The Broadband Guide

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 49159 tcp,udp applications Premium scan Bonjour for Windows - employed by iTunes and iChat for sharing files between Windows and Mac OS.
 49152 tcp,udp applications Members scan As the first port in the dynamic/private range (49152-65535), this port is commonly used by applications that utilize a dynamic/random/configurable port.

Many embedded Linux-based systems (e.g. home routers, remote management devices, IP cameras) have UPnP enabled, broadcasting their kernel version and hardware architecture over port 49152.

Some P2P torrent clients often use this port: uTorrent, Azureus/Vuze, etc.

Older IPMI firmware versions reveal cleartext login credentials over UDP port 49152.

Apple AirPlay dynamic mirroring TCP port.

YotaPhone 2 opens port 49152.

Apple Xsan Filesystem Access uses the dynamic/private range 49152-65535.
Xsan (Apple's storage area network, or clustered filesystem for macOS) uses these ports:
311 TCP - Xsan secure server administration (server app, xsan server admin, workgroup manager, server monitor)
312 TCP - Xsan administration
626 UDP - server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6)
49152-65535 TCP - Xsan Filesystem Access

Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures an unauthenticated proxy service on WAN TCP port 49152, which allows remote attackers to establish arbitrary TCP connections to intranet hosts by sending \x2a\xce\x01 followed by other predictable values.
References: [CVE-2017-14117], [BID-100585]

The LAN-side Web-Configuration Interface has a stack-based buffer overflow vulnerability in the D-Link Wi-Fi router firmware DIR-890L DIR890LA1_FW107b09.bin and previous versions. The function created at 0x17958 of /htdocs/cgibin calls sprintf without checking the length of strings in parameters given by the HTTP header, which users can easily control. Attackers can exploit the vulnerability to execute arbitrary code by sending a specially constructed payload to port 49152.
References: [CVE-2022-30521]
 27020 tcp,udp steam not scanned Valve Steam Client

Team Fortress 2, Day of Defeat, Counter Strike use ports 27020-27039 (TCP/UDP).
 48002 tcp,udp nimhub not scanned Nimbus Hub
 47624 tcp,udp applications not scanned Battlecom, Age of Empires II, MechCommander 2, Star Wars Galactic Battlegrounds, Flight Simulator 2002 (TCP), Total Annihilation (TCP), Stronghold Crusader (TCP), Cossacks (TCP).
Spiral Knights uses ports 47624-47634.
IANA registered for Direct Play Server.
 2400 tcp,udp applications not scanned Battlecom, Homeworld 2

Portd trojan also uses this port (TCP).

Buffer overflow in ZfHIPCND.exe in Novell ZENworks Handheld Management 7.0 allows remote attackers to execute arbitrary code via a crafted IP Conduit packet to TCP port 2400.
References: [CVE-2011-0742], [BID-46024]

Heap-based buffer overflow in ZfHIPCND.exe in Novell Zenworks 7 Handheld Management (ZHM) allows remote attackers to execute arbitrary code via a crafted request to TCP port 2400.
References: [CVE-2010-4299] [SECUNIA-42130]

Port also IANA registered for OpEquus Server
 2300 tcp,udp applications not scanned Combat Flight Simulator 3: Battle For Europe (UDP), Battlecom, Age of Empires III (ports 2300-2310), eJamming Station, Heroes of Might and Magic III (TCP), Realflight G3 (UDP)

Aliens vs Predator uses ports 2300-2400 (UDP)

Storm, Xplorer trojans also use port 2300 (TCP).
 48000 tcp,udp nimcontroller not scanned World in Conflict (WIC) 1.008 and earlier allows remote attackers to cause a denial of service (access violation and crash) via a zero-byte data block to TCP port 48000, which triggers a NULL pointer dereference.
References: [CVE-2008-6713], [BID-29888]

Massive Entertainment World in Conflict 1.001 and earlier allows remote attackers to cause a denial of service (failed assertion and daemon crash) via a large packet to TCP or UDP port 48000.
References: [CVE-2007-5711] [OSVDB-39019] [SECUNIA-27417]

Port is also IANA registered for Nimbus Controller.
 48003 tcp,udp nimgtw not scanned Nimbus Gateway
 45682 tcp,udp applications not scanned pseudo-default uTorrent port
 45100 tcp,udp applications not scanned Limewire client magnet, Azureus
 42510 tcp,udp caerpc not scanned Computer Associates eTrust RPC
 42508 tcp,udp candp not scanned Computer Associates network discovery protocol
 42509 tcp,udp candrp not scanned Computer Associates discovery response
 41952 tcp,udp applications not scanned Tversity Media Player - this application uses port 41952 to download video, audio and/or music files from the Internet. You can run TVersity in PCs, as well as in Playstations, Nintendo Wii, and the Xbox 360.

BitTorrent also uses this port.
 40116 tcp,udp applications not scanned GMPlayer - application uses port 40116 for downloading/upstreaming music, audio and/or video files from the Internet.
 38121 tcp,udp applications not scanned Squid - a caching proxy server for the Web supporting HTTP, HTTPS, FTP, Telnet and SSL. It reduces bandwidth and improves response times by caching repeated requests. Squid is free software, intended to run on Unix-like systems but it also runs on Windows-based systems.

Cabal Server Online also uses this port.
 38080 tcp,udp applications not scanned hpcmips, JBoss Application Server
 37892 tcp,udp applications not scanned devel/haddock 0.2
 36987 tcp,udp robocode not scanned Robocode - an educational game, intended to help gamers learn Java programming.
 35332 tcp,udp bribble not scanned Bribble Chat
 32769 tcp,udp first-os-ports not scanned FileNet RPC (TCP)

first ports typically used for outgoing connections by some Linux distros like Red Hat: see /etc/rc.d/init.d/network and /proc/sys/net/ipv4/ip_local_port_range
 32770 tcp,udp first-os-ports not scanned first ports typically used for outgoing connections by some Linux distros like Red Hat: see /etc/rc.d/init.d/network and /proc/sys/net/ipv4/ip_local_port_range
 31000 tcp,udp applications not scanned OpCon/xps

Titan FTP server
 29831 tcp,udp slapd not scanned Slapd
 29000 tcp,udp saltd-licensing not scanned PWI and PWI patches

Battlefield 2

IANA registered for: Siemens Licensing Server (TCP)
 48049 tcp,udp 3gpp not scanned 3GPP Cell Broadcast Service Protocol
 28221 tcp,udp emule not scanned eMule, BitTorrent
 27031 tcp,udp applications not scanned Port used by: UKS UT server, Flex-net managed application VRCO (TrackD), Counter Strike, Day of Defeat Source, Half Life Steam, Steam Client.
 27030 tcp,udp applications not scanned Counter Strike, Day of Defeat Source, Half Life Steam, Steam Client
 27041 tcp,udp applications not scanned Steam Client
 27045 tcp,udp applications not scanned Steam Client
 27000 tcp,udp games not scanned id Software's QuakeWorld master server
FLEXlm (Network License Manager) uses ports 27000-27009 tcp.
Autodesk Network License Manager (adskflex.exe) also needs port 2080 tcp in addition to 27000-27009.
Citrix License Server uses ports 7279 and 27000 TCP.

Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)
 27001 tcp,udp flex-lm not scanned Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve Software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)

FLEXlm (Network License Manager) uses ports 27000-27009 tcp
 27002 tcp,udp flexlm not scanned Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve Software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)

FLEXlm (Network License Manager) uses ports 27000-27009 tcp
 27003 tcp,udp flex-lm not scanned Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve Software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)

FLEXlm (Network License Manager) uses ports 27000-27009 tcp
 27004 tcp,udp flex-lm not scanned Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve Software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)

FLEXlm (Network License Manager) uses ports 27000-27009 tcp
 27005 tcp,udp flex-lm not scanned Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve Software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)

FLEXlm (Network License Manager) uses ports 27000-27009 tcp
 27006 tcp,udp flex-lm not scanned Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve Software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)

FLEXlm (Network License Manager) uses ports 27000-27009 tcp
 27007 tcp,udp flex-lm not scanned Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve Software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)

FLEXlm (Network License Manager) uses ports 27000-27009 tcp
 27008 tcp,udp flex-lm not scanned Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve Software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)

FLEXlm (Network License Manager) uses ports 27000-27009 tcp
 27009 tcp,udp flex-lm not scanned Ports 27000+ are used by some online games:
Team Fortress 2, Day of Defeat, Counter Strike use ports 27000-27015
Left 4 Dead 2 (Valve Software) uses ports 27000-27040
Vindictus MMORPG (devCAT/Nexon) uses ports 27000-27025, 36567, and 47611 tcp/udp

Steam (Valve gaming platform) uses these ports:
27000-27015 udp (Steam client game client traffic)
27015-27030 tcp/udp (typically matchmaking and HLTV, also used to download Steam content)
27031 udp, 27036 tcp/udp, and 27037 tcp (incoming for in-home streaming)
3478 udp, 4379 udp, 4380 udp (outbound - Steamworks P2P networking and voice chat)
4380 udp (Steam client)

FLEXlm (Network License Manager) uses ports 27000-27009 tcp
 26675 tcp,udp applications not scanned ActiveSync - data synchronization between a mobile computer and a desktop computer, connected to the Internet.
 25121 tcp,udp applications not scanned VOISpeed VoIP
 25080 tcp,udp applications not scanned Ninja Email Security - port for checking against phishing attacks, spam, and malware.
 21302 tcp,udp applications not scanned BitchX IRC Client, FreeTel audioconferencing
 18923 tcp,udp jahia not scanned Jahia
 18302 tcp,udp portmon not scanned Portmon - monitors and displays all serial and parallel port activity on a system.
 11000 tcp,udp applications Premium scan Port used by Cisco Border Gateway Protocol, Microsoft Visual Studio, .Net Framework, SCInterface, Video Insight Health Monitor.

Games using this port: Everquest Online Adventures, The Matrix Online, The Matrix Online (TCP), Archlord, Subnautica multiplayer mod Nitrox

Malware using this port: Senna Spy Trojan Generator, DataRape
 8280 tcp,udp synapse not scanned Apache Synapse, Y-cam Wireless IP Camera use this port.
 8243 tcp,udp synapse-nhttps not scanned Synapse Non Blocking HTTPS, HTTPS listener for Apache Synapse, Y-cam Wireless IP Camera
 8192 tcp,udp applications not scanned Sophos Remote Management System, SnapStream PVS, SpyTech Phone Service, Y-cam Wireless IP Camera use this port.
 8193 tcp,udp applications not scanned Sophos Remote Management System, Y-cam Wireless IP Camera
 8194 tcp,udp applications not scanned Sophos Remote Management System, Bloomberg data API, Y-cam Wireless IP Camera use this port.
 8143 tcp,udp applications not scanned ImapProxy, SCO SSH Tunneling
 8009 tcp,udp netware-http not scanned Netware HTTP Server, Apache JServ Protocol v13 (TCP)

Apache Tomcat in Avaya S87XX, S8500, and S8300 before CM 3.1.3, and Avaya SES allows connections from external interfaces via port 8009, which exposes it to attacks from outside parties.
References: [CVE-2007-1491]

The HTTPSTK service in the novell-nrm package before 2.0.2-297.305.302.3 in Novell Open Enterprise Server 2 (OES 2) Linux, and OES 11 Linux Gold and SP1, does not make the intended SSL_free and SSL_shutdown calls for the close of a TCP connection, which allows remote attackers to cause a denial of service (service crash) by establishing many TCP connections to port 8009.
References: [CVE-2013-3707]

A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
References: [CVE-2020-1745]

IANA registered for: NVMe over Fabrics Discovery Service (TCP)
 591 tcp,udp http-alt not scanned FileMaker, Inc. - HTTP Alternate
 7968 tcp,udp applications not scanned Odyssey
 7811 tcp,udp trojans Premium scan Backdoor.RemoteSOB [Symantec-2003-010815-3452-99] (2003.01.08) - allows unauthorized access to the infected computer, listens to port 7811 by default and uses ICQ to notify the hacker.
 7798 tcp,udp pnet-enc not scanned Propel Encoder port, GunZ
 7725 tcp,udp applications not scanned Nitrogen Service
GunZ
Faronics Deep Freeze (workstation OS protection software) - uses either port 1971 or 7725.
 7724 tcp,udp nsdeepfreezectl not scanned Novell Snap-in Deep Freeze Control, GunZ
 7101 tcp,udp elcn not scanned Embedded Light Control Network, RealAudio, Dungeon Fighter Online
 7128 tcp,udp scenidm Premium scan intelligent data manager, RealAudio

Trojan.Riler.F (TCP) [Symantec-2006-071812-3213-99] (2006.07.17) - a back door trojan horse that installs itself as a layered service provider (LSP), and allows a remote attacker to have unauthorized access to the compromised computer. It is dropped by Trojan.PPDropper.C.
 7007 tcp,udp applications Members scan Port used by: Windows Media Player Encoder-to-Server Communication, Skype Session Manager, G3Torrent, X-Men Movieverse, Silent Spy, basic overseer process, City of Heroes, City of Villains, RealAudio.

Trojans that use this port: W32.Spybot.Gen3, Silent Spy

MicroSeven MYM71080i-B 2.0.5 through 2.0.20 devices send admin credentials in cleartext to pnp.microseven.com TCP port 7007. An attacker on the same network as the device can capture these credentials.
References: [CVE-2021-29255]
 7001 tcp,udp afs3-callback Premium scan Callback To Cache Manager, MSN Messenger, Avira Server Management Console

Default for BEA WebLogic Server's HTTP server, though often changed during installation (TCP).

Command and Conquer Renegade also uses this port (TCP).

Trojans that use this port: Freak2k, Freak88, NetSnooper Gold.

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
References: [CVE-2015-4852]
 7002 tcp,udp afs3-pserver not scanned users & groups database

Default for BEA WebLogic Server's HTTP server, though often changed during installation (TCP).

Command and Conquer Renegade also uses this port (TCP).
 7003 tcp,udp afs3-vlserver not scanned Volume location database, City of Heroes, City of Villains, RealAudio

MA Lighting Technology grandMA onPC is vulnerable to a denial of service, caused by an error when processing socket connection negotiation. By sending a single malicious packet to TCP port 7003, an attacker could exploit this vulnerability to cause the device to crash.
References: [BID-66645], [XFDB-92300]
 7004 tcp,udp afs3-kaserver not scanned AFS/Kerberos authentication service, City of Heroes, City of Villains, RealAudio
 7005 tcp,udp afs3-volser not scanned VMware vCenter Single Sign On base shutdown port.
Volume management server
RealAudio
BMC Control-M/Server
BMC Control-M/Agent
Oracle HTTP

Games: City of Heroes, City of Villains
 7006 tcp,udp afs3-errors not scanned RealAudio, Error interpretation service, BMC Software CONTROL-M/Server and CONTROL-M/AgentServer-to-Agent, City of Heroes, City of Villains

Trojan.JBosser opens command and control communication on port 7006.
 6999 tcp,udp iatp-normalpri Premium scan IATP-normalPri, World of Warcraft, Blizzard Downloader, BitTorrent, Line Request for VoIP, Video Streaming service, OfficePax, QuickTime 4 server, RealAudio

Malicious services using this port: Worm_MYTOB.LW
 6970 tcp,udp applications Members scan Port used by Tivoli Software, RTP (Real Time Transport Protocol), RTSP (Real Time Streaming Protocol), BitTorrent, QuickTime 4 server, RealAudio.

Trojans using this port: GateCrasher
 6963 tcp,udp swismgr1 not scanned swismgr1, BitTorrent
 6964 tcp,udp swismgr2 not scanned swismgr2, BitTorrent
 6900 tcp,udp applications not scanned BitTorrent part, Windows Live Messenger, MSN Messenger, Ragnarok Online Server

IANA registered for: R*TIME Viewer Data Interface (TCP)
 6891 tcp,udp applications Premium scan BitTorrent, Windows Live Messenger, MSN Messenger

Trojans using this port: Force (6891/tcp only)

aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denial of service (client hang and termination of client's instant-messaging session) by repeatedly sending crafted data to the default file-transfer port (TCP 6891).
References: [CVE-2006-0138]
 6892 tcp,udp applications not scanned BitTorrent, Windows Live Messenger
 6893 tcp,udp applications not scanned BitTorrent, Windows Live Messenger
 6894 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6895 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6896 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6897 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6898 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6899 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6809 tcp,udp applications not scanned cman (cluster manager)

Multiple stack-based buffer overflows in FSD 2.052 d9 and earlier, and FSFDT FSD 3.000 d9 and earlier, allow (1) remote attackers to execute arbitrary code via a long HELP command on TCP port 3010 to the sysuser::exechelp function in sysuser.cc and (2) remote authenticated users to execute arbitrary code via long commands on TCP port 6809 to the servinterface::sendmulticast function in servinterface.cc, as demonstrated by a PIcallsign command.
References: [CVE-2007-5256] [BID-25883] [SECUNIA-27008]
 6786 tcp,udp smc-jmx not scanned Sun Java Web Console JMX
 6787 tcp,udp smc-admin not scanned Sun Web Console Admin
 6788 tcp,udp smc-http not scanned SMC-HTTP
 6777 tcp,udp applications Premium scan BlackSite - Area 51

Trojans using this port: W32.Gaobot, W32/Bagle@MM [Symantec-2004-011815-3332-99]

Backdoor.Win32.IRCBot.gen / Unauthenticated Remote Command Execution - the malware listens on TCP port 6777. Third-party attackers who can reach infected systems can execute commands. Commands must be wrapped in quotes or they will fail.
References: [MVID-2021-0300]

IANA registered for: netTsunami Tracker (TCP)
 6754 tcp,udp trojans Premium scan Backdoor.Mapsy [Symantec-2002-120615-0547-99] (a.k.a. BackDoor-AMI, 2002.12.06) - a backdoor trojan that gives an attacker unauthorized access to an infected computer
 6681 tcp,udp applications not scanned UPnP, BitTorrent, peer-to-peer
 6666 tcp,udp irc Members scan IRC (Internet Relay Chat)

Some TechniColor routers allow for SSH connections on this port using root/root as login.

Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire, TCPshell.c.
Backdoor.IRC.Flood [Symantec-2001-080313-3306-99]
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99]
W32.Spybot.EAS [Symantec-2004-093016-3632-99] - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC [Symantec-2004-100415-4933-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Sdbot.AF [Symantec-2004-111811-0117-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica [Symantec-2004-110315-5443-99] - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload [Symantec-2004-110420-4659-99] - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.F [Symantec-2004-110511-0258-99] - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] - uses ports 1639 and 6667/tcp.
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W [Symantec-2005-012811-2022-99] - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M [Symantec-2005-052109-2651-99] - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D [Symantec-2005-081609-4733-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H [Symantec-2005-081717-2017-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp.

Verint 5620PTZ Verint_FW_0_42 and Verint 4320 V4320_FW_0_23, and V4320_FW_0_31 units feature an autodiscovery service implemented in the binary executable '/usr/sbin/DM' that listens on TCP port 6666. The service is vulnerable to a stack buffer overflow. It is worth noting that this service does not require any authentication.
References: [CVE-2020-24055]

Backdoor.Win32.FTP.Lana.01.d / Weak Hardcoded Password - The malware listens on TCP port 6666. The credentials "user" and "pass" are weak and stored in plaintext with the executable.
References: [MVID-2022-0468]

Backdoor.Win32.FTP.Lana.01.d / Port Bounce Scan (MITM) - the malware listens on TCP port 6666. Third-party intruders who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0469]

Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546]
 6667 tcp,udp irc Members scan IRC (Internet Relay Chat)

Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire, Moses, Maniacrootkit, kaitex, EGO.
Backdoor.IRC.Flood [Symantec-2001-080313-3306-99]
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99]
W32.Spybot.EAS [Symantec-2004-093016-3632-99] - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC [Symantec-2004-100415-4933-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Sdbot.AF [Symantec-2004-111811-0117-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica [Symantec-2004-110315-5443-99] - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload [Symantec-2004-110420-4659-99] - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.F [Symantec-2004-110511-0258-99] - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] - uses ports 1639 and 6667/tcp.
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W [Symantec-2005-012811-2022-99] - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M [Symantec-2005-052109-2651-99] - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D [Symantec-2005-081609-4733-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H [Symantec-2005-081717-2017-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp.

Backdoor.Win32.Adverbot / Remote Stack Corruption - null instruction pointer read stack corruption when connecting to an IRC server on port 6667. The NetControl.File component allows connecting to IRC servers to share files or send messages under Menu/connect.
References: [MVID-2021-0003]

Backdoor.Win32.Whisper.b / Remote Stack Corruption - Whisper.b listens on TCP port 113 and connects to port 6667, deletes itself, and drops an executable named rundll32.exe in the Windows\System directory. The malware is prone to stack corruption issues when receiving unexpected characters of random sizes.
References: [MVID-2021-0039]
 6668 tcp,udp irc Members scan IRC (Internet Relay Chat)

Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood [Symantec-2001-080313-3306-99]
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99]
W32.Spybot.EAS [Symantec-2004-093016-3632-99] - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC [Symantec-2004-100415-4933-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Sdbot.AF [Symantec-2004-111811-0117-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica [Symantec-2004-110315-5443-99] - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload [Symantec-2004-110420-4659-99] - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.F [Symantec-2004-110511-0258-99] - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] - uses ports 1639 and 6667/tcp.
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] - a mass-mailing worm, runs an HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W [Symantec-2005-012811-2022-99] - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M [Symantec-2005-052109-2651-99] - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D [Symantec-2005-081609-4733-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H [Symantec-2005-081717-2017-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp.

Backdoor.Win32.Kraimer.11 / Missing Authentication - Kraimer listens for commands on TCP port 6668; due to a lack of authentication, anyone can telnet to the infected host. It seems only one established connection is allowed at a time, so once you telnet in, no other connections are honored. Therefore, if you make a TCP connection while another is already established, it will be refused.
References: [MVID-2021-0046]
 6669 tcp,udp irc Members scan IRC (Internet Relay Chat)

Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood [Symantec-2001-080313-3306-99]
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99]
W32.Spybot.EAS [Symantec-2004-093016-3632-99] - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC [Symantec-2004-100415-4933-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Sdbot.AF [Symantec-2004-111811-0117-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica [Symantec-2004-110315-5443-99] - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload [Symantec-2004-110420-4659-99] - backdoor trojan, affects Linux and Unix computers! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.F [Symantec-2004-110511-0258-99] - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] - uses ports 1639 and 6667/tcp.
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] - a mass-mailing worm, runs an HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W [Symantec-2005-012811-2022-99] - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M [Symantec-2005-052109-2651-99] - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D [Symantec-2005-081609-4733-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H [Symantec-2005-081717-2017-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp.
 6620 tcp,udp kftp-data not scanned Kerberos V5 FTP Data
 6621 tcp,udp kftp not scanned Kerberos V5 FTP Control
 6623 tcp,udp ktelnet not scanned Kerberos V5 Telnet
 6580 tcp,udp parsec-master not scanned Parsec Masterserver

Vulnerabilities listed: 100 (some use multiple ports)