| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 64101 |
tcp |
trojans |
Premium scan |
Taskman trojan |
| 64320 |
tcp,udp |
activepdf |
not scanned |
Port used by ActivePDF software - automates PDF generation process from different sources, such as a website
ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541 |
| 64429 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551. |
| 64444 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AM [Symantec-2005-012716-1902-99] (2005.01.27) - worm with backdoor and denial of service capabilities. Spreads via network shares. Connects via IRC and listens on port 64444/tcp. |
| 64554 |
tcp |
malware |
not scanned |
Backdoor.Win32.Delf.wr / Authentication Bypass RCE - the CrazyInvadres Group⌐ bY SMURF_NS malware runs an FTP server on TCP port 64554. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0326]
Backdoor.Win32.Delf.wr / Port Bounce Scan - the CrazyInvadres Group⌐ bY SMURF_NS malware runs an FTP server on TCP port 64554 and accepts any username/password credentials. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0327] |
| 64738 |
tcp,udp |
voip |
not scanned |
Mumble VoIP server uses port 64738 TCP and UDP by default. 64738 UDP is the default connection port to Mumble servers (VoIP software for PC gamers).
|
| 64969 |
tcp |
trojan |
not scanned |
Lithium.100 trojan |
| 64999 |
udp |
applications |
not scanned |
Unspecified vulnerability in SAP Web Application Server before 6.40 patch 6 allows remote attackers to cause a denial of service (enserver.exe crash) via a certain UDP packet to port 64999, aka "two bytes UDP crash".
References: [CVE-2006-6011]
Unspecified vulnerability in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to cause a denial of service (enserver.exe crash) via a 0x72F2 sequence on UDP port 64999.
References: [CVE-2006-5785] [SECUNIA-22677] [BID-20873] |
| 65000 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Devil 13, Sockets des Troie, Stacheldraht (DDoS)
|
| 65000 |
udp |
trojans |
not scanned |
Devil trojan horse 1.03
Backdoor.Win32.Whgrx / Remote Host Header Stack Buffer Overflow - the specimen listens on datagram UDP port 65000, by sending a specially crafted HTTP PUT request and specifying a large string of characters for the HOST header we trigger the buffer overflow overwriting stack registers. Upon running the malware it may display a "Cannot load shared library wsocx.dll" message but still runs normally. The exploit payload specifies both 41414141 and 42424242 pattern with 42424242 overwriting SEH and ECX register, the 42424242 pattern was target the HTTP HOST header.
References: [MVID-2021-0030] |
| 65001 |
tcp,udp |
hdhomerun |
not scanned |
HDHomeRun DVR from SiliconDust uses this port. HDHomeRun can be administered over the Ethernet link to tune channels, broadcast an MPEG stream, etc. The device can be viewed/controlled through a range of Linux/Windows DVR/PVR programs.
List of all used ports:
Discovery Protocol - UDP 65001
Control Protocol - TCP 65001
Video stream - UDP 5002 and UDP 5004
LIRC for IR on HD Homerun - UDP 5000 |
| 65002 |
tcp,udp |
applications |
not scanned |
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials.
References: [CVE-2020-9275] |
| 65100 |
tcp,udp |
applications |
not scanned |
Port used by the Sage Act! customer and contact manager. Port 65100 serves Act! as a link that offers remote access to information in the enterprise network. Act! can also be integrated into business programs such as accounting tools and MS Office. |
| 65111 |
tcp |
trojans |
Premium scan |
Backdoor.Microkos [Symantec-2005-081015-0341-99] (2005.08.10) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp. |
| 65112 |
tcp,udp |
tv-multicast |
not scanned |
Port used by One-to-One TV over IP Multicast. Used for IP-based multimedia "chunk streaming", extending the capability of multimedia streaming to provide every client with individual content over the Internet. |
| 65289 |
tcp |
trojan |
Premium scan |
yoyo trojan horse |
| 65301 |
tcp |
pcanywhere |
Premium scan |
Port used by PC Anywhere |
| 65390 |
tcp |
trojans |
Premium scan |
Xylo Eclypse trojan |
| 65421 |
tcp |
trojans |
Premium scan |
Alicia trojan, Jade trojan packed with neolite |
| 65422 |
tcp |
trojan |
Premium scan |
Alicia trojan horse |
| 65423 |
udp |
malware |
not scanned |
HackTool.Win32.Hidd.b / Remote Stack Buffer Overflow (UDP Datagram) - the malware listens on UDP ports 52810 and 65423. Third-party attackers who can reach an infected system can send a 479 byte payload to port 65423 and trigger a classic stack buffer overflow overwriting the EIP, ECX registers.
References: [MVID-2021-0318] |
| 65432 |
tcp |
trojans |
Premium scan |
The Traitor (th3tr41t0r) trojan uses ports 65432/tcp and 65532/udp |
| 65506 |
tcp |
trojans |
Premium scan |
Port 65506 is used by some trojans for a spam email relay.
PhatBot (a.k.a. Agobot, Gaobot) - most variants exploit the MS DCOM RPC vilnerability (MS Security Billetin [MS03-026]) and the RPC locator vulnerability (MS Security Bulletin [MS03-001]) to spread. Some variants scan port 65506 for a possible backdoor. |
| 65511 |
tcp |
applications |
not scanned |
A certain HTC update for Android 2.3.4 build GRJ22, when the Sense interface is used on the HTC EVO 3D, EVO 4G, ThunderBolt, and unspecified other devices, provides the HtcLoggers.apk application, which allows user-assisted remote attackers to obtain a list of telephone numbers from a log, and other sensitive information, by leveraging the android.permission.INTERNET application permission and establishing TCP sessions to 127.0.0.1 on port 65511 and a second port.
References: [CVE-2011-3975] [BID-49916] |
| 65520 |
tcp |
virus |
not scanned |
W32.Virut.B [Symantec-2007-030116-3455-99] (2007.03.01) - a virus that infects executable files and opens a back door on the compromised computer |
| 65530 |
tcp |
trojan |
Members scan |
Backdoor.Mite [Symantec-2002-090309-2255-99] - remote access trojan with password-stealing capabilities, affects Windows. Opens a backdoor on port 61000/tcp. BD Windows Mite 1.0 variant listens on port 65530/tcp. |
| 65532 |
udp |
trojans |
Premium scan |
The Traitor (th3tr41t0r) trojan uses ports 65432/tcp and 65532/udp |
| 65534 |
tcp |
trojans |
Premium scan |
[trojan] /sbin/initd - reported on Linux hosts as a hacked backdoor along with tcp port 1049
Port also used by NetMeeting with H323 |
| 65535 |
tcp |
trojans |
Premium scan |
Trojans using this port: Adore, Sins, ShitHeep, RC trojan
Apple Xsan Filesystem Access uses the dynamic/private range 49152-65535 (TCP/UDP) as well. |
| 65535 |
udp |
games |
not scanned |
Lord of the Rings: Battle for Middle Earth 2, Dark Ages of Camelot, Final Fantasy XI (TCP/UDP)
Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP.
References: [CVE-2007-1674], [BID-23483] |
