Shortcuts
|
Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 2984 |
tcp,udp |
hpidsadmin |
not scanned |
HPIDSADMIN |
| 2985 |
tcp,udp |
hpidsagent |
not scanned |
HPIDSAGENT |
| 2989 |
tcp,udp |
trojan |
not scanned |
Rat 1.2, Backdoor.Brador.A [Symantec-2004-080516-3455-99] |
| 2992 |
tcp,udp |
applications |
not scanned |
VideoReQuest |
| 2993 |
tcp,udp |
veritas-vis1 |
not scanned |
VERITAS VIS1 |
| 2994 |
tcp,udp |
veritas-vis2 |
not scanned |
VERITAS VIS2 |
| 3000 |
tcp |
various |
Members scan |
AdGuard Home Web Interface
Ruby on Rails applications default port
NodeJS
MDaemon WorldClient
Rocket Chat
NodeJS
Calista IP Phone (TCP/UDP)
Viewgate Classic DVR
Grafana (default http port)
GOGS (self-hosted GIT service)
Homeworld, Destroyer Command (TCP/UDP), Theef, Silent Hunter II (TCP/UDP), Active Worlds File Transfer (TCP/UDP), Miralix License server
Malware that uses this port: Remote Shutdown, InetSpy,
Alt-N Technologies MDaemon 3.5.4 allows a remote attacker to create a denial of service via the URL request of a MS-DOS device (such as GET /aux) to the Worldclient service at port 3000, or the Webconfig service at port 3001.
References: [CVE-2001-0583] [BID-2478]
WDaemon 9.5.4 allows remote attackers to access the /WorldClient.dll URI on TCP port 3000, which has unknown impact. NOTE: The researcher reports that the vendor response was "this is not a security bug."
References: [CVE-2007-0383] [OSVDB-34661]
Multiple stack-based buffer overflows in pdmwService.exe in SolidWorks Workgroup PDM 2014 SP2 allow remote attackers to execute arbitrary code via a long string in a opcode to port 3000.
References: [CVE-2014-100014]
Backdoor.Win32.Buterat.cxq / Insecure Permissions EoP - this malware creates an insecure dir under c:\ drive named "process", where it drops a random named executable and later moves it to C:\Users\[VICTIM]\AppData\Local\Temp where it sends SYN packets to TCP port 3000. The process dir grants change (C) permissions to the authenticated users group.
References: [MVID-2021-0063]
Cloud9 Integrated Development Environment server (IANA official) |
| 3000 |
udp |
btsync |
not scanned |
BitTorrent Sync (BTsync) uses port 3000 UDP to connect to torrent trackers. It also uses another configurable random UDP listen port (and/or UPnP).
Distributed Interactive Simulation (DIS) default port (unofficial)
Calista IP Phone, VidPhone
Trend Micro Antivirus products may use port 3000 UDP to communicate with their servers.
Some games use this port: Homeworld, Destroyer Command (TCP/UDP), Theef, Silent Hunter II (TCP/UDP), Active Worlds File Transfer (TCP/UDP) |
| 3001 |
tcp |
applications |
Premium scan |
Nessus Security Scanner
Galaxy Control Systems Access Control Systems
Redwood Broker
VidPhone
Miralix Phone Monitor
Opsware server (Satellite)
The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp.
Alt-N Technologies MDaemon 3.5.4 allows a remote attacker to create a denial of service via the URL request of a MS-DOS device (such as GET /aux) to the Worldclient service at port 3000, or the Webconfig service at port 3001.
References: [CVE-2001-0583], [BID-2478]
DenyAll WAF before 6.4.1 allows unauthenticated remote command execution via TCP port 3001 because shell metacharacters can be inserted into the type parameter to the tailDateFile function in /webservices/stream/tail.php. An iToken authentication parameter is required but can be obtained by exploiting CVE-2017-14706. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.
References: [CVE-2017-14705]
Tiandy IP cameras 5.56.17.120 do not properly restrict a certain proprietary protocol, which allows remote attackers to read settings via a crafted request to TCP port 3001, as demonstrated by config* files and extendword.txt.
References: [CVE-2017-15236]
IANA registered for: OrigoDB Server Native |
| 3002 |
tcp |
applications |
not scanned |
The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp.
Miralix CSTA
IANA registered for: EXLM Agent (TCP/UDP) |
| 3003 |
tcp |
applications |
not scanned |
The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp.
Miralix GreenBox API
Viewgate Classic DVR also uses port 3003 (TCP/UDP)
IANA registered for: CGMS (TCP/UDP) |
| 3003 |
udp |
citrix |
not scanned |
Citrix NetScaler appliance uses port 3003 UDP for exchange of hello packets for hearbeat (up/down) status. |
| 3004 |
tcp |
isync |
not scanned |
Apple iSync, World In Conflict, Miralix InfoLink
IANA registered for: Csoft Agent (TCP/UDP) |
| 3005 |
tcp |
plex |
not scanned |
Plex Media Server uses port 3005 TCP for locally controlling Plex Home Theater via Plex Companion.
Miralix TimeOut
The Simple Diagnostics Agent - versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations.
References: [CVE-2022-24396]
Genius License Manager (TCP/UDP) (IANA official) |
| 3006 |
tcp |
trojan |
Premium scan |
Clandestine, Miralix SMS Client Connector
IANA registered for: Instant Internet Admin (TCP/UDP) |
| 3007 |
tcp |
applications |
not scanned |
Viewgate Classic DVR, Miralix OM Server
IANA registered for: Lotus Mail Tracking Agent Protocol |
| 3008 |
tcp |
midnight-tech |
not scanned |
Citrix NetScaler appliance uses port 3008 TCP for Secure High Availability configuration synchronization
Citrix NetScaler and Citrix NetScaler VPX are vulnerable to a denial of service, caused by an error in the nsconfigd daemon. By sending a specially-crafted message to TCP port 3008 and 3010, a remote attacker could exploit this vulnerability to cause the system to crash.
References: [BID-62788], [XFDB-87618]
Miralix Proxy also uses this port.
IANA registered for: Midnight Technologies |
| 3009 |
tcp |
citrix |
not scanned |
Citrix NetScaler appliance uses port 3009 TCP for secure MEP |
| 3010 |
tcp |
applications |
not scanned |
Citrix NetScaler appliance uses port 3010 TCP for non-secure high availability configuration synchronization.
Multiple stack-based buffer overflows in FSD 2.052 d9 and earlier, and FSFDT FSD 3.000 d9 and earlier, allow (1) remote attackers to execute arbitrary code via a long HELP command on TCP port 3010 to the sysuser::exechelp function in sysuser.cc and (2) remote authenticated users to execute arbitrary code via long commands on TCP port 6809 to the servinterface::sendmulticast function in servinterface.cc, as demonstrated by a PIcallsign command.
References: [CVE-2007-5256] [BID-25883] [SECUNIA-27008]
Citrix NetScaler and Citrix NetScaler VPX are vulnerable to a denial of service, caused by an error in the nsconfigd daemon. By sending a specially-crafted message to TCP port 3008 and 3010, a remote attacker could exploit this vulnerability to cause the system to crash.
References: [BID-62788], [XFDB-87618]
Telerate Workstation (IANA official) |
| 3011 |
tcp,udp |
trusted-web |
not scanned |
Citrix NetScaler appliance uses port 3011 TCP for non-secure MEP.
Trusted Web |
| 3012 |
tcp,udp |
twsdss |
not scanned |
Trusted Web Client |
| 3017 |
tcp,udp |
event-listener |
not scanned |
Miralix IVR and Voicemail (TCP)
IANA registered for: event_listener |
| 3020 |
tcp,udp |
applications |
not scanned |
managers/socketManager.ts in PreMiD through 2.1.3 has a locally hosted socketio web server (port 3020) open to all origins, which allows attackers to obtain sensitive Discord user information.
References: [CVE-2020-24928], [XFDB-187537] |
| 3023 |
udp |
trojans |
not scanned |
W32.Trojan.Ranky.FV is a HTTP proxy trojan that once installed, allows an attacker to utilize the affected system to connect to other systems. This malcode has been reported to be downloaded and executed by W32.Worm.Mocbot variants which exploit the Windows Server Service Buffer Overflow vulnerability [MS06-040]. |
| 3024 |
tcp |
trojan |
Premium scan |
WinCrash [Symantec-2000-121909-3241-99] trojan
The ClientTrust program in Novell BorderManager does not properly verify the origin of authentication requests, which could allow remote attackers to impersonate another user by replaying the authentication requests and responses from port 3024 of the victim's machine.
References: [CVE-2000-0651], [BID-1440]
Port is also IANA registered for NDS_SSO |
| 3025 |
tcp,udp |
arepa-raft |
not scanned |
netpd.org (TCP)
IANA registered for: Arepa Raft |
| 3027 |
tcp,udp |
liebdevmgmt_c |
not scanned |
LiebDevMgmt_C |
| 3028 |
tcp,udp |
liebdevmgmt_dm |
not scanned |
LiebDevMgmt_DM
Backdoor.Wortbot [Symantec-2005-021611-0236-99] also uses this port (TCP). |
| 3029 |
tcp,udp |
liebdevmgmt_a |
not scanned |
LiebDevMgmt_A |
| 3030 |
tcp |
trojans |
Premium scan |
NetPanzer uses port 3030 (TCP/UDP).
W32.Mytob.ET@mm [Symantec-2005-061516-3312-99] (2005.06.15) - mass-mailing worm with backdoor capabilities. Uses its own SMTP engine to spread. Connects to an IRC server and listens for remote commands on port 3030/tcp.
Backdoor.Slao [Symantec-2003-052610-2111-99] (2003.05.26) - a backdoor trojan horse that allows unauthorized access to an infected computer.
Port also used by the W32.Mytob.EQ, W32.Mytob.cz@mm [Symantec-2005-060214-2034-99] variants of the worm.
IANA registered for: Arepa Cas (TCP/UDP) |
| 3031 |
tcp |
trojan |
Premium scan |
MicroSpy
Program Linking, Remote Apple Events also use port 3031 (TCP/UDP). |
| 3037 |
tcp,udp |
hp-san-mgmt |
not scanned |
Novell File Reporter could allow a remote attacker to upload arbitrary files, caused by the improper handling of handling /FSF/CMD requests for records with NAME "FSFUI" and UICMD "130" by the NFRAgent.exe binary. By sending a specially-crafted HTTP request over port 3037 (TCP), a remote attacker could exploit this vulnerability using the FILE tag to upload a malicious PHP script, which could allow the attacker to execute arbitrary code with SYSTEM privileges.
References: [XFDB-80131]
IANA registered for HP SAN Mgmt |
| 3040 |
tcp,udp |
tomato-springs |
not scanned |
Games: Star Trek Armada II (TCP)
PandaROM Update Service Port
IANA registered for: Tomato Springs |
| 3049 |
udp |
virus |
not scanned |
Linux.Jac.8759 [Symantec-2002-031117-1250-99] (2002.03.10) - an ELF file infector virus. It will infect up to 201 ELF files in the same directory from which it was executed. Additionally, if an infected executable is run as root, it will also switch to the /bin directory and infect another 201 ELF files there.
Port is also IANA registered for NSWS. |
| 3050 |
tcp,udp |
gds_db |
not scanned |
Borland Interbase database
Stack-based buffer overflow in the database service (ibserver.exe) in Borland InterBase 2007 SP2 allows remote attackers to execute arbitrary code via a malformed opcode 0x52 request to TCP port 3050.
References: [CVE-2008-1910], [BID-28730]
Integer overflow in Borland Interbase 2007 SP2 (8.1.0.256) allows remote attackers to execute arbitrary code via a malformed packet to TCP port 3050, which triggers a stack-based buffer overflow. NOTE: this issue might be related to [CVE-2008-0467].
References: [CVE-2008-2559] [BID-29302] [SECUNIA-30299]
Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the (a) SVC_attach or (b) INET_connect function, (2) a long create request on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database or (5) expand_filename2 function.
References: [CVE-2007-5243] [BID-25917] [OSVDB-38609] [SECUNIA-27058]
A vulnerability has been discovered in Firebird, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error when processing requests and can be exploited to cause a buffer overflow via a specially crafted request sent to TCP port 3050.
References: [CVE-2013-2492], [SECUNIA-52506]
gds_db (IANA official) |
| 3051 |
tcp,udp |
galaxy-server |
not scanned |
IANA registered for: Galaxy Server |
| 3052 |
tcp,udp |
apc-3052 |
not scanned |
IANA registered for APC 3052
APC PowerChute Network also uses this port |
| 3056 |
udp |
games |
not scanned |
Star Trek Armada II |
| 3057 |
udp |
games |
not scanned |
Star Trek Armada II |
| 3057 |
tcp |
applications |
not scanned |
Borland CaliberRM StarTeam is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the PGMWebHandler::parse_request() function in STMulticastService. If MPX Events and the StarTeam Message Broker option is enabled during installation, a remote attacker from within the local network could send an overly long HTTP request to TCP port 3057 to overflow a buffer and execute arbitrary code on the system with SYSTEM privileges.
References: [CVE-2008-0311], [XFDB-41647], [BID-28602], [OSVDB-44039] |
| 3067 |
tcp |
trojans |
Premium scan |
W32.Korgo.F [Symantec-2004-060111-5322-99] (2004.06.01) - worm that propagates using Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin [MS04-011]) on TCP port 445. It also listens on TCP ports 113, 3067, and may use other random ports.
IANA registered for: FJHPJP |
| 3071 |
tcp,udp |
games |
not scanned |
Call of Duty Black ops |
| 3072 |
tcp |
csd-monitor |
Premium scan |
Trojans using this port: IRC Bot [Symantec-2002-070818-0630-99]
IANA registered for: ContinuStor Monitor Port |
| 3074 |
tcp,udp |
xbox |
Premium scan |
Xbox 360 (Live) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (Live) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP, 500 UDP, 3544 UDP, 4500 UDP
Blazing Angels Squadrons of WWII, Call of Duty World at War use this port (TCP), Grand Theft Auto IV, James Bond: Quantum of Solace, Tom Clancy's Splinter Cell: Double Agent, Enemy Territory: Quake Wars. |
| 3075 |
tcp,udp |
orbix-locator |
not scanned |
Lost Planet - Extreme Condition, Call of Duty - World at War, Blazing Angels Online
IANA registered for: Orbix 2000 Locator |
| 3076 |
tcp,udp |
orbix-config |
not scanned |
Orbix 2000 Config |
| 3077 |
tcp,udp |
orbix-loc-ssl |
not scanned |
Orbix 2000 Locator SSL |
| 3078 |
tcp,udp |
orbix-cfg-ssl |
not scanned |
Orbix 2000 Locator SSL |
| 3080 |
tcp |
malware |
not scanned |
Trojan-Dropper.Win32.Delf.p / Remote Buffer Overflow - Delf.p accepts connections on various TCP/UDP ports. Attackers who can reach TCP port 3080 can send a specially crafted packet to trigger a buffer overflow corrupting the stack overwriting ECX register.
References: [MVID-2021-0133] |
| 3081 |
tcp,udp |
tl1-lv |
not scanned |
Tom Clancy's Splinter Cell: Conviction uses port 3081 (TCP), developer: Ubisoft Montreal
Rainbow Six Vegas also uses port 3081 (UDP)
Port is IANA assigned for TL1-LV |
| 3082 |
tcp,udp |
tl1-raw |
not scanned |
TL1-RAW |
| 3083 |
tcp,udp |
tl1-telnet |
not scanned |
TL1-TELNET |
| 3087 |
tcp |
asoki-sma |
not scanned |
Backdoor.Win32.Mazben.es / Unauthenticated Open Proxy - the malware listens on random TCP ports, known 2608, 6751, 3087, 5947. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0377]
Asoki SMA (IANA official) |
| 3097 |
tcp,udp |
applications |
Premium scan |
A service which is hosted on port 3097 in HiNet GPON firmware < I040GWR190731 allows an attacker to execute a specific command to read arbitrary files. CVSS 3.0 Base score 9.3. CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L).
References: [CVE-2019-13412], [XFDB-169696]
An "invalid command" handler issue was discovered in HiNet GPON firmware < I040GWR190731. It allows an attacker to execute arbitrary command through port 3097. CVSS 3.0 Base score 10.0. CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
References: [CVE-2019-13411], [XFDB-169698] |
| 3100 |
tcp,udp |
games |
not scanned |
Delta Force
IANA registered for: OpCon/xps |
| 3101 |
tcp |
bes |
Premium scan |
Port used by Blackberry Enterprise Server (BES). Also uses port 3500/tcp.
The Research in Motion (RIM) BlackBerry Router contains a vulnerability in the way the router handles Server Routing Protocol (SRP) packets. By sending specially crafted SRP packets to the router (port 3101 TCP), an attacker could cause a denial of service.
References: [CVE-2005-2342], [BID-16100]
IANA registered for: HP PolicyXpert PIB Server |
| 3103 |
tcp,udp |
autocuesmi |
not scanned |
Pigeon Server 3.02.0143 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a long login name sent to port 3103.
References: [CVE-2004-1688] [BID-11203] [SECUNIA-12585]
Autocue SMI Protocol (IANA official) |
| 3104 |
tcp |
applications |
not scanned |
Rainbow Six Vegas game
IANA registered for: Autocue Logger Protocol
CA Message Queuing (CAM/CAFT) software - buffer overflow vulnerability that can allow a remote attacker to execute arbitrary code by sending a specially crafted message to TCP port 3104 (CVE-2007-0060). |
| 3105 |
tcp,udp |
cardbox |
not scanned |
Cardbox, Settlers 4, Rainbow Six Vegas
Tom Clancy's Splinter Cell: Conviction also uses port 3105 (TCP), developer: Ubisoft Montreal |
| 3106 |
tcp,udp |
cardbox-http |
not scanned |
Cardbox HTTP |
| 3108 |
udp |
citrix |
not scanned |
Citrix NetScaler Gateway Plugin for VPN/XenApp/XenDesktop uses ports 3108, 3168, 3188 UDP for VPN tunnel with secure ICA connections. |
| 3110 |
tcp,udp |
sim-control |
not scanned |
YouTube Video Grabber 1.9.9.1 - Buffer Overflow (SEH)
References: [EDB-50471]
Kingdia CD Extractor 3.0.2 - Buffer Overflow (SEH)
References: [EDB-50470]
Simulator control port (IANA official) |
| 3114 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in NPSpcSVR.exe in Larson Network Print Server (LstNPS) 9.4.2 allows remote attackers to execute arbitrary code via a long argument in a LICENSE command on TCP port 3114.
References: [CVE-2008-0763], [BID-27732]
Format string vulnerability in the logging function in Larson Network Print Server (LstNPS) 9.4.2 build 105 and earlier for Windows might allow remote attackers to execute arbitrary code via format string specifiers in a USEP command on TCP port 3114.
References: [CVE-2008-0764] [BID-27732] [SECUNIA-28890]
CCM AutoDiscover (TCP/UDP) (IANA official) |
| 3115 |
tcp,udp |
mctet-master |
not scanned |
MCTET Master |
| 3116 |
tcp,udp |
mctet-gateway |
not scanned |
MCTET Gateway |
| 3117 |
tcp,udp |
mctet-jserv |
not scanned |
Rainbow Six Vegas
IANA registered for: MCTET Jserv |
| 3119 |
tcp,udp |
d2000kernel |
Premium scan |
Trojans using this port: Delta Remote Access
Backdoor.Win32.DRA.c / Weak Hardcoded Password - the malware listens on TCP port 3119 and authentication is required. However, the password "go" is weak and hardcoded in the PE file. The malware uses "lstrcmpa" Win32 API to check the password, when sending the password we need to be careful that there is no line feed "\n" E.g. "go\n", as what happens when sent using ncat or telnet causing authentication to fail.
References: [MVID-2022-0470]
IANA registered for: D2000 Kernel Port |
| 3120 |
tcp,udp |
d2000webserver |
not scanned |
D2000 Webserver Port |
| 3127 |
tcp |
worm |
Premium scan |
W32.Novarg.A@mm [Symantec-2004-012612-5422-99] (2004.01.26) - mass-mailing worm with remote access trojan. Affects all current Windows versions. A.K.A W32/Mydoom@MM.
When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, compromissing the entire system.
W32.HLLW.Deadhat [Symantec-2004-020619-0805-99] (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.
Some other trojans using this port: W32.HLLW.DoomJuice [Symantec-2004-020909-2916-99], W32.MockBot.A [Symantec-2004-022608-5242-99], Moody.Worm, W32.DoomHunter, W32.SoLame.A, W32.Welchia.D |
| 3128 |
tcp |
ndl-aas |
Members scan |
Port used by some proxy servers (3proxy). Common web proxy server ports: 8080, 80, 3128, 6588
Tatsoft default client connection also uses port 3128.
Trojans and backdoors that use this port: Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero
W32.Mydoom.B@mm [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
W32.HLLW.Deadhat [Symantec-2004-020619-0805-99] (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.
Multiple buffer overflows in Thomas Hauck Jana Server allow remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request with a long major version number, an HTTP GET request to the HTTP proxy on port 3128 with a long major version number, a long OK reply from a POP3 server, and a long SMTP server response.
References: [CVE-2002-1061], [BID-5320]
Trojan.Win32.SkynetRef.x / Unauthenticated Open Proxy - the malware listens on TCP port 3128. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
Active API Server Port (IANA official) |
| 3129 |
tcp |
trojans |
Premium scan |
Master's Paradise - remote access trojan, 03.1998. Affects Windows, uses ports 31, 3129, 40421-40426
MyDoom.B@mm trojan also uses this port.
Port 3129 is also registered with IANA for: NetPort Discovery Port |
| 3130 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm
IANA registered for: ICPv2 (TCP/UDP) |
| 3131 |
tcp,udp |
netbookmark |
Premium scan |
Oracle Application Server, LDAP SSL, Squid (HTTP Proxy)
Trojans using this port: SubSARI [Symantec-2003-030315-2821-99], MyDoom.B@mm.
Backdoor.Slao [Symantec-2003-052610-2111-99] (2003.05.26) - a backdoor trojan horse that allows unauthorized access to an infected computer.
IANA registered for: Net Book Mark. |
| 3132 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3133 |
tcp |
prism-deploy |
Members scan |
Malicious services using this port: Back Orifice, Back Orifice 2000, MyDoom.B@mm
IANA registered for: Prism Deploy User Port |
| 3134 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3135 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3136 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3137 |
tcp,udp |
rtnt-1 |
not scanned |
rtnt-1 data packets
MyDoom.B@mm trojan also uses this port (TCP). |
| 3138 |
tcp,udp |
rtnt-2 |
not scanned |
rtnt-2 data packets
MyDoom.B@mm trojan also uses this port (TCP). |
| 3139 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3140 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3141 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm
Finjan SurfinGate 6.0 and 7.0, when running in proxy mode, does not authenticate FHTTP commands on TCP port 3141, which allows remote attackers to use the finjan-parameter-type header to restart the service, use the getlastmsg command to view log information, or use the online command to force a policy update from the database server.
References: [CVE-2004-2107], [BID-9478]
Port is also IANA registered for VMODE |
| 3142 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm
apt-cacher-ng through 3.3 allows local users to obtain sensitive information by hijacking the hardcoded TCP port. The /usr/lib/apt-cacher-ng/acngtool program attempts to connect to apt-cacher-ng via TCP on localhost port 3142, even if the explicit SocketPath=/var/run/apt-cacher-ng/socket command-line option is passed. The cron job /etc/cron.daily/apt-cacher-ng (which is active by default) attempts this periodically. Because 3142 is an unprivileged port, any local user can try to bind to this port and will receive requests from acngtool. There can be sensitive data in these requests, e.g., if AdminAuth is enabled in /etc/apt-cacher-ng/security.conf. This sensitive data can leak to unprivileged local users that manage to bind to this port before the apt-cacher-ng daemon can.
References: [CVE-2020-5202], [XFDB-174813] |
| 3143 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3144 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3145 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm (worm)
CSI-LFAP (IANA official)
zftpserver (unofficial use) |
| 3146 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3147 |
tcp |
trojan |
Premium scan |
MyDoom.B@mm |
| 3148 |
tcp,udp |
nm-game-admin |
not scanned |
NetMike Game Administrator
MyDoom.B@mm trojan also uses this port (TCP). |
| 3149 |
tcp,udp |
nm-game-server |
not scanned |
NetMike Game Server
MyDoom.B@mm trojan also uses this port (TCP). |
| 3150 |
tcp,udp |
nm-asses-admin |
Members scan |
Netmike assessor administrator port.
Some trojans that also use this port: The Invasor (TCP), Deep Throat, Foreplay (UDP), Mini Backlash (uses ports 2130/udp and 3150/udp). |
| 3151 |
tcp,udp |
nm-assessor |
not scanned |
NetMike Assessor |
| 3154 |
udp |
applications |
not scanned |
Monopoly Tycoon, developer: Deep Red |
| 3155 |
tcp |
games |
not scanned |
Tom Clancy's H.A.W.X., developer: Ubisoft Romania |
| 3157 |
tcp,udp |
lsa-comm |
not scanned |
LSA Communicator (IANA official) |
| 3160 |
tcp,udp |
tip-app-server |
not scanned |
TIP Application Server (IANA official) |
| 3162 |
tcp,udp |
sflm |
not scanned |
IANA registered for: SFLM |
| 3163 |
tcp |
games |
not scanned |
Tom Clancy's H.A.W.X., developer: Ubisoft Romania |
| 3168 |
udp |
netscaler |
not scanned |
Citrix NetScaler Gateway Plugin for VPN/XenApp/XenDesktop uses ports 3108, 3168, 3188 UDP for VPN tunnel with secure ICA connections. |
Vulnerabilities listed: 100 (some use multiple ports)
|
