The Broadband Guide

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 41005 games not scanned Far Cry
 31435 games not scanned Arcanum, Arcanum Won.net
 20080 games not scanned Blazing Angels Squadrons of WWII, developer: Ubisoft Romania
 2093 applications not scanned IRLP - Internet Radio Linking Project uses ports 2074-2093
 25793 vocaltec-hos not scanned Vocaltec Address Server
 2066 applications not scanned DLSw
IANA registered for: AVM USB Remote Architecture
 5674 hyperscsi-port not scanned HyperSCSI Port [Data Storage Institut] (IANA official)
 10777 applications not scanned Unreal Tournament 2003 (ut2003) clients and servers allow remote attackers to cause a denial of service via malformed messages containing a small number of characters to UDP ports 7778 or 10777.
References: [CVE-2002-1507]
 24727 flipshare not scanned FlipShare Server uses ports 24726 and 24727 TCP.
 30888 applications not scanned Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.
References: [CVE-2012-5451]
 5034 jtnetd-status not scanned Janstor Status (IANA official)
 3962 applications not scanned Warframe online interaction
 12005 dbisamserver1 not scanned A reflected cross-site scripting vulnerability exists in Geutebrueck re_porter 16 before 7.8.974.20 by appending a query string to /modifychannel/exec or /images/*.png on TCP port 12005.
References: [CVE-2018-15533], [EDB-45242]

IANA registered for: DBISAM Database Server
 542 commerce not scanned Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)


Commerce Applications (IANA official)
 53184 malware not scanned Backdoor.Win32.Delf.aez / Unauthenticated Remote Command Execution - the malware listens on several TCP ports and accepts unauthenticated commands on ports 53187 and 53184. Commands are in Polish, e.g. Wylogowuj translated is "Log out" and we get response "#Zmiany Profilu w│aczone" ("#Profile change enabled."). Sending a single character "d" or "f" to port 53187 also returns system information.
References: [MVID-2021-0217]
 8080 tcp http Basic scan Common alternative HTTP port used for web traffic. See also TCP ports 80, 81, 8443. It can also be used for HTTP Web Proxies. Some broadband routers run a web server on port 8080 for remote management. WAN Administration can (and should, in most cases) be disabled using the router's web-based administration interface.

Ubiquiti UniFi Controller uses these ports:
8080 tcp - http port for UAP to inform controller
8443 tcp - https port for controller GUI/API
8880 tcp - http portal redirect port (may also use ports 8881, 8882)
8843 tcp - https portal redirect port
3478 udp - STUN port (should be open at firewall)

Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port

Rainmachine smart sprinkler controllers use ports 80, 8080 and 18080.

Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management


If you're not running web services, keep in mind that some trojans also use these ports:
Reverse WWW Tunnel Backdoor - remote access/tunneling software coded in Perl, uses ports 80, 3128, 8080. Works on Unix, Linux, Solaris, AIX and OpenBSD.
RingZero (a.k.a. Ring0, Trojan.PSW.Ring, RingZero.gen, Ring) - uses ports 80, 3128, 8080. Affects Windows 9x.
Screen Cutter (a.k.a. Backdoor.Screencut) - uses ports 80, 8080.
W32.Mydoom.B@mm [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

W32.Spybot.OFN [Symantec-2005-042917-1039-99] (2005.04.29) - network-aware worm with DDoS and backdoor capabilities. Spreads through network shares and by exploiting multiple vulnerabilities. It may be downloaded by W32.Kelvir [Symantec-2005-041414-2221-99] variants. Opens a backdoor on port 8080/tcp. Also exploits vulnerabilities on ports 445 and 1433.

W32.Zotob.C@mm [Symantec-2005-081516-4417-99] (2005.08.16) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp.
Note: The same ports are used by the W32.Zotob.A [Symantec-2005-081415-0646-99] and W32.Zotob.B [Symantec-2005-081415-0741-99] variants of the worm as well.

W32.Zotob.E [Symantec-2005-081615-4443-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.
Backdoor.Naninf.D [Symantec-2006-020115-0317-99] (2006.02.01)
Backdoor.Naninf.C [Symantec-2006-013111-4821-99] (2006.01.31)

W32.Rinbot.A [Symantec-2007-021615-1555-99] (2007.03.02) - a worm that opens a back door, copies itself to IPC shares, connects to an IRC server, and awaits commands on port 8080/tcp. See Also [CVE-2002-1123], [CVE-2006-2630], [CVE-2006-3439]

Android.Acnetdoor [Symantec-2012-051611-4258-99] (2012.05.16) - opens a backdoor on Android devices

Feodo/Geodo (a.k.a. Cridex or Bugat) trojan used to commit e-banking fraud uses ports 8080 tcp and 7779/tcp to run a nginx proxy and communicate with the botnet C&C server.

A non-privileged user of the Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could perform a persistent Cross-Site Scripting (XSS) attack, potentially resulting in obtaining administrative permissions.
References: [CVE-2017-2683], [BID-96455]

The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could allow a remote attacker to perform a Cross-Site Request Forgery (CSRF) attack, potentially allowing an attacker to execute administrative operations, provided the targeted user has an active session and is induced to trigger a malicious request.
References: [CVE-2017-2682], [BID-96458]

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used.
References: [CVE-2018-19911]

HEUR.Backdoor.Win32.Generic / Unauthenticated Open Proxy - the backdoor creates a Windows service backed by an executable named "1314.exe", it lives under C:\WINDOWS and listens on TCP ports 1080 and 8080. Third-party adversaries who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host. The relay does not require authentication or any special User-agent check and leverages the HTTP Host header in the request to connect to third-party systems.
References: [MVID-2021-0176]
 2343 tcp trojans Premium scan Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2343, 23432 by default.

IANA registered for: nati logos
 23432 tcp trojans Premium scan Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2343, 23432 by default.
 21 tcp FTP Basic scan File Transfer Protocol [RFC 959] - some network devices may be listening on this port, such as NAT routers for remote access/private cloud storage and network attached multi-function printers (scan to ftp feature).

Asus RT routers may open an internet accessible FTP server for USB-attached storage, configurable in administration panel under "USB Application > Servers Center > FTP Share"

Trojan horses/backdoors that also use this port: 7tp trojan, MBT, Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte 7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm [Symantec-2005-040915-5504-99], W32.Sober.N@mm [Symantec-2005-041910-4132-99], W32.Bobax.AF@mm [Symantec-2005-081611-4121-99] - a mass-mailing worm that opens a backdoor and lowers security settings on the compromised computer. It exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 21/tcp, and by sending copies of itself to gathered email addresses. Also opens a backdoor on a random tcp port and/or port 80/udp.

W32.Loxbot.C [Symantec-2006-010515-3159-99] (2006-01-05)

FTP proxy server for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service (network connectivity loss) via a connection to port 21 with a large amount of random data.
References: [CVE-2002-0779]

TURCK BL20 / BL67 could allow a remote attacker to bypass security restrictions, caused by the use of hardcoded credentials for the FTP service. An attacker could exploit this vulnerability using TCP port 21 to gain administrative access to the device.
References: [CVE-2012-4697], [XFDB-84351]

The FTP service in QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Station before 2.0.1, has hardcoded credentials, which makes it easier for remote attackers to obtain access via a session on TCP port 21.
References: [CVE-2015-7261]

The FTP service on Janitza UMG 508, 509, 511, 604, and 605 devices has a default password, which makes it easier for remote attackers to read or write to files via a session on TCP port 21.
References: [CVE-2015-3968]

A vulnerability was discovered in Siemens OZW672 (all versions) and OZW772 (all versions) that could allow an attacker with access to port 21/tcp to access or alter historical measurement data stored on the device.
References: [CVE-2017-6872], [BID-99473]

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The two FTP services (default ports 21/tcp and 5411/tcp) of the SiNVR 3 Video Server contain a path traversal vulnerability that could allow an authenticated remote attacker to access and download arbitrary files from the server, if the FTP services are enabled.
References: [CVE-2019-19296]

Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can logon using any username/password combination. Attackers may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0205]

ReverseTrojan by satan_addict listens on TCP ports 12000 and 21. The malware accepts empty credentials for authentication as the default settings are set to blank. Third-party attackers who can reach an infected host can potentially gain access to the machine before or if no password is set.
References: [MVID-2021-0256]

Backdoor.Win32.Wollf.16 / Authentication Bypass - the malware listens on TCP port 1015 and has an FTPD feature that when enabled listens on TCP port 21. Third-party attackers who can reach an infected system can logon using any username/password combination.
References: [MVID-2022-0462]

Backdoor.Win32.Hellza.120 / Unauthorized Remote Command Execution - the malware listens on TCP ports 12122, 21. Third-party adversaries who can reach infected systems can issue commands made available by the backdoor.
References: [MVID-2022-0641]
 445 tcp microsoft-ds Basic scan TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. The SMB (Server Message Block) protocol is used for file sharing in Windows NT/2K/XP and later. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP and later, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra NetBT layer, for this they use TCP port 445.

Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName (value only) in the Windows Registry.

Leaving port 445 open leaves Windows machines vulnerable to a number of trojans and worms:
W32.HLLW.Deloder [Symantec-2003-030812-5056-99]
IraqiWorm (aka Iraq_oil.exe)
W32.HLLW.Moega [Symantec-2003-080813-3234-99]
W32.Korgo.AB [Symantec-2004-092415-4853-99] (2004.09.24)
Backdoor.Rtkit.B [Symantec-2004-100115-0426-99] (2004.10.01)
W32.Sasser.Worm [Symantec-2004-050116-1831-99] - exploits port 445 vulnerabilities, opens TCP ports 5554,9996.
Trojan.Netdepix.B [Symantec-2005-011715-5404-99] (2005.01.16.) - trojan uses port 445, opens port 15118/tcp.
Backdoor.IRC.Cirebot [Symantec-2003-080214-3019-99] (2003.08.02) - trojan that exploits the MS DCOM vulnerability, uses ports 445 & 69, opens backdoor on port 57005.
Windows Null Session Exploit.

MS Security Bulletin [MS03-026] outlines a critical RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.

See also: Microsoft Security Bulletin [MS03-049] and Microsoft Security Bulletin [MS03-043]

W32.Zotob.C@mm [Symantec-2005-081516-4417-99] (2005.08.16) - mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp. Same ports are used by the W32.Zotob.A [Symantec-2005-081415-0646-99] and W32.Zotob.B [Symantec-2005-081415-0741-99] variants of the worm as well.

W32.Zotob.D [Symantec-2005-081609-4733-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.

W32.Zotob.E [Symantec-2005-081615-4443-99] (2005.08.16) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000.
The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.

W32.Zotob.H [Symantec-2005-081717-2017-99]

W32.Conficker.worm - a worm with multiple variants. It exploits a buffer overflow vulnerability in the Server Service on Windows computers. McAfee has named the most recently discovered variant of this worm as W32/Conficker.worm.gen.d. The original W32.Conficker.worm attacks port 445, the port that Microsoft Directory Service uses, and exploits Microsoft Windows vulnerability [MS08-067].

Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 before 4.5.1.672, 5.0 before 5.0.0.225, 5.1 before 5.1.0.106, and 5.2 before 5.2.0.238 on Windows allows remote attackers to execute arbitrary code via a crafted SMB packet in a TCP session on port (1) 139 or (2) 445.
References: [CVE-2007-5580] [BID-26723] [SECUNIA-27947] [OSVDB-39521]

LANMAN service on Microsoft Windows 2000 allows remote attackers to cause a denial of service (CPU/memory exhaustion) via a stream of malformed data to microsoft-ds port 445.
References: [CVE-2002-0597] [BID-4532] [OSVDB-5179]
 3372 tcp msdtc Members scan MS DTC (Microsoft Distributed Transaction Coordinator) is a Microsoft transaction processing technology. The service is installed by default in Windows 2000 and can be used by MS SQL Server and Microsoft Message Queue Server (MSMQ).

The port is vulnerable to potential DDoS attacks. A remote user may be able to crash the MS DTC service by sending 1024 bytes of random data on TCP port 3372.

If you do not need MS DTC you can set your firewall to block access to port 3372. It is possible for MS DTC to use other ports so you might need to also set your firewall to block any activity by the MS DTC service.
 389 tcp LDAP Basic scan LDAP (Lightweight Directory Access Protocol) - an Internet protocol, used by MS Active Directory, as well as some email programs to look up contact information from a server.

Both Microsoft Exchange and NetMeeting install a LDAP server on this port.

Siemens Openstage and Gigaset phones use the following ports:
389/tcp LDAP
636/tcp LDAPS
5010/tcp - RTP
5060/tcp - SIP gateway, backup proxy
8085/tcp - DLS
18443/TCP and 18444/TCP - provisioning over TLS (HTTPS)

IBM Lotus Domino Server 7.0 allows remote attackers to cause a denial of service (segmentation fault) via a crafted packet to the LDAP port (389/TCP).
References: [CVE-2006-0580], [BID-16523]

Rockliffe MailSite 7.0 and earlier allows remote attackers to cause a denial of service by sending crafted LDAP packets to port 389/TCP, as demonstrated by the ProtoVer LDAP testsuite.
References: [CVE-2006-0790] [BID-16675] [SECUNIA-18888]

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 is vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a "stopped" state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow.
References: [CVE-2019-3936], [XFDB-160475]

An issue was discovered on Alcatel-Lucent OmniVista 8770 devices before 4.1.2. An authenticated remote attacker, with elevated privileges in the Web Directory component on port 389, may upload a PHP file to achieve Remote Code Execution as SYSTEM.
References: [CVE-2019-20048], [EDB-47761]
 1002 tcp ms-ils Basic scan Opsware agent (aka cogbot)

Windows Internet Locator Server service, used by MS NetMeeting. ILS is a MS NetMeeting service that is now preferred by MS over the Internet standard LDAP service (port 389). This port does not appear in "netstat" command listings.
 25 tcp SMTP Basic scan SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not running a mail server that you're aware of, there is a possibility your system is infected.

Integer overflow in Apple Safari [CVE-2010-1099], Arora [CVE-2010-1100], Alexander Clauss iCab [CVE-2010-1101], OmniWeb [CVE-2010-1102], Stainless [CVE-2010-1103] allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25.

List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy, Aji, Email Worms, Haebu Coceda, Loveletter, Neabi, Shtrilitz.
W32.Sober.I@mm [Symantec-2004-111900-1451-99] (2004.11.19) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp.
Trojan.Mitglieder.R [Symantec-2005-070117-2559-99] (2005.07.01) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp.
W32.Beagle.CX@mm [Symantec-2005-121511-1751-99] (2005.12.15) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E [Symantec-2005-110111-3344-99]. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer.
Backdoor.Rustock [Symantec-2006-060111-5747-99] (2006.06.01) - backdoor program that allows the compromised computer to be used as a proxy, uses rootkit techniques to hide its files and registry entries.

NJStar Communicator is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MiniSMTP server when processing packets. By sending a specially-crafted request to TCP port 25, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2011-4040], [XFDB-71086], [BID-50452]

Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended.
References: [CVE-2021-43270]

Trojan.Win32.Barjac / Remote Stack Buffer Overflow - Trojan.Win32.Barjac makes SMTP connection to Port 25, upon processing the server response we control, we overwrite instruction pointer (EIP), undermining the integrity of the trojan.
References: [MVID-2021-0011]
 23 tcp telnet Basic scan Telnet is one of the oldest Internet protocols and the most popular program for remote access to Unix machines. It has numerous security vulnerabilities [RFC 854]

Trojans that also use this port: Prosiak, Wingate, ADM worm, Aphex's Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants [Symantec-2003-050207-0707-99], Backdoor.Dagonit [Symantec-2005-092616-0858-99] (2005.09.26)

Stack-based buffer overflow in RabidHamster R2/Extreme 1.65 and earlier allows remote authenticated users to execute arbitrary code via a long string to TCP port 23.
References: [CVE-2012-1222], [BID-52061]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703]

Buffer overflow in the Remote command server (Rcmd.bat) in IpTools (aka Tiny TCP/IP server) 0.1.4 allows remote attackers to cause a denial of service (crash) via a long string to TCP port 23.
References: [CVE-2012-5345]

Hospira Lifecare PCA infusion pump running "SW ver 412" does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.
References: [CVE-2015-3459]

Zhuhai RaySharp firmware has a hardcoded root password, which makes it easier for remote attackers to obtain access via a session on TCP port 23 or 9000.
References: [CVE-2015-8286]

Hughes satellite modems contain default telnet service (port 23) account credentials. A remote attacker could exploit this vulnerability to gain administrative access on affected devices.
References: [CVE-2016-9495], [XFDB-122123]

An issue was discovered in Cloud Media Popcorn A-200 03-05-130708-21-POP-411-000 firmware. It is configured to provide TELNET remote access (without a password) that pops a shell as root. If an attacker can connect to port 23 on the device, he can completely compromise it.
References: [CVE-2018-12072]

Telestar Digital GmbH Imperial and Dabman Series I and D could allow a remote attacker to gain elevated privileges on the system, caused by the use of weak passwords with hardcoded credentials in an undocumented Telnet service (Telnetd) that connects to Port 23. A remote attacker could exploit this vulnerability to gain root access to the gadgets' embedded Linux BusyBox operating system.
References: [CVE-2019-13473], [XFDB-166724]

Multiple C-Data OLT devices are vulnerable to a denial of service, caused by a shawarma attack. By sending random bytes to the telnet server on port 23, a remote attacker could exploit this vulnerability to cause the device to reboot.
References: [CVE-2020-29057], [XFDB-192290]

An issue was discovered on FiberHome HG6245D devices through RP2613. The telnet daemon on port 23/tcp can be abused with the gpon/gpon credentials.
References: [CVE-2021-27165]

TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser, a related issue to CVE-2019-16734. To connect, the telnet service is used on port 23 with the default password of 059AnkJ for the root account. The user can then download the filesystem through preinstalled BusyBox utilities (e.g., tar and nc).
References: [CVE-2021-37555]

Backdoor.Win32.Agent.oj / Unauthenticated Remote Command Execution - the malware listens on TCP port 23; upon connection to an infected host, third-party attackers get handed a remote shell.
References: [MVID-2021-0197]

Backdoor.Win32.Cafeini.b / Weak Hardcoded Credentials - the malware listens on TCP port 23. Authentication is required, however the credentials test:test are weak and hardcoded within the PE file.
References: [MVID-2022-0568]
 70 tcp trojans Members scan W32.Evala.Worm [Symantec-2002-071017-5735-99] (2002.07.10) - backdoor trojan. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69 and 70.
Other trojans that use these ports: ADM worm, BackGate Kit, Nimda, Pasana, Storm, Theef

Note: port 69/udp is used by TFTP.
 110 tcp POP3 Basic scan POP3 (Post Office Protocol - Version 3)

Security Concerns: Re-usable cleartext password, no auditing of connections & attempts thus subject to grinding. Some POP3 server versions have had buffer overflow problems. CERT Advisories: CA-97.09

ADM, ProMail trojans also use port 110 (TCP).

Integer overflow in inetcomm.dll in Microsoft Outlook Express 5.5 SP2, 6, and 6 SP1; Windows Live Mail on Windows XP SP2 and SP3, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7; and Windows Mail on Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote e-mail servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) POP3 or (2) IMAP response, as demonstrated by a certain +OK response on TCP port 110, aka "Outlook Express and Windows Mail Integer Overflow Vulnerability."
References: [CVE-2010-0816] [BID-40052]

Integer overflow in eXtremail 2.1.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long USER command containing "%s" sequences to the pop3 port (110/tcp), which are expanded to "%%s" before being used in the memmove function, possibly due to an incomplete fix for [CVE-2001-1078].
References: [CVE-2007-5467] [BID-26074] [SECUNIA-27220]

The POP3 service in YahooPOPs (aka YPOPs!) 1.6 allows a remote denial of service (reboot) via a long string to TCP port 110, a related issue to CVE-2004-1558.
References: [CVE-2024-24736]
 443 tcp HTTPS Basic scan HTTPS / SSL - encrypted web traffic, also used for VPN tunnels over HTTPS.

Apple applications that use this port: Secured websites, iTunes Store, FaceTime, MobileMe (authentication) and MobileMe Sync.

ASUS AiCloud routers file sharing service uses ports 443 and 8082. There is a vulnerability in AiCloud with firmware versions prior to 3.0.4.372, see [CVE-2013-4937]

Ubiquiti UniFi Cloud Access uses ports 443 TCP/UDP, 3478 UDP, 8883 TCP.

SoftEther VPN (Ethernet over HTTPS) uses TCP Ports 443, 992 and 5555

Ooma VoIP - uses UDP port 1194 (VPN tunnel to the Ooma servers for call/setup control), ports 49000-50000 for actual VoIP data, and ports TCP 443, UDP 514, UDP 3480

Open Mobile Alliance (OMA) Device Management uses port 443/TCP.

Cisco Webex Teams services use these ports:
443, 444, 5004 TCP
53, 123, 5004, 33434-33598 UDP (SIP calls)

Syncthing listens on TCP ports 443, 22067, 22070

AnyDesk remote desktop software uses TCP ports 80, 443, 6568, 7070 (direct line connection)

Call of Duty World at War uses this port.

Trojans that use this port:
W32.Kelvir.M [Symantec-2005-040417-3944-99] (2005.04.04) - worm that spreads through MSN Messenger and drops a variant of the W32.Spybot.Worm [Symantec-2003-053013-5943-99]. Connects to IRC servers on the s.defonic2.net and s.majesticwin.com domains, and listens for commands on port 443/tcp.

Directory traversal vulnerability in Cisco Network Admission Control (NAC) Manager 4.8.x allows remote attackers to read arbitrary files via crafted traffic to TCP port 443, aka Bug ID CSCtq10755.
References: [CVE-2011-3305] [BID-49954]

Multiple buffer overflows in the authentication functionality in the web-server module in Cisco CiscoWorks Common Services before 4.0 allow remote attackers to execute arbitrary code via a session on TCP port (1) 443 or (2) 1741, aka Bug ID CSCti41352.
References: [CVE-2010-3036] [BID-44468] [SECUNIA-42011] [OSVDB-68927]

Buffer overflow in the logging functionality of the HTTP server in IBM Tivoli Provisioning Manager for OS Deployment (TPMfOSD) before 5.1.0.3 Interim Fix 3 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an HTTP request with a long method string to port 443/tcp.
References: [CVE-2008-0401] [BID-27387] [SECUNIA-28604]

The administrative web interface on Cisco TelePresence Immersive Endpoint Devices before 1.7.4 allows remote authenticated users to execute arbitrary commands via a malformed request on TCP port 443, aka Bug ID CSCtn99724.
References: [CVE-2012-3075]

Cisco Identity Services Engine (ISE) 1.x before 1.1.1 allows remote attackers to bypass authentication, and read support-bundle configuration and credentials data, via a crafted session on TCP port 443, aka Bug ID CSCty20405.
References: [CVE-2013-5531]

The web framework in Cisco Identity Services Engine (ISE) 1.0 and 1.1.0 before 1.1.0.665-5, 1.1.1 before 1.1.1.268-7, 1.1.2 before 1.1.2.145-10, 1.1.3 before 1.1.3.124-7, 1.1.4 before 1.1.4.218-7, and 1.2 before 1.2.0.899-2 allows remote authenticated users to execute arbitrary commands via a crafted session on TCP port 443, aka Bug ID CSCuh81511.
References: [CVE-2013-5530]

Siemens SCALANCE S613 allows remote attackers to cause a denial of service (web-server outage) via traffic to TCP port 443.
References: [CVE-2016-3963]

Siemens SIMATIC S7-1200 is vulnerable to a denial of service, caused by an error when handling specially-crafted HTTPS traffic passed to TCP port 443. By sending specially-crafted packets to TCP port 443, a remote attacker could exploit this vulnerability to cause the device to go into defect mode.
References: [CVE-2014-2258] [XFDB-92059]

A vulnerability was discovered in Siemens OZW672 (all versions) and OZW772 (all versions) that could allow an attacker to read and manipulate data in TLS sessions while performing a man-in-the-middle (MITM) attack on the integrated web server on port 443/tcp.
References: [CVE-2017-6873], [BID-99473]

A vulnerability was discovered in Siemens ViewPort for Web Office Portal before revision number 1453 that could allow an unauthenticated remote user to upload arbitrary code and execute it with the permissions of the operating-system user running the web server by sending specially crafted network packets to port 443/TCP or port 80/TCP.
References: [CVE-2017-6869], [BID-99343]

A vulnerability has been identified in SCALANCE X300 (All versions < V4.0.0), SCALANCE X408 (All versions < V4.0.0), SCALANCE X414 (All versions). The web interface on port 443/tcp could allow an attacker to cause a Denial-of-Service condition by sending specially crafted packets to the web server. The device will automatically reboot, impacting network availability for other devices. An attacker must have network access to port 443/tcp to exploit the vulnerability. Neither valid credentials nor interaction by a legitimate user is required to exploit the vulnerability. There is no confidentiality or integrity impact, only availability is temporarily impacted. This vulnerability could be triggered by publicly available tools.
References: [CVE-2018-13807], [BID-105331]

An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.
References: [CVE-2023-22897]

An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.
References: [CVE-2023-22620]
 7 tcp Echo Members scan Echo Service, somewhat outdated by ICMP echo. Port just echoes whatever is sent to it. This feature can be used in many attacks, such as Smurf/Fraggle.

See also: [RFC862]
ICP - Internet Caching Protocol - This protocol is used by HTTP caching proxies in order to coordinate working together in a cluster. Part of this implementation includes bouncing packets off the echo port in order to test if the peers are alive.

Act P202S VoIP WiFi phone undocumented open port, multiple vulnerabilities.
References: [CVE-2006-0374], [CVE-2006-0375], [BID-16288]
 995 tcp POP3-SSL Basic scan Incoming POP3 mail over SSL
used by Gmail

Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443
 1080 tcp socks Members scan Socks Proxy is an Internet proxy service, potential spam relay point.

Common programs using this port: Wingate

Trojans/worms that use this port as well:
Bugbear.xx [Symantec-2003-060423-5844-99] - wide-spread mass-mailing worm, many variants.
SubSeven - remote access trojan, 03.2001. Affects all current Windows versions.
WinHole - remote access trojan, 01.2000 (a.k.a. WinGate, Backdoor.WLF, BackGate). Affects Windows 9x.
Trojan.Webus.C [Symantec-2004-101212-0903-99] - remote access trojan, 10.12.2004. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080.

Mydoom.B [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

Backdoor.Lixy [Symantec-2003-100816-5051-99] (2003.10.08) - a backdoor trojan horse that opens a proxy server on TCP port 1080.

W32.HLLW.Deadhat [Symantec-2004-020619-0805-99] (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.

WinHole, Wingate, Bagle.AI trojans also use this port.

Buffer overflows in AnalogX Proxy before 4.12 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request to TCP port 6588 or a SOCKS 4A request to TCP port 1080 with a long DNS hostname.
References: [CVE-2002-1001] [BID-5139]

Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080.
References: [CVE-2004-0315] [BID-9721]

HEUR.Backdoor.Win32.Generic / Unauthenticated Open Proxy - the backdoor creates a Windows service backed by an executable named "1314.exe", it lives under C:\WINDOWS and listens on TCP ports 1080 and 8080. Third-party adversaries who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host. The relay does not require authentication or any special User-agent check and leverages the HTTP Host header in the request to connect to third-party systems.
References: [MVID-2021-0176]

Backdoor.Win32.Small.gs / Unauthenticated Remote Command Execution - the malware listens on TCP port 1080. Third-party attackers who can reach infected systems can execute OS commands and/or run arbitrary programs.
References: [MVID-2021-0336]

Backdoor.Win32.Agent.aer / Remote Denial of Service - the malware listens on TCP port 1080. Third-party attackers who can reach infected systems can send a specially crafted junk payload for the logon credentials to trigger an exception and crash.
References: [MVID-2021-0346]

Backdoor.Win32.Agent.bxxn / Open Proxy - the malware listens on TCP port 1080. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2022-0522]

Backdoor.Win32.Aphexdoor.LiteSock / Remote Stack Buffer Overflow (SEH) - the malware drops an extensionless PE file named "3" which listens on TCP port 1080. Third-party attackers who can reach an infected host can send a specially crafted packet to port 1080, that will trigger a stack buffer overflow overwriting ECX register and SEH.
References: [MVID-2022-0653]
 1214 tcp Kazaa Members scan Kazaa - peer-to-peer file sharing, some known vulnerabilities, and at least one worm (Benjamin) targeting it.

FastTrack, Apple iMesh also uses port 1214 (TCP/UDP).

iMesh is vulnerable to a buffer overflow. By connecting to the TCP port 1214 that iMesh listens on and sending a long string of data, a remote attacker can overflow a buffer and execute arbitrary code on the vulnerable system.
References: [BID-1576], [CVE-2000-0706], [OSVDB-1513], [XFDB-4829]

File-sharing application Morpheus contains a security vulnerability that allows remote users to obtain the Morpheus username of other users by establishing a telnet connection to port 1214 of a machine running Morpheus.
 12345 tcp NetBus Members scan Because of the common sequence of numbers "1 2 3 4 5" this port is commonly chosen when configuring programs, or as default port number.

Cubeworld Server uses port 12345 (TCP/UDP)

opendkim default port (may also use ports 8891,54321)

Tailscale (WireGuard-based open source app for secure private networks) uses port 12345


Some trojan horses/backdoors use this port: Ashley, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus Trojan, Pie Bill Gates, Whack Job, X-bill, ValvNet, TMListen, cron/crontab, Adoresshd.


Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551.

The Trend Micro OfficeScan uses port 12345. Client allows remote attackers to cause a denial of service by making 5 connections to port 12345, which raises CPU utilization to 100%.
References: [CVE-2000-0204] [BID-1013]

iSmartAlarm cube devices allow Denial of Service. Sending a SYN flood on port 12345 will freeze the "cube" and it will stop responding.
References: [CVE-2017-7730]

Incorrect access control for the diagnostic files of the iSmartAlarm Cube One through 2.2.4.10 allows an attacker to retrieve them via a specifically crafted TCP request to port 12345 and 22306, and access sensitive information from the device.
References: [CVE-2018-16224]

The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.
References: [CVE-2022-29957]
 87 tcp terminal link Members scan terminal link - a talk/chat style protocol. Port commonly used by intruders

Backdoor.Win32.Agent.ad / Insecure Credential Storage - the malware listens on TCP port 87, its default password "hoanggia" is stored in the Windows registry in cleartext under "clrprv.oo" in "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\System\NPP". The password is also set as cookie value "Cookie: pass=hoanggia; day=14; month=11; year=2021", which also gets sent over the network in plaintext. Third party attackers who can access the system or sniff traffic can grab the password, then execute any programs and/or run commands made available by the backdoor.
References: [MVID-2021-0406]
 540 tcp uucp Members scan a famous file transfer service, potential vulnerability.
 674 tcp ACAP Premium scan ACAP -- Application Configuration Access Protocol

References: RFC2244, RFC2595, RFC2636
 993 tcp IMAP-SSL Basic scan IMAP over SSL
 2000 tcp callbook Members scan "RemoteAnywhere" installs a webserver on this port. NeWS/OpenWin (Sun's older variation of X-Windows) uses this port.

Lineage also uses this port.

A number of trojan horses/backdoors use this port: TransScout, Der Spaeher, Fear, Force, GOTHIC Intruder, Insane Network, Last 2000, Real 2000, Remote Explorer 2000, Senna Spy Trojan Generator, Singularity
Backdoor.Fearic [Symantec-2002-080710-2744-99] (2002.08.07) - remote access trojan, affects all current Windows versions, opens ports 2000, 3456, 8811.
Trojan.Esteems.D [Symantec-2005-051615-2304-99] (2005.05.16) - trojan with keylogger capabilities. Uses port 2000/tcp to communicate with a remote host and send logged information.

Dark Colony game also uses port 2000 (TCP/UDP).

Unspecified vulnerability in the Session Border Controller (SBC) before 3.0(2) for Cisco 7600 series routers allows remote attackers to cause a denial of service (SBC card reload) via crafted packets to TCP port 2000.
References: [CVE-2009-0619], [BID-33975]

Port is also IANA registered for Cisco SCCP
 7000 tcp afs-fileserver Members scan AFS fileserver, Command and Conquer Renegade, Avira Server Management Console, Rumble Fighter (TCP/UDP)

Default for Vuze's built in HTTPS Bittorrent Tracker.

The game Aliens vs Predator 2 uses ports 7000-10000 (TCP).

W32.Gaobot.BQJ [Symantec-2004-110816-5549-99] (2004.11.08) - network-aware worm that opens a backdoor and can be controlled via IRC. It can affect all current Windows versions. Connects to an IRC server on port 7000/tcp.
W32.Mydoom.BQ@mm [Symantec-2005-050910-1159-99] (2005.05.09) - mass-mailing worm with backdoor capabilities, that uses its own SMTP engine. It communicates with an IRC server and listens for remote commands on port 7000/tcp.

W32.Mytob.GC@mm [Symantec-2005-062415-4022-99] (2005.06.24) - mass-mailing worm that opens a backdoor on port 7000/tcp.

Some older trojan horses/backdoors that also use this port: Exploit Translation Server, Kazimas, Remote Grab, SubSeven, BackDoor-G

The control-plane access-list implementation in Cisco IPS Software before 7.1(8p2)E4 and 7.2 before 7.2(2)E4 allows remote attackers to cause a denial of service (MainApp process outage) via crafted packets to TCP port 7000, aka Bug ID CSCui67394.
References: [CVE-2014-0719], [BID-65667], [XFDB-91195]
 23456 tcp trojans Members scan Common sequence of numbers "2 3 4 5 6" often used as default port by some programs and trojans.

Cisco SD-WAN edge devices use these ports to establish connections with peers in the overlay network:
UDP ports 12346, 12446, 12546, 12646 (UDP if DTLS)
TCP ports: 23456, 23556, 23656, 23756 (TCP if DTLS)

Trojans/backdoors that use this port: Evil FTP, Ugly FTP, WhackJob

An issue was discovered on AVStar PE204 3.10.70 IP camera devices. A denial of service can occur on open TCP port 23456. After a TELNET connection, no TCP ports are open.
References: [CVE-2019-18382], [XFDB-170155]

Backdoor.Win32.NetBull.11.b / Remote Buffer Overflow - NetBull.11.b listens on both TCP ports 23456 and 23457, sending a large junk packet results in buffer overflow overwriting stack registers.
References: [MVID-2021-0066]
 31 tcp msg-auth Members scan MSG Authentication

Delta Force also uses this port.

The following trojans/backdoors also use this port: Agent 31, Agent 40421, Hackers Paradise (ports 31, 456), Masters Paradise, Skun
 555 tcp dsf Members scan Trojans that use this port: 711 trojan (Seven Eleven), Ini-Killer, Net Administrator (NeTadmin), Phase Zero, Stealth Spy

Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.
References: [CVE-2012-1830]

Siklu EtherHaul could allow a remote attacker to execute arbitrary commands on the system. By connecting to port 555 via telnet, an attacker could exploit this vulnerability to execute arbitrary commands on the system and obtain sensitive information.
References: [CVE-2017-7318], [XFDB-122267]

Backdoor.Win32.Phase.11 / Unauthenticated Remote Command Execution - the phAse zero server v1.1 by njord of kr0me corp listens on TCP port 555. Third-party attackers who can reach an infected system can run commands made available by the malware and execute arbitrary programs further compromising the host. Using telnet to connect worked best, to start programs you need to pass an "S" argument preceding the program name like... EXEC S PROGRAM_NAME. Other commands are CURDIR, SHOWMSG etc. The ftpd command can also be initiated to third-party FTP servers to download tools to the infected host.
References: [MVID-2021-0428]
 777 tcp multiling-http Members scan Trojans that use this port: AimSpy (AIM trojan), Un-Detected (a.k.a. Backdoor.TDS, 4Fuk, Trojan.Win32.TrojanRunner.Levil, U4).

Heap-based buffer overflow in HistorySvr.exe in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a long request to TCP port 777.
References: [CVE-2011-0406], [BID-45727]

Port also IANA registered for Multiling HTTP
 999 tcp garcon Members scan Garcon, ScimoreDB Database System, Puprouter (TCP/UDP)

Trojans that run on this port: DeepThroat (a.k.a. DTV2, DTV3, BackDoor-J), F0replay (a.k.a. WiNNUke eXtreame), WinSatan

Delta Force game also uses port 999 (TCP/UDP)
 1001 tcp trojans Members scan Trojans using this port: Der Spaeher, Le Guardien, Silencer, WebEx, GOTHIC Intruder, Lula, One Windows Trojan, Theef

The Sabserv client component in Sabre Desktop Reservation Software 4.2 through 4.4 allows remote attackers to cause a denial of service via malformed input to TCP port 1001.
References: [CVE-2002-1191], [BID-5974]

Stack-based buffer overflow in Ubisoft Rayman Legends before 1.3.140380 allows remote attackers to execute arbitrary code via a long string in the "second connection" to TCP port 1001.
References: [CVE-2014-4334]

IANA registered for: HTTP Web Push
 1000 tcp trojans Members scan Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)

Cadlock / Cadlock2

Trojans using this port: Der Spaeher, Direct Connection, GOTHIC Intruder, Theef

Veritas Backup Exec Agents could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free vulnerability in multiple agents. By sending specially crafted NDMP data over SSL to TCP port 1000, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
References: [CVE-2017-8895], [XFDB-125969], [BID-98386], [EDB-42282]
 1024 tcp kdm Basic scan K Display Manager (KDE version of xdm)

Trojans that use this port: Jade, Latinus, Lithium, NetSpy, Ptakks, RAT, YAI
Backdoor.Lingosky [Symantec-2005-032311-2503-99] (2005.03.23) - trojan with backdoor capabilities. Opens a backdoor on port 1024/tcp.

Applications using this port: AIM Video IM, ICUII, NetMeeting with H323, Lingo VoIP, Battlefield 2142, Everquest

The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.
References: [CVE-1999-0816]
 1170 tcp trojans Premium scan W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.

Psyber Streaming Server (PSS) - remote access trojan, uses ports 1170, 1509, 4000.
Streaming Audio Trojan, Voice (TCP)
 24 tcp priv-mail not scanned Port used by any private mail system.
Also used by the Back Orifice 2000 (BO2K) trojan as Control Port
 1243 tcp trojans Members scan Trojans that use this port: BackDoor-G, SubSeven, Sub7(*), SubSeven Apocalypse, Tiles

Backdoor.Win32.Cabrotor.10.d / Unauthenticated Remote Command Execution - the malware listens on TCP port 1243. Attackers who can reach infected systems can issue commands made up of single characters, e.g. sending 'Q' will terminate the backdoor. Executing wrong or unknown commands will result in the following server response: "Comando desconocido".
References: [MVID-2022-0612]

SerialGateway (IANA official)
 1999 tcp tcp-id-port Members scan Cisco identification port.

Citrix Command Center Server uses ports 1099 and 2014 TCP to communicate with High Availability (HA) servers. May also use port 6011 TCP when there is a firewall between the primary and secondary servers.

Some trojans also use this port: Back Door, SubSeven, TransScout
Backdoor.Bifrose.C [Symantec-2005-051912-0450-99] (2005.05.19) - trojan that opens a backdoor on port 1999/tcp, and sends information to a remote server.

An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).
References: [CVE-1999-0453]

RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a RUN command that launches a .EXE file located at an arbitrary external URL, or a "SETFIREWALL Off" command.
References: [CVE-2018-7756], [EDB-44275]
 6670 tcp vocaltec Members scan Vocaltec global online directory.

Some trojans also use this port: BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame.
 6711 tcp trojans Premium scan SubSeven/BackDoor-G trojan
VP Killer trojan
Backdoor.KiLo [Symantec-2003-021319-1815-99] - Windows remote access trojan, listens on ports 6711, 6718. May be related to KiLo trojan (ports 50829,61746,61747,61748).

Backdoor.Win32.MiniBlackLash / Remote DoS - MiniBlackLash listens on both TCP port 6711 and UDP port 60000. Sending a large HTTP request string of junk chars to UDP port 60000 will crash this backdoor.
References: [MVID-2021-0060]
 6776 tcp trojans Members scan RAT (remote administration tool)

Trojans that use this port: 2000 Cracks, SubSeven/BackDoor-G, VP Killer
 6969 tcp acmsoda Members scan BitTorrent tracker

Backdoor.Assasin.D trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker.

Other trojans that use this port: GateCrasher, IRC 3/IRC Hack, Net Controller, Priority, Danton, 2000Cracks.

Backdoor.Win32.BlueAdept.02.a / Remote Buffer Overflow - the malware listens on TCP port 6969; after connecting to the infected host, TCP ports 6970 and 6971 are then opened. The newly opened port 6970 is vulnerable, allowing third-party attackers who can reach an infected host to trigger a buffer overflow overwriting the EAX, ECX and EDX registers.
References: [MVID-2021-0408]

Backdoor.Win32.Destrukor.20 / Authentication Bypass - the malware listens on TCP port 6969. However, after sending a specific cmd "rozmiar" the backdoor returns "moznasciagac" in Polish "you can download" and port 21 opens. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2022-0626]

Backdoor.Win32.Destrukor.20 / Unauthenticated Remote Command Execution - the malware listens on TCP port 6969. Third-party adversaries who can reach infected hosts can run commands made available by the backdoor. Remote attackers can read anything the victim types by starting the remote key log command "key_on". Some commands in Polish include "podglad", "dyski", "procesy", "wywiad", "rej_klucze1", "offserver" and many others.
References: [MVID-2022-0627]

acmsoda (IANA official) (TCP/UDP)
 20034 tcp trojans Members scan Some trojans/backdoors use this port: NetBus, NetRex, Whack Job
 21554 tcp trojans Members scan Some trojans/backdoors use this port: Exploiter, Kid Terror, Winsp00fer, GirlFriend
Schwindler remote access trojan - ports 21554, 50766

Backdoor.Win32.GF.j / Unauthenticated Remote Command Execution - the malware listens on TCP port 21554. Third-party adversaries who can reach infected hosts can run commands made available by the backdoor.
References: [MVID-2022-0566]
 22222 tcp multiple Members scan Fortnight to AWS
Redgate licensing client, Davis Instruments, WeatherLink IP
SolarEdge solar plant uses this port to upload data into their cloud.
Viasat (Swedish TV provider) routes traffic to digital boxes for digital TV through this port.
Hola VPN


Some trojans/backdoors use this port: Donald D1ck, G.R.O.B, Prosiak, Ruler, RUX The TIc.K

EasyEngine - CLI tool to manage WordPress Sites on Nginx server [rtCamp_Solutions_Private_Limited] (IANA official)
 32100 tcp trojans Members scan Some trojans/backdoors use this port: Peanut Brittle, Project nEXT
 33333 tcp trojans Members scan W32.Zotob.C@mm [Symantec-2005-081516-4417-99] - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port 33333/tcp. Same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.

Backdoor.Selka [Symantec-2004-111222-0435-99] - backdoor program, affects Windows, listens on port 33333.

Other trojans/backdoors that also use this port: Blakharaz, Prosiak

Port is IANA registered for Digital Gaslight Service.
 55165 tcp trojans Premium scan Some trojans use this port: File Manager trojan, WM Trojan Generator
 60000 tcp trojans Premium scan Trojans/backdoors that use this port: DeepThroat/BackDoor-J, F0replay/WiNNUke eXtreame, Sockets des Troie, MiniBacklash
 65000 tcp trojans Premium scan Trojans that use this port: Devil 13, Sockets des Troie, Stacheldraht (DDoS)
 3389 tcp rdp Basic scan Port is IANA registered for Microsoft WBT Server, used for Windows Remote Desktop and Remote Assistance connections (RDP - Remote Desktop Protocol). Also used by Windows Terminal Server.

See also: MS Security Bulletin [MS02-051] and [MS01-040].

Trojans using this port: Backdoor.Win32.Agent.cdm [Symantec-2005-050114-4234-99], TSPY_AGENT.ADDQ

This port is vulnerable to Denial of Service Attack Against Windows NT Terminal Server. A remote attacker can quickly cause a server to reach full memory utilization by creating a large number of normal TCP connections to port 3389. Individual connections will timeout, but a low bandwidth continuous attack will maintain a terminal server at maximum memory utilization and prevent new connections from a legitimate source from taking place. Legitimate new connections will fail at this point with an error of either a connection timeout, or the terminal server has ended the connection.
References: [CVE-1999-0680]

A vulnerability exists in the Remote Desktop Protocol (RDP), where an attacker could send a specially crafted sequence of packets to TCP port 3389 which can result in RDP accessing an object in memory after it has been deleted.
References: [CVE-2012-2526]

Zmodo Geovision also uses port 3389 (TCP/UDP)
 12348 tcp BioNet Members scan GCI BioNet trojan

Backdoor.Win32.Bionet.10 / Authentication Bypass RCE - the malware listens on TCP port 12348. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0414]
 3128 tcp ndl-aas Members scan Port used by some proxy servers (3proxy). Common web proxy server ports: 8080, 80, 3128, 6588

Tatsoft default client connection also uses port 3128.

Trojans and backdoors that use this port: Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero

W32.Mydoom.B@mm [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

W32.HLLW.Deadhat [Symantec-2004-020619-0805-99] (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.

Multiple buffer overflows in Thomas Hauck Jana Server allow remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request with a long major version number, an HTTP GET request to the HTTP proxy on port 3128 with a long major version number, a long OK reply from a POP3 server, and a long SMTP server response.
References: [CVE-2002-1061], [BID-5320]

Trojan.Win32.SkynetRef.x / Unauthenticated Open Proxy - the malware listens on TCP port 3128. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.

Active API Server Port (IANA official)
 1433 tcp ms-sql-s Members scan Microsoft SQL Server.

Vulnerabilities: Check CERT advisories CA-2002-22 - multiple vulnerabilities, CA-2003-04 MS SQL Server Worm. See also Microsoft Security Bulletin [MS02-061].

The Gaobot family of worms also exploit this port.

IBM License Metric Tool ports
1433 TCP - SQL server connection
9081 TCP - HTTPS web browser connections to server
50000 TCP - DB2 server connection
52311 TCP - BigFix clients and console connect to the server

Digispid.B.Worm [Symantec-2002-052108-5430-99] (2002.05.21) - worm that spreads to computers that run MS SQL server and have a blank SQL admin password. Uses port 1433/tcp.
W32.Kelvir.R [Symantec-2005-041214-1218-99] (2005.04.12) - worm that spreads through MSN messenger and drops a variant of W32.Spybot.Worm. It spreads using several known MS vulnerabilities, including MS security Bulletin [MS02-061] Microsoft SQL Server 2000 or MSDE 2000 audit using port 1434/udp.

Buffer overflow in the authentication function for Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 allows remote attackers to execute arbitrary code via a long request to TCP port 1433, a.k.a. the "Hello" overflow.
References: [CVE-2002-1123], [BID-5411]

The database server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote authenticated users to gain privileges via a request to TCP port 1433.
References: [CVE-2014-4684]
 9876 tcp session director Premium scan Session Director, True Image Remote Agent, Wireshark, nmap use this port.

Trojans that also use this port:
Cyber Attacker, Rux, Backdoor.Lolok

Backdoor.Lolok [Symantec-2002-120514-5802-99] is a backdoor Trojan that uses the mIRC client to give a hacker access to the computer. By default, it establishes an IRC connection to irc.tu-pac.net on port 9876. Usually spreads through email attachments or disguised as a video file. Discovered on 12.05.2002.

Acronis True Image Windows Agent 1.0.0.54 allows remote attackers to cause a denial of service (crash) via a malformed packet to port 9876, which triggers a NULL pointer dereference.
References: [CVE-2008-1280], [BID-28169]
 9872-9874 tcp trojans Premium scan Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.
 3700 tcp LRS NetPage Premium scan Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.

3700/tcp is also registered with IANA for: LRS NetPage
 2 tcp compressnet Premium scan trojans that use this port: Death remote access trojan (coded in VB, affects Windows 9x), port can be changed. Files: death.exe, config.cfg

America's Army, Operation Flashpoint also use this port.

Port 2 is also registered with IANA for compressnet management utility.
 121 tcp erpc Premium scan trojans/backdoors that use this port:
Attack Bot (files: Sysadmin.exe-181KB, Mpeg.exe, affects Windows 9x/ME)
God Message (ports 80,121,7777, a.k.a. BackDoor.AB.gen, JS.Trojan.WindowBomb, affects Windows 9x/ME/NT/2k)
JammerKillah (files: Jammerkillah.zip, Jammerkillah.exe, Mswin32.drv, affects Windows 9x/ME)
BO jammerkilla

Encore Expedited Remote Pro.Call (IANA official)
 10001 tcp scp Premium scan Wyze cameras use these ports:
80, 443 TCP/UDP - timelapse, cloud uploads, streaming data
8443 TCP - cloud api, server connection
123 TCP - time check
10001 TCP - P2P WiFi live streaming
10002 TCP - Firmware updates
22345 TCP - control, used when live streaming

Lantronix UDS-10/UDS100 RS-485 to Ethernet Converter default port

Seafile Windows Server uses these TCP ports: 8000 (seahub web interface), 8082 (seafile server), 10001 (ccnet), 12001 (seaf-server).

Tonido NAS remote access software uses port 10001

Veeam too for Veeam Agent Computer uses port 10001/TCP

Games that use 10001 (TCP/UDP):
Dungeon Fighter Online, MVP Baseball, Tera
IPFS (InterPlanetary File System) - FiveM and RedM game mods use this port

Backdoor.Zdemon.126 [Symantec-2003-050512-3204-99] (2003.05.05) - remote access trojan, affects all current Windows versions.

Lula trojan

The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9.41 does not require authentication, which allows remote attackers to execute arbitrary code via a session on TCP port 10001, aka ZDI-CAN-2116.
References: [CVE-2014-2609]

A missing error check exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 could allow an attacker to reset the user accounts to factory defaults, without authentication.
References: [CVE-2017-2877]

SCP Configuration Port (IANA official)
 11831 tcp trojans Premium scan Backdoor.Latinus [Symantec-2002-060710-5206-99] - remote access trojan, affects Windows 9x/ME/NT/2k/XP, opens TCP port 11831/tcp for direct control, 29559/tcp for file transfer, may also use ports 24289/tcp, 29559/tcp.

Backdoor.Pestdoor [Symantec-2002-100314-3144-99] (2002.10.03) - remote access trojan, affects Windows 9x/ME/NT/2k/XP

DarkFace - remote access trojan, affects Windows

Vagr Nocker (2001.02) - remote access trojan, affects Windows

Backdoor.Win32.Backlash.101 / Missing Authentication - BackLash Server 1.0 Alpha drops an executable named "d3d8thk.exe" under Windows dir and listens on TCP ports 11831 and 29559. Telnet to port 11831 allows anyone to retrieve basic system information and run some of the malware's built-in commands on the infected host.
References: [MVID-2021-0085]

Backdoor.Win32.Antilam.11 / Unauthenticated Remote Code Execution - the Win32.Antilam.11 malware aka "Backdoor.Win32.Latinus.b" (MVID-2021-0029), listens on TCP ports 11831, 29559. Third-party attackers who can reach infected systems can execute commands made available by the backdoor.
References: [MVID-2021-0324]
 12000 tcp trojans Members scan Applications that use this port: Phantasy Star Universe, ClearCommerce Engine 4.x (www.clearcommerce.com), CubeForm, Multiplayer SandBox Game.

Wizard 101 uses ports 12000-12999 (TCP/UDP).

SatanCrew [Symantec-2002-082915-3335-99] - remote access trojan, 08.2002. Affects Windows 9x/Me,NT,2K,XP.

W32.Mytob.GN@mm [Symantec-2005-062916-0911-99] (2005.06.29) - mass-mailing worm with its own SMTP engine and backdoor capabilities. Sends itself to email addresses it finds on the compromised computer. Opens an IRC backdoor on port 12000/tcp.

eosfailoverservice.exe in C3-ilex EOScada before 11.0.19.2 allows remote attackers to cause a denial of service by sending a large amount of data to TCP port 12000.
References: [CVE-2012-1813]

Backdoor.Win32.ReverseTrojan.200 / Authentication Bypass Empty Password - ReverseTrojan by satan_addict listens on TCP ports 12000 and 21. The malware accepts empty credentials for authentication as the default settings are set to blank. Third-party attackers who can reach an infected host can potentially gain access to the machine before or if no password is set.
References: [MVID-2021-0256]

IANA registered for: entextxid - IBM Enterprise Extender SNA XID Exchange
 901 tcp trojans Members scan NetDevil [Symantec-2002-021310-3452-99] (2002.02.13) - remote access trojan. Affects Windows 9x/Me/NT/2k/XP

Port IANA registered for SMPNAMERES

Also used by VMware Virtual Infrastructure Client, Samba SWAT tool, ISS RealSecure Sensor
 5588 tcp trojans Premium scan Easyserv.11 [Symantec-2002-080619-3837-99] (2002.08.06) - remote access trojan. Affects all current Windows versions.
 9696 tcp trojans Premium scan Backdoor.Gholame [Symantec-2002-081414-0139-99] - remote access trojan, affects Windows, opens TCP ports 9696 and 9697 by default.
 1034 tcp trojans Members scan Backdoor.Systsec [Symantec-2002-021314-3507-99] (2002.02.13) - remote access trojan. Affects all current Windows versions.
Backdoor.Zincite.A [Symantec-2004-072615-3305-99] (2004.07.26) - backdoor server program that allows unauthorized access to the compromised computer. It runs and listens for remote commands on port 1034/tcp.
W32.Mydoom.CI@mm [Symantec-2005-092711-1028-99] (2005.09.26) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine.

KWM trojan also uses this port.
 1111 tcp trojans Members scan Trojans that use this port:
Backdoor.AIMvision [Symantec-2002-101713-3321-99] (2002.10.17) - remote access trojan. Affects all current Windows versions.
Backdoor.Ultor [Symantec-2002-061316-4604-99] (2002.06.13) - remote access trojan. Affects Windows, listens on port 1111 or 1234.
Backdoor.Daodan - VB6 remote access trojan, 07.2000. Affects Windows.
W32.Suclove.A@mm [Symantec-2005-092612-2130-99] (2005.09.25) - a mass-mailing worm with backdoor capabilities that spreads through MS Outlook and MIRC. Opens a backdoor and listens for remote commands on port 1111/tcp.

Daodan, Tport trojans also use this port.

The Administration Service (FMSAdmin.exe) in Macromedia Flash Media Server 2.0 r1145 allows remote attackers to cause a denial of service (application crash) via a malformed request with a single character to port 1111.
References: [CVE-2005-4216], [BID-15822]

Backdoor.Win32.Agent.cy / Weak Hardcoded Credentials - the malware listens on TCP port 1111, drops an executable named "Spoolsw.exe" under SysWOW64 dir that runs with SYSTEM integrity. The password "TrFsB-RuleZ" is stored in plaintext and can be easily found running strings util against the malware executable.
References: [MVID-2021-0207]

Backdoor.Win32.Jokerdoor / Remote Stack Buffer Overflow - The malware listens on TCP port 1111 and drops a randomly named executable, e.g. xmutfeb.exe. Third party attackers who can reach an infected system can send a junk payload and trigger a classic stack buffer overflow overwriting the EBP, EIP registers and structured exception handler (SEH). When connecting you will get a "connected" server response, then we supply our payload as a parameter prefixed by "DOS" as running commands result in error.
References: [MVID-2021-0390]

Backdoor.Win32.SubSeven.c / Remote Stack Buffer Overflow - the malware listens on TCP port 1111. Third-party attackers who can reach an infected system can send a specially crafted packet prefixed with "DOS". This will trigger a classic stack buffer overflow overwriting ECX, EIP registers and structured exception handler (SEH).
References: [MVID-2022-0448]

LM Social Server (IANA official)
 1218 tcp trojans Premium scan Trojans that use this port:
Backdoor.Sazo [Symantec-2002-061716-5029-99] - remote access trojan, 06.2002. Affects Windows
Force/Feardoor - VB6 remote access trojan, 07.2002. Affects Windows.

Port is also IANA registered for: aeroflight-ads
 1234 tcp trojans Premium scan Backdoor.Ultor [Symantec-2002-061316-4604-99] (2002.06.13) - remote access trojan. Affects Windows, listens on port 1111 or 1234.

Some other trojans using this port: SubSeven 2.0, Bagle.AF.

Port is also IANA registered for: Infoseek Search Agent
 6718 tcp trojans Premium scan Backdoor.KiLo [Symantec-2003-021319-1815-99] - Windows remote access trojan, listens on ports 6711, 6718. May be related to KiLo trojan (ports 50829,61746,61747,61748).
 58343 tcp trojans Premium scan Backdoor.Prorat [Symantec-2003-061315-4216-99] (2003.06.13) - remote access trojan, affects Windows, opens port 58343 by default.
 31332 tcp trojans Premium scan Backdoor.Grobodor [Symantec-2003-060916-4848-99] - backdoor trojan coded in Delphi, affects Windows, listens on port 31332/tcp.
 10168 tcp trojans Premium scan W32.HLLW.Lovgate [Symantec-2003-021916-4352-99] - a worm with backdoor trojan capabilities. Affects all current Windows versions.
 3456 tcp trojans Premium scan Backdoor.Fearic [Symantec-2002-080710-2744-99] (2002.08.07) - remote access trojan. Affects all current Windows versions, opens ports 2000, 3456, 8811.

Some other trojans using this port: Terror Trojan, Fear, Force.

IANA registered for: VAT default data
 8811 tcp trojans Premium scan Backdoor.Fearic [Symantec-2002-080710-2744-99] (2002.08.07) - remote access trojan, affects all current Windows versions, opens ports 2000, 3456, 8811.

Backdoor.Monator [Symantec-2003-041712-0735-99] (2003.04.17) - a backdoor trojan that gives a hacker full access to your computer. By default it opens port 8811 for listening.
 3457 tcp trojans Premium scan Backdoor.Amitis [Symantec-2003-010717-1940-99] - remote access trojan, 05.2003. Affects all current Windows versions, listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429

IANA registered for: VAT default control
 7823 tcp trojans Premium scan Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551.
 13173 tcp trojans Premium scan Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551.
 44390 tcp trojans Premium scan Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551.
 47387 tcp trojans Premium scan Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551.
 64429 tcp trojans Premium scan Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551.
 3410 tcp trojans Members scan W32.mockbot.a.worm [Symantec-2004-022608-5242-99], Backdoor.Optixpro [Symantec-2004-012117-4011-99] - remote access trojan.

This port is also registered for NetworkLens SSL Event
 3737 tcp trojans Premium scan Backdoor.Helios [Symantec-2002-091211-5823-99] - remote access trojan. Affects all current Windows versions.

XPanel Daemon also uses this port.
 3332 tcp trojans Premium scan Port is registered with IANA for: MCS Mail Server

Some trojans that use this port:
Q0 BackDoor trojan
W32.Cycle [Symantec-2004-051015-4731-99] (2004.05.10). Exploits a MS vulnerability on port 445, listens on ports 3332/tcp and 69/udp.
 40421-40426 tcp trojans Premium scan Master's Paradise - remote access trojan, 03.1998. Affects Windows, uses ports 31, 3129, 40421-40426.

Port 40421/tcp also used by Agent 40421 trojan. Check port 30/tcp as well.
 3129 tcp trojans Premium scan Master's Paradise - remote access trojan, 03.1998. Affects Windows, uses ports 31, 3129, 40421-40426

MyDoom.B@mm trojan also uses this port.

Port 3129 is also registered with IANA for: NetPort Discovery Port
 3256 tcp trojans Premium scan W32.HLLW.Dax [Symantec-2002-091813-5520-99] (2002.09.18) - worm with remote access capabilities. Affects all current Windows versions.

Port is also registered with IANA for: Compaq RPM Agent Port

Vulnerabilities listed: 100 (some use multiple ports)