536 tcp trojan not scanned InsaneNetwork.500 trojan
 63808 tcp trojan Premium scan Phatbot
 63809 tcp trojans Premium scan Phatbot, W32.hllw.gaobot.dk worm
 63878 tcp trojan not scanned AphexFTP.100 trojan
 63879 tcp trojan not scanned AphexFTP.100 trojan
 64064 tcp,udp applications not scanned Gizmo Project
 64087 udp games not scanned Crysis game uses this port.

The ports for Crysis are as follows:
TCP 29900, 29901, 28910, 6667
UDP 64087

When hosting a server the following ports are used:
TCP 29900, 29901, 28910, 443, 80
UDP 64087, 29910, 27900, 27901
 64101 tcp trojans Premium scan Taskman trojan
 64320 tcp,udp activepdf not scanned Port used by ActivePDF software - automates PDF generation process from different sources, such as a website

ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541
 64429 tcp trojans Premium scan Backdoor.Amitis - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429.
 64444 tcp trojans Premium scan Backdoor.Sdbot.AM (01.28.2005) - worm with backdoor and denial of service capabilities. Spreads via network shares. Connects via IRC and listens on port 64444/tcp.
 64738 tcp,udp voip not scanned Mumble VoIP server uses port 64738 TCP and UDP by default. 64738 UDP is the default connection port to Mumble servers (VoIP software for PC gamers).


 64969 tcp trojan not scanned Lithium.100 trojan
 64999 udp applications not scanned Unspecified vulnerability in SAP Web Application Server before 6.40 patch 6 allows remote attackers to cause a denial of service (enserver.exe crash) via a certain UDP packet to port 64999, aka "two bytes UDP crash".
References: [CVE-2006-6011]

Unspecified vulnerability in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to cause a denial of service (enserver.exe crash) via a 0x72F2 sequence on UDP port 64999.
References: [CVE-2006-5785] [SECUNIA-22677] [BID-20873]
 65000 tcp trojans Premium scan Devil 13, Sockets des Troie, Stacheldraht trojans
 65000 udp trojans not scanned Devil trojan horse 1.03
 65001 tcp,udp hdhomerun not scanned HDHomeRun DVR from SiliconDust uses this port. HDHomeRun can be administered over the Ethernet link to tune channels, broadcast an MPEG stream, etc. The device can be viewed/controlled through a range of Linux/Windows DVR/PVR programs.

List of all used ports:
Discovery Protocol - UDP 65001
Control Protocol - TCP 65001
Video stream - UDP 5002 and UDP 5004
LIRC for IR on HD Homerun - UDP 5000
 65100 tcp,udp applications not scanned Port used by the Sage Act! customer and contact manager. Port 65100 serves Act! as a link that offers remote access to information in the enterprise network. Act! can also be integrated into business programs such as accounting tools and MS Office.
 65111 tcp trojans Premium scan Backdoor.Microkos (08.10.2005) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp.
 65112 tcp,udp tv-multicast not scanned Port used by One-to-One TV over IP Multicast. Used for IP-based multimedia "chunk streaming", extending the capability of multimedia streaming to provide every client with individual content over the Internet.
 65289 tcp trojan Premium scan yoyo trojan horse
 65301 tcp pcanywhere Premium scan Port used by PC Anywhere
 65390 tcp trojans Premium scan Xylo Eclypse trojan
 65421 tcp trojans Premium scan Alicia trojan, Jade trojan packed with neolite
 65422 tcp trojan Premium scan Alicia trojan horse
 65432 tcp trojans Premium scan Port used by The Traitor (th3tr41t0r) trojan. Also uses port 65532/udp
 65506 tcp trojans Premium scan Port 65506 is used by some trojans for a spam email relay.

PhatBot (a.k.a. Agobot, Gaobot) - most variants exploit the MS DCOM RPC vilnerability (MS Security Billetin [MS03-026]) and the RPC locator vulnerability (MS Security Bulletin [MS03-001]) to spread. Some variants scan port 65506 for a possible backdoor.
 65511 tcp applications not scanned A certain HTC update for Android 2.3.4 build GRJ22, when the Sense interface is used on the HTC EVO 3D, EVO 4G, ThunderBolt, and unspecified other devices, provides the HtcLoggers.apk application, which allows user-assisted remote attackers to obtain a list of telephone numbers from a log, and other sensitive information, by leveraging the android.permission.INTERNET application permission and establishing TCP sessions to 127.0.0.1 on port 65511 and a second port.
References: [CVE-2011-3975] [BID-49916]
 65520 tcp virus not scanned W32.Virut.B (2007.03.01) - a virus that infects executable files and opens a back door on the compromised computer
 65530 tcp trojan Members scan [trojan] Windows Mite
 65532 udp trojans Premium scan Port used by The Traitor (th3tr41t0r) trojan. Also uses port 65432/tcp
 65534 tcp trojans Premium scan [trojan] /sbin/initd - reported on Linux hosts as a hacked backdoor along with tcp port 1049

Port also used by NetMeeting with H323
 65535 tcp trojans Premium scan Port used by Adore, Sins, ShitHeep and Remote Control (RC) trojans.

Apple Xsan Filesystem Access uses the dynamic/private range 49152-65535 (TCP/UDP) as well.
 65535 udp games not scanned Lord of the Rings: Battle for Middle Earth 2, Dark Ages of Camelot, Final Fantasy XI (TCP/UDP)

Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP.
References: [CVE-2007-1674], [BID-23483]

Vulnerabilities listed: 100 (some use multiple ports)
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About