Shortcuts
|
Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 27016 |
tcp |
applications |
Premium scan |
Space Engineers dedicated servers
Ace Attorney Online dedicated servers
Magicka game uses ports 7331, 27016
Cloud hosting environment network (IANA official) |
| 27017 |
udp |
steam |
not scanned |
Port used by Valve Steam Friends, an instant messaging protocol that is built into Steam, Counter-Strike, Xpire, MBL TF2 Tango.
IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator privileges, via a session on port 27017.
References: [CVE-2015-1937] |
| 27017 |
tcp |
mongodb |
not scanned |
IANA registered for: Mongo database system |
| 27020 |
tcp,udp |
steam |
not scanned |
Valve Steam Client
Team Fortress 2, Day of Defeat, Counter Strike uses ports 27020-27039 (TCP/UDP). |
| 27030 |
tcp,udp |
applications |
not scanned |
Counter Strike, Day of Defeat Source, Half Life Steam, Steam Client |
| 27031 |
tcp,udp |
applications |
not scanned |
Port used by: UKS UT server, Flex-net managed application VRCO (TrackD), Counter Strike, Day of Defeat Source, Half Life Steam, Steam Client. |
| 27039 |
tcp,udp |
games |
not scanned |
Team Fortress 2 uses ports 27020-27039 |
| 27040 |
tcp,udp |
games |
not scanned |
Left 4 Dead 2 uses ports 27000-27040 |
| 27041 |
tcp,udp |
applications |
not scanned |
Steam Client |
| 27045 |
tcp,udp |
applications |
not scanned |
Steam Client |
| 27050 |
tcp |
applications |
not scanned |
Steam Client, Breach, Homefront, Left 4 Dead and Team Fortress 2 use ports 27014-27050 |
| 27155 |
udp |
applications |
not scanned |
GlobalSunTech Wireless Access Points WISECOM GL2422AP-0T, and possibly OEM products such as D-Link DWL-900AP+ B1 2.1 and 2.2, ALLOY GL-2422AP-S, EUSSO GL2422-AP, and LINKSYS WAP11-V2.2, allow remote attackers to obtain sensitive information like WEP keys, the administrator password, and the MAC filter via a "getsearch" request to UDP port 27155.
References: [CVE-2002-2137], [BID-6100] |
| 27160 |
tcp |
trojan |
Premium scan |
MoonPie trojan |
| 27184 |
tcp,udp |
trojan |
not scanned |
Alvgus trojan 2000 |
| 27224 |
tcp,udp |
applications |
not scanned |
SideSaddle |
| 27225 |
tcp,udp |
applications |
not scanned |
SideSaddle |
| 27226 |
tcp,udp |
applications |
not scanned |
SideSaddle |
| 27227 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.ggw / Authentication Bypass - the malware runs a built-in FTP server listening on one of several random TCP ports like 32335, 27227, 27942, 14223, 14988, 11092. Third-party attackers who can reach the server and that know or guess the port can "logon" using any USER/PASS combination or provide no credentials at all.
References: [MVID-2021-0193] |
| 27275 |
tcp,udp |
applications |
not scanned |
In Avast Premium Security 19.8.2393, attackers can send a specially crafted request to the local web server run by Avast Antivirus on port 27275 to support Bank Mode functionality. A flaw in the processing of a command allows execution of arbitrary OS commands with the privileges of the currently logged in user. This allows for example attackers who compromised a browser extension to escape from the browser sandbox.
References: [CVE-2019-18894] |
| 27328 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.N [Symantec-2005-081216-4542-99] - a trojan that blocks access to security-related sites, and opens a backdoor on the compromised computer. It also runs a keylogger, sending information periodically via email. Opens a backdoor and listens for remote commands on ports 9125/tcp, and 27328/tcp. |
| 27373 |
tcp |
trojan |
Premium scan |
Charge trojan |
| 27374 |
tcp,udp |
SubSeven |
Basic scan |
Address Search Protocol Daemon (ASPD)
One of the most commonly probed ports used by many trojans.
SubSeven Trojan horse uses this port (TCP). Also used as a backdoor port left behind by exploit scripts, such as those in the Ramen worm. While some scans for this port may be due to SubSeven, others may be looking for a remote shell.
Other trojan horses/backdoors that use this port: Bad Blood, Ramen, Seeker, Ttfloader, Webhead, TheSaint, Lion, EGO.
BackDoor-G [Symantec-2000-121907-4858-99] uses port 27374/tcp.
Backdoor.Win32.Jokerdoor / Weak Hardcoded Credentials - the malware listens on TCP port 27374. The password "mathiasJ" is weak and hardcoded in the PE file. Failed authentication generates a "POPUP incorrect password..." message, using TELNET results in an error "PWDPerror reading password..." Using Nc64.exe utility results in a trailing line feed character "\n" after the supplied password. This causes the cmp statement check to fail even if the password is correct due to the "\n" character.
References: [MVID-2022-0531]
Backdoor.Win32.Jokerdoor / Remote Stack Buffer Overflow - the malware listens on TCP port 27374. Attackers who can reach an infected system can send a large payload and trigger a classic stack buffer overflow overwriting the ECX, EIP registers and structured exception handler (SEH). When connecting you will get a "connected" server response, then we supply our payload as a parameter prefixed by "DOS".
References: [MVID-2022-0628] |
| 27378 |
tcp |
trojans |
Premium scan |
Backdoor.Delf [Symantec-2003-050207-0707-99] - remote access and keylogging trojan family of backdoors, affect Windows. Different varians listen to these TCP ports: 23, 2189,2444,27378. |
| 27379 |
tcp |
trojans |
Premium scan |
Backdoor.optix.o4 [Symantec-2002-091017-3336-99] a.k.a. Optix Lite trojan |
| 27397 |
tcp |
worm |
Premium scan |
W32.Chaim [Symantec-2006-091909-4917-99] - a worm that spreads by sending messages using AOL Instant Messenger and opens a back door. |
| 27431 |
udp |
applications |
not scanned |
The Eques elf smart plug and the mobile app use a hardcoded AES 256 bit key to encrypt the commands and responses between the device and the app. The communication happens over UDP port 27431. An attacker on the local network can use the same key to encrypt and send commands to discover all smart plugs in a network, take over control of a device, and perform actions such as turning it on and off.
References: [CVE-2019-15745] |
| 27444 |
udp |
trojans |
not scanned |
Trin00 (DDoS attack tools) a.k.a. Trinoo and tribe flood network (TFN) use these ports: 27665/tcp (master control port), 27444/udp, 34555/udp, 35555/udp. See also CERT: IN-99-07 |
| 27500 |
udp |
games |
not scanned |
Star Trek Voyager: Elite Force, id Software's QuakeWorld |
| 27573 |
tcp |
trojan |
Premium scan |
SubSeven trojan [Symantec-2001-020114-5445-99] |
| 27589 |
tcp |
trojans |
Premium scan |
Backdoor.Assasin.D trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker. |
| 27650 |
tcp,udp |
games |
not scanned |
Doom 3, Quake 4 |
| 27665 |
tcp |
trojan |
Premium scan |
Trin00 (DDoS attack tools) a.k.a. Trinoo and tribe flood network (TFN) use these ports: 27665/tcp (master control port), 27444/udp, 34555/udp, 35555/udp. See also CERT: IN-99-07 |
| 27666 |
tcp,udp |
games |
not scanned |
Doom 3 |
| 27700 |
tcp |
applications |
not scanned |
Risk Based Security has reported a vulnerability in multiple Schneider Electric products, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the modbus serial driver (ModbusDrv.exe) when parsing MBAP data and can be exploited to cause a stack-based buffer overflow by sending a specially crafted request to TCP port 27700.
References: [SECUNIA-52821] |
| 27719 |
tcp,udp |
games |
not scanned |
Prey |
| 27733 |
udp |
games |
not scanned |
Enemy Territory: Quake Wars, Wolfenstein |
| 27750 |
tcp,udp |
games |
not scanned |
Medieval 2: Total War |
| 27780 |
tcp |
games |
not scanned |
RF Online
Archlord Beta (TCP/UDP), developer: NHN Games Corporation |
| 27876 |
tcp |
astrolink |
not scanned |
Astrolink Protocol - Alanax Technologies Inc (IANA official) |
| 27886 |
tcp,udp |
applications |
not scanned |
Supercade |
| 27888 |
udp |
applications |
not scanned |
No One Lives Forever, F.E.A.R (TCP/UDP), Contract J.A.C.K. (TCP/UDP), Shogo: Mobile Armor Division (TCP/UDP), Kaillera server
Aliens vs Predator 2 uses ports 27888-27900
Multiple format string vulnerabilities in the Monolith Lithtech engine, as used by First Encounter Assault Recon (F.E.A.R.) 1.08 and earlier, when Punkbuster (PB) is enabled, allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in a PB_Y packet to the YPG server on UDP port 27888 or a PB_U packet to UCON on UDP port 27888.
References: [CVE-2007-5247] |
| 27900 |
udp |
games |
not scanned |
Battlefield 2142, ToCA Race Driver 3, Worms 4 Mayhem, Nintendo Wi-Fi Connection (TCP/UDP)
GameSpy Arcade - Master Server UDP Heartbeat. Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
| 27901 |
udp |
games |
not scanned |
Battlefield 2142 Stats, Star Trek Armada II, id Software's Quake II master server
Stack-based buffer overflow in the M_AddToServerList function in client/menu.c in Red Planet Arena Alien Arena 7.30 allows remote attackers to execute arbitrary code via a packet with a crafted server description to UDP port 27901 followed by a packet with a long print command.
References: [CVE-2009-3637], [BID-36782], [SECUNIA-37118] |
| 27910 |
tcp |
games |
not scanned |
Quake 2 |
| 27910 |
udp |
games |
not scanned |
Star Trek Voyager: Elite Force |
| 27942 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.ggw / Authentication Bypass - the malware runs a built-in FTP server listening on one of several random TCP ports like 32335, 27227, 27942, 14223, 14988, 11092. Third-party attackers who can reach the server and that know or guess the port can "logon" using any USER/PASS combination or provide no credentials at all.
References: [MVID-2021-0193] |
| 27950 |
tcp,udp |
games |
not scanned |
Quake 3, Return To Castle Wolfenstein (UDP), OpenArena outgoing port |
| 27952 |
tcp,udp |
games |
not scanned |
Quake 3, Return To Castle Wolfenstein (UDP) |
| 27960 |
udp |
games |
not scanned |
Return to Castle Wolfenstein: Enemy Territory, Quake (TCP/UDP), Star Trek Voyager: Elite Force
Vertex4 SunAge 1.08.1 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted join packet to UDP port 27960.
References: [CVE-2008-6671], [BID-29889]
Vertex4 SunAge 1.08.1 and earlier allows remote attackers to cause a denial of service ("runtime error") via a crafted join packet to UDP port 27960, probably related to an invalid nickname command.
References: [CVE-2008-6672] [BID-29889] [SECUNIA-30823]
Integer overflow in Vertex4 SunAge 1.08.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted packet to UDP port 27960.
References: [CVE-2008-6670] [BID-29889] [SECUNIA-30823] [OSVDB-46561]
Quake3 Arena is vulnerable to a denial of service attack caused by a buffer overflow when initiating a connect sequence with the server's default port 27960. By sending a UDP packet with a string containing 255 characters four times with "connectre", a remote attacker can overflow a buffer to cause the server to crash.
References: [CVE-2001-1289], [XFDB-6930], [BID-3123] |
| 27963 |
tcp,udp |
games |
not scanned |
Original War |
| 27965 |
tcp,udp |
games |
not scanned |
Quake 3, Return To Castle Wolfenstein |
| 27999 |
tcp |
trojans |
Members scan |
W32.Mytob.EU@mm [Symantec-2005-061509-3649-99] - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands on port 27999/tcp. W32.Mytob.GB@mm [Symantec-2005-062410-0444-99] and W32.Mytob.KE@mm [Symantec-2005-100711-1841-99] variants also use this port.
MechWarrior 4 - Mercenaries, Tribes also use this port. |
| 28000 |
tcp,udp |
games |
not scanned |
Siemens PLM Software license server
Games:
Fly For Fun, developer: Gpotato
Ski Racing 2006, Tribes, Bitfighter Common/default Bitfighter Server
The Better Mod - TBM uses ports 28000-28030
NX License Manager (IANA official) |
| 28001 |
tcp |
pqsp |
not scanned |
PQ Service
Starsiege Tribes also uses port 28001 (TCP/UDP), developer: Dynamix |
| 28004 |
tcp,udp |
games |
not scanned |
Quake 4 |
| 28008 |
tcp |
games |
not scanned |
Tribes |
| 28010 |
tcp |
gruber-cashreg |
not scanned |
IANA registered for: Gruber cash registry protocol |
| 28012 |
tcp |
applications |
not scanned |
The LAN game feature in Carom3D 5.06 allows remote authenticated users to cause a denial of service (application hang) via a crafted HTTP request to TCP port 28012.
References: [CVE-2009-2173] |
| 28020 |
tcp |
games |
not scanned |
Tribes |
| 28030 |
tcp,udp |
applications |
not scanned |
The Better Mod - TBM uses ports 28000-28030 |
| 28060 |
tcp,udp |
games |
not scanned |
Star Wars Jedi Knight II Jedi Outcast |
| 28061 |
tcp,udp |
games |
not scanned |
Star Wars Jedi Knight II Jedi Outcast |
| 28062 |
tcp,udp |
games |
not scanned |
Star Wars Jedi Knight II Jedi Outcast |
| 28070 |
tcp,udp |
games |
not scanned |
Star Wars Jedi Knight Jedi Academy uses ports 28070-28081 |
| 28072 |
tcp |
malware |
not scanned |
Backdoor.Win32.JustJoke.21 (BackDoor Pro) / Unauthenticated Remote Command Execution - The malware listens on TCP port 28072. Upon execution, throws an error alert dialog with message: "File DATA1.CAB not found!". The backdoor then drops a hidden PE file named "Scanvegw.exe" in SysWoW64 use attrib -s -h. The malware then makes outbound connections to SMTP port 25. Hit enter twice when sending commands use "E" for Execute and "T" for Terminate. Calling programs incorrectly still gives a response of "Executed!" when it actually fails. The malware calls Win32 WinExec API, supply full path to the file.
[MVID-2024-0689] |
| 28080 |
tcp |
thor-engine |
not scanned |
Thor/server - ML engine (IANA official) |
| 28081 |
tcp,udp |
games |
not scanned |
Star Wars Jedi Knight Jedi Academy uses ports 28070-28081 |
| 28088 |
udp |
games |
not scanned |
Lord of the Rings: Battle for Middle Earth uses ports 8088-28088 |
| 28119 |
udp |
a27-ran-ran |
not scanned |
A27 cdma2000 RAN Management [ThreeGPP2] (IANA official) |
| 28200 |
tcp,udp |
voxelstorm |
not scanned |
VoxelStorm game server [VoxelStorm] (IANA official) |
| 28201 |
tcp,udp |
pharos |
not scanned |
Pharos print server client |
| 28218 |
tcp |
trojan |
Premium scan |
Oracle trojan |
| 28221 |
tcp,udp |
emule |
not scanned |
eMule, BitTorrent |
| 28260 |
tcp |
applications |
not scanned |
Palo Alto Networks Panorama HA (High Availability) uses these ports:
28/tcp - HA1 control link for SSH over TCP encrypted communication
28260/tcp, 28769/tcp - used for HA1 control link for clear text communication between HA peer firewalls
28770/tcp - listening port for HA1 backup links
28771/tcp - heartbeat backups
29781/udp - HA2 link to synchronize sessions, table forwarding, IPSec, ARP tables |
| 28395 |
tcp |
applications |
not scanned |
www.SmartSystemsLLC.com Smart Sale 5.0 |
| 28429 |
tcp |
trojan |
Premium scan |
Hack 'a' Tack trojan - affects Windows 9x, communicates over TCP ports 31785, 31787 and UDP ports 31789, 31791 by default, may also use TCP ports 28429-28435. |
| 28430 |
tcp |
trojan |
Premium scan |
Hack 'a' Tack trojan - affects Windows 9x, communicates over TCP ports 31785, 31787 and UDP ports 31789, 31791 by default, may also use TCP ports 28429-28435. |
| 28431 |
tcp |
trojan |
Premium scan |
Hack 'a' Tack trojan - affects Windows 9x, communicates over TCP ports 31785, 31787 and UDP ports 31789, 31791 by default, may also use TCP ports 28429-28435. |
| 28432 |
udp |
trojan |
not scanned |
Hack 'a' Tack trojan - affects Windows 9x, communicates over TCP ports 31785, 31787 and UDP ports 31789, 31791 by default, may also use TCP ports 28429-28435. |
| 28433 |
tcp |
trojan |
Premium scan |
Hack 'a' Tack trojan - affects Windows 9x, communicates over TCP ports 31785, 31787 and UDP ports 31789, 31791 by default, may also use TCP ports 28429-28435. |
| 28434 |
tcp |
trojan |
Premium scan |
Hack 'a' Tack trojan - affects Windows 9x, communicates over TCP ports 31785, 31787 and UDP ports 31789, 31791 by default, may also use TCP ports 28429-28435. |
| 28435 |
tcp |
trojan |
Premium scan |
Hack 'a' Tack trojan - affects Windows 9x, communicates over TCP ports 31785, 31787 and UDP ports 31789, 31791 by default, may also use TCP ports 28429-28435. |
| 28436 |
tcp |
trojan |
Premium scan |
Hack 'a' Tack trojan - affects Windows 9x, communicates over TCP ports 31785, 31787 and UDP ports 31789, 31791 by default, may also use TCP ports 28429-28435. |
| 28443 |
tcp |
applications |
not scanned |
Palo Alto Networks' Panorama-to-managed devices software updates, PAN-OS 8.0 and later. |
| 28589 |
tcp |
bosswave |
not scanned |
IANA registered for: Building operating system services wide area verified exchange |
| 28678 |
tcp |
trojan |
Premium scan |
Exploiter trojan |
| 28769 |
tcp |
applications |
not scanned |
Palo Alto Networks Panorama HA (High Availability) uses these ports:
28/tcp - HA1 control link for SSH over TCP encrypted communication
28260/tcp, 28769/tcp - used for HA1 control link for clear text communication between HA peer firewalls
28770/tcp - listening port for HA1 backup links
28771/tcp - heartbeat backups
29781/udp - HA2 link to synchronize sessions, table forwarding, IPSec, ARP tables |
| 28770 |
tcp |
applications |
not scanned |
Palo Alto Networks Panorama HA (High Availability) uses these ports:
28/tcp - HA1 control link for SSH over TCP encrypted communication
28260/tcp, 28769/tcp - used for HA1 control link for clear text communication between HA peer firewalls
28770/tcp - Panorama HA1 backup sync port
28771/tcp - heartbeat backups
29781/udp - HA2 link to synchronize sessions, table forwarding, IPSec, ARP tables |
| 28771 |
tcp |
panorama |
not scanned |
Palo Alto Networks Panorama HA (High Availability) uses these ports:
28/tcp - HA1 control link for SSH over TCP encrypted communication
28260/tcp, 28769/tcp - used for HA1 control link for clear text communication between HA peer firewalls
28770/tcp - Panorama HA1 backup sync port
28771/tcp - heartbeat backups
29781/udp - HA2 link to synchronize sessions, table forwarding, IPSec, ARP tables |
| 28785 |
udp |
applications |
not scanned |
IANA registered for: Cube 2 Sauerbraten |
| 28786 |
udp |
applications |
not scanned |
IANA registered for: Cube 2 Sauerbraten |
| 28800 |
tcp |
games |
not scanned |
Age of Mythology |
| 28800 |
udp |
games |
not scanned |
MechWarrior 4 |
| 28801 |
tcp |
games |
not scanned |
Age of Mythology |
| 28802 |
tcp |
games |
not scanned |
Age of Mythology |
| 28803 |
tcp |
games |
not scanned |
Age of Mythology |
| 28804 |
tcp |
games |
not scanned |
Age of Mythology |
| 28805 |
tcp |
games |
not scanned |
Age of Mythology, MechWarrior 4 - Mercenaries |
| 28806 |
tcp |
games |
not scanned |
MechWarrior 4 - Mercenaries |
| 28807 |
tcp |
games |
not scanned |
MechWarrior 4 - Mercenaries |
Vulnerabilities listed: 100 (some use multiple ports)
|
