| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 20139 |
tcp |
trojan |
Premium scan |
#skanbotz IRC-SubSeven trojan |
| 20168 |
tcp |
worm |
Premium scan |
W32.HLLW.Lovgate.C@mm |
| 20171 |
tcp |
applications |
not scanned |
Yokogawa CENTUM CS 3000 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the BKHOdeq.exe service. By sending specially-crafted packets to TCP port 20171, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2014-0783], [BID-66111], [XFDB-91784], [EDB-32209] |
| 20192 |
tcp |
trojans |
not scanned |
Backdoor.Ranky.V [Symantec-2005-110215-2104-99] (2005.11.02) - a trojan horse that allows the compromised computer to be used as a covert proxy. Starts a proxy on a random TCP port between 1025 and 65535, uses port 20192/tcp to send notifications of infection. |
| 20203 |
tcp |
trojans |
not scanned |
Chupacabra, Logged! |
| 20222 |
tcp |
applications |
not scanned |
Unspecified vulnerability in the Open Database Connectivity (ODBC) component in 7T Interactive Graphical SCADA System (IGSS) before 9.0.0.11143 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 20222, which triggers memory corruption related to an "invalid structure being used."
References: [CVE-2011-2214], [BID-47960]
Stack-based buffer overflow in the ODBC server service in Citect CitectSCADA 6 and 7, and CitectFacilities 7, allows remote attackers to execute arbitrary code via a long string in the second application packet in a TCP session on port 20222.
References: [CVE-2008-2639] [BID-29634] [SECUNIA-30638]
iPulse-ICS (IANA official) |
| 20226 |
tcp |
trojans |
Premium scan |
Backdoor.AntiLam.20.Q [Symantec-2003-082907-5935-99] (2003.08.29) - a backdoor trojan horse that gives its creator access to a computer. By default this trojan listens on ports 20226 and 52559. The existence of the file nas.exe is in indication of a possible infection. This threat is written in the Delphi programming language. |
| 20331 |
tcp |
trojan |
Premium scan |
Backdoor.Bla.Trojan [Symantec-2000-121815-1846-99] - opens TCP ports 20331, 22456, 22457 by default. |
| 20432 |
tcp,udp |
ddos |
not scanned |
Shaft (DDoS) |
| 20433 |
udp |
trojan |
not scanned |
Shaft Agent |
| 20480 |
tcp |
trojan |
Premium scan |
Trojan.Adnap trojan [Symantec-2002-081616-4214-99] |
| 20499 |
tcp |
applications |
not scanned |
OMICRON StationGuard before 1.10 allows remote attackers to cause a denial of service (connectivity outage) via crafted tcp/20499 packets to the CTRL Ethernet port.
References: [CVE-2021-30464] |
| 20500 |
udp |
applications |
not scanned |
Default Call of Duty 2 CD-Key Validation |
| 20510 |
udp |
applications |
not scanned |
Default Call of Duty 2 Master Server |
| 20547 |
tcp,udp |
applications |
not scanned |
A Stack-based Buffer Overflow issue was discovered in Emerson Process Management ControlWave Micro Process Automation Controller: ControlWave Micro [ProConOS v.4.01.280] firmware: CWM v.05.78.00 and prior. A stack-based buffer overflow vulnerability caused by sending crafted packets on Port 20547 could force the PLC to change its state into halt mode.
References: [CVE-2018-5452], [BID-103180] |
| 20560 |
udp |
applications |
not scanned |
Killing Floor |
| 20561 |
udp |
mikrotik |
not scanned |
MikroTik RouterOS uses the following ports:
5678/udp - Mikrotik Neighbor Discovery Protocol
6343/tcp - Default OpenFlow port
8080/tcp - HTTP Web Proxy
8291/tcp - Winbox GUI
8728/tcp - API
8729/tcp - API-SSL
20561/udp - MAC Winbox GUI |
| 20580 |
tcp,udp |
applications |
not scanned |
Walljam device communications |
| 20581 |
tcp,udp |
applications |
not scanned |
Walljam device communications |
| 20600 |
udp |
games |
not scanned |
Call of Duty - United Offensive |
| 20610 |
udp |
games |
not scanned |
Call of Duty - United Offensive |
| 20702 |
tcp |
applications |
not scanned |
Precise TPM Listener Agent |
| 20720 |
tcp |
applications |
not scanned |
Symantec i3 Web GUI server |
| 20742 |
tcp |
trojans |
Members scan |
Trojan.Mitglieder.E [Symantec-2004-031315-1648-99] (2004.03.13) - Mail Relay trojan. Affects all current Windows versions, creates a listening proxy on a configurable high port that allows the ability to relay email. By default, the Trojan listens on port 20742. |
| 20790 |
tcp |
applications |
not scanned |
Precise TPM Web GUI server |
| 20800 |
udp |
games |
not scanned |
Call of Duty 4 |
| 20803 |
tcp,udp |
games |
not scanned |
Tiger Woods 2004 uses ports 20803-20809 |
| 20809 |
tcp,udp |
games |
not scanned |
Tiger Woods 2004 uses ports 20803-20809 |
| 20810 |
udp |
games |
not scanned |
Call of Duty 4 |
| 20810 |
tcp |
crtech-nlm |
not scanned |
CRTech NLM (IANA official) |
| 20851 |
tcp |
games |
not scanned |
Arcanum |
| 20871 |
tcp |
games |
not scanned |
Throne of Darkness |
| 20888 |
tcp |
malware |
not scanned |
Backdoor.Win32.XRat.d / Unauthenticated Remote Command Execution - XRat malware runs with SYSTEM integrity and listens on TCP port 20888. Third-party attackers who can reach the system can connect, switch to DOS prompt mode and run any OS commands re-compromising the already infected system.
References: [MVID-2021-0242]
Backdoor.Win32.XRat.k / Unauthenticated Remote Command Execution - XRat malware listens on TCP port 20888. Third-party attackers who can reach the system can run commands hijacking the infected host.
References: [MVID-2022-0482] |
| 20931 |
tcp,udp |
applications |
not scanned |
WanCatan |
| 20941 |
tcp |
games |
not scanned |
Emperor: Rise of the Middle Kingdom |
| 21000 |
udp |
games |
not scanned |
Soldier of Fortune 2, IL2 Sturmovik (TCP/UDP), IL2 Sturmovik: Forgotten Battles (TCP/UDP), Pacific Fighters: IL2 (TCP/UDP) |
| 21000 |
tcp |
malware |
not scanned |
Backdoor.Win32.Coredoor.10.a / Port Bounce Scan - the malware listens on TCP port 21000. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0411]
Backdoor.Win32.Coredoor.10.a / Authentication Bypass - the malware runs an FTP server on TCP port 21000. Third-party
attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2022-0618] |
| 21001 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-admin default port |
| 21009 |
tcp |
trojans |
Premium scan |
Backdoor.Djump [Symantec-2003-090116-0418-99] (2003.09.01) - a trojan horse that opens TCP ports 21009 and 2485 on a computer
SonicWall Global Management System Virtual Appliance could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to prevent unauthenticated, external entities from making XML-RPC requests to port 21009 of the virtual app. An attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.
References: [XFDB-147770] |
| 21011 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-engine-01 default http port |
| 21012 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-engine-01 default https port |
| 21021 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-engine-02 default http port |
| 21022 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-engine-02 default https port |
| 21027 |
udp |
syncthing |
not scanned |
Syncthing uses the following ports:
8384/TCP - web GUI
22000/TCP - listening port
21027/UDP - discovery broadcasts on IPv4, multicasts on IPv6. |
| 21030 |
tcp |
tablo |
not scanned |
Tablo Connect (TV streaming) uses the following ports: TCP 21030, 21031, 21032.
Tablo can instead use the following set of ports: TCP 31887, 31880, 31883 (3188x public/WAN ports are mapped to different private/LAN ports as follows: 31887 WAN -> 8887 LAN, 31880 WAN -> 80 LAN, 31883 WAN -> 443 LAN). |
| 21031 |
tcp |
tablo |
not scanned |
Tablo Connect (TV streaming) uses the following ports: TCP 21030, 21031, 21032.
Tablo can instead use the following set of ports: TCP 31887, 31880, 31883 (3188x public/WAN ports are mapped to different private/LAN ports as follows: 31887 WAN -> 8887 LAN, 31880 WAN -> 80 LAN, 31883 WAN -> 443 LAN). |
| 21032 |
tcp |
tablo |
not scanned |
Tablo Connect (TV streaming) uses the following ports: TCP 21030, 21031, 21032.
Tablo can instead use the following set of ports: TCP 31887, 31880, 31883 (3188x public/WAN ports are mapped to different private/LAN ports as follows: 31887 WAN -> 8887 LAN, 31880 WAN -> 80 LAN, 31883 WAN -> 443 LAN). |
| 21064 |
tcp |
citrix |
not scanned |
Citrix XenServer clustering uses these ports: 5404, 5405 UDP, and 8892, 21064 TCP
Default port for Ingres DBMS server |
| 21101 |
tcp |
games |
not scanned |
UEFA EURO 2004 uses ports 21101-21109 |
| 21109 |
tcp |
games |
not scanned |
UEFA EURO 2004 uses ports 21101-21109 |
| 21112 |
tcp,udp |
applications |
not scanned |
GeoVision |
| 21114 |
tcp |
rustdesk |
Premium scan |
RustDesk (open-source remote access and support tool) uses ports 21114-21119 TCP and 21116 UDP |
| 21115 |
tcp |
rustdesk |
Premium scan |
RustDesk (open-source remote access and support tool) uses ports 21114-21119 TCP and 21116 UDP |
| 21116 |
tcp,udp |
rustdesk |
not scanned |
RustDesk (open-source remote access and support tool) uses ports 21114-21119 TCP and 21116 UDP |
| 21117 |
tcp |
rustdesk |
not scanned |
RustDesk (open-source remote access and support tool) uses ports 21114-21119 TCP and 21116 UDP |
| 21118 |
tcp |
rustdesk |
not scanned |
RustDesk (open-source remote access and support tool) uses ports 21114-21119 TCP and 21116 UDP |
| 21119 |
tcp |
rustdesk |
not scanned |
RustDesk (open-source remote access and support tool) uses ports 21114-21119 TCP and 21116 UDP |
| 21157 |
udp |
games |
not scanned |
Activision gaming protocol [RFC 3027] |
| 21201 |
tcp |
memcachedb |
not scanned |
Port used by Memcachedb |
| 21211 |
tcp |
trojans |
Members scan |
W32.Dasher.B [Symantec-2005-121610-5037-99] (2005.12.16) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin [MS05-051]).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp. |
| 21212 |
tcp |
trojans |
Premium scan |
Schwindler, Sensive
IANA registered for Distributed artificial intelligence |
| 21213 |
tcp |
cohesity-agent |
not scanned |
IANA registered for: Cohesity backup agents |
| 21220 |
tcp |
malware |
not scanned |
Backdoor.Win32.Kurbadur.A / Remote Stack Buffer Overflow - the malware listens on TCP port 21220, by sending incrementing HTTP TRACE requests with an increasing payload size, we trigger buffer overflow overwriting EIP. Upon running a fake error message box will appear, the specimen also tries to connect to SMTP port 25.
References: [MVID-2021-2023] |
| 21221 |
tcp |
aigairserver |
not scanned |
IANA registered for: Services for Air Server |
| 21274 |
tcp,udp |
games |
not scanned |
Port used by Minecraft |
| 21300 |
tcp,udp |
applications |
not scanned |
FreeTel audioconferencing |
| 21301 |
tcp,udp |
applications |
not scanned |
FreeTel audioconferencing |
| 21302 |
tcp,udp |
applications |
not scanned |
BitchX IRC Client, FreeTel audioconferencing |
| 21303 |
tcp,udp |
applications |
not scanned |
FreeTel audioconferencing |
| 21315 |
tcp |
botnet |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
| 21325 |
tcp |
trezord |
not scanned |
Trezor Bridge - an application for communication between the Trezor cryptocurrency hardware wallet and supported browsers. |
| 21422 |
tcp |
malware |
not scanned |
Backdoor.Win32.Serman.a / Unauthenticated Open Proxy - the malware listens on TCP port 21422 by default but it can be changed. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2022-0659] |
| 21509 |
tcp,udp |
applications |
not scanned |
An issue was discovered in Microvirt MEmu all versions prior to 7.0.2. A guest Android operating system inside the MEmu emulator contains a /system/bin/systemd binary that is run with root privileges on startup (this is unrelated to Red Hat's systemd init program, and is a closed-source proprietary tool that seems to be developed by Microvirt). This program opens TCP port 21509, presumably to receive installation-related commands from the host OS. Because everything after the installer:uninstall command is concatenated directly into a system() call, it is possible to execute arbitrary commands by supplying shell metacharacters.
References: [CVE-2019-14514], [XFDB-176467]
|
| 21544 |
tcp |
trojans |
Members scan |
Unknown Trojan, Exploiter, Girl Friend, Kid Terror, Matrix, Schwindler, Winsp00fer |
| 21553 |
tcp |
rdm-tfs |
not scanned |
IANA registered for: Raima RDM TFS |
| 21554 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: Exploiter, Kid Terror, Winsp00fer, GirlFriend
Scwhindler remote access trojan - ports 21554, 50766
Backdoor.Win32.GF.j / Unauthenticated Remote Command Execution - the malware listens on TCP port 21554. Third-party adversaries who can reach infected hosts can run commands made available by the backdoor.
References: [MVID-2022-0566]
|
| 21579 |
tcp |
trojan |
Premium scan |
Breach trojan |
| 21584 |
tcp |
trojan |
Premium scan |
Breach trojan |
| 21605 |
tcp |
citrix |
not scanned |
Citrix XenServer 5.6 and earlier: SOAP over HTTP integrated Storage Link traffic |
| 21684 |
tcp |
trojan |
Premium scan |
Intruse trojan |
| 21700 |
tcp |
applications |
not scanned |
Directory traversal vulnerability in the web server for 3Com Network Supervisor 5.0.2 allows remote attackers to read arbitrary files via ".." sequences in the URL to TCP port 21700.
References: [CVE-2005-2020] |
| 21801 |
tcp |
sal |
not scanned |
Safe AutoLogon (IANA official) |
| 21810 |
tcp |
trojan |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
| 21840 |
tcp,udp |
games |
not scanned |
Burnout Paradise - The Ultimate Box, developer: Criterion Games |
| 21957 |
tcp |
trojan |
Premium scan |
Backdoor.Latinus [Symantec-2002-060710-5206-99] - remote access trojan, afects Windows 9x/ME/NT/2k/XP, opens TCP port 11831/tcp for direct control, 29559/tcp for file transfer, may also use ports 21957/tcp, 24289/tcp, 29559/tcp. |
| 21964 |
tcp |
applications |
not scanned |
Exteel |
| 22000 |
udp |
applications |
not scanned |
Gamespy Lan Port (for LAN games only), Battlefield Vietnam, Medal of Honor Allied Assault |
| 22000 |
tcp |
applications |
not scanned |
Syncthing uses the following ports:
8384/TCP - web GUI
22000/TCP - listening port
21027/UDP - discovery broadcasts on IPv4, multicasts on IPv6.
Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to control the SoftPACAgent service including updating SoftPAC firmware, starting or stopping service, or writing to certain registry values.
References: [CVE-2020-10612] |
| 22003 |
tcp,udp |
applications |
not scanned |
MTA SA R1.0
Directory traversal vulnerability in the FTP server (port 22003/tcp) in Farmers WIFE 4.4 SP1 allows remote attackers to create arbitrary files via .. (dot dot) sequences in a (1) PUT, (2) SIZE, and possibly other commands.
References: [CVE-2006-0319], [BID-16321]
Port is also IANA registered for Opto Host Port 3 |
| 22067 |
tcp |
syncthing |
Premium scan |
Syncthing listens on TCP ports 443, 22067, 22070 |
| 22068 |
tcp |
trojan |
Premium scan |
AcidShiver trojan |
| 22070 |
tcp |
syncthing |
Premium scan |
Syncthing listens on TCP ports 443, 22067, 22070 |
| 22101 |
tcp,udp |
games |
not scanned |
Star Trek: Bridge Commander |
| 22115 |
tcp |
trojan |
Premium scan |
Cyn trojan |
| 22125 |
tcp |
dcap |
not scanned |
dCache Access Protocol |
| 22126 |
tcp,udp |
applications |
not scanned |
MTA SA R1.0 |
| 22128 |
tcp |
gsidcap |
not scanned |
GSI dCache Access Protocol |
| 22136 |
tcp |
applications |
not scanned |
FLIR Systems, Camera Resource Protocol (IANA official) |
| 22200 |
udp |
applications |
not scanned |
Ultimate Baseball Online Client uses ports 20000-22200 |
| 22202 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in the Open Database Connectivity (ODBC) service (Odbcixv9se.exe) in 7-Technologies Interactive Graphical SCADA System (IGSS) 9 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet to TCP port 22202.
References: [CVE-2011-2959], [BID-47597] |
