Port(s) |
Protocol |
Service |
Scan level |
Description |
10110 |
tcp,udp |
nmea-0183 |
not scanned |
Backdoor.Win32.Prexot.a / Authentication Bypass - the malware listens on random high TCP ports, e.g. 11404, 19545, 17001, 10110. Third-party attackers who can reach an infected system can log on using any username/password combination.
References: [MVID-2022-0484]
Backdoor.Win32.Prexot.a / Port Bounce Scan (MITM) - the malware listens on random high TCP ports, e.g. 11404, 19545, 17001, 10110, and accepts any credentials. Third-party intruders who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP server and not from the actual attacker.
References: [MVID-2022-0485]
NMEA-0183 Navigational Data (IANA official) |
31789 |
udp |
hackatack |
not scanned |
Hack 'a' Tack trojan - affects Windows, communicates over TCP ports 31778, 31785, 31787 and UDP ports 31788, 31789, 31790, 31791, 31792 by default. |
24 |
tcp |
priv-mail |
not scanned |
Port used by any private mail system.
Also used by the Back Orifice 2000 (BO2K) trojan as Control Port |
10067 |
udp |
trojans |
not scanned |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp. |
1 |
udp |
tcpmux |
not scanned |
TCP Port Service Multiplexer (IANA registered)
Sockets des Troie remote access trojan uses this port (a.k.a. Backdoor.Sockets23, Lame, Backdoor.Kamikaze, IRC_trojan, TROJ_Backdoor, W32/Cheval.gen, coded in Delphi 3, 06.1998). It might also use ports 1/udp, 5000, 5001, 30303, 50505, 60000 and 65000. |
33434-33523 |
udp |
traceroute |
not scanned |
incoming traceroute - under Unix-like operating systems, the traceroute utility uses User Datagram Protocol (UDP) datagrams with destination port numbers from 33434 to 33534 by default. Under Windows, the tracert command sends ICMP requests.
Cisco Webex Teams services use these ports:
443,444,5004 TCP
53, 123, 5004, 33434-33598 UDP (SIP calls) |
1645 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813.
A vulnerability has been reported in Cisco Secure Access Control Server, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error when parsing EAP-FAST user identities and can be exploited to execute arbitrary commands via specially crafted packets sent to UDP port 1645 or 1812.
References: [CVE-2013-3466], [SECUNIA-54610] |
1812 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813.
A vulnerability has been reported in Cisco Secure Access Control Server, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error when parsing EAP-FAST user identities and can be exploited to execute arbitrary commands via specially crafted packets sent to UDP port 1645 or 1812.
References: [CVE-2013-3466], [SECUNIA-54610] |
5228 |
tcp,udp |
android |
not scanned |
Port 5228 is used by the Google Play Store (Android Market). Google Talk also uses ports 443, 5222 and 5228. Google Chrome user settings sync (favorites, history, passwords) uses port 5228. |
12289 |
udp |
plc |
not scanned |
YOKOGAWA FA-M3 PLC industrial computer uses UDP ports 12289, 12291. |
10104 |
udp |
trojans |
not scanned |
Backdoor.Lowtaper [Symantec-2004-101411-3637-99] - remote access trojan, affects Windows, uses ports 24681/tcp and 10104/udp |
513 |
udp |
applications |
not scanned |
Multiple buffer overflows in the Syslog server in ManageEngine EventLog Analyzer 6.1 allow remote attackers to cause a denial of service (SysEvttCol.exe process crash) or possibly execute arbitrary code via a long Syslog PRI message header to UDP port 513 or 514.
References: [CVE-2010-4840] |
1101 |
tcp |
applications |
not scanned |
ZenSysSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (service crash) or possibly execute arbitrary code via a series of connections and disconnections on TCP port 1101, aka Reference Number 25212.
References: [CVE-2011-4534], [BID-51897]
Backdoor.Hatckel [Symantec-2002-120515-0748-99] - a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens 15 ports on the infected computer: 1101 to 1115. Backdoor.Hatckel is written in Visual Basic. |
65000 |
udp |
trojans |
not scanned |
Devil trojan horse 1.03
Backdoor.Win32.Whgrx / Remote Host Header Stack Buffer Overflow - the specimen listens on datagram UDP port 65000. Sending a specially crafted HTTP PUT request with a large string of characters for the HOST header triggers the buffer overflow, overwriting stack registers. Upon running, the malware may display a "Cannot load shared library wsocx.dll" message but still runs normally. The exploit payload specifies both 41414141 and 42424242 patterns, with 42424242 overwriting SEH and the ECX register; the 42424242 pattern targeted the HTTP HOST header.
References: [MVID-2021-0030] |
32768 |
tcp,udp |
first-os-ports |
not scanned |
first ports typically used for outgoing connections by some Linux distros like Red Hat: see /etc/rc.d/init.d/network and /proc/sys/net/ipv4/ip_local_port_range
Nascar 4 (UDP), Joint Operations Typhoon Rising (UDP) use port 32768.
Hacker's Paradise trojan also uses port 32768 (TCP). |
2130 |
udp |
trojans |
not scanned |
Mini Backlash remote access and password stealing trojan. Affects Windows 9x/ME. Uses ports 2130/udp and 3150/udp. |
1540 |
tcp,udp |
rds |
not scanned |
1C:Enterprise server agent (ragent)
IANA registered for: rds |
4592 |
tcp |
applications |
not scanned |
webvrpcs.exe in Advantech/BroadWin WebAccess allows remote attackers to execute arbitrary code or obtain a security-code value via a long string in an RPC request to TCP port 4592.
References: [CVE-2011-4041], [BID-47008] |
256 |
udp |
trojans |
not scanned |
Trojan.SpBot [Symantec-2005-040512-2941-99] (2005.04.05) - trojan horse that opens a compromised computer to be used as an email relay. Opens a backdoor on port 256/udp.
RAP (TCP/UDP) (IANA official) |
8005 |
udp |
applications |
not scanned |
Fuji Electric V-Server before 6.0.33.0 is vulnerable to denial of service via a crafted UDP message sent to port 8005. An unauthenticated, remote attacker can crash vserver.exe due to an integer overflow in the UDP message handling logic.
References: [CVE-2019-3946] |
20101 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager 5.5 before Build 1613 allows remote attackers to execute arbitrary code via a crafted IPC packet to TCP port 20101.
References: [CVE-2011-5001], [BID-50965] |
12401 |
tcp |
applications |
not scanned |
Buffer overflow in 7-Technologies (7T) Interactive Graphical SCADA System (IGSS) 9.0.0.11200 allows remote attackers to cause a denial of service via a crafted packet to TCP port 12401.
References: [CVE-2011-4050] [BID-51146]
PRLicenseMgr.exe in the Proficy Server License Manager in GE Intelligent Platforms Proficy Plant Applications 5.0 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TCP session on port 12401.
References: [CVE-2012-0231]
Multiple stack-based buffer overflows in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted (1) ListAll, (2) Write File, (3) ReadFile, (4) Delete, (5) RenameFile, and (6) FileInfo commands in an 0xd opcode; (7) the Add, (8) ReadFile, (9) Write File, (10) Rename, (11) Delete, and (12) Add commands in an RMS report templates (0x7) opcode; and (13) 0x4 command in an STDREP request (0x8) opcode to TCP port 12401.
References: [CVE-2011-1567] [BID-46936] [SECUNIA-43849]
WellinTech KingSCADA is vulnerable to a stack-based buffer overflow, caused by an integer overflow in kxNetDispose.dll. By sending a specially-crafted packet to TCP port 12401, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2014-0787], [XFDB-92641] |
7555 |
udp |
worm-linux |
not scanned |
Linux.Plupii.B [Symantec-2005-111712-0018-99] (2005.11.16) - a worm with backdoor capabilities. Attempts exploiting Linux vulnerabilities. Opens a backdoor and listens for remote commands on port 7555/udp. |
7222 |
udp |
worm-linux |
not scanned |
Linux.Plupii [Symantec-2005-110612-3334-99] (2005.11.06) - a worm with backdoor capabilities. Attempts exploiting several Linux web server related vulnerabilities. Opens a backdoor and listens for remote commands on port 7222/udp. |
20192 |
tcp |
trojans |
not scanned |
Backdoor.Ranky.V [Symantec-2005-110215-2104-99] (2005.11.02) - a trojan horse that allows the compromised computer to be used as a covert proxy. Starts a proxy on a random TCP port between 1025 and 65535, uses port 20192/tcp to send notifications of infection. |
10167 |
udp |
trojans |
not scanned |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp. |
50777 |
tcp |
applications |
not scanned |
zenAdminSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted packet to TCP port 50777, aka Reference Number 25240.
References: [CVE-2011-4533], [BID-51897] |
3689 |
tcp |
itunes |
not scanned |
iTunes Music Sharing (DAAP) |
3784 |
tcp,udp |
ventrilo |
not scanned |
Ventrilo
The decryption function in Flagship Industries Ventrilo 3.0.2 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) by sending a type 0 packet with an invalid version followed by another packet to TCP port 3784.
References: [CVE-2008-3680] [BID-30675]
Ventrilo 2.1.2 through 2.3.0 allows remote attackers to cause a denial of service (application crash) via a status packet that contains less data than specified in the packet header sent to UDP port 3784.
References: [CVE-2005-2719] [BID-14644] [SECUNIA-16551]
IANA registered for: BFD Control Protocol [RFC 5881] |
749 |
tcp,udp |
kerberos |
not scanned |
Kerberos administration
Related ports: 88,464,543,544,751 |
543 |
tcp |
klogin |
not scanned |
Kerberos login
Related ports: 88,464,544,749,751 |
544 |
tcp |
kshell |
not scanned |
Kerberos remote shell
Related ports: 88,464,543,749,751
A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785] |
520 |
tcp |
efs |
not scanned |
ISC DHCP server 4.2 before 4.2.0-P2, when configured to use failover partnerships, allows remote attackers to cause a denial of service (communications-interrupted state and DHCP client service loss) by connecting to a port that is only intended for a failover peer, as demonstrated by a Nagios check_tcp process check to TCP port 520.
References: [CVE-2010-3616], [BID-45360]
Port IANA registered for Extended File Name Server |
464 |
tcp,udp |
kpasswd |
not scanned |
Kerberos (v5)
Related ports: 88,543,544,749
A vulnerability has been reported in Kerberos, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the kpasswd application not properly handling malformed UDP packets and can be exploited to exhaust CPU and network resources via the UDP "ping-pong" attack on port 464.
References: [CVE-2002-2443], [SECUNIA-53375] |
8500 |
tcp |
Macromedia |
not scanned |
Ethersphere Swarm (distributed storage and communication system) uses these ports:
6060, 6831 tcp - pprof debugging http server
8500, 8545 tcp - web access http api
Macromedia ColdFusion MX Server (Edition 6) uses port 8500 to allow remote access as Web server
Rumble Fighter uses ports 7000-8500 (TCP/UDP) |
3632 |
tcp,udp |
distcc |
not scanned |
3632 is the default listen port for the distcc daemon (distributed C/C++ compiler). It only supports IP-based authentication and defaults to allow from all, which means anyone can use it. It does no other harm than letting others use your hardware (at +5 nice) to speed up their compilation process. |
4672 |
udp |
emule |
not scanned |
eMule p2p file sharing software uses ports 4661/tcp, 4662/tcp, 4665/udp, 4672/udp, 4711/tcp (web interface) by default. Some versions of this P2P client are vulnerable to a DecodeBase16 buffer overflow, which would allow an attacker to execute arbitrary code. |
125 |
tcp |
misc |
not scanned |
Port is sometimes unofficially used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of an ISP block on port 25.
Locus PC-Interface Net Map Ser (TCP/UDP) (IANA official) |
0 |
tcp,udp |
|
not scanned |
Port 0 is reserved by IANA, it is technically invalid to use, but possible. It is sometimes used to fingerprint machines, because different operating systems respond to this port in different ways. Some ISPs may block it because of exploits. Port 0 can be used by applications when calling the bind() command to request the next available dynamically allocated source port number. |
17 |
tcp,udp |
qotd |
not scanned |
Responds with Quote of the Day. See [RFC 865]
Skun trojan also uses this port. |
18 |
tcp,udp |
msp |
not scanned |
Message Send Protocol
Also: Remote Write Protocol (RWP)
Related RFCs: [RFC 1159] [RFC 1312] [RFC 1756]
Skun trojan also uses this port. |
101 |
tcp,udp |
hostname |
not scanned |
Hostnames NIC Host Name Server. [RFC953] [RFC811]
Skun trojan also uses this port (TCP). |
105 |
tcp,udp |
ccso |
not scanned |
IANA assigned to CCSO name server protocol (mailbox name nameserver). [RFC2378]
Backdoor.Nerte [Symantec-2001-110909-3147-99] also uses this port (TCP).
Buffer overflow in Mercury Mail Transport System 4.01b allows remote attackers to execute arbitrary code via a long request to TCP port 105.
References: [CVE-2005-4411], [BID-16396] |
106 |
tcp |
poppassd |
not scanned |
(TCP) poppassd (aka. epass) allows passwords to be changed on POP servers. Traditionally, users would have to have shell (Telnet) accounts on the servers in order to change their passwords. This allows users with just POP access to change their passwords.
The exchange looks something like:
S: 200 Hello
C: user robert
S: 300 Please send current password
C: pass mypassword
S: 200 send New Pass Word
C: newpass newpassword
S: 200 successful
C: quit
Protocol was originally developed for Eudora. Eudora Internet Mail Server versions 1.2, 2.0, 2.01 DoS: if you connect to this server and enter the command "USER xxxxxx" with more than 1000 characters, this service will crash.
Apple Mac OS X Password Server and City of Heroes also use this port.
Mail Management Agent (MAILMA) (a.k.a. Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106.
References: [CVE-2006-0129]
Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.
References: [CVE-1999-1113] [BID-75] |
109 |
tcp,udp |
pop2 |
not scanned |
Post Office Protocol 2 (obsolete). While POP2 has largely been replaced by POP3, hackers still scan for this port because many older POP servers have vulnerabilities associated with them. [RFC937]
ADM trojan also uses this port (TCP). |
54321 |
udp |
loadavg |
not scanned |
UDP port used by "loadavg" - a service that replies with the load average of a machine. |
14690 |
tcp,udp |
applications |
not scanned |
BitKeeper (bitmover.com) source management system
Battlefield 1942 game uses port 14690/udp |
18888 |
tcp,udp |
liquidaudio |
not scanned |
Port used by LiquidAudio servers. |
21157 |
udp |
games |
not scanned |
Activision gaming protocol [RFC 3027] |
700 |
udp |
buddyphone |
not scanned |
Port used by BuddyPhone Internet Telephony software. Also uses TCP range 5000-5111. |
1494 |
tcp |
citrix |
not scanned |
Citrix NetScaler gateway XenDesktop/Virtual Desktop uses port 1494 TCP/UDP for access to applications and virtual desktops by ICA/HDX.
Citrix WinFrame, also uses port 1604 UDP. |
1604 |
udp |
citrix |
not scanned |
Citrix WinFrame uses port 1604 UDP and port 1494 TCP.
DarkComet RAT (Remote Administration Tool) uses port 1604 (both TCP and UDP) by default.
|
22555 |
udp |
vocaltec |
not scanned |
Port used by VocalTec Internet Phone. |
22703 |
tcp,udp |
webtv |
not scanned |
WebTV is vulnerable to a DoS exploit on this port that can reboot the machine. |
22793 |
tcp |
vocaltec |
not scanned |
VocalTec Internet Phone - tcp connection to VocalTec servers on this port. |
26000 |
tcp,udp |
quake |
not scanned |
CCP's EVE Online (online gaming MMORPG)
Quake-based games (e.g. Half-Life, Quakeworld, QuakeIII, etc.), Empire Earth 2 (TCP), Star Trek Voyager: Elite Force (UDP)
Multiple buffer overflows in the client and server in Racer 0.5.3 beta 5 allow remote attackers to execute arbitrary code via a long string to UDP port 26000.
References: [CVE-2007-4370], [BID-25297]
The VStr::Resize function in str.cpp in Vavoom 1.24 and earlier allows remote attackers to cause a denial of service (daemon crash) via a string with a negative NewLen value within a certain UDP packet that triggers an assertion error.
References: [CVE-2007-4535], [EDB-30527]
quake (IANA official) |
27444 |
udp |
trojans |
not scanned |
Trin00 (DDoS attack tools) a.k.a. Trinoo and tribe flood network (TFN) use these ports: 27665/tcp (master control port), 27444/udp, 34555/udp, 35555/udp. See also CERT: IN-99-07 |
31335 |
udp |
trojan |
not scanned |
Trinoo distributed attack tool port. |
639 |
tcp,udp |
msdp |
not scanned |
MSDP - Multicast Source Discovery Protocol |
641 |
tcp,udp |
proxy |
not scanned |
SupportSoft Nexus Remote Command (control/listening): A proxy gateway connecting remote control traffic |
653 |
tcp,udp |
proxy |
not scanned |
SupportSoft Nexus Remote Command (data): A proxy gateway connecting remote control traffic |
4502-4534 |
tcp |
silverlight |
not scanned |
Ports are used by the Microsoft Silverlight plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser.
Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser. |
7123 |
tcp |
applications |
not scanned |
Port used by RealAudio.
Also the default port for the "fakewww" web server used with NDT (Network Diagnostic Tool).
End-to-end TLS Relay Control Connection (IANA official) |
3 |
tcp,udp |
compressnet |
not scanned |
Delta Force uses port 3 (TCP)
Midnight Commander
SynDrop trojan
Backdoor.Win32.Quux / Weak Hardcoded Credentials - the malware listens on TCP port 3. Authentication is required; however, the password "Faraon" (translated from Romanian as "Pharaoh") is weak and hardcoded in cleartext within the PE file. Third-party adversaries who can reach an infected host can call commands made available by the backdoor. Commands include uploading files and code execution. There's a need to code a custom client to communicate with the infected host, as nc64.exe and telnet send LF characters and will fail authentication when sending credentials containing "\n" etc. Once connected, any files sent will be written to Windows\System unless the "SetCurrDir" command is called.
References: [MVID-2022-0656]
Compression Process (IANA official) |
42042-42051 |
tcp,udp |
voddler |
not scanned |
Voddler uses ports 42042-42051 and 50726. |
43 |
tcp,udp |
whois |
not scanned |
WHOIS protocol |
1237 |
tcp,udp |
tsdos390 |
not scanned |
Port is IANA assigned to tsdos390. Also used by Command and Conquer, Dune2000. |
30120 |
tcp |
fivem |
not scanned |
FiveM Server (modification of GTA V) uses TCP ports 30120 and 30110. |
77 |
tcp,udp |
priv-rje |
not scanned |
IANA assigned for any private RJE service, netjrs.
The error message "TK_SPACE undeclared" is common to this port. This occurs when installed ports keep bombing out on sqlite3. |
103 |
tcp,udp |
gppitnp |
not scanned |
MS Exchange X.400 mail messaging traffic.
Trojans that use this port: Skun
Genesis Point-to-Point Trans Net (IANA registered) |
751 |
tcp,udp |
pump |
not scanned |
Port used by kerberos_master, Kerberos 'kadmin' (v4) authentication.
IANA assigned to: pump |
660 |
tcp,udp |
mac-srvr-admin |
not scanned |
Mac OS X Server administration
Zaratustra trojan also uses this port (TCP).
Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660.
References: [CVE-2004-1832], [BID-9914]
Backdoor.Win32.Zaratustra / Unauthenticated Remote File Write (Remote Code Exec) - Zaratustra malware listens on TCP port 660. Third-party attackers who can reach infected systems can use a socket program to write binary data to execute. The malware then writes that data to a file named "x.exe" under c: drive and will execute upon completion of the downloaded code.
References: [MVID-2021-0315] |
221 |
tcp,udp |
fln-spx |
not scanned |
Port is IANA registered for Berkeley rlogind with SPX auth
Trojans that use this port: Snape |
222 |
tcp,udp |
rsh-spx |
not scanned |
IANA registered for Berkeley rshd with SPX auth
Trojans that use this port: NeuroticKat, Snape
MicroWorld Technologies eScan could allow a remote attacker to execute arbitrary commands on the system, caused by improper access control by the eScan Agent Application (MWAGENT.EXE). By sending a specially-crafted request to TCP port 222, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
References: [CVE-2018-18388], [XFDB-154568]
Backdoor.Win32.Spion4 / Insecure Transit - SPION 4 Server terminal listens on TCP port 222 and passes its messages in unencrypted plaintext across the network.
References: [MVID-2021-0225] |
1646 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813. |
1813 |
udp |
RADIUS |
not scanned |
RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.
Uses UDP ports 1645 & 1646, or 1812 & 1813. |
9200 |
tcp,udp |
wsp |
not scanned |
Elasticsearch listens on ports 9200 and 9300 TCP
Starlink gRPC uses ports 9200 and 9201 TCP
Some Lexmark printers open port 9200 TCP/UDP
WapServ Lite, WapServ Pro and WapServ Enterprise are vulnerable to a denial of service. By sending specific byte values over port 9200 or port 9201, a remote attacker can cause the gateway to consume large amounts of memory resources, prevent the gateway from starting, or cause the gateway to crash.
References: [BID-8472], [XFDB-13011]
File Replication Pro could allow a remote attacker to execute arbitrary commands on the system, caused by an error in the ExecCommand function. By viewing configuration.xml, an attacker could exploit this vulnerability to send specially-crafted packet to port 9200 to execute arbitrary commands on the system.
References: [XFDB-110638]
WAP Connectionless Wireless Session Protocol (TCP/UDP) [WAP Forum] (IANA official) |
5672 |
tcp,udp,sctp |
amqp |
not scanned |
MOHAA Reverend
SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EPMD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP
Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practice, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server.
References: [CVE-2021-43799]
Advanced Message Queueing Protocol, see http://www.amqp.org (IANA official) |
5269 |
tcp |
jabber |
not scanned |
Jabber instant messaging software server-to-server connection, see http://www.jabber.org/protocol/
IANA registered for: Extensible Messaging and Presence Protocol - XMPP Server Connection [RFC 3920]
Apple iChat Server also uses this port. |
5066 |
tcp,udp |
stanag-5066 |
not scanned |
Microsoft Lync Server
GeoVision
RemotePlayBack
IANA registered for: STANAG 5066 (http://s5066.nc3a.nato.int) Communication protocol stack for Long thin pipes with a high bit-error rate specifically, HF radio. |
8550 |
tcp,udp |
4psa |
not scanned |
Primary/Master 4PSA DNS Manager server - http://www.4psa.com/
Port is used for master/slave connection between servers, also uses ports 53 and 953 tcp/udp. |
953 |
tcp,udp |
rdns |
not scanned |
Domain Name System (DNS) RNDC Service
BIND9 remote name daemon controller (TCP) (IANA registered) |
3506 |
udp |
games |
not scanned |
Take2 Bet On Soldier: Blood Sports (may require GameSpy ports to be opened - http://www.gamespyarcade.com/support/firewalls.shtml) |
6515 |
udp |
games |
not scanned |
GameSpy Arcade - Dplay UDP game data, Command & Conquer: Red Alert 3, Heroes of Might and Magic IV
Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901
IANA registered for: Elipse RPC Protocol (TCP/UDP) |
13139 |
udp |
games |
not scanned |
GameSpy Arcade - Custom UDP Pings, Worms 4 Mayhem
Armies of Exigo also uses this port.
Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
27900 |
udp |
games |
not scanned |
Battlefield 2142, ToCA Race Driver 3, Worms 4 Mayhem, Nintendo Wi-Fi Connection (TCP/UDP)
GameSpy Arcade - Master Server UDP Heartbeat. Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901 |
1159 |
tcp,udp |
oracle-oms |
not scanned |
Oracle OMS |
1521 |
tcp |
oracle |
not scanned |
Oracle database default listener. Oracle Database Management uses the following ports:
1521 TCP - Oracle SQL Net Listener and Data Guard
1832 TCP - Oracle Enterprise Management Agent HTTP (range 1830-1849)
49896 TCP - Oracle Clusterware (CRS daemon)
Transparent Network Substrate (TNS) Listener in Oracle 9i 9.0.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a single malformed TCP packet to port 1521.
References: [CVE-2002-0509], [BID-4391]
Port is also IANA registered for nCube License Manager |
1830 |
tcp |
net8-cman |
not scanned |
Oracle Net8 CMan Admin.
Oracle Database Management uses the following ports:
1521 TCP - Oracle SQL Net Listener and Data Guard
1832 TCP - Oracle Enterprise Management Agent HTTP (range 1830-1849)
49896 TCP - Oracle Clusterware (CRS daemon)
|
3872 |
tcp |
|
not scanned |
Oracle Management Remote Agent |
7778 |
tcp |
Oracle9iAS-OJSP |
not scanned |
AT&T Connect Web Conferencing uses TCP ports 443,80 and 7778
Oracle 9i Application Server Oracle Java Server Pages, Bad Trip MUD
Games:
Fabula Mortis uses ports 7777 and 7778
Tribes Vengeance uses port 7778 tcp/udp
The OHS component 1.0.2 through 10.x, when UseWebcacheIP is disabled, in Oracle Application Server allows remote attackers to bypass HTTP Server mod_access restrictions via a request to the webcache TCP port 7778.
References: [CVE-2005-1383] [BID-13418] [OSVDB-15908] [SECUNIA-15143]
Backdoor.Win32.RmtSvc.l / Remote Denial of Service - the malware listens on TCP port 7778. Third-party attackers who can reach infected systems can send a specially crafted junk HTTP CONNECT request to trigger an access violation and crash.
References: [MVID-2021-0348]
Backdoor.Win32.Tiny.c / Unauthenticated Remote Command Execution - the malware listens on TCP port 7778. Third-party attackers who can reach an infected system can run any OS commands, hijacking the compromised host.
References: [MVID-2022-0476] |
1211 |
tcp,udp |
groove-dpp |
not scanned |
Groove DPP
CoDeSys Gateway Server is vulnerable to a heap-based buffer overflow, caused by the failure to check for a signed value. By sending a specially-crafted packet to TCP port 1211, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-82254], [CVE-2012-4706], [BID-58032] |
2492 |
tcp,udp |
groove |
not scanned |
GROOVE |
1459 |
tcp,udp |
proshare1 |
not scanned |
Proshare Notebook Application |
1460 |
tcp,udp |
proshare2 |
not scanned |
Proshare Notebook Application |
1503 |
tcp |
Netmeeting |
not scanned |
T.120 communication protocols used for teleconferencing, videoconferencing and data sharing. Windows Live Messenger, NetMeeting with H323, CU-SeeMe-CUworld.
Databeam (IANA official) |
1513 |
tcp,udp |
fujitsu-dtc |
not scanned |
Garena Gaming Client
IANA registered for: Fujitsu Systems Business of America Inc |
1514 |
tcp,udp |
fujitsu-dtcns |
not scanned |
Fujitsu Systems Business of America Inc |
1525 |
tcp,udp |
orasrv |
not scanned |
Oracle
Archie, Prospero trojans also use this port (TCP). |
1526 |
tcp |
|
not scanned |
Oracle database common alternative for listener |