Port(s) |
Protocol |
Service |
Scan level |
Description |
51000 |
tcp |
systracer |
not scanned |
SysTracer software (Blue Project Software) default listening port for remote scan server/client connections.
Honeywell Experion PKS Safety Manager through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0051, there is a Honeywell Experion PKS Safety Manager multiple proprietary protocols with unauthenticated functionality issue. The affected components are characterized as: Honeywell Experion TCP (51000/TCP), Safety Builder (51010/TCP). The potential impact is: Manipulate controller state, Manipulate controller configuration, Manipulate controller logic, Manipulate controller files, Manipulate IO. The Honeywell Experion PKS Distributed Control System (DCS) Safety Manager utilizes several proprietary protocols for a wide variety of functionality, including process data acquisition, controller steering and configuration management. These protocols include: Experion TCP (51000/TCP) and Safety Builder (51010/TCP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocols in question. An attacker capable of invoking the protocols' functionalities could achieve a wide range of adverse impacts, including (but not limited to), the following: for Experion TCP (51000/TCP): Issue IO manipulation commands, Issue file read/write commands; and for Safety Builder (51010/TCP): Issue controller start/stop commands, Issue logic download/upload commands, Issue file read commands, Issue system time change commands. A mitigating factor with regards to some, but not all, of the above functionality is that these require the Safety Manager physical keyswitch to be in the right position.
References: [CVE-2022-30313] |
51003 |
tcp |
applications |
not scanned |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allow remote attackers to perform actions as administrators via unspecified POST requests, as demonstrated by enabling an inbound remote-assistance HTTPS session on TCP port 51003.
NOTE: an authentication bypass can be leveraged to exploit this in the absence of an existing administrative session.
References: [CVE-2007-5384], [BID-25972] |
51010 |
tcp |
applications |
not scanned |
Honeywell Experion PKS Safety Manager through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0051, there is a Honeywell Experion PKS Safety Manager multiple proprietary protocols with unauthenticated functionality issue. The affected components are characterized as: Honeywell Experion TCP (51000/TCP), Safety Builder (51010/TCP). The potential impact is: Manipulate controller state, Manipulate controller configuration, Manipulate controller logic, Manipulate controller files, Manipulate IO. The Honeywell Experion PKS Distributed Control System (DCS) Safety Manager utilizes several proprietary protocols for a wide variety of functionality, including process data acquisition, controller steering and configuration management. These protocols include: Experion TCP (51000/TCP) and Safety Builder (51010/TCP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocols in question. An attacker capable of invoking the protocols' functionalities could achieve a wide range of adverse impacts, including (but not limited to), the following: for Experion TCP (51000/TCP): Issue IO manipulation commands, Issue file read/write commands; and for Safety Builder (51010/TCP): Issue controller start/stop commands, Issue logic download/upload commands, Issue file read commands, Issue system time change commands. A mitigating factor with regards to some, but not all, of the above functionality is that these require the Safety Manager physical keyswitch to be in the right position.
References: [CVE-2022-30313] |
51069 |
tcp |
cognex |
not scanned |
Cognex In-Sight (IANA official) uses these ports:
68 udp - DHCP In-Sight vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure |
51100 |
tcp |
applications |
not scanned |
The web GUI for Novell iChain 2.2 and 2.3 SP2 and SP3 allows attackers to hijack sessions and gain administrator privileges by sniffing the connection on TCP port 51100 and replaying the authentication information or obtaining and replaying the PCZQX02 authentication cookie from the browser.
References: [CVE-2005-0744] |
51201 |
tcp,udp |
applications |
not scanned |
Dialpad |
51210 |
tcp |
applications |
not scanned |
Dialpad |
51234 |
tcp |
trojans |
Premium scan |
Backdoor.Cyn [Symantec-2002-083012-4557-99] (2002.08) - remote access trojan, affects all current Windows versions, listens on ports 15432 and 51234.
Backdoor.Fearles [Symantec-2003-111910-1404-99] (2003.11.18) - a trojan horse that gives an attacker remote access to your computer. By default, the trojan listens on TCP port 51234.
Port also used by TeamSpeak server to telnet remotely. |
51410 |
tcp |
|
not scanned |
VDG Security SENSE (formerly DIVA) 2.3.13 sends the user database when a user logs in, which allows remote authenticated users to obtain usernames and password hashes by logging in to TCP port 51410 and reading the response.
References: [CVE-2014-9577] |
51413 |
tcp,udp |
p2p |
Premium scan |
Commonly used by Transmission BitTorrent Client. |
51435 |
tcp |
trojans |
Members scan |
W32.Kalel.A@mm 2005-052419-5348-99 (2005.05.24) - mass-mailing worm that uses its own SMTP engine, also spreads through file-sharing networks. Opens a backdoor for remote access on port 51435/tcp. |
51820 |
udp |
wireguard |
not scanned |
Wireguard VPN default listening port |
51915 |
tcp |
vmware |
not scanned |
VMWare vSphere Authentication Proxy web service used to add host to Active Directory domain. |
51966 |
tcp |
trojans |
Premium scan |
Trojan Cafeini
Backdoor.Win32.Cafeini.b / Denial of Service - the malware listens on TCP port 51966 and is packed by a modified UPX implementation. Third-party adversaries who can reach an infected system can terminate the malware by issuing the cmd DIEDIEDIE, without being required to authenticate.
References: [MVID-2022-0525]
Backdoor.Win32.Cafeini.b / Weak Hardcoded Credentials - the malware listens on TCP ports 51966 and 23. Authentication is required; however, the password "mama" is weak and found within the PE file. Moreover, the FTP server running on non-standard port 23 also uses the same password. Trying to execute a program incorrectly returns a reply like "STATUS I can't run program", as it requires the full path to the file to execute.
References: [MVID-2022-0617] |
51996 |
tcp |
trojan |
Premium scan |
CafeIni trojan |
52001 |
tcp,udp |
applications |
not scanned |
Xlockmore, which is the maintained edition of Xlock, makes use of port 52001 to administer an X server network. Xlock prevents illegal access to the X server while the user is still keying in his or her password.
Jabber Session Manager (JSM) also employs port 52001 for administering instant messaging activities. |
52013 |
tcp |
trojans |
Premium scan |
Backdoor.Graybird.C [Symantec-2003-041516-5125-99] (2003.04.15) - a backdoor trojan and a variant of Backdoor.Graybird. It gives a hacker unauthorized access to your computer. It opens port 52013 to listen for commands. The existence of the file, HGZSERVER.EXE, is an indication of a possible infection. |
52028 |
tcp,udp |
applications |
not scanned |
Altiris Agent for Linux, Mac and Unix
BibleTime for Linux |
52179 |
tcp |
trojans |
Premium scan |
Backdoor.Tjserv.D [Symantec-2005-100415-4002-99] (10.04.2005) - a backdoor trojan that acts as a HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens a HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp. |
52217 |
udp |
fudjitsu |
not scanned |
Fujitsu default Scan-to-Mobile port |
52303 |
udp |
applications |
not scanned |
Yokogawa CENTUM CS 3000 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the BKCLogSvr.exe service. By sending specially-crafted packets to UDP port 52303, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [BID-66130], [CVE-2014-0781], [XFDB-91783] |
52311 |
tcp |
IBM |
not scanned |
IBM License Metric Tool ports
1433 TCP - SQL server connection
9081 TCP - HTTPS web browser connections to server
50000 TCP - DB2 server connection
52311 TCP - BigFix clients and console connect to the server |
52317 |
tcp |
trojans |
Premium scan |
Port used by: Acid Battery 2000 trojan |
52365 |
tcp |
trojan |
Premium scan |
Way trojan |
52559 |
tcp |
trojans |
Premium scan |
Backdoor.AntiLam.20.Q [Symantec-2003-082907-5935-99] (2003.08.29) - a backdoor trojan horse that gives its creator access to a computer. By default this trojan listens on ports 20226 and 52559. The existence of the file nas.exe is an indication of a possible infection. This threat is written in the Delphi programming language. |
52805 |
tcp |
applications |
not scanned |
A security issue has been reported in NEC Universal RAID Utility, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the application improperly restricting access permissions, which can be exploited to conduct arbitrary operations on a hard disk being managed by the application via TCP port 52805.
References: [CVE-2013-0706], [SECUNIA-52241] |
52810 |
udp |
malware |
not scanned |
HackTool.Win32.Hidd.b / Remote Stack Buffer Overflow (UDP Datagram) - the malware listens on UDP ports 52810 and 65423. Third-party attackers who can reach an infected system can send a 479 byte payload to port 65423 and trigger a classic stack buffer overflow overwriting the EIP, ECX registers.
References: [MVID-2021-0318] |
52901 |
udp |
trojan |
Premium scan |
Possibly the Omega DDoS tool. |
52978 |
tcp |
trojans |
Members scan |
Gspot, also known as Backdoor.Optix.Downloader, G-Spot, Trojan.Win32.GoBind, TrojanDownloader.Win32.G-Spot.10 and TrojanDownloader.Win32.G-Spot.15, is a backdoor Trojan written in Delphi affecting Microsoft Windows operating systems.
The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 52978, to allow the client system to connect. Gspot could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-15165] |
52999 |
tcp |
applications |
not scanned |
The GetMagicNumberString function in Massive Entertainment World in Conflict 1.000 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a string to the VoIP port (52999/tcp) with an invalid value in the third byte.
References: [CVE-2007-5369], [BID-25985] |
53001 |
tcp |
trojans |
Premium scan |
Remote Windows Shutdown trojan |
53184 |
|
malware |
not scanned |
Backdoor.Win32.Delf.aez / Unauthenticated Remote Command Execution - the malware listens on several TCP ports and accepts unauthenticated commands on ports 53187 and 53184. Commands are in Polish, e.g. Wylogowuj, which translates to "Log out", and returns the response "#Zmiany Profilu w│aczone" ("#Profile change enabled."). Sending the single character "d" or "f" to port 53187 also returns system information.
References: [MVID-2021-0217] |
53187 |
tcp |
malware |
not scanned |
Backdoor.Win32.Delf.aez / Unauthenticated Remote Command Execution - the malware listens on several TCP ports and accepts unauthenticated commands on ports 53187 and 53184. Commands are in Polish, e.g. Wylogowuj, which translates to "Log out", and returns the response "#Zmiany Profilu w│aczone" ("#Profile change enabled."). Sending the single character "d" or "f" to port 53187 also returns system information.
References: [MVID-2021-0217] |
53211 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.ju (PSYRAT) / Authentication Bypass RCE - the PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor. The malware will return a BADPWD and/or "Invalid command" error string, but the command executes regardless. A custom client is required, as it seems to dislike CRLF \r\n characters when using netcat or telnet.
References: [MVID-2024-0677] |
53217 |
tcp |
trojan |
Premium scan |
Acid Battery 2000 trojan horse (TCP) |
53297 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.ju (PSYRAT) / Authentication Bypass RCE - the PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor. The malware will return a BADPWD and/or "Invalid command" error string, but the command executes regardless. A custom client is required, as it seems to dislike CRLF \r\n characters when using netcat or telnet.
References: [MVID-2024-0677] |
53357 |
tcp,udp |
virus |
not scanned |
W95.Sma [Symantec-2002-060510-2532-99] (2002.05.29) - an oligomorphic stealth virus which affects Windows 9x environments. It is network-aware and has a payload that runs arbitrary code that originates from a specific IP address. |
53484 |
tcp |
linksys |
Premium scan |
Sony VLP Network Projectors use port 53484 by default.
Reportedly, some newer Linksys "Smart WiFi" routers like EA6300 can open port 53484 by default. To close the port on such routers, disable any "Remote Access", and "Smart Phone access". |
53535,53540,53541 |
tcp,udp |
activepdf |
not scanned |
ESET Live Grid, Antispam and Web Control
ActivePDF software - automates PDF generation process from different sources, such as a website
ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541 |
54045 |
udp |
arx |
not scanned |
Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235) |
54099 |
udp |
arx |
not scanned |
Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235) |
54112 |
tcp |
trojans |
Premium scan |
Backdoor.Ranky.F [Symantec-2004-040119-5250-99] (2004.04.01) - a trojan horse that runs as a proxy server. By default, the trojan opens TCP port 54112. |
54138 |
tcp |
applications |
not scanned |
Toshiba 4690 operating system could allow a remote attacker to obtain sensitive information. By sending a specially crafted string to TCP port 54138, an attacker could return environment variables to an unauthenticated client. An attacker could exploit this vulnerability to obtain restricted data.
References: [CVE-2014-8476], [XFDB-103666] |
54188 |
tcp |
applications |
not scanned |
An issue was discovered on Askey AP4000W TDC_V1.01.003 devices. An attacker can perform Remote Code Execution (RCE) by sending a specially crafted network packet to the bd_svr service listening on TCP port 54188.
References: [CVE-2020-8614], [XFDB-176230] |
54236 |
tcp,udp |
applications |
not scanned |
Razer Chroma SDK Rest Server through 3.12.17 allows remote attackers to execute arbitrary programs because there is a race condition in which a file created under "%PROGRAMDATA%\Razer Chroma\SDK\Apps" can be replaced before it is executed by the server. The attacker must have access to port 54236 for a registration step.
References: [CVE-2020-16602] |
54283 |
tcp |
trojan |
Premium scan |
Trojans using this port:
BackDoor-G, SubSeven, Sub7(*) (TCP) |
54312 |
tcp,udp |
trojans |
not scanned |
Backdoor.Niovadoor [Symantec-2002-103118-2307-99] (2002.10.31) - a backdoor trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 54312 on the infected computer. The trojan attempts to disable some antivirus and firewall programs by terminating their active processes. |
54320 |
udp |
trojan |
not scanned |
Back Orifice 2000, BO2K(*) trojan horse (UDP) |
54321 |
tcp |
various |
Premium scan |
Citrix admin workstation connects to provisioning server over ports 54321-54323 TCP for SOAP service, used by console and APIs (MCLI, PowerShell, etc.)
opendkim default port (may also use ports 8891,12345)
Trojans using this port:
Schoolbus .69-1.11, 1.6, 2.0 (TCP)
Back Orifice 2000, BO2K(*) (TCP/UDP)
Backdoor.Robofo [Symantec-2007-053013-4425-99]
Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321.
References: [CVE-2010-4741]
The Terminal Upgrade Tool in the Pilot Below Deck Equipment (BDE) and OpenPort implementations on Iridium satellite terminals allows remote attackers to execute arbitrary code by uploading new firmware to TCP port 54321.
References: [CVE-2014-0327]
|
54321 |
udp |
loadavg |
not scanned |
UDP port used by "loadavg" - a service that replies with the load average of a machine. |
54322 |
tcp |
citrix |
not scanned |
Citrix admin workstation connects to provisioning server over ports 54321-54323 TCP for SOAP service, used by console and APIs (MCLI, PowerShell, etc.) |
54323 |
tcp |
citrix |
not scanned |
Citrix admin workstation connects to provisioning server over ports 54321-54323 TCP for SOAP service, used by console and APIs (MCLI, PowerShell, etc.) |
54340 |
tcp,udp |
vlc |
not scanned |
VLC Streamer default port |
54345 |
tcp |
loadrunner |
not scanned |
Port used by HP LoadRunner for checking performance and behavior of a system when under load.
Stack-based buffer overflow in magentproc.exe for Hewlett-Packard Mercury LoadRunner Agent, Performance Center Agent, and Monitor over Firewall allows remote attackers to execute arbitrary code via a packet with a long server_ip_name field to TCP port 54345, which triggers the overflow in mchan.dll.
References: [CVE-2007-0446], [BID-22487] |
54444 |
tcp |
applications |
not scanned |
NMMediaServer.exe in Nero MediaHome 3.3.3.0 and earlier, as used in Nero 8.3.2.1 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a long HTTP request to TCP port 54444.
References: [CVE-2008-1905]
Multiple off-by-one errors in NMMediaServerService.dll in Nero MediaHome 4.5.8.0 and earlier allow remote attackers to cause a denial of service (crash) via a long string in the (1) request line or (2) HTTP Referer header to TCP port 54444, which triggers a heap-based buffer overflow.
References: [CVE-2012-5876] |
54533 |
udp |
applications |
not scanned |
Really Simple IM is vulnerable to a denial of service, caused by the improper handling of packets. By sending a specially-crafted packet to UDP port 54533, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-60454], [OSVDB-66447], [EDB-14408] |
54593 |
tcp |
citrix |
not scanned |
Citrix AppDNA Server uses port 54593 TCP for connections with the AppDNA Remote Admin Agent. |
54915 |
tcp,udp |
logitech |
not scanned |
Logitech Gaming Software - LCore.exe uses port 54915/udp. Disabling Arx control may stop the broadcasts. |
54925 |
udp |
brother |
not scanned |
Brother MFC printers use ports 137 UDP and 161 UDP (network printing and remote setup), 54925/udp (network scanning), 54926 UDP (PC fax receiving). Some may also open port 21 TCP (scan to FTP feature). |
54926 |
udp |
brother |
not scanned |
Brother MFC printers use ports 137 UDP and 161 UDP (network printing and remote setup), 54925/udp (network scanning), 54926 UDP (PC fax receiving). Some may also open port 21 TCP (scan to FTP feature). |
55000 |
tcp,udp |
trojans |
Premium scan |
Backdoor.Roxe [Symantec-2004-092814-2335-99] - remote access trojan, affects Windows. Exploits the MS GDI+ Library vulnerability: MS Security Bulletin [MS04-028]. Listens on port 55000/tcp.
Port also used by Windows Home Server for managing the various components of the home network.
Some uTorrent versions use port 55000 by default. |
55023 |
tcp,udp |
applications |
not scanned |
Lupus Electronics XT2 Plus Alarm System could allow a remote attacker to obtain sensitive information, caused by the running of a telnet server on port 55023 by the panel. An attacker could exploit this vulnerability using a hard coded secret to obtain the root password from MAC address.
References: [XFDB-159044] |
55123 |
udp |
applications |
not scanned |
Default VoIP client port, Battlefield 2 |
55124 |
udp |
applications |
not scanned |
Default VoIP server port |
55125 |
udp |
applications |
not scanned |
Standard VoIP port |
55165 |
tcp |
trojans |
Premium scan |
Some trojans use this port: File Manager trojan, WM Trojan Generator |
55166 |
tcp |
trojan |
Premium scan |
WM Trojan Generator |
55502 |
tcp,udp |
applications |
not scanned |
B&R APROL versions < R 4.2-07 do not correctly process specially formatted data packages sent to port 55502/tcp, which may allow a network-based attacker to cause an application Denial-of-Service.
References: [CVE-2022-43765] |
55553 |
tcp |
metasploit |
not scanned |
Metasploit RPC daemon default port, also used by Armitage team server. |
55554 |
tcp |
applications |
not scanned |
Share KM application for Android is vulnerable to a denial of service, caused by an error in the Share KM PC Server. By sending a specially-crafted request containing an overly long string argument to TCP port 55554, a remote attacker could exploit this vulnerability to cause the server to crash.
References: [BID-62586], [XFDB-87386], [EDB-28451] |
55555 |
tcp |
trojan |
Premium scan |
Shadow Phyre trojan
JUNG Smart Visu Server contains two undocumented operating system user backdoor accounts. By connecting to the device over SSH on Port 55555, a remote attacker could exploit this vulnerability to gain administrative access to the device.
References: [XFDB-121625]
Backdoor.Win32.Wollf.m / Weak Hardcoded Password - the malware listens on TCP port 55555 and runs with SYSTEM integrity. Authentication is required for remote user access. However, the password "alfaromeo" is weak and hardcoded within the executable and appears many times in a database of leaked passwords.
References: [MVID-2021-0435]
Backdoor.Win32.Wollf.m / Authentication Bypass - the malware listens on TCP port 55555 and runs with SYSTEM integrity. The malware has an FTP component that can be enabled using the FTPD command. Third-party attackers who can reach the server can logon using any username password combination.
References: [MVID-2021-0436] |
55565 |
tcp |
applications |
not scanned |
Honeywell Experion LX through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0055, there is a Honeywell Experion LX Control Data Access (CDA) EpicMo protocol with unauthenticated functionality issue. The affected components are characterized as: Honeywell Control Data Access (CDA) EpicMo (55565/TCP). The potential impact is: Firmware manipulation, Denial of service. The Honeywell Experion LX Distributed Control System (DCS) utilizes the Control Data Access (CDA) EpicMo protocol (55565/TCP) for device diagnostics and maintenance purposes. This protocol does not have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocol in question. An attacker capable of invoking the protocols' functionalities could issue firmware download commands potentially allowing for firmware manipulation and reboot devices causing denial of service.
References: [CVE-2022-30317] |
55665 |
tcp |
trojans |
Premium scan |
Backdoor.Latinus [Symantec-2002-060710-5206-99]
Pinochet [trojan] |
55666 |
tcp |
trojans |
Premium scan |
Backdoor.Latinus [Symantec-2002-060710-5206-99]
Pinochet [trojan] |
55901 |
tcp,udp |
applications |
not scanned |
Mu Online |
56010 |
tcp |
applications |
not scanned |
Unspecified vulnerability in NEC WebSAM DeploymentManager 5.13 and earlier, allows remote attackers to cause a denial of service (OS shutdown or restart) via unknown vectors related to Client Service for DPM and crafted packets to port 56010.
References: [CVE-2010-1941], [BID-40196] |
56015 |
tcp |
applications |
not scanned |
Unspecified vulnerability in NEC CapsSuite Small Edition PatchMeister 2.0 Update2 and earlier allows remote attackers to cause a denial of service (OS shutdown or restart) via vectors related to Client Service for PTM and crafted packets to port 56015.
References: [CVE-2010-1943], [BID-40190] |
56123 |
tcp,udp |
applications |
not scanned |
Monsoon Vulkano |
56185 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.cu / Authentication Bypass RCE - the malware listens on TCP ports 10426, 56185. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0303] |
56565 |
tcp |
trojans |
Premium scan |
Backdoor.Osirdoor [Symantec-2002-081217-3251-99] - remote access trojan, affects Windows |
56574 |
tcp,udp |
pando networks |
not scanned |
Port used by Pando Media Booster (pmb.exe) - streaming software used by several online games using cloud delivery technology, developed by Pando Networks (pandonetworks.com) |
56700 |
tcp |
lifx |
not scanned |
LIFX smart lighting listens and broadcasts message responses on port 56700 TCP by default. https://lan.developer.lifx.com/docs/device-messages |
56768 |
tcp,udp |
applications |
not scanned |
iVisit |
56789 |
tcp |
webobjects |
Members scan |
Commonly used default port when configuring programs, and possibly malware, because of the sequential numbers "5 6 7 8 9"
Apple WebObjects Monitor (WO-Monitor) application, also JavaMonitor use port 56789 TCP
Cyber Intel Classification Banner - service agent uses port 56789 by default
Malware: Win32/Autorun.OA worm - it may change the computer system date, delete other programs, or connect to a remote site and await commands from a remote attacker. Opens a backdoor and attempts to connect to 'rj.rufang2005.cn' using TCP port 56789. |
56790 |
tcp |
malware |
not scanned |
Port sometimes used as default/consecutive port when configuring programs/malware/botnets, because it follows a very common default high port "5 6 7 8 9". As such, programs/malware that need multiple open ports often use sequential ports 56790, 56791, etc. |
56791 |
tcp |
botnets |
not scanned |
Port sometimes used as default/consecutive port when configuring programs/malware/botnets, because it follows a very common default high port "5 6 7 8 9". As such, programs/malware that need multiple open ports often use sequential ports 56790, 56791, etc. |
57005 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Cirebot [Symantec-2003-080214-3019-99] (2003.08.02). Trojan that exploits the MS DCOM vulnerability and installs a backdoor. Uses ports 445 & 69, opens port 57005. |
57123 |
tcp |
trojans |
Premium scan |
Backdoor.Mprox [Symantec-2003-092417-2624-99] (2003.09.24) - a backdoor trojan horse that opens a proxy server on TCP port 57123. |
57163 |
tcp |
trojan |
Premium scan |
BlackRat |
57331 |
tcp,udp |
applications |
not scanned |
PlayOn |
57341 |
tcp |
trojans |
Premium scan |
Port used by NetRaider trojan. |
57588 |
tcp,udp |
gtk |
not scanned |
Gtk#
The Gtk# GUI toolkit from Novell employs port 57588 to connect with its host site. It contains a collection of .NET bindings and an assortment of GNOME libraries. |
57612 |
udp |
applications |
not scanned |
The Trend Controls IC protocol through 2022-05-06 allows Cleartext Transmission of Sensitive Information. According to FSCT-2022-0050, there is a Trend Controls Inter-Controller (IC) protocol cleartext transmission of credentials issue. The affected components are characterized as: Inter-Controller (IC) protocol (57612/UDP). The potential impact is: Compromise of credentials. Several Trend Controls building automation controllers utilize the Inter-Controller (IC) protocol for information exchange and automation purposes. This protocol offers authentication in the form of a 4-digit PIN in order to protect access to sensitive operations like strategy uploads and downloads as well as optional 0-30 character username and password protection for web page access protection. Both the PIN and usernames and passwords are transmitted in cleartext, allowing an attacker with passive interception capabilities to obtain these credentials. Credentials are transmitted in cleartext. An attacker who obtains Trend IC credentials can carry out sensitive engineering actions such as manipulating controller strategy or configuration settings. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement.
References: [CVE-2022-30312] |
57621 |
udp |
spotify |
not scanned |
Port 57621 UDP is used by Spotify client for P2P communication |
57785 |
tcp |
trojan |
Premium scan |
G.R.O.B. |
57851-57943 |
tcp |
arx |
not scanned |
Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235) |
58008 |
tcp |
trojans |
Premium scan |
Backdoor.Tron [Symantec-2002-060414-2700-99] (2002.06.04) - remote access trojan, affects Windows, has the ability to kill software firewall processes. |
58009 |
tcp |
trojan |
Premium scan |
Backdoor.Tron [Symantec-2002-060414-2700-99] (2002.06.04) - remote access trojan, affects Windows, has the ability to kill software firewall processes. |
58134 |
tcp |
trojan |
Premium scan |
Charge trojan |