| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 2103 |
tcp,udp |
applications |
not scanned |
Microsoft Message Queuing (MSMQ) uses the following ports:
1801 TCP/UDP
2101, 2103, 2105 (RPC over TCP)
3527 UDP
Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103.
References: [CVE-2007-3039], [BID-26797]
Port is also IANA registered for Zephyr serv-hm connection. |
| 2104 |
tcp,udp |
games |
not scanned |
City of Heroes, City of Villains
IANA registered for: Zephyr hostmanager |
| 2105 |
tcp |
multiple |
not scanned |
Microsoft Message Queuing (MSMQ) uses the following ports:
1801 TCP/UDP
2101, 2103, 2105 (RPC over TCP)
3527 UDP
Kerberos encrypted remote login (rlogin)
Project Athena Zephyr Notification Service hm-serv connection (should use port 2102)
IBM MiniPay (IANA official) |
| 2106 |
tcp |
games |
not scanned |
Auto Assault, Lineage II, City of Heroes (TCP/UDP), City of Villains (TCP/UDP), Aion
IANA registered for: MZAP |
| 2107 |
tcp |
bintec |
not scanned |
Citrix SmartAuditor Server MSMQ management may use port 2107 TCP.
IANA registered for: BinTec Admin
|
| 2111 |
tcp,udp |
dsatp |
not scanned |
X over kerberos
Backdoor.Win32.Delf.abb / Insecure Transit - the malware listens on TCP ports 1988 and 2111 but message exchange takes place on port 1988. The backdoor uses unencrypted plaintext socket communication allowing anyone who can sniff network traffic to read any communications sent or retrieved. This can disclose information to third-party well positioned attackers.
References: [MVID-2021-0206]
OPNET Dynamic Sampling Agent Transaction Protocol (DSATP) [OPNET Technologies Inc] [Edward Macomber] (IANA official) |
| 2114 |
tcp,udp |
ariascribe |
not scanned |
IANA registered for: Classical Music Meta-Data Access and Enhancement |
| 2115 |
tcp,udp |
kdm |
Premium scan |
MIS Department
Trojan Bugs also uses port 2115 (TCP)
IANA registered for: Key Distribution Manager |
| 2121 |
tcp,udp |
scientia-ssdb |
not scanned |
FTP proxy uses port 2121 (TCP).
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
References: [CVE-2018-11311], [EDB-44656]
Backdoor.Win32.Burbul.b / Anonymous Logon - backdoor Burbul.b listens on TCP port 2121 allowing anonymous logon credentials to access the infected host E.g. USER anonymous PASS anonymous.
References: [MVID-2021-0093]
Worm.Win32.Busan.k / Insecure Communication Protocol - Busan.k launches a windows cmd console on the infected host so that it can send and receive messages back and forth over TCP port 2121. The worm uses unencrypted plaintext socket communication allowing anyone who can sniff network traffic to read any communications sent or retrieved. This can disclose sensitive information to third-party well positioned attackers.
References: [MVID-2021-0185]
Backdoor.Win32.Hupigon.aejq / Port Bounce Scan - the malware listens on TCP port 2121, its FTP component accepts any username/password credentials. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are
originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0330]
Backdoor.Win32.Hupigon.aejq / Authentication Bypass RCE - the malware runs an FTP server on TCP port 2121. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0329]
Backdoor.Win32.Prorat.lkt / Weak Hardcoded Password - the ProSpy Server V1.9 malware runs an FTP component that listens on TCP port 2121. The FTP server requires authentication for remote user access. However, the username and password both use the word "special" which is both weak and hardcoded in plaintext within the executable.
References: [MVID-2021-0360]
Backdoor.Win32.Agent.Amt / Authentication Bypass - The malware can run an FTP server which listens on TCP port 2121. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders can then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2024-0673]
SCIENTIA-SSDB (IANA official) |
| 2125 |
tcp,udp |
lockstep |
not scanned |
Lockstep Systems Backup for Workgroups is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the login module when handling login failure. By sending a specially-crafted TCP packet to port 2125, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-81992], [BID-57883]
IANA registered for: LOCKSTEP |
| 2130 |
udp |
trojans |
not scanned |
Mini Backlash remote access and password stealing trojan. Affects Windows 9x/ME. Uses ports 2130/udp and 3150/udp. |
| 2140 |
tcp,udp |
trojans |
Premium scan |
Some trojans use this port: Deep Throat, Foreplay, The Invasor |
| 2142 |
tcp,udp |
tdmoip |
not scanned |
TDM OVER IP (IANA official) [RFC 5087] |
| 2144 |
tcp,udp |
lv-ffx |
not scanned |
Iron Mountain LiveVault Agent uses port 2144 (TCP)
IANA registered for: Live Vault Fast Object Transfer |
| 2145 |
tcp,udp |
lv-pici |
not scanned |
Iron Mountain LiveVault Agent uses port 2145 (TCP)
IANA registered for: Live Vault Remote Diagnostic Console Support |
| 2149 |
tcp |
trojan |
Premium scan |
Deep Throat |
| 2150 |
tcp |
trojan |
Premium scan |
R0xr4t trojan |
| 2155 |
tcp |
brdptc |
Members scan |
[trojan] Illusion Mailer
Port is also IANA registered for Bridge Protocol. |
| 2156 |
tcp |
citrix |
Premium scan |
Citrix SD-WAN Center - reporting communication between SD-WAN Center and SD-WAN SE/EE devices.
Oracle
IANA registered for: Talari Reliable Protocol (TCP/UDP) |
| 2160 |
tcp,udp |
apc-2160 |
not scanned |
APC 2160 |
| 2161 |
tcp,udp |
apc-2161 |
not scanned |
APC 2161 |
| 2170 |
tcp,udp |
applications |
not scanned |
Mystic Island |
| 2171 |
tcp,udp |
msfw-storage |
not scanned |
MS Firewall Storage |
| 2172 |
tcp,udp |
msfw-s-storage |
not scanned |
MS Firewall SecureStorage
Backdoor.Win32.Jokerdoor / Remote Stack Buffer Overflow - the malware listens on TCP port 2172. Third party attackers who can reach an infected system can send a junk payload and trigger a classic stack buffer overflow overwriting the ECX, EIP registers and structured exception handler (SEH). When connecting you will get a "connected" server response, then we supply our payload as a parameter prefixed by "DOS" to successfully compromise the server.
References: [MVID-2021-0426] |
| 2173 |
tcp,udp |
msfw-replica |
not scanned |
MS Firewall Replication |
| 2174 |
tcp,udp |
msfw-array |
not scanned |
MS Firewall Intra Array |
| 2181 |
tcp,udp |
eforward |
not scanned |
Apache ZooKeeper nodes
Games: Mystic Island
IANA registered for: eforward |
| 2182 |
tcp |
aws |
not scanned |
Amazon AWS MSK connection to Apache ZooKeeper using TLS encryption (Apache ZooKeeper nodes use port 2181 by default)
CGN status (IANA official) |
| 2185 |
tcp,udp |
onbase-dds |
not scanned |
Trojan.Win32.Cospet.abg / Insecure Permissions EoP - Cospet.abg, creates an vulnerable dir named "dir" under c:\ drive granting change (C) permissions to the authenticated users group. Sends SYN packet to TCP port 2185.
References: [MVID-2021-0069]
OnBase Distributed Disk Services (IANA official) |
| 2188 |
tcp |
radware-rpm |
not scanned |
IANA registered for: Radware Resource Pool Manager |
| 2189 |
tcp |
trojans |
Premium scan |
Backdoor.Delf [Symantec-2003-050207-0707-99] - remote access and keylogging trojan family of backdoors, affect Windows. Different varians listen to these TCP ports: 23, 2189,2444,27378.
IANA registered for Secure Radware Resource Pool Manager |
| 2190 |
tcp,udp |
tivoconnect |
not scanned |
IANA registered for: TiVoConnect Beacon |
| 2191 |
tcp,udp |
applications |
not scanned |
Mystic Island |
| 2195 |
tcp |
applications |
not scanned |
Apple Push Notification Service (APNS) |
| 2196 |
tcp |
applications |
not scanned |
Apple Push Notification Service (APNS) |
| 2200 |
tcp |
applications |
not scanned |
Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via crafted packets to TCP port 1900 or 2200.
References: [CVE-2007-0449]
Port is also IANA registered for ICI |
| 2200 |
udp |
games |
not scanned |
Tuxanci game server |
| 2207 |
tcp |
applications |
not scanned |
The hpssd message parser in hpssd.py in HP Linux Imaging and Printing (HPLIP) 1.6.7 allows local users to cause a denial of service (process stop) via a crafted packet, as demonstrated by sending "msg=0" to TCP port 2207.
References: [CVE-2008-2941], [BID-30683]
Port also IANA registered for HP Status and Services. |
| 2208 |
tcp |
trojan |
Premium scan |
Rux.PSW trojan horse |
| 2210 |
tcp |
applications |
not scanned |
MikroTik Remote management for "The Dude"
IANA registered for: NOAAPORT Broadcast Network (TCP/UDP) |
| 2211 |
tcp |
applications |
not scanned |
MikroTik Secure management for "The Dude"
IANA registered for: EMWIN (TCP/UDP) |
| 2211 |
udp |
malware |
not scanned |
Backdoor.Win32.Singu.a / Remote Stack Buffer Overflow (UDP Datagram) - the malware listens on UDP ports 2211 and 8899. Third-party attackers who can reach an infected host can send a specially crafted UDP packet to port 8899, triggering a classic buffer overflow overwriting ECX and EIP registers.
References: [MVID-2021-0221] |
| 2212 |
tcp,udp |
leecoposserver |
not scanned |
Port-A-Pour Remote WinBatch uses port 2212 (TCP)
IANA registered for: LeeCO POS Server Service |
| 2213 |
tcp,udp |
applications |
not scanned |
KALI |
| 2219 |
tcp,udp |
netiq-ncap |
not scanned |
IANA registered for: NetIQ NCAP Protocol |
| 2220 |
tcp,udp |
netiq |
not scanned |
IANA registered for: NetIQ End2End |
| 2221 |
tcp,udp |
rockwell-csp1 |
not scanned |
Rockwell CSP1
ESET Anti-virus updates also use this port (TCP).
Port is IANA registered for: EtherNet/IP over TLS (TCP); EtherNet/IP over DTLS (UDP) |
| 2222 |
tcp,udp |
rockwell-csp2 |
not scanned |
Rockwell CSP2
ESET Remote Administrator, DirectAdmin default
Microsoft Office OS X anti-piracy network monitor
Cognex In-Signt (IANA official) uses these ports:
68 udp - DHCP In-Signt vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure
Some trojans also use this port: BackDoor.Botex [Symantec-2004-062718-3311-99], SweetHeart, Rootshell, Way
The MicroWorld Agent service (MWAGENT.EXE) in MicroWorld Technologies eScan, allows remote or local attackers to gain privileges and execute arbitrary commands by connecting directly to TCP port 2222.
References: [CVE-2007-0655], [BID-23759]
Rockwell Automation ControlLogix is vulnerable to a denial of service, caused by the improper validation of input being sent to the buffer. By sending a specially-crafted CIP message to TCP and UDP ports 2222 and 44818, a remote attacker could exploit this vulnerability to cause the CPU to stop logic execution and enter a denial of service.
References: [XFDB-81235]
Backdoor.Win32.Mnets / Remote Stack Buffer Overflow - the backdoor listens for commands on UDP ports 2222 and 4444. Sending a mere 323 bytes we can overwrite the instruction pointer (EIP), potentially giving us program execution flow over the remote Malware.
References: [MVID-2021-0031]
Port is also IANA registered for EtherNet/IP I/O. |
| 2223 |
tcp,udp |
rockwell-csp3 |
not scanned |
Microsoft Office OS X antipiracy network monitor (UDP)
IANA registered for: Rockwell CSP3 |
| 2225 |
tcp,sctp |
rcip-itu |
not scanned |
Resource Connection Initiation Protocol |
| 2233 |
tcp,udp |
applications |
not scanned |
RDT traffic (unicast peer to peer communication) uses port 2233/TCP
Shiva VPN
Infocrypt (IANA official) |
| 2234 |
tcp,udp |
applications |
not scanned |
Janes F-18, developer: Electronic Arts
Operation Flashpoint also uses this port
Soulseek uses ports 2234-2239 |
| 2235 |
tcp,udp |
applications |
not scanned |
Operation Flashpoint |
| 2236 |
tcp |
applications |
not scanned |
Macintosh Manager |
| 2239 |
tcp,udp |
applications |
not scanned |
Soulseek uses ports 2234-2239 |
| 2255 |
tcp |
trojan |
Premium scan |
Nirvana |
| 2259 |
tcp,udp |
bid-serv |
not scanned |
BIF identifiers resolution service (IANA official) |
| 2261 |
tcp,udp |
comotionmaster |
not scanned |
IANA registered for: CoMotion Master Server |
| 2262 |
tcp,udp |
comotionback |
not scanned |
IANA registered for: CoMotion Backup Server |
| 2266 |
tcp |
trojans |
Members scan |
Backdoor.Dawcun [Symantec-2010-040116-0914-99] (2010.04.01) - a trojan horse that steals confidential information and opens a back door on the compromised computer. It opens a back door by connecting to a remote server on TCP ports 2266 and 3390 to send the confidential information and to download, decrypt and then start the updated rootkit driver.
Port is also IANA registered for M-Files Server |
| 2268 |
tcp,udp |
amt |
not scanned |
AMT (IANA official) [RFC 7450] |
| 2281 |
tcp |
trojan |
Premium scan |
Nautical |
| 2283 |
tcp |
trojans |
Members scan |
Dumaru.Y [Symantec-2004-012316-2557-99] (2004.01.23) - multi-threaded, mass mailing worm that opens a backdoor, runs a keylogger and attempts to steal personal information. Opens ports 2283/tcp and 10000/tcp.
Hvl RAT - remote access trojan, coded in VB5, uses TCP ports 1095-1099 and 2283.
Port registered for Lotus Notes LNVSTATUS |
| 2287 |
tcp |
dna |
Premium scan |
Rig Exploit Kit communicates over port 2287 TCP, same signature as Pitou.B Trojan [Symantec-2016-011823-3733-99]
Port is IANA registered for: DNA |
| 2290 |
udp |
games |
not scanned |
Virtual Tennis, developer: Strangelite |
| 2291 |
udp |
games |
not scanned |
Virtual Tennis, developer: Strangelite |
| 2293 |
udp |
games |
not scanned |
Virtual Tennis, developer: Strangelite |
| 2294 |
udp |
games |
not scanned |
Virtual Tennis, developer: Strangelite |
| 2299 |
tcp,udp |
applications |
not scanned |
Monopoly Tycoon, developer: Deep Red |
| 2300 |
tcp,udp |
applications |
not scanned |
Combat Flight Simulator 3: Battle For Europe (UDP), Battlecom, Age of Empires III (ports 2300-2310), eJamming Station, Heroes of Might and Magic III (TCP), Realflight G3 (UDP)
Aliens vs Predator uses ports 2300-2400 (UDP)
Storm, Xplorer trojans also use port 2300 (TCP). |
| 2301 |
tcp,udp |
cpq-wbem |
not scanned |
Warrior Kings, HP System Management Redirect to port 2381
Compaq Web-based Management Software is vulnerable to a buffer overflow in the authentication page "cpqlogin.htm." By default, Compaq Web-based Management Software is installed on TCP port 2301 and could allow a remote attacker to send a username containing exactly 460 bytes to overflow a buffer and execute arbitrary code on the system with administrator privileges.
References: [CVE-2001-0134] [BID-2200]
Denial of service in Compaq Management Agents and the Compaq Survey Utility via a long string sent to port 2301.
References: [CVE-1999-0772]
IANA registered for: Compaq HTTP |
| 2302 |
udp |
games |
not scanned |
Halo - Combat Evolved, Freelancer, Battlestations: Midway, Civilization III, Dungeon Siege (TCP/UDP), Virtual Tennis, Homeworld 2 (TCP/UDP), ArmA multiplayer (default for game) |
| 2303 |
udp |
games |
not scanned |
Halo - Combat Evolved, Freelancer, ArmA II |
| 2304 |
udp |
games |
not scanned |
Freelancer |
| 2305 |
udp |
games |
not scanned |
ArmA II, developer: Bohemia Int.
Integer underflow in Armed Assault (aka ArmA) 1.14 and earlier, and 1.16 beta, and Armed Assault II 1.02 and earlier allows remote attackers to cause a denial of service (crash) via a VoIP over Network (VON) packet to port 2305 with a negative packet_size value, which triggers a buffer over-read.
References: [CVE-2009-2547]
Vulnerability in Halocon can cause a DoS (Denial of Service). The vulnerability is caused due to an error in the communication handling. This can be exploited to terminate the server socket by sending an empty UDP datagram to port 2305.
References: [SECUNIA-13868]
Port also IANA registered for MT ScaleServer (TCP/UDP) |
| 2308 |
tcp |
applications |
not scanned |
Heap-based buffer overflow in the Siemens WinCC Runtime Advanced Loader, as used in SIMATIC WinCC flexible Runtime and SIMATIC WinCC (TIA Portal) Runtime Advanced, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted packet to TCP port 2308.
References: [CVE-2011-3321]
Port also IANA registered for sdhelp (TCP/UDP) |
| 2311 |
tcp |
trojan |
Premium scan |
Studio 54 |
| 2315 |
tcp |
applications |
not scanned |
IBM solidDB is vulnerable to a denial of service, caused by an error in the solid.exe database server. By sending specially-crafted TCP packets to TCP port 2315, a remote attacker could exploit this vulnerability to cause the service to crash.
References: [BID-37053] |
| 2322 |
tcp |
trojan |
Premium scan |
Backdoor.Shellbot [Symantec-2005-060316-4212-99] |
| 2323 |
tcp,udp |
3d-nfsd |
not scanned |
Often used as alternate telnet port instead of 23 TCP
Philips TVs based on jointSPACE use port 2323 TCP
Hardcoded credentials in the Akuvox R50P VoIP phone 50.0.6.156 allow an attacker to get access to the device via telnet. The telnet service is running on port 2323; it cannot be turned off and the credentials cannot be changed.
References: [CVE-2019-12327], [XFDB-164224]
IANA registered for: 3d-nfsd |
| 2327 |
tcp,udp |
applications |
not scanned |
Netscape Conference H.323 HostCall |
| 2330 |
tcp |
trojan |
not scanned |
IRC Contact |
| 2331 |
tcp |
trojan |
not scanned |
IRC Contact |
| 2332 |
tcp |
trojans |
not scanned |
IRC Contact, Silent Spy |
| 2333 |
tcp |
trojans |
not scanned |
IRC Contact, backdoor.shellbot |
| 2334 |
tcp |
trojans |
Premium scan |
IRC Contact, Eyeveg.worm.c, Power |
| 2335 |
tcp |
trojans |
Premium scan |
IRC Contact, backdoor.shellbot |
| 2336 |
tcp |
trojan |
not scanned |
IRC Contact
OS X Portable Home Directories also uses this port. |
| 2337 |
tcp |
trojans |
not scanned |
IRC Contact, The Hobbit Daemon |
| 2338 |
tcp |
trojan |
not scanned |
IRC Contact |
| 2339 |
tcp,udp |
trojans |
not scanned |
IRC Contact, Voice Spy, VoiceSpy - OBS!!! |
| 2343 |
tcp |
trojans |
Premium scan |
Backdoor.Asylum (05.2000) - remote access trojan, uses ports 81, 2343, 23432 by default.
IANA registered for: nati logos |
| 2345 |
tcp |
worms |
Premium scan |
W32.Netsky.AE@mm [Symantec-2004-102522-4640-99] (2004.10.25) - a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it finds in the Windows address book on the infected computer. It also spreads by copying itself to the shared folders of various file-sharing and instant messaging programs.
W32.Yimfoca [Symantec-2010-050209-1610-99] (2010.05.02) - a worm that spreads by sending links through Yahoo! Messenger and displays surveys when popular websites are visited.
Buffer overflow in HP Openview Network Node Manager 6.1 allows remote attackers to execute arbitrary commands via the Alarm service (OVALARMSRV) on port 2345.
References: [CVE-2000-0558] [BID-1317]
By default, the port is used by Symon Communications - Symon2KpipeServer -can be changed by administrator to anything.
Doly trojan also uses this port |
| 2346 |
tcp |
games |
not scanned |
Rainbow Six (Client and Server), Rogue Spear, Ghost Recon (TCP/UDP) |
| 2347 |
tcp,udp |
games |
not scanned |
Ghost Recon |
| 2348 |
tcp,udp |
games |
not scanned |
Ghost Recon |
| 2350 |
udp |
games |
not scanned |
Commandos 3: Destination Berlin, Take No Prisoners, TrackMania (TCP/UDP), Virtual Skipper 3 and 4 (TCP/UDP) |
| 2350 |
tcp |
applications |
not scanned |
Nadeo Game Engine for Nadeo TrackMania and Nadeo Virtual Skipper 3 allows remote attackers to cause a denial of service (server crash) via malformed data to TCP port 2350, possibly due to long values or incorrect size fields.
References: [CVE-2004-2077], [BID-9604] |
| 2368 |
tcp,udp |
opentable |
not scanned |
Ghost Blogging Platform (TCP)
IANA registered for: OpenTable. |
| 2369 |
tcp,udp |
bif-p2p |
not scanned |
Blockchain Identifier InFrastructure P2P |
