Port(s) |
Protocol |
Service |
Scan level |
Description |
6631 |
tcp |
worm |
Premium scan |
Backdoor.Sdbot.AG [Symantec-2004-111817-1202-99] (2004.11.18) - network-aware worm with backdoor capabilities that spreads through network shares. Affects all current Windows versions.
It opens a backdoor by connecting to an IRC server (ronz1.afraid.org or ronz2.afraid.org) on port 6631/tcp. |
3436,3437 |
tcp |
trojans |
Premium scan |
Backdoor.Netjoe [Symantec-2004-111613-5136-99] (2004.11.16) - remote access trojan. Affects all current Windows versions, opens TCP ports 3436 and 3437. |
1639 |
tcp |
trojans |
Members scan |
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] (2004.11.12) - a mass-mailing worm that exploits the MS Internet Explorer IFRAME vulnerability [BID-11515]. Affects all current Windows versions.
Runs as an HTTP server on port 1639/tcp and attempts to connect to IRC servers on port 6667/tcp.
W32.Bofra.C@mm [Symantec-2004-111113-3948-99] (2004.11.11) - another variant of the Bofra worm. It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] (2004.11.08).
W32.Bofra.D@mm [Symantec-2004-110911-3939-99] (2004.11.09). |
1088 |
tcp |
trojans |
Premium scan |
Trojan.Webus.D [Symantec-2004-111216-2213-99] (2004.11.12) - remote access trojan, affects all current Windows versions. Opens a backdoor by connecting via port 1088 to IRC servers serv.gigaset.org or gimp.robobot.org. It then can receive a range of commands, including downloading and executing remote files. It can also open another random tcp port for incoming connections.
Trojan.Webus.E [Symantec-2005-040511-3347-99] (2005.04.05) - trojan that opens a backdoor and connects to IRC servers for remote access on port 1088/tcp.
Trojan.Webus.H [Symantec-2005-070318-0714-99] (2005.07.03) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands. |
1640 |
tcp |
trojans |
Premium scan |
W32.Bofra.C@mm [Symantec-2004-111113-3948-99] (2004.11.11) - mass-mailing worm that exploits the MS Internet Explorer IFRAME Vulnerability [BID-11515]. Also spreads by sending email to addresses found on the infected computer. It can affect all current Windows versions.
It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp. |
2080 |
tcp |
trojans |
Premium scan |
Autodesk Network License Manager (FLEXlm, adskflex.exe) uses port 2080 tcp. See also ports 27000-27009 tcp.
IRLP - Internet Radio Linking Project uses port 2080/tcp.
Some versions of WinGate 3.0 contain a bug that allows the service to be crashed by connecting to this port and sending 2000 characters.
Backdoor.TJServ [Symantec-2004-111117-0241-99] (2004.11.11) a.k.a. Backdoor.Curdeal - backdoor trojan, affects Windows, notifies websites on the domain currentdeal.biz on port 2080/tcp, and opens a random port to listen for remote commands.
WinHole trojan horse also uses port 2080/tcp. |
1409 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Bifrut [Symantec-2004-110817-2626-99] (2004.11.08) - remote access trojan, can affect all current Windows versions. Opens a backdoor on port 1409/tcp bound to the command shell.
Backdoor.Brakkeshell [Symantec-2005-092114-3621-99] (2005.09.20) - a trojan horse that opens a back door on the compromised computer and waits for commands.
Port is IANA registered for: Here License Manager |
4662 |
tcp |
edonkey |
Members scan |
eDonkey 2000 P2P file sharing service.
Applications that use this port: Overnet P2P Server, Pruna, eMule
eMule p2p file sharing software uses ports 4661/tcp, 4662/tcp, 4665/udp, 4672/udp, 4711/tcp (web interface) by default. Some versions of this P2P client are vulnerable to a DecodeBase16 buffer overflow, which would allow an attacker to execute arbitrary code.
IANA registered for: OrbitNet Message Service |
60068 |
tcp |
trojans |
Premium scan |
Xzip trojan, T0rn rootkit |
60001 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Entitee trojan, Trinity trojan (DoS) |
60008 |
tcp |
trojans |
Premium scan |
T0rn Rootkit trojan
Lion trojan - exploits Linux Bind servers' TSIG vulnerability |
65432 |
tcp |
trojans |
Premium scan |
The Traitor (th3tr41t0r) trojan uses ports 65432/tcp and 65532/udp |
65421 |
tcp |
trojans |
Premium scan |
Alicia trojan, Jade trojan packed with neolite |
65390 |
tcp |
trojans |
Premium scan |
Xylo Eclypse trojan |
65301 |
tcp |
pcanywhere |
Premium scan |
Port used by PC Anywhere |
64101 |
tcp |
trojans |
Premium scan |
Taskman trojan |
63485 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
61603 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
61348 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
53001 |
tcp |
trojans |
Premium scan |
Remote Windows Shutdown trojan |
52317 |
tcp |
trojans |
Premium scan |
Port used by: Acid Battery 2000 trojan |
51966 |
tcp |
trojans |
Premium scan |
Trojan Cafeini
Backdoor.Win32.Cafeini.b / Denial of Service - the malware listens on TCP port 51966 and is packed by a modified UPX implementation. Third-party adversaries who can reach an infected system can terminate the malware by issuing the cmd DIEDIEDIE, without being required to authenticate.
References: [MVID-2022-0525]
Backdoor.Win32.Cafeini.b / Weak Hardcoded Credentials - the malware listens on TCP ports 51966 and 23. Authentication is required, but the password "mama" is weak and is found within the PE file. Moreover, the FTP server running on non-standard port 23 uses the same password. Attempting to execute a program incorrectly returns a reply like "STATUS I can't run program", as the full path to the file is required for execution.
References: [MVID-2022-0617] |
30 |
tcp |
trojans |
Premium scan |
Agent 40421 trojan. Also uses port 40421/tcp
ATC Battlefield 1942 (TCP/UDP), ATC Ghost Recon 2 (TCP/UDP), ATC Splinter Cell Chaos Theory (TCP/UDP), developer: Foolish Entertainment |
50766 |
tcp |
trojans |
Premium scan |
Fore remote access trojan - ports 21, 50766
Scwhindler remote access trojan - ports 21554, 50766 |
5321 |
tcp |
trojans |
Premium scan |
Port used by Firehotcker remote access trojan (uses ports 79, 5321). |
15858 |
tcp |
trojans |
Premium scan |
CDK trojan (ports 79, 15858) |
146 |
tcp |
trojans |
Premium scan |
Infector trojan (1999.04) - affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000
ISO-IP0 (TCP/UDP) (IANA official) |
1208 |
tcp |
trojans |
Premium scan |
Infector trojan (1999.04) - affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
17569 |
tcp |
trojans |
Premium scan |
Infector trojan (1999.04) - affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000 |
24000 |
tcp |
trojans |
Premium scan |
Infector trojan (1999.04) - affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000
Apple med-ltp web service (with performance cache) uses the range 24000-24999/tcp. |
30000 |
tcp |
trojans |
Premium scan |
Pokemon Netbattle
GnomeMeeting (audio and videoconference) uses ports 30000-30010
Infector trojan (1999.04) - affects Windows 9x (ICQ). Uses ports 146, 1208, 17569, 24000, 30000
Stack-based buffer overflow in NT_Naming_Service.exe in SAP Business One 2005 A 6.80.123 and 6.80.320 allows remote attackers to execute arbitrary code via a long GIOP request to TCP port 30000.
References: [CVE-2009-4988], [BID-35933]
In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard and create a new Kubernetes Deployment running arbitrary code. If minikube mount is in use, the attacker could also directly access the host filesystem.
References: [CVE-2018-1002103]
ndmps - Secure Network Data Management Protocol (IANA official) |
667 |
tcp |
trojans |
Premium scan |
SniperNet remote access trojan (2000.02) - affects Windows 9x. |
1020 |
tcp |
trojans |
Premium scan |
Vampire remote access trojan (1999) - affects Windows 9x/NT, uses ports 1020 and 6669. |
1050 |
tcp |
trojans |
Basic scan |
MiniCommand trojan
MS DNS Server on Windows Server 2003 machines may possibly use this port for DNS if other ports are being blocked by a firewall. See MS KB 198410, registry key "SendOnNonDnsPort" (unconfirmed).
Fortinet FortiNAC could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization of untrusted data vulnerability. By sending a specially crafted request to the tcp/1050 service, an attacker could exploit this vulnerability to execute arbitrary code or commands on the system.
References: [CVE-2023-33299], [XFDB-258701]
CORBA Management Agent (IANA official) |
1090 |
tcp |
trojans |
Premium scan |
Port used by Xtreme remote access trojan with keylogger capabilities. It also installs NetBus 2.1 Pro in the background.
Jana Server is vulnerable to a denial of service attack. A remote attacker could send specially-crafted data to the http-server module listening on TCP port 2506 and the pna-proxy module listening on TCP port 1090 to cause the server to enter into an infinite loop.
References: [BID-11780], [XFDB-18308]
Port is also IANA registered for FF Fieldbus Message Specification (TCP/UDP) |
1338 |
tcp |
|
Premium scan |
Millenium Worm, affects Unix/Linux. |
4711 |
tcp |
emule |
Premium scan |
McAfee Web Gateway 7 - Default GUI HTTP port
eMule p2p file sharing software uses ports 4661/tcp, 4662/tcp, 4665/udp, 4672/udp, 4711/tcp (web interface) by default. Some versions of this P2P client are vulnerable to a DecodeBase16 buffer overflow, which would allow an attacker to execute arbitrary code.
Battlefield 2142 (Game) remote console
IANA registered for: Trinity Trust Network Node Communication (TCP/UDP/SCTP) |
5521 |
tcp |
skype |
Premium scan |
Port used by Skype VoIP.
Illusion Mailer trojan also uses port 5521 (TCP). |
7329 |
tcp |
trojans |
Premium scan |
Backdoor.Netshadow [Symantec-2005-020912-0845-99] (2005.02.09) - a trojan horse with backdoor capabilities. Listens on port 7329 by default (port configurable). |
2784 |
tcp |
trojans |
Members scan |
Backdoor.Sdbot.AO [Symantec-2005-013016-4636-99] (2005.01.30) - worm with backdoor capabilities. Gives remote access to the compromised PC, via IRC channels on port 2784. |
64444 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AM [Symantec-2005-012716-1902-99] (2005.01.27) - worm with backdoor and denial of service capabilities. Spreads via network shares. Connects via IRC and listens on port 64444/tcp. |
5002 |
tcp |
trojans |
Members scan |
SOLICARD ARX
W32.Spybot.IVQ [Symantec-2005-012715-3315-99] (2005.01.26) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445). Opens a backdoor on one or more of these ports: 1927, 1930, 5002, 5003.
SouthWest is vulnerable to a denial of service attack. A remote attacker could send a specially-crafted HTTP request to the HTTP server listening on port 5002 to cause the service to crash. The service must be restarted to regain normal functionality.
References: [BID-4362], [CVE-2002-0496]
Unspecified vulnerability in HP LoadRunner 9.52 allows remote attackers to execute arbitrary code via network traffic to TCP port 5001 or 5002, related to the HttpTunnel feature.
References: [CVE-2011-0272] [BID-45792] [SECUNIA-42898] [OSVDB-70432]
An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock.
References: [CVE-2016-8368], [BID-94632]
The network-enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still, the Equinox console port 5002 is left open, allowing anyone to log into Kura without any user credentials over unencrypted telnet and execute commands using the Equinox "exec" command. As the process is running as "root", full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and assigning a MAC address based IPv6 address.
References: [CVE-2017-7649]
Some other trojans also use this port: cd00r, Shaft, Linux Rootkit IV (4) |
1927 |
tcp |
trojans |
Members scan |
W32.Spybot.IVQ [Symantec-2005-012715-3315-99] (2005.01.26) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445). Opens a backdoor on one or more of these ports: 1927, 1930, 5002, 5003. |
8000 |
tcp |
trojans |
Basic scan |
Commonly used as an alternate HTTP port. Some firewalls use it for HTTP web administration. Also commonly used for internet radio streams using Nicecast/Icecast/Shoutcast/Winamp audio streaming.
Applications that use this port:
PFSense
VmWare VMotion
Nortel Firewall User Authentication
Barracuda Web Administration
AWS Local DynamoDB
Canon Management Console
Dell OpenManage (remote management for Dell Servers)
MediaBank
JRun Management Console
Splunk
Django Dev Server
Chef service "opscode-erchef" uses 8000/TCP to handle Chef server API requests
HIKVISION iVMS software uses 8000 port for connect clients to PCNVR server
Seafile Windows Server uses the following TCP ports: 8000 (seahub web interface), 8082 (seafile server), 10001 (ccnet), 12001 (seaf-server).
X-Lite
Verint Vid-Center [vid-center.exe], Windows enterprise network DVR application
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - Forticlient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
Malware using this port:
W32.Gaobot.CEZ [Symantec-2005-012609-1021-99] (2005.01.25) - Worm with backdoor capabilities. Spreads through exploiting various vulnerabilities (ports 80, 135, 445). Blocks access to security-related websites and terminates some processes. Connects to an IRC server and listens on port 8000.
W32.Spybot.OGX [Symantec-2005-050217-0724-99] (2005.05.02) - network-aware worm with distributed denial of service and backdoor capabilities. Opens a backdoor by connecting to an IRC server on port 8000/tcp.
W32.Mytob.JW@mm [Symantec-2005-100312-4423-99] (2005.10.04) - a mass-mailing worm with backdoor capabilities that lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 8000/tcp. Also uses port 10027/tcp to download a copy of the worm.
JSMP3OGGWt.dll in JetCast Server 2.0.0.4308 allows remote attackers to cause a denial of service (daemon crash) via a long .mp3 URI to TCP port 8000.
References: [CVE-2007-4911] [BID-25660]
Gordano NTMail 6.0.3c allows a remote attacker to create a denial of service via a long (>= 255 characters) URL request to port 8000 or port 9000.
References: [CVE-2001-0585] [BID-2494]
Stack-based buffer overflow in collectoragent.exe in Fortinet Single Sign On (FSSO) before build 164 allows remote attackers to execute arbitrary code via a large PROCESS_HELLO message to the Message Dispatcher on TCP port 8000.
References: [CVE-2015-2281]
Port is also IANA registered for iRDMI. |
16661 |
tcp |
trojans |
Premium scan |
Backdoor.Haxdoor.D [Symantec-2005-012411-2332-99] (2005.01.24) - backdoor trojan program. Also attempts to log key strokes and steal passwords. Listens on port 16661/tcp, opens two additional high random ports.
Backdoor.Haxdoor.E [Symantec-2005-080212-3505-99] (2005.08.01) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp. |
8081 |
tcp |
http |
Basic scan |
Hyper Text Transfer Protocol (HTTP) - alternative ports used for web traffic. See also TCP ports 80, 81, 8080.
Dreambox 8000 also uses port 8081 (TCP/UDP).
Azure Cosmos DB Emulator uses port 8081 by default. https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator
McAfee ePO uses these ports:
80, 443, 8443, 8444 TCP - HTTP(S) traffic
389, 646 - LDAP, SSL LDAP
881 TCP - receiving security threat feed
1433 TCP, 1434 UDP - communication with SQL server
8081 TCP - outbound wakeup requests from the McAfee ePO server
8082 UDP - outbound traffic from superagents forwarding server messages
If you're not running web services on these ports, keep in mind that some trojans also use them:
W32.Bufei [Symantec-2005-041809-5835-99] (2005.04.17) - virus with backdoor and keylogger capabilities. Attempts to connect to URLs for remote access on port 8081 every 3 minutes.
A vulnerability has been reported in McAfee Agent, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error within the McAfee Framework Service (FrameworkService.exe) when handling HTTP requests and can be exploited to cause a crash by sending a specially crafted HTTP request to default TCP port 8081.
References: [CVE-2013-3627], [SECUNIA-55158]
A non-privileged user of the Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could perform a persistent Cross-Site Scripting (XSS) attack, potentially resulting in obtaining administrative permissions.
References: [CVE-2017-2683], [BID-96455]
The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could allow a remote attacker to perform a Cross-Site Request Forgery (CSRF) attack, potentially allowing an attacker to execute administrative operations, provided the targeted user has an active session and is induced to trigger a malicious request.
References: [CVE-2017-2682], [BID-96458]
An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything.
References: [CVE-2018-17178]
A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not checked at all.
References: [CVE-2018-17176] |
9999 |
tcp |
crypto |
Premium scan |
Football Manager Live (TCP/UDP), Warzone 2100 (TCP/UDP), Ultima, TP-Link Smart Outlet remote console access, Hydranode—edonkey2000 TELNET control, Lantronix UDS-10/UDS100 RS-485 to Ethernet Converter TELNET control, Urchin Web Analytics
Dash cryptocurrency uses port 9999.
Common cryptocurrency ports (TCP):
Bitcoin: 8333
Litecoin: 9333
Dash: 9999
Dogecoin: 22556
Ethereum: 30303
Port vulnerabilities and malware that uses this port:
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] (2005.01.17) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
Backdoor.Lateda.C [Symantec-2005-033112-4545-99] (2005.03.31) - backdoor trojan with remote access capabilities. Connects to an IRC server on the l33t.freeshellz.org domain on port 5232/tcp, opens a backdoor on port 9999/tcp.
The remote web management interface of Aprelium Technologies Abyss Web Server 1.1.2 and earlier does not log connection attempts to the web management port (9999), which allows remote attackers to mount brute force attacks on the administration console without detection.
References: [CVE-2003-1363] [BID-6842]
Firefly Media Server is vulnerable to a denial of service, caused by multiple NULL pointer dereference errors in the firefly.exe binary file. By sending a specially-crafted packet to TCP Port 9999 with a malformed header, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [EDB-23574]
This vulnerability allows remote attackers to execute arbitrary code on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the control service, which listens on TCP port 9999 by default. The issue results from the lack of authentication prior to allowing alterations to the system configuration. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-10493.
References: [CVE-2020-10920]
A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256272.
References: [CVE-2024-2318]
TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection
References: [EDB-51906]
TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution
References: [EDB-51853]
The Prayer 1 trojan horse (TCP)
distinct (TCP/UDP) (IANA official) |
3195 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Whisper.B [Symantec-2005-011711-0033-99] (2005.01.17) - backdoor trojan. Connects to an IRC channel for remote access on port 3195/tcp.
IANA registered for: Network Control Unit |
8126 |
tcp |
trojans |
Members scan |
W32.Pejaybot [Symantec-2005-011415-1848-99] (2005.01.14) - worm that spreads via file sharing networks. Connects to an IRC server and opens a backdoor on port 8126.
W32.Kelvir.Q [Symantec-2005-041213-2840-99] (2005.04.12) - worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm [Symantec-2003-053013-5943-99]. Connects to an IRC server on port 8126/tcp. |
15118 |
tcp |
trojans |
Premium scan |
Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin [MS04-011]). Uses tcp ports 11768 and 15118. |
11768 |
tcp |
trojans |
Premium scan |
Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin [MS04-011]). Uses tcp ports 11768 and 15118.
Trojan.Netdepix [Symantec-2004-121913-4445-99] (2004.12.18) - a trojan horse program that attempts to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (Microsoft Security Bulletin [MS04-011]) on randomly selected computers causing it to download and execute a remote file. |
559 |
tcp |
trojans |
Premium scan |
Port used by Domwis remote access trojan. Creates a backdoor and spam proxy on port 559.
Backdoor.Solufina [Symantec-2005-030813-5906-99] also uses this port. |
10087 |
tcp |
trojans |
Members scan |
W32.Mytob.AD@mm [Symantec-2005-040800-3252-99] - mass-mailing worm with built-in SMTP engine. Spreads by exploiting the MS DCOM RPC vulnerability ([MS03-026]) and the MS Windows Local Security Authority Service Remote Buffer Overflow ([MS04-011]). Opens a backdoor on port 10087/tcp. Also connects to an IRC channel on the ircd.dists.com domain on port 6667 and listens for commands. Compromised PCs can be rebooted remotely, files can be downloaded/executed, and IRC commands can be performed. W32.Mytob.AA@mm [Symantec-2005-040421-3550-99] and W32.Mytob.AQ@mm [Symantec-2005-041112-3912-99] variants also open this port. W32.Mytob.IH@mm variant listens on port 31113/tcp. W32.Mytob.FP@mm opens backdoors on ports 10087/tcp and 12347/tcp. |
1930 |
tcp |
trojan |
Premium scan |
W32.Spybot.IVQ [Symantec-2005-012715-3315-99] (2005.01.26) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445). Opens a backdoor on one or more of these ports: 1927, 1930, 5002, 5003.
IANA registered for: Drive AppServer |
4592 |
tcp |
applications |
not scanned |
webvrpcs.exe in Advantech/BroadWin WebAccess allows remote attackers to execute arbitrary code or obtain a security-code value via a long string in an RPC request to TCP port 4592.
References: [CVE-2011-4041], [BID-47008] |
1906 |
tcp |
trojans |
Premium scan |
Backdoor.Verify [Symantec-2005-040711-2720-99] (2005.04.06) - backdoor trojan that allows remote access to the compromised computer, opens ports 1906/tcp and 1907/tcp for remote access.
Backdoor.Win32.Verify.h / Unauthenticated Remote Command Execution - the malware listens on TCP ports 1906 and 1907. Third-party adversaries who can reach an infected host on either port can gain access and/or run any OS command.
References: [MVID-2022-0538] |
40404 |
tcp |
trojans |
Members scan |
W32.Randex.DFJ [Symantec-2005-040512-3029-99] (2005.04.06) - network-aware worm that spreads via network shares exploiting weak passwords. Opens a backdoor on port 40404/tcp and connects to an IRC server on the tunit.p2p.com.hk domain. It can be remotely controlled via IRC. |
34330 |
tcp |
trojans |
Premium scan |
W32.Myfip.AB [Symantec-2005-040810-5834-99] - network-aware worm that steals files from compromised computers. Sends files to a remote server on port 34330/tcp. |
9000 |
tcp |
trojans |
Members scan |
Buffalo LinkSystem Web access (unofficial), DBGp, SqueezeCenter web server & streaming, Play! Framework web server
Cisco WebEx
ManageEngine AssetExplorer (IT asset management software) uses port 9000 TCP by default
MIS Comunicator Sysdev MSS (Mobile Sales System) default port
SonarQube Web Server uses port 9000
Emidate
Games that use this port:
EverQuest World server
Dungeons & Dragons Online uses ports 9000-9010 (TCP/UDP)
Lord of the Rings Online uses ports 9000-9010
W32.Randex.CZZ [Symantec-2005-031510-5713-99] (2005.03.15) - network-aware worm that attempts to connect to an IRC server on port 9000/tcp for remote instructions.
W32.Mytob.GK@mm [Symantec-2005-062814-3052-99] (2005.06.28) - mass-mailing worm that opens a backdoor on port 9000/tcp.
Netministrator trojan uses port 9000.
Gordano NTMail 6.0.3c allows a remote attacker to create a denial of service via a long (>= 255 characters) URL request to port 8000 or port 9000.
References: [CVE-2001-0585] [BID-2494]
Multiple KWORLD products could allow a remote attacker to bypass security restrictions, caused by the failure to validate communications on port 9000. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
References: [XFDB-101454]
Zhuhai RaySharp firmware has a hardcoded root password, which makes it easier for remote attackers to obtain access via a session on TCP port 23 or 9000.
References: [CVE-2015-8286]
Astoria ARV7510 could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104630]
Huawei HG553 could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104618]
Observa Telecom VH4032N could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104554]
Huawei HG556a could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104624]
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. They expose an FTP server that serves by default on port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this, a remote unauthenticated attacker could execute arbitrary PHP code by uploading any file in the web root directory and then accessing it via a request.
References: [CVE-2018-17440], [EDB-45533]
WonderCMS is vulnerable to SSRF Vulnerability. In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS. The theme/plugin installer does not sanitize the destination of github/gitlab url, so attacker can point the destination to localhost. When the attacker points the request to localhost, this leads to SSRF vulnerability. The highest impact leads to RCE with gopher scheme and FastCGI running on port 9000.
References: [EDB-49154]
Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified, which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the Manage Engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never freed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (i.e. NEWSCAN, DELTASCAN, etc.) is converted to a unicode string, but is never freed. These memory leaks allow a remote attacker to cause a Denial of Service by repetitively sending these commands to an agent, eventually crashing the agent due to an out-of-memory condition.
References: [CVE-2021-20108]
Otris Update Manager 1.2.1.0 allows local users to achieve SYSTEM access via unauthenticated calls to exposed interfaces over a .NET named pipe. A remote attack may be possible as well, by leveraging WsHTTPBinding for HTTP traffic on TCP port 9000.
References: [CVE-2021-40376]
Trojan.Win32.Delf.bna / Information Disclosure - the malware listens on TCP port 9000 and has the option to set a password in "Config.ini". Third party attackers who can reach an infected system can view the password in the response, as the malware leaks it upon connecting.
References: [MVID-2021-0385]
Missing Authentication for Critical Function in SICK FX0-GENT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on TCP port 9000.
References: [CVE-2023-23452], [CVE-2023-23453], [XFDB-248005], [XFDB-248006] |
9125 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.J [Symantec-2005-032410-4542-99] - back door and a keylogger, periodically sending the stolen info via email. Listens on port 9125/tcp for instructions from a remote attacker.
Backdoor.Nibu.N [Symantec-2005-081216-4542-99] - a trojan that blocks access to security-related sites, and opens a backdoor on the compromised computer. It also runs a keylogger, sending information periodically via email. Opens a backdoor and listens for remote commands on ports 9125/tcp, and 27328/tcp.
Backdoor.Nibu.L [Symantec-2005-062110-3427-99] - trojan that opens a backdoor and blocks access to security-related websites and runs a keylogger, periodically sending the information to a remote attacker. Opens a backdoor on port 9125/tcp. |
5232 |
tcp |
trojans |
Members scan |
Backdoor.Lateda.C [Symantec-2005-033112-4545-99] (2005.03.31) - backdoor trojan with remote access capabilities. Connects to an IRC server on the l33t.freeshellz.org domain on port 5232/tcp, opens a backdoor on port 9999/tcp.
W32.Mytob.EP@mm [Symantec-2005-061413-5518-99] (2005.06.14) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands via IRC on this port.
W32.Spybot.UBH [Symantec-2005-081412-4342-99] (2005.08.14) - a worm with backdoor and distributed denial of service (DDoS) capabilities. Spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]).
Opens a backdoor and listens for remote commands via IRC on this port.
The presence of the Distributed GL Daemon (dgld) service on port 5232 on SGI IRIX systems allows remote attackers to identify the target host as an SGI system.
References: [CVE-2000-0893]
Silicon Graphics Distributed Graphics Library daemon
Cruse Scanning System Service (IANA official) |
1879 |
tcp |
virus |
Premium scan |
W32.Zori.B [Symantec-2005-033110-4910-99] (2005.03.31) - virus that spreads through network shares and prepends .exe files. It deletes files from all disks 9 days after the original infection.
It also opens a backdoor on port 1879/tcp and listens for remote commands from an attacker. |
4367 |
tcp |
trojans |
Premium scan |
W32.Spybot.NLX [Symantec-2005-041214-0247-99] (2005.04.12) - worm that exploits a number of MS vulnerabilities. It has distributed denial of service (DDoS) and backdoor capabilities. Opens a backdoor by connecting to an IRC channel using port 4367/tcp. |
10089 |
tcp |
trojans |
Premium scan |
W32.Mytob.AR@mm [Symantec-2005-041116-0718-99] (2005.04.11) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine. Opens a backdoor on port 10089/tcp, and connects to an IRC server on port 8080. |
2442 |
tcp |
trojans |
Premium scan |
W32.Spybot.NYT [Symantec-2005-041715-4455-99] (2005.04.17) - worm with DDoS (distributed denial of service) and backdoor capabilities. Spreads through network shares, exploits multiple vulnerabilities, and opens a backdoor via IRC channels on port 2442/tcp.
|
80 |
tcp |
http |
Basic scan |
Hypertext Transfer Protocol (HTTP) - port used for web traffic.
Some broadband routers run a web server on port 80 or 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the Web Admin interface.
AnyDesk remote desktop software uses TCP ports 80, 443, 6568, 7070 (direct line connection)
If you're not running web services, keep in mind that a number of trojans/worms/backdoors propagate via TCP port 80 (HTTP):
Code Red, Nimda, 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Nerte 7.8.1, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader
Trojan.Webus.C [Symantec-2004-101212-0903-99]
W32.Beagle.AO@mm [Symantec-2004-080911-3251-99] - mass-mailing worm with backdoor functionality. Uses its own SMTP engine, discovered 08.09.2004. Opens port 80 tcp & udp.
Mydoom.B [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
Backdoor.Ranky.S [Symantec-2005-013015-4228-99] (2005.01.30) - runs proxy on port 80.
W32.Crowt.A@mm [Symantec-2005-012310-2158-99] (2005.01.23) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
Backdoor.Darkmoon.B [Symantec-2005-102115-3914-99] (2005.10.21) - a backdoor trojan with keylogger capabilities. Opens a backdoor and listens for remote commands on port 80/tcp.
W32.Beagle.CX@mm [Symantec-2005-121511-1751-99] (2005.12.16) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E [Symantec-2005-121516-1510-99]. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Trojan.Lodear.F [Symantec-2005-121513-5818-99] (2005.12.18) - trojan that attempts to download remote files.
W32.Feebs [Symantec-2006-013122-5631-99] (2006.01.07)
Xbox 360 (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP, 500 UDP, 3544 UDP, 4500 UDP
Some Apple applications also use port 80 (TCP): MobileMe, Sherlock, QuickTime Installer, iTunes Store and Radio, Software Update, RAID Admin, Backup, iCal calendar publishing, iWeb, MobileMe Web Gallery Publishing, WebDAV (iDisk), Final Cut Server.
Siemens SIPROTEC 4 and SIPROTEC Compact is vulnerable to a denial of service, caused by an error in the EN100 Ethernet module. By sending specially-crafted HTTP packets to TCP port 80, a remote attacker could exploit this vulnerability to cause the device to go into defect mode.
References: [CVE-2016-7113] [XFDB-116647]
A vulnerability was discovered in Siemens ViewPort for Web Office Portal before revision number 1453 that could allow an unauthenticated remote user to upload arbitrary code and execute it with the permissions of the operating-system user running the web server by sending specially crafted network packets to port 443/TCP or port 80/TCP.
References: [CVE-2017-6869], [BID-99343] |
81 |
tcp |
http |
Basic scan |
Hypertext Transfer Protocol (HTTP) - ports used for web traffic. See also TCP ports 80, 8080, 8081.
Some common uses for port 81/tcp include web administration (cobalt cube), web proxy servers, McAfee Framework Service, TigerVPN (servers speed check), etc.
If you're not running web services on this port, keep in mind it is also used by some trojans:
Backdoor.Asylum [Symantec-2000-121815-0609-99] (2000.05.02) - remote access trojan, uses ports 81, 2343, 23432 by default.
W32.Beagle.AR@mm [Symantec-2004-092811-5825-99] (2004.09.28) - port 81.
Stack-based buffer overflow in the RespondeHTTPPendiente function in the HTTP server for SUMUS 0.2.2 allows remote attackers to execute arbitrary code via a large packet sent to TCP port 81.
References: [CVE-2005-1110]
RemoConChubo trojan and Blue Iris also use this port. |
1701 |
tcp |
vpn |
Premium scan |
L2TP VPN (Virtual Private Networking)
See also:
port 500/udp (IPSec IKE)
port 1723/tcp (PPTP)
Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to TCP port 1701 in JBoss 3.2.1, and port 1476 in JBoss 3.0.8.
References: [CVE-2003-0845], [BID-8773] |
514 |
tcp |
shell |
Members scan |
Used by rsh (and also rcp): a remote interactive shell that authenticates by source host and claimed user name only, with no password and no logging.
Citrix NetScaler appliance MAS syslog port.
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by the deployment server)
9997 - receiving port (forwarders send data to indexers on this port)
9998 - SSL port
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - Forticlient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
Games that use this port: America's Army
Malware using this port: RPC Backdoor, Whacky, ADM worm
Stack-based buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7 allows remote attackers to execute arbitrary code via a long string to the shell port (514/tcp). NOTE: this might overlap [CVE-2007-4006].
References: [CVE-2007-4005] [BID-25044] [SECUNIA-26197]
Denicomp RSHD 2.18 and earlier allows a remote attacker to cause a denial of service (crash) via a long string to port 514.
References: [CVE-2001-0707]
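Added example, in Python, of what an rsh request on 514/tcp looks like on the wire and of the trust decision rshd makes on it; it is not from the page and not from any rshd implementation. The BSD rcmd request is four NUL-terminated ASCII fields (stderr port or empty, client user, server user, command); rshd accepts the client's claimed identity when the connection comes from a privileged source port (512-1023) and the host/user pair appears in /etc/hosts.equiv or ~/.rhosts. The parser bounds every field before copying it, which is the check missing in the long-string rshd bugs listed above. The 'trusted' set, the host names and the sample requests are constructed for the example; the field limits are assumptions.

```python
"""Parser and trust model for the rsh (BSD rcmd) request seen on 514/tcp.
Added example; not taken from any rshd implementation."""

PRIVILEGED_PORTS = range(512, 1024)   # rshd only accepts "reserved" client ports

# Upper bounds applied before any field is copied (assumed values: the stderr
# port is at most 5 digits, user names are capped at a Unix-typical 32 bytes).
FIELD_LIMITS = (
    ("stderr_port", 5),
    ("client_user", 32),
    ("server_user", 32),
    ("command", 4096),
)


def parse_rcmd_request(payload):
    """Split an rcmd request into its four NUL-terminated ASCII fields.

    Wire format, sent by the client right after connecting:
        <stderr port or empty> NUL <client user> NUL <server user> NUL <command> NUL
    Anything after the fourth NUL is the start of the command's stdin and is
    returned untouched as 'remainder'.  Over-long or unterminated fields raise
    ValueError instead of being copied, which is the check absent from the
    long-string rshd bugs (CVE-2007-4005, CVE-2001-0707).
    """
    fields = {}
    rest = payload
    for name, limit in FIELD_LIMITS:
        end = rest.find(b"\x00")
        if end < 0:
            raise ValueError(f"unterminated {name} field")
        if end > limit:
            raise ValueError(f"{name} too long: {end} bytes, limit {limit}")
        fields[name] = rest[:end].decode("ascii", errors="replace")
        rest = rest[end + 1:]
    port_text = fields["stderr_port"]
    fields["stderr_port"] = int(port_text) if port_text else None  # non-digits raise ValueError
    fields["remainder"] = rest
    return fields


def rshd_decision(payload, client_host, src_port, trusted):
    """Reproduce the trust decision rshd makes; return (accepted, findings).

    'trusted' stands in for /etc/hosts.equiv and ~/.rhosts as a set of
    (client_host, client_user, server_user) triples (simplified model).
    There is no password step anywhere: the client user name is whatever the
    peer chose to write into the request.
    """
    try:
        req = parse_rcmd_request(payload)
    except ValueError as exc:
        return False, [f"rejected: {exc}"]

    findings = ["identity is the client's own claim, sent in clear text, no password"]
    accepted = True
    if src_port not in PRIVILEGED_PORTS:
        findings.append(f"source port {src_port} is not in 512-1023")
        accepted = False
    if req["stderr_port"] is not None and req["stderr_port"] not in PRIVILEGED_PORTS:
        findings.append(f"stderr port {req['stderr_port']} is not in 512-1023")
        accepted = False
    key = (client_host, req["client_user"], req["server_user"])
    if key not in trusted:
        findings.append(f"no hosts.equiv/.rhosts entry for {key}")
        accepted = False
    findings.append(f"command: {req['command']!r}")
    return accepted, findings


if __name__ == "__main__":
    # Constructed samples: a legitimate request, a spoofed one from an
    # unprivileged port, and an over-long user name.
    trusted = {("ws1.example", "alice", "alice")}
    for payload, host, port in (
        (b"1021\x00alice\x00alice\x00uptime\x00", "ws1.example", 1022),
        (b"\x00alice\x00root\x00id\x00", "ws1.example", 40000),
        (b"\x00" + b"A" * 5000 + b"\x00root\x00id\x00", "ws1.example", 1022),
    ):
        print(rshd_decision(payload, host, port, trusted))
```

The privileged-port rule is the only thing standing between a spoofed user name and a shell, and it assumes every host on the network enforces the reserved-port range for unprivileged users; any host the attacker controls does not. That is why rsh belongs on a block list rather than a hardening list.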
A vulnerability has been reported in Cisco IOS, which can be exploited to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785] |
511 |
tcp |
|
Premium scan |
Part of rootkit t0rn, a program called "leeto's socket daemon" runs at this port. |
665 |
tcp |
trojans |
Members scan |
W32.Netsky.Z@mm [Symantec-2004-042110-2302-99] (2004.04.21) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 665/tcp to receive and execute a file from an attacker.
Some other trojans also use this port: lpdw0rm, Shadow Phyre, ServU, Satans Back Door - SBD, NokNok, Cain & Abel, Back Construction, BLA trojan, th3r1pp3rz (= Therippers) |
82 |
tcp |
trojans |
Members scan |
W32.Netsky.X@mm [Symantec-2004-042010-3056-99] (2004.04.20) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 82/tcp to receive and execute a file from an attacker.
The W32.Netsky.Y@mm [Symantec-2004-042011-2621-99] variant also opens port 82/tcp.
ET TROJAN LD Pinch Checkin uses port 82/udp. |
6789 |
tcp |
trojans |
Premium scan |
Campbell Scientific Loggernet Software
Bucky's Instant Messaging Program
W32.Netsky.T@mm [Symantec-2004-040616-1824-99] (2004.04.06) - a Netsky variant that uses its own SMTP engine to email itself. It has backdoor and DoS (Denial of Service) capabilities. Listens on port 6789/tcp to receive and execute a file from an attacker.
The W32.Netsky.S@mm [Symantec-2004-040512-2436-99] variant opens this port as well.
Doly Trojan also uses port 6789 (TCP).
Multiple buffer overflows in the DB2 JDBC Applet Server (DB2JDS) service in IBM DB2 9.x and earlier allow remote attackers to execute arbitrary code via a crafted packet to the DB2JDS service on tcp/6789 and cause a denial of service via an invalid LANG parameter or a long packet that generates a "MemTree overflow."
References: [CVE-2007-2582], [BID-26010]
IANA registered for: GSS-API for Oracle Remote Administration Daemon |
10102 |
tcp |
backdoor |
Premium scan |
Backdoor.Staprew.B [Symantec-2005-050215-0935-99] (2005.05.02) - backdoor program, contacts the lowesapr.net domain on port 10102/tcp with the IP of the compromised computer and a number of the random tcp port of the backdoor.
Backdoor.Urat [Symantec-2003-063013-1558-99] (2003.06.30) - allows unauthorized access to an infected computer. This Trojan Horse opens port 10102 to communicate with the attacker.
Port is also IANA registered for eZproxy |
6660 |
tcp |
trojans |
Members scan |
W32.Spybot.OBZ [Symantec-2005-042413-0059-99] (2005.04.24) - worm with DDoS and backdoor capabilities. Exploits multiple vulnerabilities, spreads through network shares. Opens a backdoor on port 6660/tcp.
Internet Relay Chat (IRC)
LameSpy trojan also uses this port.
Stack-based buffer overflow in the AntServer Module (AntServer.exe) in BigAnt IM Server 2.50 allows remote attackers to execute arbitrary code via a long GET request to TCP port 6660.
References: [CVE-2009-4660], [BID-36407]
|
10085 |
tcp |
trojans |
Premium scan |
W32.Mytob.BL@mm [Symantec-2005-042416-0006-99] (2005.04.24) - mass-mailing worm with backdoor capabilities. Connects to an IRC server on port 6667/tcp, opens a backdoor FTP server on port 10085.
Syphillis trojan horse also uses port 10085 (TCP). |
51435 |
tcp |
trojans |
Members scan |
W32.Kalel.A@mm [Symantec-2005-052419-5348-99] (2005.05.24) - mass-mailing worm that uses its own SMTP engine, also spreads through file-sharing networks. Opens a backdoor for remote access on port 51435/tcp. |
10082 |
tcp |
trojans |
Premium scan |
W32.Mytob.CP@mm [Symantec-2005-052214-0509-99] (2005.05.22) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine, spreads by exploiting the MS Security Bulletin [MS04-011] vulnerability. Starts an FTP server on a random TCP port. Uses port 10082/tcp to download the worm as "bingoo.exe". |
8076 |
tcp |
trojans |
Members scan |
W32.Spybot.PEN [Symantec-2005-051916-0450-99] (2005.05.19) - worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. Can be dropped by W32.Kelvir.CG. Opens a backdoor by connecting to IRC channel on port 8076/tcp. Exploits vulnerabilities on port 445/tcp ([MS04-011]), and 1433/udp ([MS02-061]).
W32.Mytob.HI@mm [Symantec-2005-071123-0807-99] (2005.07.11) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 8076/tcp.
AtlasVPN Linux Client 1.0.3 IP leak - the client consists of two parts: a daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user runs to connect, disconnect and list services. The client does not talk to the daemon over a local socket or any other protected channel; instead the daemon exposes an API on localhost port 8076 with no authentication at all. Any program running on the computer, including the browser, can reach that port, so malicious JavaScript on any website can send a request that disconnects the VPN and then a second request that reveals the user's home IP address to that website. |
4495 |
tcp |
trojans |
Premium scan |
Backdoor.Berbew.R [Symantec-2005-051915-2101-99] (2005.05.19) - remote access trojan that steals passwords and opens backdoors on ports 2525/tcp and 4495/tcp. |
4888 |
tcp |
trojans |
Premium scan |
W32.Opanki [Symantec-2005-051810-1834-99] (2005.05.18) - IRC worm that spreads through AOL Instant Messenger. Connects to ftpd.there3d.com on port 4888/tcp and opens a backdoor for remote access.
Port also used by the W32.Opanki.D [Symantec-2005-072112-0816-99] variant of the worm.
Applications that use this port: IPNAT, Veritas Storage
IANA registered for: xcap code analysis portal public user access |
6677 |
tcp |
trojans |
Premium scan |
W32.Mydoom.BT@mm [Symantec-2005-051416-1428-99] (2005.05.14) - mass-mailing worm with backdoor capabilities, that uses its own SMTP engine. It communicates with an IRC server and listens for remote commands on port 6677/tcp.
An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.358. An unauthenticated directory traversal and local file inclusion vulnerability in the ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe allows a remote attacker to list or enumerate sensitive contents of files via a \.. to port 6677. Additionally, this could allow for privilege escalation by dumping the affected machine's SAM and SYSTEM database files, as well as remote code execution.
References: [CVE-2019-8385] |
26418 |
tcp |
trojans |
Premium scan |
W32.Mytob.HH@mm [Symantec-2005-071116-2302-99] - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 26418/tcp. Also opens a backdoor on port 5000/tcp. |
7745 |
tcp |
trojans |
Premium scan |
W32.Mytob.HG@mm [Symantec-2005-071115-1349-99] (2005.07.11) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 7745/tcp. |
48094 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.M [Symantec-2005-071112-2150-99] - a trojan with backdoor capabilities, that runs a keylogger, sends information periodically to a remote server (via http), and also blocks access to security-related websites. Listens for remote commands on port 48094/tcp. |
1021 |
tcp |
trojans |
Premium scan |
Trojan.Webus.H [Symantec-2005-070318-0714-99] (2005.07.03) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands. |
9040 |
tcp |
trojans |
Premium scan |
Trojan.Mitglieder.R [Symantec-2005-070117-2559-99] (2005.07.01) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp. |
3344 |
tcp |
trojans |
Premium scan |
Repetier-Server (TCP/UDP)
W32.Mytob.GP@mm [Symantec-2005-063017-0607-99] (2005.06.30) - mass mailing worm that opens a backdoor on the compromised computer. Contacts IRC servers and listens for remote commands on port 3344/tcp. |
6556 |
tcp |
multiple |
Members scan |
Check MK Agent uses this port.
check_mk could allow a local attacker to obtain sensitive information, caused by the creation of temporary insecure files by the check_mk_agent/job directory. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to the service on port 6556, which could allow the attacker to gain access to files on the system and obtain sensitive information.
References: [XFDB-93520], [CVE-2014-0243], [BID-67674]
W32.Toxbot.C [Symantec-2005-063015-3130-99] (2005.06.30) - worm that opens a backdoor on the compromised computer. Spreads by exploiting common Windows vulnerabilities. Opens an IRC backdoor on port 6556/tcp.
Also: W32.Toxbot.AL [Symantec-2005-100715-4523-99] (2005.10.07).
Malware that uses port 6556/tcp:
AutoSpY trojan
W32.Toxbot |
4564 |
tcp |
trojans |
Premium scan |
W32.Spybot.RDW [Symantec-2005-062911-3840-99] (2005.06.29) - a worm with DDoS (distributed denial of service) and backdoor capabilities. Spreads by exploiting common vulnerabilities and through network shares with weak passwords. Opens an IRC backdoor on port 4564/tcp. |
27999 |
tcp |
trojans |
Members scan |
W32.Mytob.EU@mm [Symantec-2005-061509-3649-99] - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands on port 27999/tcp. W32.Mytob.GB@mm [Symantec-2005-062410-0444-99] and W32.Mytob.KE@mm [Symantec-2005-100711-1841-99] variants also use this port.
MechWarrior 4 - Mercenaries, Tribes also use this port. |
6663 |
tcp |
trojans |
Premium scan |
W32.Mytob.GA@mm [Symantec-2005-062409-5944-99] (2005.06.24) - mass-mailing worm that opens a backdoor and listens for remote commands on port 6663/tcp.
Port also used by the W32.Mytob.HM@mm [Symantec-2005-071400-1143-99] variant of the worm.
Internet Relay Chat also uses this port. |
36311 |
tcp |
trojans |
Premium scan |
W32.Mytob.FX@mm [Symantec-2005-062313-5401-99] - mass-mailing worm that opens a backdoor and listens for remote commands on port 36311/tcp, also runs an FTP server on port 10099/tcp. |
10099 |
tcp |
trojans |
Premium scan |
W32.Mytob.FX@mm [Symantec-2005-062313-5401-99] - mass-mailing worm that opens a backdoor and listens for remote commands on port 36311/tcp, also runs an FTP server on port 10099/tcp. |
12347 |
tcp |
trojans |
Premium scan |
W32.Mytob.FP@mm [Symantec-2005-062017-2756-99] - mass-mailing worm that opens backdoors on ports 10087/tcp and 12347/tcp. |
2094 |
tcp |
trojans |
Premium scan |
W32.Mytob.FO@mm [Symantec-2005-061910-3159-99] (2005.06.19) - mass-mailing worm that attempts to open an IRC backdoor on ports 2094/tcp or 6543/tcp.
W32.Opanki.C [Symantec-2005-070409-5849-99] (2005.07.04) - an IRC worm that may spread through AOL Instant Messenger.
Port is also IANA registered for NBX AU |
6543 |
tcp |
trojans |
Premium scan |
W32.Mytob.FO@mm [Symantec-2005-061910-3159-99] (2005.06.19) - mass-mailing worm that attempts to open an IRC backdoor on ports 2094/tcp or 6543/tcp.
Port 6543 (TCP) is the default port of the Pyramid (Pylons project) web framework's development server.
IANA registered for: lds_distrib (TCP/UDP) |
5985 |
tcp |
winrm |
Premium scan |
WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default.
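Added example, in Python, of the unauthenticated WS-Management Identify operation, which is how a scanner confirms a WinRM listener on 5985/5986 without credentials; it is not from the page and not Microsoft code. It builds the SOAP Identify envelope, POSTs it to /wsman with the WSMANIDENTIFY: unauthenticated header, and parses ProductVendor and ProductVersion from the reply. The sample reply is constructed to match what an unauthenticated Identify returns from WinRM (the OS version is zeroed, only the WinRM stack version is disclosed); the host addresses are placeholders.

```python
"""Unauthenticated WS-Management Identify probe for WinRM (5985/5986).
Added example; not Microsoft code."""
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSMID_NS = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"

# The Identify request: an empty wsmid:Identify element in a SOAP 1.2 body.
IDENTIFY_REQUEST = (
    f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}">'
    "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
).encode()


def build_identify_request(host, port=5985, tls=False):
    """POST /wsman with the Identify body and the header that tells WinRM to
    answer without authentication (5985 is HTTP, 5986 is HTTPS)."""
    scheme = "https" if tls else "http"
    req = urllib.request.Request(
        f"{scheme}://{host}:{port}/wsman", data=IDENTIFY_REQUEST, method="POST")
    req.add_header("Content-Type", "application/soap+xml;charset=UTF-8")
    req.add_header("WSMANIDENTIFY", "unauthenticated")
    return req


def parse_identify_response(body):
    """Pull the three IdentifyResponse fields out of the SOAP reply;
    a field that is absent comes back as None."""
    root = ET.fromstring(body)
    result = {}
    for tag in ("ProtocolVersion", "ProductVendor", "ProductVersion"):
        node = root.find(f".//{{{WSMID_NS}}}{tag}")
        result[tag] = node.text if node is not None else None
    return result


def is_windows_winrm(info):
    """Microsoft's stack identifies itself by vendor; other WS-Man servers
    (OpenWSMAN, BMCs) answer the same operation with their own vendor string."""
    return (info.get("ProductVendor") or "").startswith("Microsoft")


def probe(host, port=5985, tls=False, timeout=5, context=None):
    """Live probe.  For 5986 with a self-signed certificate pass an
    ssl.SSLContext with verification disabled as 'context'."""
    req = build_identify_request(host, port, tls)
    with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
        return parse_identify_response(resp.read())


# Constructed sample of what an unauthenticated Identify returns from WinRM:
# the OS version is zeroed, only the WinRM stack version is disclosed.
SAMPLE_RESPONSE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsmid="{WSMID_NS}"><s:Header/><s:Body>'
    "<wsmid:IdentifyResponse>"
    "<wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>"
    "<wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>"
    "<wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>"
    "</wsmid:IdentifyResponse></s:Body></s:Envelope>"
).encode()


if __name__ == "__main__":
    info = parse_identify_response(SAMPLE_RESPONSE)
    print(info, "winrm" if is_windows_winrm(info) else "other ws-man")
```

A 401 instead of an IdentifyResponse still means something is listening on /wsman; a connection refused on 5985 but an answer on 5986 is the usual sign of a host configured for HTTPS-only WinRM, which is the setting to aim for when the listener must stay exposed.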
IANA Registered for: WBEM WS-Management HTTP, registered 2006-11 |
2817 |
tcp |
trojans |
Premium scan |
W32.Mytob.FI@mm [Symantec-2005-061710-5807-99] (2005.06.17) - mass-mailing worm that opens a backdoor and listens for remote commands on port 2817/tcp. |
58641 |
tcp |
trojans |
Premium scan |
W32.Kalel.B@mm [Symantec-2005-061615-2836-99] (2005.06.15) - mass-mailing worm with keylogger and backdoor capabilities. Spreads through email and file-sharing networks. Opens a backdoor and listens for remote commands on port 58641/tcp. |