Port(s) |
Protocol |
Service |
Scan level |
Description |
991 |
tcp |
trojan |
Premium scan |
Snape |
992 |
tcp |
trojan |
Members scan |
SoftEther VPN (Ethernet over HTTPS) uses TCP Ports 443, 992 and 5555
Malware using port 992 TCP: Snape trojan
Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443 |
993 |
tcp |
IMAP-SSL |
Basic scan |
IMAP over SSL |
994 |
tcp |
ircs |
Members scan |
Secure IRC (over TLS/SSL)
Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443 |
995 |
tcp |
POP3-SSL |
Basic scan |
Incoming POP3 mail over SSL
used by Gmail
Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443 |
996 |
tcp,udp |
vsinet |
not scanned |
Central Point Software Xtree License Server (TCP)
vsinet (IANA official) |
997 |
tcp,udp |
maitrd |
not scanned |
Maitrd |
998 |
tcp |
busboy |
not scanned |
Busboy |
998 |
udp |
puparp |
not scanned |
Puparp |
999 |
tcp |
garcon |
Members scan |
Garcon, ScimoreDB Database System, Puprouter (TCP/UDP)
Trojans that run on this port: DeepThroat (a.k.a. DTV2, DTV3, BackDoor-J), F0replay (a.k.a. WiNNUke eXtreame), WinSatan
Delta Force game also uses port 999 (TCP/UDP) |
999 |
udp |
applix |
not scanned |
Applix ac (IANA official) |
1000 |
tcp |
trojans |
Members scan |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
Cadlock / Cadlock2
Trojans using this port: Der Spaeher, Direct Connection, GOTHIC Intruder, Theef
Veritas Backup Exec Agents could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free vulnerability in multiple agents. By sending specially crafted NDMP data over SSL to TCP port 1000, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
References: [CVE-2017-8895], [XFDB-125969], [BID-98386], [EDB-42282] |
1000 |
udp |
games |
not scanned |
Cadlock2 / Ock
Burnout Paradise - The Ultimate Box (game, developer: Criterion Games) |
1001 |
tcp |
trojans |
Members scan |
Trojans using this port: Der Spaeher, Le Guardien, Silencer, WebEx, GOTHIC Intruder, Lula, One Windows Trojan, Theef
The Sabserv client component in Sabre Desktop Reservation Software 4.2 through 4.4 allows remote attackers to cause a denial of service via malformed input to TCP port 1001.
References: [CVE-2002-1191], [BID-5974]
Stack-based buffer overflow in Ubisoft Rayman Legends before 1.3.140380 allows remote attackers to execute arbitrary code via a long string in the "second connection" to TCP port 1001.
References: [CVE-2014-4334]
IANA registered for: HTTP Web Push |
1001 |
udp |
games |
not scanned |
Tom Clancy's H.A.W.X., developer: Ubisoft Romania |
1002 |
tcp |
ms-ils |
Basic scan |
Opsware agent (aka cogbot)
Windows Internet Locator Server service, used by MS NetMeeting. ILS is a MS NetMeeting service that is now preferred by MS over the Internet standard LDAP service (port 389). This port does not appear in "netstat" command listings. |
1003 |
tcp |
fortinet |
Premium scan |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
BackDoor 2.0x trojan horse |
1005 |
tcp |
trojans |
Premium scan |
Trojan.Nitedrem
[trojan] Pest (remote access, keylogger, steals passwords, backdoor)
[trojan] Theef - anti-protection, remote access, keylogger, port proxy, FTP server, a.k.a. Backdoor.Theef, BackDoor.QW, Bkdr_Delf.AX
ipcserver - Mac OS X RPC-based services. Used by NetInfo, for example. |
1008 |
tcp |
trojans |
Premium scan |
AutoSpY, li0n
Backdoor.Win32.Autospy.10 / Unauthenticated Remote Command Execution - the malware listens on TCP port 1008. Third party adversaries who can reach an infected host can issue various commands made available by the backdoor. Command "startapp" will run programs, "msgbox" will send a popup box to message the victim. The "hangup victim" cmd will cause infinite notepad.exe processes to open on the affected machine. Other commands available are "info tick" which returns system information, "kill" [file] etc.
References: [MVID-2024-0671] |
1010 |
tcp |
thinklinc |
Premium scan |
ThinLinc Web Administration
Doly trojan v 1.3/v1.35 (different versions use TCP ports 1010, 1011, 1012, 1015, 1016)
CafeIni 0.9 trojan
Surf (IANA official) |
1010 |
udp |
surf |
not scanned |
Surf |
1011 |
tcp |
trojans |
Premium scan |
Doly trojan v1.1/v1.2 (different versions use TCP ports 1010, 1011, 1012, 1015, 1016)
Backdoor.Win32.Augudor.a / Unauthenticated Remote File Write Code Execution - Augudor.a drops an empty file named "zy.exe" and listens on TCP port 1011. Attackers who can reach the infected host can write any binary file they like to the empty "zy.exe" file on the system and it will execute as soon as the binary transfer has completed.
References: [MVID-2021-0083]
Backdoor.Win32.Augudor.a / Unauthenticated Remote File Write - RCE - Augudor.a drops an empty file named "zy.exe" and listens on TCP port 1011. Attackers who can reach the infected host can write any binary file they like to the empty "zy.exe" file on the system and it will execute as soon as the binary transfer has completed.
References: [MVID-2022-0501] |
1012 |
tcp |
trojan |
Premium scan |
Doly trojan v1.5 (different versions use TCP ports 1010, 1011, 1012, 1015, 1016) |
1015 |
tcp |
trojans |
Premium scan |
Doly trojan v1.6 (different versions use TCP ports 1010, 1011, 1012, 1015, 1016)
Backdoor.Win32.Wollf.16 / Authentication Bypass - the malware listens on TCP port 1015 and has an FTPD feature that when enabled listens on TCP port 21. Third-party attackers who can reach an infected system can logon using any username/password combination.
References: [MVID-2022-0462]
Backdoor.Win32.Wollf.16 / Weak Hardcoded Credentials - the malware runs with SYSTEM integrity, listens on TCP port 1015 and is protected by Armadillo(3.00a-3.70a) & UPX(1.07)NRV,brute. However, the password "ddr_bkdoor" is weak and can be found at offset 0019F58C.
References: [MVID-2022-0463] |
1016 |
tcp |
trojan |
Premium scan |
Doly trojan (different versions use TCP ports 1010, 1011, 1012, 1015, 1016) |
1020 |
tcp |
trojans |
Premium scan |
Vampire remote access trojan (1999) - affects Windows 9x/NT, uses ports 1020 and 6669. |
1021 |
tcp |
trojans |
Premium scan |
Trojan.Webus.H [Symantec-2005-070318-0714-99] (2005.07.03) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands. |
1023 |
tcp |
trojan |
Premium scan |
Sasser.e FTP
The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when used in conjunction with a Baxter Spectrum v8.x (model 35700BAX2), operates a Telnet service on Port 1023 with hard-coded credentials.
References: [CVE-2020-12045], [XFDB-183637] |
1024 |
tcp |
kdm |
Basic scan |
K Display Manager (KDE version of xdm)
Trojans that use this port: Jade, Latinus, Lithium, NetSpy, Ptakks, RAT, YAI
Backdoor.Lingosky [Symantec-2005-032311-2503-99] (2005.03.23) - trojan with backdoor capabilities. Opens a backdoor on port 1024/tcp.
Applications using this port: AIM Video IM, ICUII, NetMeeting with H323, Lingo VoIP, Battlefield 2142, Everquest
The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.
References: [CVE-1999-0816] |
1024 |
udp |
applications |
not scanned |
The Sinilink XY-WFT1 WiFi Remote Thermostat, running firmware 1.3.6, allows an attacker to bypass the intended requirement to communicate using MQTT. It is possible to replay Sinilink aka SINILINK521 protocol (udp/1024) commands interfacing directly with the target device. This, in turn, allows for an attack to control the onboard relay without requiring authentication via the mobile application. This might result in an unacceptable temperature within the target device's physical environment.
References: [CVE-2022-43704] |
1025-1029 |
tcp,udp |
nfc-iis |
Basic scan |
Ports > 1024 are designated for dynamic allocation by Windows. When programs ask for the "next available" socket, they usually get sequential ports starting at 1025.
Ports 1026-1027/udp were historically used for Windows Messenger popup spam |
1025 |
tcp |
nfc-iis |
not scanned |
NFS
IIS
Teradata
ShopPro accounting software
Trojans that use this port: NetSpy, Maverick's Matrix, RemoteStorm (TCP/UDP)
Backdoor.Win32.Ramus / Unauthenticated Remote Code Execution - the malware listens on TCP port 1025. Third-party attackers who can reach an infected system can execute arbitrary code further compromising the host. To call programs use "executa" which translated from Romanian is execute and the target program wrapped in quotes E.g. executa "PROGRAM".
References: [MVID-2021-0427]
network blackjack (TCP/UDP) (IANA official) |
1026 |
tcp,udp |
cap |
not scanned |
Microsoft DCOM services often use ports 1026/tcp and 1029/tcp
CAP - Calendar Access Protocol (IANA official) |
1027 |
tcp |
trojans |
not scanned |
Infostealer.ABCHlp [Symantec-2003-060511-5140-99] (2003.06.05) - a password-stealing, Backdoor trojan horse. The program attempts to send password information from a compromised computer to an address in China. By default it makes use of port 1027.
ICKiller trojan uses this port
Microsoft operating systems tend to allocate one or more publicly exposed services (DCOM, etc.) among the first few ports immediately above the end of the system ports (1024+). |
1027 |
udp |
6a44 |
not scanned |
IPv6 behind IPv4-to-IPv4 NAT Customer Premises Equipment CPEs [IESG] (IANA official) [RFC 6751] |
1029 |
tcp |
dcom |
not scanned |
Microsoft DCOM services often use ports 1026/tcp and 1029/tcp
Trojans that use this port: InCommand (TCP/UDP)
Email-Worm.Win32.Kipis.a / Unauthenticated Remote Code Execution - the malware listens on TCP port 1029 and writes incoming packets to an executable file that is renamed as "winlogins.exe". Third-party attackers who can reach the infected host can use socket utils like netcat to transfer files which get stored in the Windows\SysWOW64 dir, this may result in remote code execution.
References: [MVID-2021-0250]
Backdoor.IRC.Subhuman / Unauthenticated Open Proxy - the malware listens on TCP port 1029. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0418] |
1030 |
tcp |
trojans |
Members scan |
Gibbon, KWM trojans
Need for Speed 3- Hot Pursuit game
The Project administration application in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, has a hardcoded encryption key, which allows remote attackers to obtain sensitive information by extracting this key from another product installation and then employing this key during the sniffing of network traffic on TCP port 1030.
References: [CVE-2014-4686]
Backdoor.Win32.Bushtrommel.122 / Authentication Bypass - the malware listens on TCP port 31745 and runs an ftp server on port 1030. Attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands.
References: [MVID-2022-0629]
Backdoor.Win32.Bushtrommel.122 / Unauthenticated Remote Command Execution - the malware listens on TCP port 31745 and 1030. Adversaries who can reach infected hosts can run commands made available by the backdoor. The "*RUN" command calls CreateProcess() based on CL input, errors will result in a pop up dialog on the infected host:
"CreateProcess() in function () GetConsoleOuput() failed!". Correct syntax is as follows *RUN"calc.exe", successful code execution results in the response "*EVA*" from the backdoored host.
References: [MVID-2022-0630] |
1031 |
tcp |
trojans |
Premium scan |
KWM, Little Witch, Xanadu, Xot |
1032 |
tcp |
trojans |
Premium scan |
Akosch4, Dosh, ICQ Trojan, KWM
W32.Grifout.Worm [Symantec-2002-030510-2009-99] (2002.02.27) - a 32-bit Internet worm. It spreads by using MAPI to send email through Microsoft Outlook.
This worm runs in memory at Windows startup and maintains a socket connection across the Internet. The connection is designed to allow a connection from a controlling client application, which can remotely manipulate the infected system. |
1033 |
tcp |
trojans |
Premium scan |
Port used by Netspy2, Dosh, ICQ Trojan, KWM, Little Witch, Net Advance, NetSpy trojans |
1034 |
tcp |
trojans |
Members scan |
Backdoor.Systsec [Symantec-2002-021314-3507-99] (2002.02.13) - remote access trojan. Affects all current Windows versions.
Backdoor.Zincite.A [Symantec-2004-072615-3305-99] (2004.07.26) - backdoor server program that allows unauthorized access to the compromised computer. It runs and listens for remote commands on port 1034/tcp.
W32.Mydoom.CI@mm [Symantec-2005-092711-1028-99] (2005.09.26) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine.
KWM trojan also uses this port. |
1035 |
tcp |
trojans |
Premium scan |
Backdoor.Sedepex [Symantec-2005-103109-2236-99] (2005.10.31) - a trojan with backdoor capabilities. It ends various security related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp.
Some other trojans using this port: Dosh, KWM, Multidropper, Truva Atl, RemoteNC [Symantec-2002-042414-1825-99] |
1036 |
tcp |
trojan |
Premium scan |
KWM |
1037 |
tcp |
trojans |
Premium scan |
Arctic, Dosh, KWM, MoSucker |
1038 |
tcp,udp |
mtqp |
not scanned |
Message Tracking Query Protocol (IANA official) [RFC 3887] |
1039 |
tcp |
trojans |
Members scan |
Backdoor.Gapin [Symantec-2003-022717-3418-99] (2003.02.27) - a backdoor trojan that gives an attacker unauthorized access to your computer. By default this backdoor opens TCP port 1039 to allow access to the hacker. This threat is written in the Microsoft Visual Basic programming language.
Dosh trojan uses this port.
Port is also IANA registered for Streamlined Blackhole |
1040 |
tcp |
trojans |
Members scan |
Backdoor.Sedepex [Symantec-2005-103109-2236-99] (2005.10.31) - a trojan with backdoor capabilities. It ends various security related processes on the compromised computer. Opens a backdoor and listens for remote commands on port 1035/tcp or 1040/tcp.
Backdoor.Medias [Symantec-2004-032713-0001-99] (2004.03.27) - a trojan horse that installs itself as a Browser Helper Object.
WebCam Monitor also uses port 1040 (TCP/UDP). |
1041 |
tcp |
trojans |
Premium scan |
Dosh, RemoteNC [Symantec-2002-042414-1825-99] |
1042 |
tcp |
trojans |
Premium scan |
ASUS Armoury Crate "NodeJS Web Framework" process uses TCP ports 1042 and 1043
Trojans that use this port: Bla1.1, MyDoom.L [Symantec-2004-071915-0829-99] |
1042 |
udp |
games |
not scanned |
Battlestations: Midway |
1043 |
tcp |
trojan |
Premium scan |
ASUS Armoury Crate "NodeJS Web Framework" process uses TCP ports 1042 and 1043
Dosh
Backdoor.Win32.Mhtserv.b / Missing Authentication - Mhtserv.b listens on TCP port 1043, apparently there is no authentication required to access this backdoor. Accessing the backdoor using telnet you are greeted with a "Command" prompt, issuing a lowercase "L" char will get you a dir listing of system32.
References: [MVID-2021-0059] |
1044 |
tcp,udp |
trojan |
not scanned |
Ptakks |
1045 |
tcp |
trojan |
Premium scan |
Rasmin trojan |
1047 |
tcp |
trojans |
Premium scan |
GateCrasher.b, GateCrasher.c, RemoteNC [Symantec-2002-042414-1825-99] |
1049 |
tcp |
trojans |
Premium scan |
[trojan] /sbin/initd - reported on Linux hosts as a hacked backdoor along with tcp port 65534 |
1050 |
tcp |
trojans |
Basic scan |
MiniCommand trojan
MS DNS Server on Windows Server 2003 machines may possibly use this port for DNS if other ports are being blocked by a firewall. See MS KB 198410, registry key "SendOnNonDnsPort" (unconfirmed).
Fortinet FortiNAC could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization of untrusted data vulnerability. By sending a specially crafted request to the tcp/1050 service, an attacker could exploit this vulnerability to execute arbitrary code or commands on the system.
References: [CVE-2023-33299], [XFDB-258701]
CORBA Management Agent (IANA official) |
1052 |
tcp |
trojans |
Members scan |
W32.Reatle.mm@mm [Symantec-2005-071510-0336-99] (2005.07.15) - mass-mailing worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability ([MS04-011]) on TCP port 445. Opens a backdoor by running an FTP server on port 8885/tcp. Also attempts to perform a denial of service attack against www.symantec.com by targeting port 1052/tcp with randomly generated packets.
W32.Reatle.C@mm [Symantec-2005-071521-3122-99] (2005.07.15) - another variant of the above mass-mailing worm. Opens a backdoor on port 8885/tcp and attempts to perform a denial of service attack against www.symantec.com on port 1052/tcp.
W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability ([MS03-026]) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform denial of service (DDoS) attack against known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.
Fire HacKer, Slapper, The Hobbit Daemon trojans also use this port.
Linux.Slapper.Worm [Symantec-2002-091311-5851-99] (2002.09.13) - family of worms that use an OpenSSL buffer overflow exploit [CVE-2002-0656] to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp. Opens backdoors on the following ports: 2002/udp (.A variant), 1978/udp (.B variant), 4156/udp and 1052/tcp periodically (.C variant). |
1053 |
tcp |
trojan |
Premium scan |
The Thief |
1054 |
tcp |
trojans |
Premium scan |
RemoteNC [Symantec-2002-042414-1825-99], AckCmd |
1058 |
tcp,udp |
nim |
not scanned |
nim, IBM AIX Network Installation Manager (NIM) (IANA official) |
1059 |
tcp,udp |
nimreg |
not scanned |
nimreg, IBM AIX Network Installation Manager (NIM) (IANA official) |
1068 |
udp |
games |
not scanned |
Will Rock game (developer: Saber Interactive) |
1069 |
udp |
games |
not scanned |
Will Rock game (developer: Saber Interactive)
Cognex In-Sight (IANA official) uses these ports:
68 udp - DHCP In-Sight vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure |
1069 |
tcp |
cognex |
not scanned |
Cognex In-Sight (IANA official) uses these ports:
68 udp - DHCP In-Sight vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure |
1070 |
tcp |
cognex |
not scanned |
Cognex In-Sight (IANA official) uses these ports:
68 udp - DHCP In-Sight vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure
IANA registered for: GMR Update Service |
1071 |
tcp |
applications |
not scanned |
DG Remote Control Server 1.6.2 allows remote attackers to cause a denial of service (crash or CPU consumption) and possibly execute arbitrary code via a long message to TCP port 1071 or 1073, possibly due to a buffer overflow.
References: [CVE-2005-2305], [BID-14263]
Port is also IANA registered for BSQUARE-VOIP |
1073 |
tcp |
applications |
not scanned |
DG Remote Control Server 1.6.2 allows remote attackers to cause a denial of service (crash or CPU consumption) and possibly execute arbitrary code via a long message to TCP port 1071 or 1073, possibly due to a buffer overflow.
References: [CVE-2005-2305], [BID-14263]
Port is also IANA registered for Bridge Control |
1075 |
tcp |
rdrmshc |
not scanned |
Backdoor.Win32.LanaFTP.k / Heap Corruption - the malware listens on TCP port 1075. Third-party attackers who can reach the server can send a specially crafted sequential payload causing a heap corruption.
References: [MVID-2021-0369]
RDRMSHC (IANA official) |
1080 |
tcp |
socks |
Members scan |
Socks Proxy is an Internet proxy service, potential spam relay point.
Common programs using this port: Wingate
Trojans/worms that use this port as well:
Bugbear.xx [Symantec-2003-060423-5844-99] - wide-spread mass-mailing worm, many variants.
SubSeven - remote access trojan, 03.2001. Affects all current Windows versions.
WinHole - remote access trojan, 01.2000 (a.k.a. WinGate, Backdoor.WLF, BackGate). Affects Windows 9x.
Trojan.Webus.C [Symantec-2004-101212-0903-99] - remote access trojan, 10.12.2004. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080.
Mydoom.B [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
Backdoor.Lixy [Symantec-2003-100816-5051-99] (2003.10.08) - a backdoor trojan horse that opens a proxy server on TCP port 1080.
W32.HLLW.Deadhat [Symantec-2004-020619-0805-99] (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.
WinHole, Wingate, Bagle.AI trojans also use this port.
Buffer overflows in AnalogX Proxy before 4.12 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request to TCP port 6588 or a SOCKS 4A request to TCP port 1080 with a long DNS hostname.
References: [CVE-2002-1001] [BID-5139]
Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080.
References: [CVE-2004-0315] [BID-9721]
HEUR.Backdoor.Win32.Generic / Unauthenticated Open Proxy - the backdoor creates a Windows service backed by an executable named "1314.exe", it lives under C:\WINDOWS and listens on TCP ports 1080 and 8080. Third-party adversaries who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host. The relay does not require authentication or any special User-agent check and leverages the HTTP Host header in the request to connect to third-party systems.
References: [MVID-2021-0176]
Backdoor.Win32.Small.gs / Unauthenticated Remote Command Execution - the malware listens on TCP port 1080. Third-party attackers who can reach infected systems can execute OS commands and or run arbitrary programs.
References: [MVID-2021-0336]
Backdoor.Win32.Agent.aer / Remote Denial of Service - the malware listens on TCP port 1080. Third-party attackers who can reach infected systems can send a specially crafted junk payload for the logon credentials to trigger an exception and crash.
References: [MVID-2021-0346]
Backdoor.Win32.Agent.bxxn / Open Proxy - the malware listens on TCP port 1080. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2022-0522]
Backdoor.Win32.Aphexdoor.LiteSock / Remote Stack Buffer Overflow (SEH) - the malware drops an extensionless PE file named "3" which listens on TCP port 1080. Third-party attackers who can reach an infected host can send a specially crafted packet to port 1080, that will trigger a stack buffer overflow overwriting ECX register and SEH.
References: [MVID-2022-0653] |
1081 |
tcp |
trojans |
Premium scan |
Backdoor.Zagaban [Symantec-2005-110314-5204-99] (2005.11.03) - a trojan that allows the compromised computer to be used as a covert proxy. Allows the attacker to modify the hosts file. Starts a covert proxy and listens on port 1081/tcp.
WinHole trojan also uses port 1081. |
1082 |
tcp |
trojan |
Members scan |
Backdoor.Sincom [Symantec-2003-100909-4135-99] (2003.10.09) - a backdoor trojan horse that gives the trojan's author unauthorized access to an infected computer. It allows the author to control the system through a TCP connection, through an FTP server, or have the backdoor program reconnect to the attacker's computer.
WinHole trojan
Port is IANA registered for: AMT-ESD-PROT |
1083 |
tcp |
trojan |
Premium scan |
WinHole trojan |
1088 |
tcp |
trojans |
Premium scan |
Trojan.Webus.D [Symantec-2004-111216-2213-99] (2004.11.12) - remote access trojan, affects all current Windows versions. Opens a backdoor by connecting via port 1088 to IRC servers serv.gigaset.org or gimp.robobot.org. It then can receive a range of commands, including downloading and executing remote files. It can also open another random tcp port for incoming connections.
Trojan.Webus.E [Symantec-2005-040511-3347-99] (2005.04.05) - trojan that opens a backdoor and connects to IRC servers for remote access on port 1088/tcp.
Trojan.Webus.H [Symantec-2005-070318-0714-99] (2005.07.03) - trojan horse with backdoor capabilities. It attempts to disable anti-virus programs, connects to an IRC server on ports 1021/tcp or 1088/tcp, and listens for remote commands. |
1089 |
tcp |
malware |
not scanned |
Trojan-Proxy.Win32.Delf.ai / Remote SEH Buffer Overflow - the malware listens on TCP port 1089. Attackers who can reach the infected system can send a specially crafted HTTP TRACE request to trigger a classic SEH buffer overflow.
References: [MVID-2021-0115] |
1090 |
tcp |
trojans |
Premium scan |
Port used by Xtreme remote access trojan with keylogger capabilities. It also installs NetBus 2.1 Pro in the background.
Jana Server is vulnerable to a denial of service attack. A remote attacker could send specially-crafted data to the http-server module listening on TCP port 2506 and the pna-proxy module listening on TCP port 1090 to cause the server to enter into an infinite loop.
References: [BID-11780], [XFDB-18308]
Port is also IANA registered for FF Fieldbus Message Specification (TCP/UDP) |
1092 |
tcp |
trojan |
Premium scan |
Hvl RAT |
1095-1099 |
tcp |
trojans |
Members scan |
Some trojans use these ports: Blood Fest Evolution, Hvl RAT (also uses port 2283), Remote Administration Tool - RAT |
1098 |
tcp |
rmiactivation |
not scanned |
Trojans that use this port: Rat (TCP)
HP Business Service Management (BSM) 9.12 does not properly restrict the uploading of .war files, which allows remote attackers to execute arbitrary JSP code within the JBOSS Application Server component via a crafted request to TCP port 1098, 1099, or 4444.
References: [CVE-2012-2561]
The BlackBerry Universal Device Service in BlackBerry Enterprise Service (BES) 10.0 through 10.1.2 does not properly restrict access to the JBoss Remote Method Invocation (RMI) interface, which allows remote attackers to upload and execute arbitrary packages via a request to port 1098.
References: [CVE-2013-3693], [SECUNIA-55187]
RMI Activation (IANA official) |
1099 |
tcp |
rmiregistry |
not scanned |
HP Business Service Management (BSM) 9.12 does not properly restrict the uploading of .war files, which allows remote attackers to execute arbitrary JSP code within the JBOSS Application Server component via a crafted request to TCP port 1098, 1099, or 4444.
References: [CVE-2012-2561]
Siemens SPPA-T3000 Application Server could allow a remote attacker to execute arbitrary code on the system. By sending specifically crafted packets to 1099/tcp, an attacker could exploit this vulnerability to execute arbitrary code on the system.
References: [CVE-2019-18316], [XFDB-173422]
Siemens SPPA-T3000 Application Server could allow a remote attacker to obtain sensitive information. By sending specifically crafted packets to 1099/tcp, a remote attacker could exploit this vulnerability to obtain sensitive information.
References: [CVE-2019-18331], [XFDB-173415]
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.
References: [CVE-2020-11969]
If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix did not cover this edge case.
References: [CVE-2020-13931]
IANA registered for: RMI Registry (TCP/UDP) |
1100 |
tcp |
trojan |
Premium scan |
CafeIni 0.9 trojan horse
HP StorageWorks Storage Mirroring (SWSM) software is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the DoubleTake.exe process when handling authentication requests. By sending an encoded authentication request to TCP ports 1100, 1106 and UDP port 1105, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2008-1661]
Port is also IANA registered for MCTP |
1101 |
tcp |
applications |
not scanned |
ZenSysSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (service crash) or possibly execute arbitrary code via a series of connections and disconnections on TCP port 1101, aka Reference Number 25212.
References: [CVE-2011-4534], [BID-51897]
Backdoor.Hatckel [Symantec-2002-120515-0748-99] - a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens 15 ports on the infected computer: 1101 to 1115. Backdoor.Hatckel is written in Visual Basic. |
1104 |
udp |
trojan |
not scanned |
RexxRave trojan |
1105 |
udp |
applications |
not scanned |
HP StorageWorks Storage Mirroring (SWSM) software is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the DoubleTake.exe process when handling authentication requests. By sending an encoded authentication request to TCP ports 1100, 1106 and UDP port 1105, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2008-1661]
Port is also IANA registered for FTRANHC |
1106 |
tcp |
applications |
not scanned |
HP StorageWorks Storage Mirroring (SWSM) software is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the DoubleTake.exe process when handling authentication requests. By sending an encoded authentication request to TCP ports 1100, 1106 and UDP port 1105, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2008-1661] |
1109 |
tcp |
kpop |
not scanned |
Kerberos Post Office Protocol (KPOP) |
1110 |
udp |
nfsd |
not scanned |
EasyBits School network discovery protocol (for Intel's CMPC platform)
nfsd-keepalive Client status info (IANA official) |
1110 |
tcp |
webadmstart |
not scanned |
Cluster status info (nfsd-status)
Start web admin server (IANA official) |
1111 |
tcp |
trojans |
Members scan |
Trojans that use this port:
Backdoor.AIMvision [Symantec-2002-101713-3321-99] (2002.10.17) - remote access trojan. Affects all current Windows versions.
Backdoor.Ultor [Symantec-2002-061316-4604-99] (2002.06.13) - remote access trojan. Affects Windows, listens on port 1111 or 1234.
Backdoor.Daodan - VB6 remote access trojan, 07.2000. Affects Windows.
W32.Suclove.A@mm [Symantec-2005-092612-2130-99] (2005.09.25) - a mass-mailing worm with backdoor capabilities that spreads through MS Outlook and MIRC. Opens a backdoor and listens for remote commands on port 1111/tcp.
Daodan, Tport trojans also use this port.
The Administration Service (FMSAdmin.exe) in Macromedia Flash Media Server 2.0 r1145 allows remote attackers to cause a denial of service (application crash) via a malformed request with a single character to port 1111.
References: [CVE-2005-4216], [BID-15822]
Backdoor.Win32.Agent.cy / Weak Hardcoded Credentials - the malware listens on TCP port 1111 and drops an executable named "Spoolsw.exe" under the SysWOW64 directory that runs with SYSTEM integrity. The password "TrFsB-RuleZ" is stored in plaintext and can easily be found by running the strings utility against the malware executable.
References: [MVID-2021-0207]
Backdoor.Win32.Jokerdoor / Remote Stack Buffer Overflow - the malware listens on TCP port 1111 and drops a randomly named executable, e.g. xmutfeb.exe. Third-party attackers who can reach an infected system can send a junk payload and trigger a classic stack buffer overflow overwriting the EBP, EIP registers and structured exception handler (SEH). On connection the server responds with "connected"; the payload is then supplied as a parameter prefixed by "DOS", as running commands results in an error.
References: [MVID-2021-0390]
Backdoor.Win32.SubSeven.c / Remote Stack Buffer Overflow - the malware listens on TCP port 1111. Third-party attackers who can reach an infected system can send a specially crafted packet prefixed with "DOS". This will trigger a classic stack buffer overflow overwriting ECX, EIP registers and structured exception handler (SEH).
References: [MVID-2022-0448]
LM Social Server (IANA official) |
1112 |
tcp,udp |
icp |
not scanned |
ESET virus update (TCP)
Intelligent Communication Protocol (IANA official) |
1113 |
tcp,udp |
ltp-deepspace |
not scanned |
Licklider Transmission Protocol (IANA official) [RFC 5326] |
1115 |
tcp |
trojans |
Premium scan |
Lurker, Protoss
Backdoor.Hatckel [Symantec-2002-120515-0748-99] - a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens 15 ports on the infected computer: 1101 to 1115. Backdoor.Hatckel is written in Visual Basic. |
1116 |
tcp |
trojan |
Premium scan |
Lurker trojan |
1117 |
tcp |
trojans |
Premium scan |
W32.Zotob.D [Symantec-2005-081609-4733-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp. |
1118 |
tcp,udp |
sacred |
not scanned |
SACRED (IANA official) [RFC 3767] |
1119 |
tcp,udp |
games |
not scanned |
Blizzard Downloader
Starcraft II: Wings of Liberty (Blizzard) |
1120 |
tcp |
games |
not scanned |
Starcraft II: Wings of Liberty, developer: Blizzard |
1122 |
tcp,udp |
trojans |
Premium scan |
Trojans that use this port: Last 2000, Singularity (Backdoor.Singu)
Port is also IANA registered for: availant-mgr |
1128 |
tcp |
applications |
not scanned |
The GetComputerSystem method in the HostControl service in SAP Netweaver 7.03 allows remote attackers to obtain sensitive information via a crafted SOAP request to TCP port 1128.
References: [CVE-2013-3319], [SECUNIA-54277]
Privilege Escalation Vulnerabilities (UNIX Insecure File Handling) in SAP Host Agent (saposcol) - multiple vulnerabilities were identified that could allow a local attacker authenticated as adm to escalate privileges on SAP UNIX systems. No additional user authentication is required to exploit these issues. The vulnerabilities are due to the privileged saposcol process generating files in its default working directory (/usr/sap/tmp; defined by profile parameter DIR_PERF) owned by the adm user (sapsys group), and following symbolic links (symlinks) when trying to open/create these files. Note that in some environments the directory might not be owned by the adm user account but be writable for all users of group sapsys including adm.
References: [CVE-2022-35295] |
1129 |
tcp |
trojans |
Members scan |
Backdoor.Anyserv [Symantec-2004-032516-5704-99] (2004.03.25) - a trojan horse that gives the author unauthorized remote access to an infected computer. Due to bugs in the code of Backdoor.Anyserv, some operations may not complete successfully.
Port is IANA registered for: SAPHostControl over SOAP/HTTPS |
1130 |
tcp |
trojan |
Premium scan |
Noknok trojan |