| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 49159 |
tcp,udp |
applications |
Premium scan |
Bonjour for Windows - employed by iTunes and iChat for sharing files between Windows and Mac OS. |
| 49160 |
tcp,udp |
applications |
not scanned |
SJPhone (VoIP softphone), Azureus/Vuze BitTorrent client |
| 49165 |
tcp,udp |
applications |
not scanned |
Siebel Server - Siebel Customer Relationship Management application |
| 49177 |
tcp |
applications |
not scanned |
Monsoon Vulkano |
| 49181 |
tcp |
games |
not scanned |
Empire: Total War, developer: The Creative Assembly |
| 49182 |
tcp,udp |
applications |
not scanned |
BlueHeat/Net Port 15 - Command Port |
| 49201 |
tcp |
applications |
not scanned |
Borland StarTeam is vulnerable to a heap-based buffer overflow, caused by an integer overflow error in the StarTeam Server service (starteamserver.exe). By sending specially-crafted packets to TCP port 49201, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Reference: [XFDB-40965] |
| 49301 |
tcp |
trojan |
Premium scan |
Online Keylogger (TCP) |
| 49495 |
tcp |
trojans |
Premium scan |
Backdoor.Danrit [Symantec-2005-111515-2142-99] (2005.11.15) - a trojan that opens a backdoor and logs keystrokes, opens a backdoor on port 49495/tcp. |
| 49683 |
tcp,udp |
trojan |
not scanned |
Fenster trojan (a.k.a. Trojan.Win32.Fenster, Backdoor.Fenster.21) |
| 49698 |
udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
| 49701 |
tcp |
malware |
not scanned |
Backdoor.Win32.DirectConnection.103 (1.0 RAT-Tool) / Weak Hardcoded Password - the malware listens on random incrementing high TCP ports 49701,49702 etc. When updating the backdoor the output files password "1234!" is weak and hardcoded in cleartext within the PE file.
References: [MVID-2022-0508] |
| 49702 |
tcp |
malware |
not scanned |
Backdoor.Win32.DirectConnection.103 (1.0 RAT-Tool) / Weak Hardcoded Password - the malware listens on random incrementing high TCP ports 49701,49702 etc. When updating the backdoor the output files password "1234!" is weak and hardcoded in cleartext within the PE file.
References: [MVID-2022-0508] |
| 49752 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
| 49875 |
tcp |
xsan |
not scanned |
Xsan (Apple's storage area network, or clustered filesystem for macOS) uses these ports:
311 TCP - Xsan secure server administration (server app, xsan server admin, workgroup manager, server monitor)
312 TCP - Xsan administration
626 UDP - server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6)
49152-65535 TCP - Xsan Filesystem Access
|
| 49896 |
tcp |
oracle |
not scanned |
Oracle Database Management uses the following ports:
1521 TCP - Oracle SQL Net Listener and Data Guard
1832 TCP - Oracle Enterprise Management Agent HTTP (range 1830-1849)
49896 TCP - Oracle Clusterware (CRS daemon)
|
| 49941 |
tcp |
malware |
not scanned |
Backdoor.Win32.RemoteNC.beta4 / Unauthenticated Remote Command Execution - the malware listens on TCP port 49941. Third-party attackers who can reach an infected host can execute any OS commands hijacking taking over the system.
References: [MVID-2022-0507] |
| 49955 |
tcp,udp |
applications |
not scanned |
The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, when IP Passthrough mode is not used, configures WAN access to a caserver https service with the tech account and an empty password, which allows remote attackers to obtain root privileges by establishing a session on port 49955 and then installing new software, such as BusyBox with "nc -l" support.
References: [CVE-2017-14116], [BID-100585] |
| 49971 |
tcp |
malware |
not scanned |
Backdoor.Win32.Upload.a / Remote Denial of Service - the malware listens on TCP port 49971, each time it is run the port increments by one 49972 etc. Third-party attackers who can reach the infected host can send a payload of just few bytes to crash the backdoor.
References: [MVID-2021-0224] |
| 50000 |
tcp |
applications |
Premium scan |
LAN Messenger uses port 50000 tcp/udp
SVAT CLEARVU1, Serv-U use ports 50000-50004 tcp/udp
IBM License Metric Tool ports
1433 TCP - SQL server connection
9081 TCP - HTTPS web browser connections to server
50000 TCP - DB2 server connection
52311 TCP - BigFix clients and console connect to the server
Infector [trojan]
SubSARI [Symantec-2003-030315-2821-99] |
| 50000 |
udp |
applications |
not scanned |
LAN Messenger uses port 50000 tcp/udp
SVAT CLEARVU1, Serv-U use ports 50000-50004 tcp/udp
The EN100 module with firmware before 4.25 for Siemens SIPROTEC 4 and SIPROTEC Compact devices allows remote attackers to cause a denial of service via crafted packets on UDP port 50000.
References: [CVE-2015-5374], [XFDB-104946]
A vulnerability has been identified in SIPROTEC 4 and SIPROTEC Compact relays equipped with EN100 Ethernet communication modules (All versions). Specially crafted packets sent to port 50000/UDP of the EN100 Ethernet communication modules could cause a Denial-of-Service of the affected device. A manual reboot is required to recover the service of the device. At the time of advisory publication no public exploitation of this security vulnerability was known to Siemens.
References: [CVE-2019-19279], [XFDB-176112] |
| 50001 |
tcp,udp |
applications |
not scanned |
Discord uses ports 50001-50004 for media streaming
Serv-U uses ports 50000-50004
Java Remote Shell Server, Zotero, IBM DB2
M*Modal Fluency Direct (3M medical dictation software)
The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot) via a %0d%0a sequence in the page parameter to the xslt program on TCP port 50001.
References: [CVE-2009-3962] |
| 50002 |
tcp,udp |
discord |
not scanned |
Discord uses ports 50001-50004 for media streaming
Serv-U uses ports 50000-50004 |
| 50003 |
tcp,udp |
applications |
not scanned |
Discord uses ports 50001-50004 for media streaming
Serv-U uses ports 50000-50004
Apple FileMaker server service |
| 50004 |
tcp,udp |
applications |
not scanned |
Discord uses ports 50001-50004 for media streaming
Serv-U uses ports 50000-50004 |
| 50005 |
tcp |
trojan |
Premium scan |
Trojan.Fulamer.25 |
| 50006 |
tcp,udp |
applications |
not scanned |
Apple FileMaker helper service |
| 50021 |
tcp |
trojan |
Premium scan |
Optix Pro trojan
Hard-coded FTP credentials (r:r) are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not have port 50021 blocked by an intermediate device.
References: [CVE-2016-8731], [BID-99193] |
| 50047 |
udp |
games |
not scanned |
Virtual Tennis, developer: Strangelite |
| 50050 |
tcp |
|
not scanned |
Cobalt Strike (network security assessment tool) default port. See: www.cobaltstrike.com/help-setup-collaboration |
| 50123 |
udp |
applications |
not scanned |
Vulnerability in GpsDrive, can cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. The vulnerability is caused due to a format string error in the "dg_echo()" function in "friendsd.c" when displaying received GPS position data. This can potentially be exploited to execute arbitrary code via a specially crafted UDP packet. Successful exploitation requires the ability to send UDP packets to port 50123/udp.
References: [CVE-2005-3523] [SECUNIA-17473]
|
| 50130 |
tcp |
trojan |
Premium scan |
Enterprise trojan |
| 50138 |
udp |
applications |
not scanned |
Network Assistant (Nassi) is vulnerable to a denial of service attack. A remote attacker could send a specially-crafted UDP packet to UDP port 50138, which is the default port for Nassi, to cause the service to crash.
References: [BID-12226], [XFDB-18826], [SECUNIA-13770] |
| 50160 |
tcp,udp |
applications |
not scanned |
S-CONNECT protocol - data exchange (TCP) and manual device pairing (UDP) |
| 50161 |
udp |
applications |
not scanned |
S-CONNECT protocol - automatic device pairing |
| 50200 |
tcp,udp |
altiris-wol |
not scanned |
Symantec Altiris Notification and Task Server WOL magic packets use this port.
libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.
References: [CVE-2022-32985] |
| 50201 |
tcp,udp |
applications |
not scanned |
libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.
References: [CVE-2022-32985] |
| 50305 |
tcp |
trojans |
Members scan |
Backdoor.Longnu [Symantec-2003-031111-4501-99] (2003.03.11) - a trojan that gives a hacker access to your computer. It downloads other components from specific Web sites. Upon execution, this trojan also displays a fake error message, "Error #251: Failed to init randomized generator." |
| 50318 |
tcp,udp |
whatsapp |
not scanned |
WhatsApp uses these ports:
80, 443, 4244, 5222, 5223, 5228, 5242 TCP
50318, 59234 TCP/UDP
3478, 45395 UDP
|
| 50370 |
tcp |
trojans |
Members scan |
Backdoor.Cycbot [Symantec-2010-103008-0555-99] - a trojan that opens a back door on TCP port 50370 to listen for inbound connections. It may use this port to act as a proxy server. It modifies the proxy settings of Internet Explorer, Mozilla Firefox, and Opera browsers to point to the proxy server on port 50370. It may also contact a malicious server and report back what version of itself is running and may download updates. The trojan may monitor activity on popular websites, such as social networks, search engines, e-commerce, and video websites. |
| 50505 |
tcp |
trojans |
Premium scan |
Sockets des Trois2 trojan. Typically uses ports 5000, 5001, 30303, and 50505. Includes remote administration tool like Back Orifice and NetBus, so it has a server (spread with virus) and client portion. |
| 50530 |
udp |
malware |
not scanned |
HEUR.Backdoor.Win32.Denis.gen / Remote Denial of Service (UDP Datagram) - the malware listens on UDP port 50530 and the last digit increments by one each time the malware is restarted e.g. 50531. Third-party attackers who can reach infected systems can send 16 byte UDP packet to trigger an access violation and crash.
References: [MVID-2021-0395] |
| 50551 |
tcp |
trojan |
Premium scan |
R0xr4t [Symantec-2002-082915-1621-99], a.k.a. RoxRat backdoor, BD R0xr4t 1.0. Uses ports 5050,50551,50552,60551,60552. |
| 50552 |
tcp |
trojan |
Premium scan |
R0xr4t [Symantec-2002-082915-1621-99], a.k.a. RoxRat backdoor, BD R0xr4t 1.0. Uses ports 5050,50551,50552,60551,60552. |
| 50726 |
tcp,udp |
voddler |
not scanned |
Voddler uses ports 42042-42051 and 50726. |
| 50766 |
tcp |
trojans |
Premium scan |
Fore remote access trojan - ports 21, 50766
Scwhindler remote access trojan - ports 21554, 50766 |
| 50776 |
tcp |
trojans |
Premium scan |
Fore, Fore 1.0, Remote Windows Shutdown |
| 50777 |
tcp |
applications |
not scanned |
zenAdminSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted packet to TCP port 50777, aka Reference Number 25240.
References: [CVE-2011-4533], [BID-51897] |
| 50829 |
tcp,udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99]
Backdoor.Win32.BirdSpy.b / Weak Hardcoded Credentials - the malware listens on TCP port 50829. Authentication is required, however the password "ccbird" is weak and hardcoded in the PE file.
References: [MVID-2022-0523] |
| 51000 |
tcp |
systracer |
not scanned |
SysTracer software (Blue Project Software) default listening port for remote scan server/client connections.
Honeywell Experion PKS Safety Manager through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0051, there is a Honeywell Experion PKS Safety Manager multiple proprietary protocols with unauthenticated functionality issue. The affected components are characterized as: Honeywell Experion TCP (51000/TCP), Safety Builder (51010/TCP). The potential impact is: Manipulate controller state, Manipulate controller configuration, Manipulate controller logic, Manipulate controller files, Manipulate IO. The Honeywell Experion PKS Distributed Control System (DCS) Safety Manager utilizes several proprietary protocols for a wide variety of functionality, including process data acquisition, controller steering and configuration management. These protocols include: Experion TCP (51000/TCP) and Safety Builder (51010/TCP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocols in question. An attacker capable of invoking the protocols' functionalities could achieve a wide range of adverse impacts, including (but not limited to), the following: for Experion TCP (51000/TCP): Issue IO manipulation commands, Issue file read/write commands; and for Safety Builder (51010/TCP): Issue controller start/stop commands, Issue logic download/upload commands, Issue file read commands, Issue system time change commands. A mitigating factor with regards to some, but not all, of the above functionality is that these require the Safety Manager physical keyswitch to be in the right position.
References: [CVE-2022-30313] |
| 51003 |
tcp |
applications |
not scanned |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allow remote attackers to perform actions as administrators via unspecified POST requests, as demonstrated by enabling an inbound remote-assistance HTTPS session on TCP port 51003.
NOTE: an authentication bypass can be leveraged to exploit this in the absence of an existing administrative session.
References: [CVE-2007-5384], [BID-25972] |
| 51010 |
tcp |
applications |
not scanned |
Honeywell Experion PKS Safety Manager through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0051, there is a Honeywell Experion PKS Safety Manager multiple proprietary protocols with unauthenticated functionality issue. The affected components are characterized as: Honeywell Experion TCP (51000/TCP), Safety Builder (51010/TCP). The potential impact is: Manipulate controller state, Manipulate controller configuration, Manipulate controller logic, Manipulate controller files, Manipulate IO. The Honeywell Experion PKS Distributed Control System (DCS) Safety Manager utilizes several proprietary protocols for a wide variety of functionality, including process data acquisition, controller steering and configuration management. These protocols include: Experion TCP (51000/TCP) and Safety Builder (51010/TCP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocols in question. An attacker capable of invoking the protocols' functionalities could achieve a wide range of adverse impacts, including (but not limited to), the following: for Experion TCP (51000/TCP): Issue IO manipulation commands, Issue file read/write commands; and for Safety Builder (51010/TCP): Issue controller start/stop commands, Issue logic download/upload commands, Issue file read commands, Issue system time change commands. A mitigating factor with regards to some, but not all, of the above functionality is that these require the Safety Manager physical keyswitch to be in the right position.
References: [CVE-2022-30313] |
| 51069 |
tcp |
cognex |
not scanned |
Cognex In-Signt (IANA official) uses these ports:
68 udp - DHCP In-Signt vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure |
| 51100 |
tcp |
applications |
not scanned |
The web GUI for Novell iChain 2.2 and 2.3 SP2 and SP3 allows attackers to hijack sessions and gain administrator privileges by sniffing the connection on TCP port 51100 and replaying the authentication information or obtaining and replaying the PCZQX02 authentication cookie from the browser.
References: [CVE-2005-0744] |
| 51201 |
tcp,udp |
applications |
not scanned |
Dialpad |
| 51210 |
tcp |
applications |
not scanned |
Dialpad |
| 51234 |
tcp |
trojans |
Premium scan |
Backdoor.Cyn [Symantec-2002-083012-4557-99] (2002.08) - remote access trojan, affects all current Windows versions, listens on ports 15432 and 51234.
Backdoor.Fearles [Symantec-2003-111910-1404-99] (2003.11.18) - a trojan horse that gives an attacker remote access to your computer. By default, the trojan listens on TCP port 51234.
Port also used by TeamSpeak server to telnet remotely. |
| 51410 |
tcp |
|
not scanned |
VDG Security SENSE (formerly DIVA) 2.3.13 sends the user database when a user logs in, which allows remote authenticated users to obtain usernames and password hashes by logging in to TCP port 51410 and reading the response.
References: [CVE-2014-9577] |
| 51413 |
tcp,udp |
p2p |
Premium scan |
Commonly used by Transmission BitTorrent Client. |
| 51435 |
tcp |
trojans |
Members scan |
W32.Kalel.A@mm 2005-052419-5348-99 (2005.05.24) - mass-mailing worm that uses its own SMTP engine, also spreads through file-sharing networks. Opens a backdoor for remote access on port 51435/tcp. |
| 51515 |
tcp |
applications |
not scanned |
Kopia server |
| 51820 |
udp |
wireguard |
not scanned |
Wireguard VPN default listening port |
| 51915 |
tcp |
vmware |
not scanned |
VMWare vSphere Authentication Proxy web service used to add host to Active Directory domain. |
| 51966 |
tcp |
trojans |
Premium scan |
Trojan Cafeini
Backdoor.Win32.Cafeini.b / Denial of Service - the malware listens on TCP port 51966 and is packed by a modified UPX implementation. Third-party adversaries who can reach an infected system can terminate the malware by issuing the cmd DIEDIEDIE, without being required to authenticate.
References: [MVID-2022-0525]
Backdoor.Win32.Cafeini.b / Weak Hardcoded Credentials - the malware listens on TCP ports 51966 and 23. Authentication is required, however the password "mama" is weak and found within the PE file. Moreover, the FTP server running on non standard port 23 also uses same password. Trying to execute a program incorrectly you get reply like, "STATUS I can't run program", as it requires the full path to the file to execute.
References: [MVID-2022-0617] |
| 51996 |
tcp |
trojan |
Premium scan |
CafeIni trojan |
| 52001 |
tcp,udp |
applications |
not scanned |
Xlockmore, which is the maintained edition of Xlock, makes use of port 52001 to administer an X server network. Xlock prevents illegal access to the X server while the user is still keying in his or her password.
Jabber Session Manager (JSM) also employs port 52001 for administering instant messaging activities. |
| 52013 |
tcp |
trojans |
Premium scan |
Backdoor.Graybird.C [Symantec-2003-041516-5125-99] (2003.04.15) - a backdoor trojan and a variant of Backdoor.Graybird. It gives a hacker unauthorized access to your computer. It opens port 52013 to listen for commands. The existence of the file, HGZSERVER.EXE, is an indication of a possible infection. |
| 52028 |
tcp,udp |
applications |
not scanned |
Altiris Agent for Linux, Mac and Unix
BibleTime for Linux |
| 52179 |
tcp |
trojans |
Premium scan |
Backdoor.Tjserv.D [Symantec-2005-100415-4002-99] (10.04.2005) - a backdoor trojan that acts as a HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens a HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp. |
| 52217 |
udp |
fudjitsu |
not scanned |
Fudjitsu default Scan-to-Mobile port |
| 52303 |
udp |
applications |
not scanned |
Yokogawa CENTUM CS 3000 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the BKCLogSvr.exe service. By sending specially-crafted packets to UDP port 52303, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [BID-66130], [CVE-2014-0781], [XFDB-91783] |
| 52311 |
tcp |
IBM |
not scanned |
IBM License Metric Tool ports
1433 TCP - SQL server connection
9081 TCP - HTTPS web browser connections to server
50000 TCP - DB2 server connection
52311 TCP - BigFix clients and console connect to the server |
| 52317 |
tcp |
trojans |
Premium scan |
Port used by: Acid Battery 2000 trojan |
| 52365 |
tcp |
trojan |
Premium scan |
Way trojan |
| 52380 |
udp |
applications |
not scanned |
Sony VISCA Network Setting Protocol |
| 52381 |
udp |
applications |
not scanned |
Sony VISCA over IP Protocol |
| 52559 |
tcp |
trojans |
Premium scan |
Backdoor.AntiLam.20.Q [Symantec-2003-082907-5935-99] (2003.08.29) - a backdoor trojan horse that gives its creator access to a computer. By default this trojan listens on ports 20226 and 52559. The existence of the file nas.exe is in indication of a possible infection. This threat is written in the Delphi programming language. |
| 52805 |
tcp |
applications |
not scanned |
A security issue has been reported in NEC Universal RAID Utility, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the application improperly restricting access permissions, which can be exploited to conduct arbitrary operations on a hard disk being managed by the application via TCP port 52805.
References: [CVE-2013-0706], [SECUNIA-52241] |
| 52810 |
udp |
malware |
not scanned |
HackTool.Win32.Hidd.b / Remote Stack Buffer Overflow (UDP Datagram) - the malware listens on UDP ports 52810 and 65423. Third-party attackers who can reach an infected system can send a 479 byte payload to port 65423 and trigger a classic stack buffer overflow overwriting the EIP, ECX registers.
References: [MVID-2021-0318] |
| 52901 |
udp |
trojan |
Premium scan |
Possibly the Omega DDoS tool. |
| 52978 |
tcp |
trojans |
Members scan |
Gspot, also known as Backdoor.Optix.Downloader, G-Spot, Trojan.Win32.GoBind, TrojanDownloader.Win32.G-Spot.10 and TrojanDownloader.Win32.G-Spot.15, is a backdoor Trojan written in Delphi affecting Microsoft Windows operating systems.
The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 52978, to allow the client system to connect. Gspot could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-15165] |
| 52999 |
tcp |
applications |
not scanned |
The GetMagicNumberString function in Massive Entertainment World in Conflict 1.000 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a string to the VoIP port (52999/tcp) with an invalid value in the third byte.
References: [CVE-2007-5369], [BID-25985] |
| 53001 |
tcp |
trojans |
Premium scan |
Remote Windows Shutdown trojan |
| 53184 |
|
malware |
not scanned |
Backdoor.Win32.Delf.aez / Unauthenticated Remote Command Execution - the malware listens on several TCP ports and accepts unauthenticated commands on port 53187 and 53184. Commands are in Polish e.g. Wylogowuj translated is "Log out" and we get response "#Zmiany Profilu w│aczone" ("#Profile change enabled."). Sending a single characters "d" or "f" to port 53187 also returns system information.
References: [MVID-2021-0217] |
| 53187 |
tcp |
malware |
not scanned |
Backdoor.Win32.Delf.aez / Unauthenticated Remote Command Execution - the malware listens on several TCP ports and accepts unauthenticated commands on port 53187 and 53184. Commands are in Polish e.g. Wylogowuj translated is "Log out" and we get response "#Zmiany Profilu w│aczone" ("#Profile change enabled."). Sending a single characters "d" or "f" to port 53187 also returns system information.
References: [MVID-2021-0217] |
| 53211 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.ju (PSYRAT) / Authentication Bypass RCE - the PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor. The malware will return a BADPWD and or "Invalid command" error string but the command executes regardless. Custom client is required as it seems to dislike CRLF \r\n characters when using netcat or telnet.
References: [MVID-2024-0677] |
| 53217 |
tcp |
trojan |
Premium scan |
Acid Battery 2000 trojan horse (TCP) |
| 53297 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.ju (PSYRAT) / Authentication Bypass RCE - the PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor. The malware will return a BADPWD and or "Invalid command" error string but the command executes regardless. Custom client is required as it seems to dislike CRLF \r\n characters when using netcat or telnet.
References: [MVID-2024-0677] |
| 53357 |
tcp,udp |
virus |
not scanned |
W95.Sma [Symantec-2002-060510-2532-99] (2002.05.29) - an oligomorphic stealth virus which affects Windows 9x environments. It is network-aware and has a payload that runs arbitrary code that originates from a specific IP address. |
| 53484 |
tcp |
linksys |
Premium scan |
Sony VLP Network Projectors use port 53484 by default.
Reportedly, some newer Linksys "Smart WiFi" routers like EA6300 can open port 53484 by default. To close the port on such routers, disable any "Remote Access", and "Smart Phone access". |
| 53535,53540,53541 |
tcp,udp |
activepdf |
not scanned |
ESET Live Grid, Antispam and Web Control
ActivePDF software - automates PDF generation process from different sources, such as a website
ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541 |
| 54045 |
udp |
arx |
not scanned |
Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235) |
| 54099 |
udp |
arx |
not scanned |
Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235) |
| 54112 |
tcp |
trojans |
Premium scan |
Backdoor.Ranky.F [Symantec-2004-040119-5250-99] (2004.04.01) - a trojan horse that runs as a proxy server. By default, the trojan opens TCP port 54112. |
| 54138 |
tcp |
applications |
not scanned |
Toshiba 4690 operating system could allow a remote attacker to obtain sensitive information. By sending a specially crafted string to TCP port 54138, an attacker could return environment variables to an unauthenticated client. An attacker could exploit this vulnerability to restricted data.
References: [CVE-2014-8476], [XFDB-103666] |
| 54188 |
tcp |
applications |
not scanned |
An issue was discovered on Askey AP4000W TDC_V1.01.003 devices. An attacker can perform Remote Code Execution (RCE) by sending a specially crafted network packer to the bd_svr service listening on TCP port 54188.
References: [CVE-2020-8614], [XFDB-176230] |
| 54236 |
tcp,udp |
applications |
not scanned |
Razer Chroma SDK Rest Server through 3.12.17 allows remote attackers to execute arbitrary programs because there is a race condition in which a file created under "%PROGRAMDATA%\Razer Chroma\SDK\Apps" can be replaced before it is executed by the server. The attacker must have access to port 54236 for a registration step.
References: [CVE-2020-16602] |
| 54283 |
tcp |
trojan |
Premium scan |
Trojans using this port:
BackDoor-G, SubSeven, Sub7(*) (TCP) |
| 54312 |
tcp,udp |
trojans |
not scanned |
Backdoor.Niovadoor [Symantec-2002-103118-2307-99] (2002.10.31) - a backdoor trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 54312 on the infected computer. The trojan attempts to disable some antivirus and firewall programs by terminating their active processes. |
| 54320 |
udp |
trojan |
not scanned |
Back Orifice 2000, BO2K(*) trojan horse (UDP) |
