| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 19226 |
tcp |
applications |
not scanned |
Panda Software AdminSecure Communication Agent
Integer overflow in Panda Software AdminSecure allows remote attackers to execute arbitrary code via crafted packets with modified length values to TCP ports 19226 or 19227, resulting in a heap-based buffer overflow.
References: [CVE-2007-3026], [BID-25046]
Panda Security for Business and Panda Security for Enterprise products could allow a remote attacker to execute arbitrary code on the system, caused by a directory traversal flaw in the Panda AdminSecure Communications Agent (Pagent.exe). By sending a specially-crafted request to TCP port 19226, an attacker could exploit this vulnerability to create and overwrite arbitrary files and execute arbitrary code with SYSTEM privileges.
References: [XFDB-88091] |
| 19227 |
tcp |
applications |
not scanned |
Integer overflow in Panda Software AdminSecure allows remote attackers to execute arbitrary code via crafted packets with modified length values to TCP ports 19226 or 19227, resulting in a heap-based buffer overflow.
References: [CVE-2007-3026], [BID-25046] |
| 19234 |
tcp |
applications |
not scanned |
A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to cause a Denial of Service condition and potentially lead to unauthenticated remote code execution by sending specially crafted packets to port 19234/TCP.
References: [CVE-2016-9157], [BID-94549] |
| 19235 |
tcp |
applications |
not scanned |
A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to upload, download, or delete files in certain parts of the file system by sending specially crafted packets to port 19235/TCP.
References: [CVE-2016-9156], [BID-94549] |
| 19283 |
tcp,udp |
keysrvr |
not scanned |
Key Server for SASSAFRAS (IANA official) |
| 19294 |
tcp |
applications |
not scanned |
IANA registered for: Google Talk Voice and Video connections |
| 19295 |
udp |
applications |
not scanned |
IANA registered for: Google Talk Voice and Video connections |
| 19302 |
udp |
voip |
not scanned |
VoIP STUN servers (Session Traversal Utilities for NAT), i.e. IP phones behind a firewall/NAT commonly use UDP port 3470 and 19302
Google Talk, DUO, Hangouts commonly use ports 19302-19308 UDP and 19305-19308 TCP
IANA registered for: Google Talk Voice and Video connections |
| 19303-19308 |
tcp,udp |
voip |
not scanned |
Google Talk, DUO, Hangouts commonly use ports 19302-19308 UDP and 19305-19308 TCP |
| 19315 |
tcp,udp |
keyshadow |
not scanned |
Key Shadow for SASSAFRAS (IANA official) |
| 19334 |
tcp,udp |
malware |
not scanned |
HEUR:Trojan.MSIL.Agent.gen / Information Disclosure - the malware runs an HTTP service on port 19334. Attackers who can reach an infected host can make HTTP GET requests to download and or stat arbitrary files using forced browsing.
References: [MVID-2022-0654] |
| 19340 |
tcp,udp |
trojans |
not scanned |
Backdoor.RemoteNC.B [Symantec-2002-111518-0305-99] (2002.11.15) - a backdoor trojan that allows a hacker to gain access to your system. The hacker can then delete, copy, and execute files and perform other actions. By default it opens port 19340. |
| 19421 |
tcp,udp |
applications |
not scanned |
In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
References: [CVE-2019-13450], [BID-109082]
In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421.
References: [CVE-2019-13449], [XFDB-163500], [XFDB-163501] |
| 19424 |
tcp,udp |
applications |
not scanned |
In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
References: [CVE-2019-13450], [BID-109082], [XFDB-163501] |
| 19535 |
tcp |
malware |
not scanned |
Backdoor.Win32.Freddy.2001 / Authentication Bypass Command Execution - the malware listens on TCP port 19535. Third-party intruders who can reach an infected host can gain access using an empty password and run commands made available by the backdoor using TELNET.
References: [MVID-2022-0486] |
| 19540 |
tcp,udp |
sxuptp |
not scanned |
Belkin Network USB Hub
SXUPTP (IANA official) |
| 19545 |
tcp |
malware |
not scanned |
Backdoor.Win32.Prexot.a / Authentication Bypass - the malware listens on random high TCP ports e.g 11404, 19545, 17001, 10110. Third-party attackers who can reach an infected system can logon using any username/password combination.
References: [MVID-2022-0484]
Backdoor.Win32.Prexot.a / Port Bounce Scan (MITM) - the malware listens on random high TCP ports e.g 11404, 19545, 17001, 10110 and accepts any credentials. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0485] |
| 19604 |
tcp |
trojan |
Premium scan |
Metal trojan |
| 19605 |
tcp |
trojan |
Premium scan |
Metal trojan |
| 19638 |
tcp |
applications |
not scanned |
Ensim Control Panel |
| 19650 |
tcp |
malware |
not scanned |
Trojan-Proxy.Win32.Ranky.ag / Unauthenticated Open Proxy - the malware listens on TCP port 19650. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0269] |
| 19712 |
tcp,udp |
games |
not scanned |
Giants: Citizen Kabuto |
| 19786 |
tcp,udp |
applications |
not scanned |
Risk II |
| 19788 |
udp |
mle |
not scanned |
Mesh Link Establishment [IESG] (IANA official) |
| 19790 |
tcp |
faircom-db |
not scanned |
FairCom Database (IANA official) |
| 19800 |
udp |
applications |
not scanned |
A vulnerability in Mxserver can be exploited to compromise a vulnerable system. The vulnerability is caused due to a boundary error when processing network packets. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to UDP port 19800.
References: [SECUNIA-39051]
|
| 19801 |
tcp |
trojans |
Premium scan |
Backdoor.Wnetpols [Symantec-2008-042215-5247-99] (2008.04.22) - a trojan horse that opens a back door on the compromised computer. |
| 19810 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in B Labs Bopup Communication Server 3.2.26.5460 allows remote attackers to execute arbitrary code via a crafted request to TCP port 19810.
References: [CVE-2009-2227] |
| 19812 |
tcp |
applications |
not scanned |
4D database SQL Communication |
| 19813 |
tcp |
applications |
not scanned |
4D database Client Server Communication
HP Data Protector Media Operations is vulnerable to a denial of service, caused by a NULL pointer dereference in the DBServer.exe and DBTools.exe programs. By sending a specially-crafted packet to TCP port 19813, a local attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-61751], [BID-43167], [OSVDB-68528] |
| 19814 |
tcp |
applications |
not scanned |
4D database DB4D Communication |
| 19864 |
tcp |
trojan |
Premium scan |
ICQ Revenge trojan |
| 19937 |
tcp |
trojan |
Premium scan |
Backdoor.Gaster [Symantec-2003-122909-2907-99] |
| 19944 |
tcp |
phala |
not scanned |
Phala network default ports: 9944, 18000, 19944 |
| 19966 |
tcp,udp |
games |
not scanned |
Stronghold Legends |
| 19991 |
tcp |
trojan |
Premium scan |
Dfch trojan
Monopoly 3 also uses port 19991 (TCP/UDP) |
| 19998 |
tcp |
iec-104-sec |
not scanned |
IANA registered for: IEC 60870-5-104 process control - secure |
| 19999 |
tcp,udp |
dnp-sec |
not scanned |
Distributed Network Protocol - Secure (IANA official) |
| 20000 |
tcp,udp |
dnp |
Premium scan |
GlassWire service uses port 7010 by default, may also listen to port 20000.
QuickTime Streaming Server 4 also uses ports 10000-20000 (TCP).
Ultimate Baseball Online Client uses ports 20000-22200 (UDP)
Usermin, Web-based user tool, OpenWebNet - communications protocol used in Bticino products
Trojans that use this port: Millenium, PSYcho Files, XHX
The DNP Master Driver in Software Toolbox TOP Server before 5.12.140.0 allows remote attackers to cause a denial of service (master-station infinite loop) via crafted DNP3 packets to TCP port 20000 and allows physically proximate attackers to cause a denial of service (master-station infinite loop) via crafted input over a serial line.
References: [CVE-2013-2804]
The Kepware DNP Master Driver for the KEPServerEX Communications Platform before 5.12.140.0 allows remote attackers to cause a denial of service (master-station infinite loop) via crafted DNP3 packets to
TCP port 20000 and allows physically proximate attackers to cause a denial of service (master-station infinite loop) via crafted input over a serial line.
References: [CVE-2013-2789]
The master-station DNP3 driver before driver19.exe, and Beta2041.exe, in IOServer allows remote attackers to cause a denial of service (infinite loop) via crafted DNP3 packets to TCP port 20000.
References: [CVE-2013-2790]
IOServer is vulnerable to a denial of service, caused by improper handling of TCP packets within DNP3 drivers. By sending a specially-crafted packet to TCP port 20000, a remote attacker could exploit this vulnerability to cause the system to enter into an infinite loop.
References: [BID-60450], [CVE-2013-2783]
A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated could lose network communication in case of TCP/IP open requests on port 20000 (DNP3oE) if an older TCI/IP session is still open with identical IP address and port number.
References: [CVE-2018-7758]
DNP (IANA official) |
| 20001 |
tcp |
trojans |
Premium scan |
Insect, Millennium, PSYcho Files trojans |
| 20001 |
udp |
qnap |
not scanned |
QNAP CloudLink uses port 20001 UDP to allow access without explicit port forwarding (technology similar to STUN for VoIP). CloudLink is not required if ports are manually forwarded and the NAS accessible.
QNAP uses the following ports:
Web server: 80,8081 TCP and 443,8080 TCP (web admin)
FTP/SFTP/SSH: 20,21,22 TCP and 13131 TCP (telnet)
Remote Replication: 873,8899 TCP
VPN server: 1723 TCP (PPTP), 1194 UDP (OpenVPN)
CloudLink: port 20001 UDP (optional, only required for access without manual port forwarding)
Game: Blazing Angels Squadrons of WWII (developer: Ubisoft Romania) |
| 20002 |
tcp |
trojans |
Premium scan |
Blazing Angels Squadrons of WWII also uses this port.
PSYcho Files, AcidkoR trojans
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tmpServer service, which listens on TCP port 20002. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9662.
References: [CVE-2020-10886] |
| 20002 |
udp |
applications |
not scanned |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650.
References: [CVE-2020-10882]
This vulnerability allows network-adjacent attackers execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. This issue results from the use of hard-coded encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9652.
References: [CVE-2020-10884] |
| 20005 |
tcp |
netusb |
Members scan |
MoSucker trojan (2010)
[CVE-2015-3036] KCodes NetUSB Linux kernel driver is vulnerable to a buffer overflow via the network over TCP port 20005 that may result in a denial of service or code execution. The KCodes NetUSB driver has been integrated into several routers and network products, including Netgear, TP-Link, Trendnet, etc. An unauthenticated attacker on the local network (and a remote attacker with the default configuration on some devices) can trigger a buffer overflow that may result in a denial of service, or code execution. The vulnerability is triggered by simply specifying a machine name longer than 64 characters.
Certain D-Link, Edimax, NETGEAR, TP-Link, Tenda, and Western Digital devices are affected by an integer overflow by an unauthenticated attacker. Remote code execution from the WAN interface (TCP port 20005) cannot be ruled out; however, exploitability was judged to be of "rather significant complexity" but not "impossible." The overflow is in SoftwareBus_dispatchNormalEPMsgOut in the KCodes NetUSB kernel module. Affected NETGEAR devices are D7800 before 1.0.1.68, R6400v2 before 1.0.4.122, and R6700v3 before 1.0.4.122.
References: [CVE-2021-45608] |
| 20012 |
udp |
ss-idi-disc |
not scanned |
Samsung Interdevice Interaction discovery |
| 20013 |
tcp |
ss-idi |
not scanned |
Samsung Interdevice Interaction
Dark and Light game also uses port 20013 (TCP/UDP). |
| 20014 |
tcp,udp |
opendeploy |
not scanned |
DART Reporting server (TCP)
OpenDeploy Listener (IANA official) |
| 20023 |
tcp |
trojan |
Premium scan |
VP Killer trojan |
| 20031 |
tcp,udp |
applications |
not scanned |
Sony Bravia TV service may open TCP port 20031.
npvmgr.exe in BakBone NetVault Backup 8.22 Build 29 allows remote attackers to cause a denial of service (daemon crash) via a packet to TCP/UDP port 20031 with a large value in an unspecified size field, which is not properly handled in a malloc operation.
References: [CVE-2009-3448] [BID-36489]
Heap-based buffer overflow in the demo version of Bakbone Netvault, and possibly other versions, allows remote attackers to execute arbitrary commands via a large packet to port 20031.
References: [CVE-2005-1547]
NetVault is vulnerable to a stack-based buffer overflow caused by improper bounds checking of user-supplied input in the processing of the configure.cfg file. By creating a specially-crafted computername 'Name=' entry containing more than 111 bytes, a local attacker with access to the configure.cfg file, could overflow a buffer and execute arbitrary code on the system with SYSTEM level privileges, once the NetVault Process Manager restarts.
Note: A remote attacker could also exploit this vulnerability by connecting to port 20031 and sending a specially-crafted clientname entry in the Available NetVault Machines list to overflow a buffer and execute arbitrary code on the system.
References: [XFDB-19932], [CVE-2005-1009], [BID-12966], [BID-12967] |
| 20034 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: NetBus, NetRex, Whack Job |
| 20034 |
udp |
applications |
not scanned |
Stack-based buffer overflow in Azeotech DAQFactory 5.85 build 1853 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted NETB packet to UDP port 20034.
References: [CVE-2011-3492] |
| 20046 |
tcp,udp |
tmophl7mts |
not scanned |
TMOP HL7 Message Transfer Service |
| 20048 |
tcp,udp |
mountd |
not scanned |
NFS mount protocol |
| 20049 |
tcp,udp,sctp |
nfsrdma |
not scanned |
Network File System (NFS) over RDMA [RFC 5666] (IANA official) |
| 20050 |
udp |
games |
not scanned |
Blazing Angels Squadrons of WWII, developer: Ubisoft Romania |
| 20050 |
tcp |
applications |
not scanned |
In IXP EasyInstall 6.2.13723, there are cleartext credentials in network communication on TCP port 20050 when using the Administrator console remotely.
References: [CVE-2019-19898] |
| 20051 |
tcp |
applications |
not scanned |
In IXP EasyInstall 6.2.13723, there is Remote Code Execution via the Agent Service. An unauthenticated attacker can communicate with the Agent Service over TCP port 20051, and execute code in the NT AUTHORITY\SYSTEM context of the target system by using the Execute Command Line function.
References: [CVE-2019-19897] |
| 20057 |
tcp |
avesterra |
not scanned |
IANA registered for: AvesTerra Hypergraph Transfer Protocol (HGTP) |
| 20080 |
|
games |
not scanned |
Blazing Angels Squadrons of WWII, developer: Ubisoft Romania |
| 20100 |
udp |
games |
not scanned |
Soldier of Fortune 2 |
| 20101 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager 5.5 before Build 1613 allows remote attackers to execute arbitrary code via a crafted IPC packet to TCP port 20101.
References: [CVE-2011-5001], [BID-50965] |
| 20111 |
tcp |
applications |
not scanned |
Yokogawa CENTUM CS 3000 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the BKBCopyD.exe service. By sending specially-crafted packets to TCP port 20111, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [BID-66114], [XFDB-91785], [EDB-32210] |
| 20139 |
tcp |
trojan |
Premium scan |
#skanbotz IRC-SubSeven trojan |
| 20168 |
tcp |
worm |
Premium scan |
W32.HLLW.Lovgate.C@mm |
| 20171 |
tcp |
applications |
not scanned |
Yokogawa CENTUM CS 3000 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the BKHOdeq.exe service. By sending specially-crafted packets to TCP port 20171, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2014-0783], [BID-66111], [XFDB-91784], [EDB-32209] |
| 20192 |
tcp |
trojans |
not scanned |
Backdoor.Ranky.V [Symantec-2005-110215-2104-99] (2005.11.02) - a trojan horse that allows the compromised computer to be used as a covert proxy. Starts a proxy on a random TCP port between 1025 and 65535, uses port 20192/tcp to send notifications of infection. |
| 20203 |
tcp |
trojans |
not scanned |
Chupacabra, Logged! |
| 20222 |
tcp |
applications |
not scanned |
Unspecified vulnerability in the Open Database Connectivity (ODBC) component in 7T Interactive Graphical SCADA System (IGSS) before 9.0.0.11143 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 20222, which triggers memory corruption related to an "invalid structure being used."
References: [CVE-2011-2214], [BID-47960]
Stack-based buffer overflow in the ODBC server service in Citect CitectSCADA 6 and 7, and CitectFacilities 7, allows remote attackers to execute arbitrary code via a long string in the second application packet in a TCP session on port 20222.
References: [CVE-2008-2639] [BID-29634] [SECUNIA-30638]
iPulse-ICS (IANA official) |
| 20226 |
tcp |
trojans |
Premium scan |
Backdoor.AntiLam.20.Q [Symantec-2003-082907-5935-99] (2003.08.29) - a backdoor trojan horse that gives its creator access to a computer. By default this trojan listens on ports 20226 and 52559. The existence of the file nas.exe is in indication of a possible infection. This threat is written in the Delphi programming language. |
| 20331 |
tcp |
trojan |
Premium scan |
Backdoor.Bla.Trojan [Symantec-2000-121815-1846-99] - opens TCP ports 20331, 22456, 22457 by default. |
| 20432 |
tcp,udp |
ddos |
not scanned |
Shaft (DDoS) |
| 20433 |
udp |
trojan |
not scanned |
Shaft Agent |
| 20480 |
tcp |
trojan |
Premium scan |
Trojan.Adnap trojan [Symantec-2002-081616-4214-99] |
| 20499 |
tcp |
applications |
not scanned |
OMICRON StationGuard before 1.10 allows remote attackers to cause a denial of service (connectivity outage) via crafted tcp/20499 packets to the CTRL Ethernet port.
References: [CVE-2021-30464] |
| 20500 |
udp |
applications |
not scanned |
Default Call of Duty 2 CD-Key Validation |
| 20510 |
udp |
applications |
not scanned |
Default Call of Duty 2 Master Server |
| 20547 |
tcp,udp |
applications |
not scanned |
A Stack-based Buffer Overflow issue was discovered in Emerson Process Management ControlWave Micro Process Automation Controller: ControlWave Micro [ProConOS v.4.01.280] firmware: CWM v.05.78.00 and prior. A stack-based buffer overflow vulnerability caused by sending crafted packets on Port 20547 could force the PLC to change its state into halt mode.
References: [CVE-2018-5452], [BID-103180] |
| 20560 |
udp |
applications |
not scanned |
Killing Floor |
| 20561 |
udp |
mikrotik |
not scanned |
MikroTik RouterOS uses the following ports:
5678/udp - Mikrotik Neighbor Discovery Protocol
6343/tcp - Default OpenFlow port
8080/tcp - HTTP Web Proxy
8291/tcp - Winbox GUI
8728/tcp - API
8729/tcp - API-SSL
20561/udp - MAC Winbox GUI |
| 20600 |
udp |
games |
not scanned |
Call of Duty - United Offensive |
| 20610 |
udp |
games |
not scanned |
Call of Duty - United Offensive |
| 20702 |
tcp |
applications |
not scanned |
Precise TPM Listener Agent |
| 20720 |
tcp |
applications |
not scanned |
Symantec i3 Web GUI server |
| 20742 |
tcp |
trojans |
Members scan |
Trojan.Mitglieder.E [Symantec-2004-031315-1648-99] (2004.03.13) - Mail Relay trojan. Affects all current Windows versions, creates a listening proxy on a configurable high port that allows the ability to relay email. By default, the Trojan listens on port 20742. |
| 20790 |
tcp |
applications |
not scanned |
Precise TPM Web GUI server |
| 20800 |
udp |
games |
not scanned |
Call of Duty 4 |
| 20803 |
tcp,udp |
games |
not scanned |
Tiger Woods 2004 uses ports 20803-20809 |
| 20809 |
tcp,udp |
games |
not scanned |
Tiger Woods 2004 uses ports 20803-20809 |
| 20810 |
udp |
games |
not scanned |
Call of Duty 4 |
| 20810 |
tcp |
crtech-nlm |
not scanned |
CRTech NLM (IANA official) |
| 20851 |
tcp |
games |
not scanned |
Arcanum |
| 20871 |
tcp |
games |
not scanned |
Throne of Darkness |
| 20888 |
tcp |
malware |
not scanned |
Backdoor.Win32.XRat.d / Unauthenticated Remote Command Execution - XRat malware runs with SYSTEM integrity and listens on TCP port 20888. Third-party attackers who can reach the system can connect, switch to DOS prompt mode and run any OS commands re-compromising the already infected system.
References: [MVID-2021-0242]
Backdoor.Win32.XRat.k / Unauthenticated Remote Command Execution - XRat malware listens on TCP port 20888. Third-party attackers who can reach the system can run commands hijacking the infected host.
References: [MVID-2022-0482] |
| 20931 |
tcp,udp |
applications |
not scanned |
WanCatan |
| 20941 |
tcp |
games |
not scanned |
Emperor: Rise of the Middle Kingdom |
| 21000 |
udp |
games |
not scanned |
Soldier of Fortune 2, IL2 Sturmovik (TCP/UDP), IL2 Sturmovik: Forgotten Battles (TCP/UDP), Pacific Fighters: IL2 (TCP/UDP) |
| 21000 |
tcp |
malware |
not scanned |
Backdoor.Win32.Coredoor.10.a / Port Bounce Scan - the malware listens on TCP port 21000. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0411]
Backdoor.Win32.Coredoor.10.a / Authentication Bypass - the malware runs an FTP server on TCP port 21000. Third-party
attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2022-0618] |
| 21001 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-admin default port |
| 21009 |
tcp |
trojans |
Premium scan |
Backdoor.Djump [Symantec-2003-090116-0418-99] (2003.09.01) - a trojan horse that opens TCP ports 21009 and 2485 on a computer
SonicWall Global Management System Virtual Appliance could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to prevent unauthenticated, external entities from making XML-RPC requests to port 21009 of the virtual app. An attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.
References: [XFDB-147770] |
| 21011 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-engine-01 default http port |
