| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 61746 |
tcp,udp |
trojan |
not scanned |
KiLo trojan - listens on ports 50829,61746,61747,61748. May be related to Backdoor.KiLo [Symantec-2003-021319-1815-99] that uses ports 6711, 6718. |
| 61747 |
tcp,udp |
trojan |
not scanned |
KiLo trojan - listens on ports 50829,61746,61747,61748. May be related to Backdoor.KiLo [Symantec-2003-021319-1815-99] that uses ports 6711, 6718. |
| 61748 |
udp |
trojan |
not scanned |
KiLo trojan - listens on ports 50829,61746,61747,61748. May be related to Backdoor.KiLo [Symantec-2003-021319-1815-99] that uses ports 6711, 6718. |
| 61979 |
tcp |
trojan |
Premium scan |
Cool Remote Control trojan horse |
| 62011 |
tcp |
trojan |
Premium scan |
Ducktoy trojan |
| 62078 |
tcp,udp |
upnp |
not scanned |
UPnP (Universal Plug and Play), iTunes
Port used by UPnP for multimedia files sharing, also used for synchronizing iTunes files between devices.
Apple's lockdownd protocol – used for communicating with iPhones and iPads. |
| 62514 |
udp |
vpn |
not scanned |
Cisco VPN Service to Cisco Systems IPSec Driver
Stack-based buffer overflow in the IKE service (ireIke.exe) in SafeNet SoftRemote before 10.8.6 allows remote attackers to execute arbitrary code via a long request to UDP port 62514.
References: [CVE-2009-1943], [BID-35154] |
| 62515 |
udp |
vpn |
not scanned |
Cisco VPN Client - also employs Network Admission Control (NAC) |
| 62516 |
udp |
ireike |
not scanned |
IREIKE, SonicWall VPN, NetScreen Remote Client
Port 62516 is used for communications between the IKE service and driver for interface detection. The IKE service sends a broadcast, and it should be blocked by the driver. But if DNE (Deterministic NDIS) is not bound to an interface, this broadcast will be sent out. |
| 62884 |
tcp |
malware |
not scanned |
Trojan.Win32.RASFlooder.b / Hardcoded Plaintext Password - the malware lets you create a backdoor server that will listen on TCP port 62884. Theres an option to specify a password if you choose. However, the malware allows weak passwords consisting of one character and stores user specified passwords in cleartext within the executable. The password is easily recoverable using strings util.
References: [MVID-2021-0287] |
| 62976 |
udp |
applications |
not scanned |
D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address, which allows remote attackers to change the IP address of the camera via a UDP broadcast packet.
References: [CVE-2004-1650], [BID-11072], [SECUNIA-12425] |
| 63000 |
tcp |
trojans |
Premium scan |
W32.Gaobot.ADX [Symantec-2004-042412-3100-99] (2004.04.24) - Windows worm that spreads through a few different methods, including open network shares, several known Windows vulnerabilities, and other backdoors like Beagle and Mydoom. Listens on these TCP ports: 63000 (HTTP), 63001 (HTTPS), 30001 (SOCKS proxy), and a FTP server on a random port. |
| 63001 |
tcp |
trojans |
Premium scan |
W32.Gaobot.ADX [Symantec-2004-042412-3100-99] (2004.04.24) - Windows worm that spreads through a few different methods, including open network shares, several known Windows vulnerabilities, and other backdoors like Beagle and Mydoom. Listens on these TCP ports: 63000 (HTTP), 63001 (HTTPS), 30001 (SOCKS proxy), and a FTP server on a random port. |
| 63148 |
tcp |
applications |
not scanned |
Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via repeatedly sending large (> 10Kb) amounts of data to the DIIOP - CORBA service on TCP port 63148.
References: [CVE-2001-0603] |
| 63235 |
tcp |
arx |
not scanned |
Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235) |
| 63333 |
tcp |
TrippLite |
not scanned |
Tripp Lite PowerAlert UPS |
| 63392 |
tcp,udp |
applications |
not scanned |
Live For Speed Server |
| 63485 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 63536 |
tcp |
trojan |
not scanned |
InsaneNetwork.500 trojan |
| 63808 |
tcp |
trojan |
Premium scan |
Phatbot |
| 63809 |
tcp |
trojans |
Premium scan |
Phatbot
W32.hllw.gaobot.dk worm [Symantec-2003-120514-4926-99] |
| 63878 |
tcp |
trojan |
not scanned |
AphexFTP.100 trojan |
| 63879 |
tcp |
trojan |
not scanned |
AphexFTP.100 trojan |
| 64064 |
tcp,udp |
applications |
not scanned |
Gizmo Project |
| 64087 |
udp |
games |
not scanned |
Crysis game uses this port.
The ports for Crysis are as follows:
TCP 29900, 29901, 28910, 6667
UDP 64087
When hosting a server the following ports are used:
TCP 29900, 29901, 28910, 443, 80
UDP 64087, 29910, 27900, 27901 |
| 64100-64299 |
udp |
warface |
not scanned |
Warface game ports: 5222 TCP, 64100-64299 UDP |
| 64101 |
tcp |
trojans |
Premium scan |
Taskman trojan |
| 64320 |
tcp,udp |
activepdf |
not scanned |
Port used by ActivePDF software - automates PDF generation process from different sources, such as a website
ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541 |
| 64429 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551. |
| 64444 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AM [Symantec-2005-012716-1902-99] (2005.01.27) - worm with backdoor and denial of service capabilities. Spreads via network shares. Connects via IRC and listens on port 64444/tcp. |
| 64554 |
tcp |
malware |
not scanned |
Backdoor.Win32.Delf.wr / Authentication Bypass RCE - the CrazyInvadres Group⌐ bY SMURF_NS malware runs an FTP server on TCP port 64554. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0326]
Backdoor.Win32.Delf.wr / Port Bounce Scan - the CrazyInvadres Group⌐ bY SMURF_NS malware runs an FTP server on TCP port 64554 and accepts any username/password credentials. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0327] |
| 64738 |
tcp,udp |
voip |
not scanned |
Mumble VoIP server uses port 64738 TCP and UDP by default. 64738 UDP is the default connection port to Mumble servers (VoIP software for PC gamers).
|
| 64969 |
tcp |
trojan |
not scanned |
Lithium.100 trojan |
| 64999 |
udp |
applications |
not scanned |
Unspecified vulnerability in SAP Web Application Server before 6.40 patch 6 allows remote attackers to cause a denial of service (enserver.exe crash) via a certain UDP packet to port 64999, aka "two bytes UDP crash".
References: [CVE-2006-6011]
Unspecified vulnerability in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to cause a denial of service (enserver.exe crash) via a 0x72F2 sequence on UDP port 64999.
References: [CVE-2006-5785] [SECUNIA-22677] [BID-20873] |
| 65000 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Devil 13, Sockets des Troie, Stacheldraht (DDoS)
|
| 65000 |
udp |
trojans |
not scanned |
Devil trojan horse 1.03
Backdoor.Win32.Whgrx / Remote Host Header Stack Buffer Overflow - the specimen listens on datagram UDP port 65000, by sending a specially crafted HTTP PUT request and specifying a large string of characters for the HOST header we trigger the buffer overflow overwriting stack registers. Upon running the malware it may display a "Cannot load shared library wsocx.dll" message but still runs normally. The exploit payload specifies both 41414141 and 42424242 pattern with 42424242 overwriting SEH and ECX register, the 42424242 pattern was target the HTTP HOST header.
References: [MVID-2021-0030] |
| 65001 |
tcp,udp |
hdhomerun |
not scanned |
HDHomeRun DVR from SiliconDust uses this port. HDHomeRun can be administered over the Ethernet link to tune channels, broadcast an MPEG stream, etc. The device can be viewed/controlled through a range of Linux/Windows DVR/PVR programs.
List of all used ports:
Discovery Protocol - UDP 65001
Control Protocol - TCP 65001
Video stream - UDP 5002 and UDP 5004
LIRC for IR on HD Homerun - UDP 5000 |
| 65002 |
tcp,udp |
applications |
not scanned |
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials.
References: [CVE-2020-9275] |
| 65100 |
tcp,udp |
applications |
not scanned |
Port used by the Sage Act! customer and contact manager. Port 65100 serves Act! as a link that offers remote access to information in the enterprise network. Act! can also be integrated into business programs such as accounting tools and MS Office. |
| 65111 |
tcp |
trojans |
Premium scan |
Backdoor.Microkos [Symantec-2005-081015-0341-99] (2005.08.10) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp. |
| 65112 |
tcp,udp |
tv-multicast |
not scanned |
Port used by One-to-One TV over IP Multicast. Used for IP-based multimedia "chunk streaming", extending the capability of multimedia streaming to provide every client with individual content over the Internet. |
| 65289 |
tcp |
trojan |
Premium scan |
yoyo trojan horse |
| 65301 |
tcp |
pcanywhere |
Premium scan |
Port used by PC Anywhere |
| 65390 |
tcp |
trojans |
Premium scan |
Xylo Eclypse trojan |
| 65421 |
tcp |
trojans |
Premium scan |
Alicia trojan, Jade trojan packed with neolite |
| 65422 |
tcp |
trojan |
Premium scan |
Alicia trojan horse |
| 65423 |
udp |
malware |
not scanned |
HackTool.Win32.Hidd.b / Remote Stack Buffer Overflow (UDP Datagram) - the malware listens on UDP ports 52810 and 65423. Third-party attackers who can reach an infected system can send a 479 byte payload to port 65423 and trigger a classic stack buffer overflow overwriting the EIP, ECX registers.
References: [MVID-2021-0318] |
| 65432 |
tcp |
trojans |
Premium scan |
The Traitor (th3tr41t0r) trojan uses ports 65432/tcp and 65532/udp |
| 65506 |
tcp |
trojans |
Premium scan |
Port 65506 is used by some trojans for a spam email relay.
PhatBot (a.k.a. Agobot, Gaobot) - most variants exploit the MS DCOM RPC vilnerability (MS Security Billetin [MS03-026]) and the RPC locator vulnerability (MS Security Bulletin [MS03-001]) to spread. Some variants scan port 65506 for a possible backdoor. |
| 65511 |
tcp |
applications |
not scanned |
A certain HTC update for Android 2.3.4 build GRJ22, when the Sense interface is used on the HTC EVO 3D, EVO 4G, ThunderBolt, and unspecified other devices, provides the HtcLoggers.apk application, which allows user-assisted remote attackers to obtain a list of telephone numbers from a log, and other sensitive information, by leveraging the android.permission.INTERNET application permission and establishing TCP sessions to 127.0.0.1 on port 65511 and a second port.
References: [CVE-2011-3975] [BID-49916] |
| 65520 |
tcp |
virus |
not scanned |
W32.Virut.B [Symantec-2007-030116-3455-99] (2007.03.01) - a virus that infects executable files and opens a back door on the compromised computer |
| 65530 |
tcp |
trojan |
Members scan |
Backdoor.Mite [Symantec-2002-090309-2255-99] - remote access trojan with password-stealing capabilities, affects Windows. Opens a backdoor on port 61000/tcp. BD Windows Mite 1.0 variant listens on port 65530/tcp. |
| 65532 |
udp |
trojans |
Premium scan |
The Traitor (th3tr41t0r) trojan uses ports 65432/tcp and 65532/udp |
| 65534 |
tcp |
trojans |
Premium scan |
[trojan] /sbin/initd - reported on Linux hosts as a hacked backdoor along with tcp port 1049
Port also used by NetMeeting with H323 |
| 65535 |
tcp |
trojans |
Premium scan |
Trojans using this port: Adore, Sins, ShitHeep, RC trojan
Apple Xsan Filesystem Access uses the dynamic/private range 49152-65535 (TCP/UDP) as well. |
| 65535 |
udp |
games |
not scanned |
Lord of the Rings: Battle for Middle Earth 2, Dark Ages of Camelot, Final Fantasy XI (TCP/UDP)
Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP.
References: [CVE-2007-1674], [BID-23483] |
