Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
Port(s) |
Protocol |
Service |
Scan level |
Description |
5146 |
tcp |
social-alarm |
not scanned |
Social Alarm Service |
5150 |
tcp |
trojan |
Premium scan |
D-Link D-ViewCam network camera software and mobile app uses port 5160 TCP (remote playback server), and port 5150 TCP (live streaming) by default.
Pizza
Netflow
NUUO NVRmini, Tony Hawks Pro Skater 3, Malware Cerberus RAT also use port 5150 (TCP/UDP)
IANA registered for: Ascend Tunnel Management Protocol (TCP/UDP) |
5151 |
tcp |
trojans |
Premium scan |
Backdoor.Optix.04.c [Symantec-2002-102319-1255-99] (2002.10.23) - remote access trojan. Affects all current Windows versions, listens to port 5151 by default.
Tony Hawks Pro Skater 3 also uses port 5151 (TCP/UDP).
Email-Worm.Win32.Sidex / Unauthenticated Remote Command Execution - the malware listens on TCP port 5151 and creates a dir named "vortex" with several PE files. Third-party adversaries who can reach an infected host can run commands made available by the backdoor.
References: [MVID-2022-0564]
esri_sde - ESRI SDE Instance (IANA official) |
5151 |
udp |
applications |
not scanned |
The Logging Server (ftplogsrv.exe) 7.9.14.0 and earlier in IPSwitch WS_FTP 6.1 allows remote attackers to cause a denial of service (loss of responsiveness) via a large number of large packets to port 5151/udp, which causes the listening socket to terminate and prevents log commands from being recorded.
References: [CVE-2008-0608] [BID-27612] [SECUNIA-28761]
The Logging Server (Logsrv.exe) in IPSwitch WS_FTP 7.5.29.0 allows remote attackers to cause a denial of service (daemon crash) by sending a crafted packet containing a long string to port 5151/udp.
References: [CVE-2007-3823] [SECUNIA-26040] [OSVDB-36218] |
5152 |
tcp |
trojan |
Premium scan |
Backdoor.laphex.client [Symantec-2002-082812-3154-99] |
5153 |
tcp |
toruxserver |
not scanned |
ToruX Game Server |
5154 |
tcp,udp |
bzflag |
not scanned |
IANA registered for: BZFlag game server |
5155 |
tcp |
trojan |
Premium scan |
Oracle trojan |
5156 |
tcp |
rugameonline |
not scanned |
Russian Online Game |
5157 |
tcp |
mediat |
not scanned |
Mediat Remote Object Exchange |
5160 |
tcp |
applications |
not scanned |
D-Link D-ViewCam network camera software and mobile app uses port 5160 TCP (remote playback server), and port 5150 TCP (live streaming) by default.
Netflow
NUUO NVRmini also uses port 5160 (TCP/UDP) |
5161 |
tcp |
snmpssh |
not scanned |
SNMP over SSH Transport Model [RFC 5592] (IANA official) |
5162 |
tcp |
snmpssh-trap |
not scanned |
SNMP Notification over SSH Transport Model [RFC 5592] (IANA official) |
5163 |
tcp |
sbackup |
not scanned |
Shadow Backup |
5164 |
tcp,udp |
vpa-disc |
not scanned |
Virtual Protocol Adapter Discovery |
5166 |
tcp,udp |
winpcs |
not scanned |
WinPCS Service Connection [Complan_Network_AS] (IANA official) |
5167 |
tcp,udp |
scte104 |
not scanned |
SCTE104 Connection |
5168 |
tcp,udp |
scte30 |
not scanned |
Integer overflow in the RPCFN_SYNC_TASK function in StRpcSrv.dll, as used by the ServerProtect service (SpntSvc.exe), in Trend Micro ServerProtect for Windows allows remote attackers to execute arbitrary code via a certain integer field in a request packet to TCP port 5168, which triggers a heap-based buffer overflow.
References: [CVE-2007-4219], [BID-25396]
Multiple stack-based buffer overflows in Trend Micro ServerProtect 5.58 before Security Patch 2 Build 1174 allow remote attackers to execute arbitrary code via crafted data to (1) TCP port 5168, which triggers an overflow in the CAgRpcClient::CreateBinding function in the AgRpcCln.dll library in SpntSvc.exe; or (2) TCP port 3628, which triggers an overflow in EarthAgent.exe. NOTE: both issues are reachable via TmRpcSrv.dll.
References: [CVE-2007-2508] [SECUNIA-25186] [BID-23868] [OSVDB-35790]
Port is also IANA registered for SCTE30 Connection |
5172 |
tcp |
pcoip-mgmt |
not scanned |
PC over IP Endpoint Management (IANA official) |
5173 |
tcp |
applications |
not scanned |
Vite |
5176 |
tcp |
applications |
not scanned |
ConsoleWorks default UI interface |
5179 |
tcp |
applications |
not scanned |
The IM Server 2.0.5.30 and probably earlier in Ipswitch Collaboration Suite (ICS) allows remote attackers to cause a denial of service (daemon crash) via certain data to TCP port 5179 that overwrites a destructor, as reachable by the DoAttachVideoSender, DoAttachVideoReceiver, DoAttachAudioSender, and DoAttachAudioReceiver functions.
References: [CVE-2007-3959], [BID-25031] |
5180 |
tcp |
applications |
Premium scan |
Backdoor.Peeper [Symantec-2003-091918-3229-99] (2003.09.19) - a trojan horse that allows its creator to control an infected computer. By default, it listens on TCP port 5180
Applications that use this port: Netscape, Neverwinter Nights 2
Note: Netscape 7 opens this port on localhost only (could be related to the built-in AIM) |
5188 |
tcp,udp |
applications |
not scanned |
Hongdian H8922 3.0.5 devices have an undocumented feature that allows access to a shell as a superuser. To connect, the telnet service is used on port 5188 with the default credentials of root:superzxmn.
References: [CVE-2021-28152] |
5190 |
tcp,udp |
aim |
Members scan |
ICQ, AIM (AOL Instant Messenger), Apple iChat
Malicious services using this port: MBomber, W32.hllw.anig
AOL Instant Messenger (AIM) allows remote attackers to steal files that are being transferred to other clients by connecting to port 4443 (Direct Connection) or port 5190 (file transfer) before the intended user.
References: [CVE-2002-0592], [BID-4574]
Trojan.Kalshi [Symantec-2003-100916-2311-99] (2003.10.10) - a trojan program that is designed to allow spammers to anonymously send email spam via a compromised system. The trojan may install a rootkit (MCID 1300) to obscure its activities.
W32.HLLW.Anig [Symantec-2004-012912-1745-99] (2004.01.28) - a worm that propagates over network shares. The worm also contains a keylogger and backdoor component. |
5191 |
tcp,udp |
aim |
not scanned |
ICQ, AIM (AOL Instant Messenger) |
5192 |
tcp,udp |
aim |
not scanned |
ICQ, AIM (AOL Instant Messenger) |
5193 |
tcp,udp |
aim |
not scanned |
ICQ, AIM (AOL Instant Messenger) |
5194 |
tcp |
cpscomm |
not scanned |
CipherPoint Config Service |
5195 |
tcp |
ampl-lic |
not scanned |
The protocol is used by a license server and client programs to control use of program licenses that float to networked machines [AMPL Optimization] (IANA official) |
5196 |
tcp |
ampl-tableproxy |
not scanned |
The protocol is used by two programs that exchange "table" data used in the AMPL modeling language [AMPL Optimization] (IANA official) |
5198 |
tcp,udp |
applications |
not scanned |
Echolink |
5199 |
tcp,udp |
applications |
not scanned |
Echolink |
5200 |
tcp,udp |
targus-getdata |
not scanned |
TARGUS GetData, Echolink, EchoMac (TCP)
Siemens SpeedStream 5200 with NetPort Software 1.1 allows remote attackers to bypass authentication via an invalid Host header, possibly involving a trailing dot in the hostname.
References: [CVE-2008-6916], [BID-32203] |
5201 |
tcp,udp |
targus-getdata1 |
not scanned |
TARGUS GetData 1
Iperf3 (tool for measuring TCP and UDP bandwidth performance) also uses this port. |
5202 |
tcp |
trojans |
Premium scan |
Backdoor.Wualess.C [Symantec-2007-082706-4210-99] (2007.08.27) - a trojan horse that opens a back door and connects to an IRC server on TCP port 5202.
Port is also IANA registered for TARGUS GetData 2 |
5203 |
tcp,udp |
targus-getdata3 |
not scanned |
TARGUS GetData 3 |
5209 |
tcp |
nomad |
not scanned |
Nomad Device Video Transfer [Morega_System] (IANA official) |
5220 |
tcp,udp |
applications |
not scanned |
Apple iChat |
5221 |
tcp |
trojan |
Premium scan |
NOSecure trojan
The port is IANA registered for 3eTI Extensible Management Protocol for OAMP. |
5222 |
tcp |
chat |
Members scan |
Google Talk
Jabber instant messaging software client-to-server connection
CU-SeeMe-CUworld
Apple iChat (TCP/UDP)
WhatsApp uses these ports:
80, 443, 4244, 5222, 5223, 5228, 5242 TCP
50318, 59234 TCP/UDP
3478, 45395 UDP
X-Sense smoke detectors
Warface game ports: 5222 TCP, 64100-64299 UDP
League of Legends game uses these ports:
5000 - 5500 UDP - Game Client
8393 - 8400 TCP - Patcher and Maestro
2099, 5222, 5223 TCP - PVP.Net
80, 443 TCP - HTTP Connections
Extensible Messaging and Presence Protocol (XMPP, Jabber) client connection [RFC 6120] (IANA official) |
5223 |
tcp |
applications |
Members scan |
Port used by Apple to maintain a persistent connection to APNs and receive push notifications. Some Apple applications that use this port: MobileMe, FaceTime, Game Center, APNs.
WhatsApp uses these ports:
80, 443, 4244, 5222, 5223, 5228, 5242 TCP
50318, 59234 TCP/UDP
3478, 45395 UDP
Tizen Operating System on Samsung smart TVs uses port 5223.
DirecTV uses port 5223
Playstation 3 uses these ports:
TCP 5223
UDP 5223, 3478, 3479, 3658
Call of Duty: World at War [game] uses this port.
League of Legends game uses the following ports:
5000 - 5500 UDP - League of Legends Game Client
8393 - 8400 TCP - Patcher and Maestro
2099 TCP - PVP.Net
5222 TCP - PVP.Net
5223 TCP - PVP.Net
80 TCP - HTTP Connections
443 TCP - HTTPS Connections |
5224 |
tcp |
plesk |
not scanned |
Plesk license updates (outgoing connections only)
Apple iOS connections to Apple servers |
5225 |
tcp,udp |
hp-server |
not scanned |
Directory traversal vulnerability in the HP Color LaserJet 2500 Toolbox and Color LaserJet 4600 Toolbox on Microsoft Windows before 20060402 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request to TCP port 5225.
References: [CVE-2006-1654], [BID-17367]
Port is IANA registered for HP Server |
5226 |
tcp,udp |
hp-status |
not scanned |
IANA registered for: HP Status
Trojans that may be using this port: FakeAlert-C |
5228 |
tcp,udp |
android |
not scanned |
Port 5228 is used by the Google Playstore (Android market). Google Talk also uses ports 443, 5222 and 5228. Google Chrome user settings sync (favorites, history, passwords) uses port 5228. |
5228 |
tcp |
hpvroom |
not scanned |
HP Virtual Room Service
WhatsApp uses these ports:
80, 443, 4244, 5222, 5223, 5228, 5242 TCP
50318, 59234 TCP/UDP
3478, 45395 UDP
Ring Doorbell uses TCP ports 80, 443, 5228, 15064. In addition, it may use a random UDP port, and outbound TCP ports 7078, 9078, 9998, 9999, 15063 |
5232 |
tcp |
trojans |
Members scan |
Backdoor.Lateda.C [Symantec-2005-033112-4545-99] (2005.03.31) - backdoor trojan with remote access capabilities. Connects to an IRC server on the l33t.freeshellz.org domain on port 5232/tcp, opens a backdoor on port 9999/tcp.
W32.Mytob.EP@mm [Symantec-2005-061413-5518-99] (2005.06.14) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands via IRC on this port.
W32.Spybot.UBH [Symantec-2005-081412-4342-99] (2005.08.14) - a worm with backdoor and distributed denial of service (DDoS) capabilities. Spreads by exploiting the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]).
Opens a backdoor and listens for remote commands via IRC on this port.
The presence of the Distributed GL Daemon (dgld) service on port 5232 on SGI IRIX systems allows remote attackers to identify the target host as an SGI system.
References: [CVE-2000-0893]
Silicon Graphics Distributed Graphics Library daemon
Cruse Scanning System Service (IANA official) |
5233 |
tcp |
enfs |
not scanned |
IANA registered for: Etinnae Network File Service |
5235 |
tcp,udp |
applications |
not scanned |
Qnext |
5236 |
tcp,udp |
applications |
not scanned |
Qnext |
5237 |
tcp,udp |
applications |
not scanned |
Qnext |
5238 |
tcp |
applications |
not scanned |
Memory leak in Netscape Collabra Server 3.5.4 and earlier allows a remote attacker to cause a denial of service (memory exhaustion) by repeatedly sending approximately 5K of data to TCP port 5238.
References: [CVE-2001-0683] |
5239 |
tcp |
applications |
not scanned |
Netscape Collabra Server 3.5.4 and earlier allows a remote attacker to cause a denial of service by sending seven or more characters to TCP port 5239.
References: [CVE-2001-0684] |
5240 |
tcp,udp |
malware |
not scanned |
Backdoor.Win32.Wollf.16 / Weak Hardcoded Password - Wollf.16 creates and runs a service named contime.exe with SYSTEM integrity and listens on port 5240. The malware uses a weak hardcoded password "12345678" which can easily be viewed in the binary using strings utility.
References: [MVID-2021-0051] |
5241 |
tcp |
applications |
not scanned |
An unauthenticated remote attacker can send data to RsvcHost.exe listening on TCP port 5241 to add entries in the FactoryTalk Diagnostics event log. The attacker can specify long fields in the log entry, which can cause an unhandled exception in wcscpy_s() if a local user opens FactoryTalk Diagnostics Viewer (FTDiagViewer.exe) to view the log entry. Observed in FactoryTalk Diagnostics 6.11. All versions of FactoryTalk Diagnostics are affected.
References: [CVE-2020-5807] |
5242 |
tcp |
attune |
Premium scan |
Viber uses the following ports: 80, 443, 4244, 5242, 5243, 7985 TCP/UDP
WhatsApp uses these ports:
80, 443, 4244, 5222, 5223, 5228, 5242 TCP
50318, 59234 TCP/UDP
3478, 45395 UDP
ATTUne API (IANA official) |
5243 |
tcp |
xycstatus |
Premium scan |
Viber uses the following ports: 80, 443, 4244, 5242, 5243, 7985 TCP/UDP
xyClient Status API and rendezvous point (IANA official) |
5245 |
tcp,udp |
downtools-disc |
not scanned |
DownTools Control Protocol/ DownTools Discovery Protocol |
5246 |
udp |
capwap-control |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
CAPWAP Control Protocol [RFC 5415] (IANA official) |
5247 |
udp |
capwap-data |
not scanned |
CAPWAP Data Protocol [RFC 5415] (IANA official) |
5250 |
tcp |
trojan |
Premium scan |
Pizza trojan |
5253 |
tcp |
kpdp |
not scanned |
IANA registered for: Kohler Power Device Protocol |
5254 |
tcp |
logcabin |
not scanned |
LogCabin storage service (IANA official) |
5258 |
tcp |
applications |
not scanned |
Papenmeier WiFi Baby Monitor Free & Lite before 2.02.2 allows remote attackers to obtain audio data via certain requests to TCP ports 8258 and 8257.
References: [CVE-2018-7661], [EDB-442322] |
5262 |
tcp |
worm |
not scanned |
W32.Fanbot.A@mm [Symantec-2005-101715-5745-99] (2005.10.17) - a mass-mailing worm that lowers security settings on the compromised computer. It also spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin [MS05-039]) and through peer-to-peer networks. |
5269 |
tcp |
jabber |
not scanned |
Jabber instant messaging software server-to-server connection, see http://www.jabber.org/protocol/
IANA registered for: Extensible Messaging and Presence Protocol - XMPP Server Connection [RFC 3920]
Apple iChat Server also uses this port. |
5270 |
tcp,udp |
cartographerxmp |
not scanned |
IANA registered for: Cartographer XMP |
5271 |
tcp |
cuelink |
not scanned |
StageSoft CueLink messaging |
5271 |
udp |
cuelink-disc |
not scanned |
StageSoft CueLink discovery |
5277 |
tcp |
trojan |
Members scan |
WinJank [Symantec-2003-071117-5539-99] (2003.07.11) - a backdoor trojan horse that allows unauthorized access to your computer, listens to port 5277 TCP by default.
WinShell trojan also uses this port.
Backdoor.Win32.WinShell.30 / Remote Stack Buffer Overflow / Missing Authentication - WinShell.30 listens on TCP port 5277 for commands. Attackers or responders who can reach the infected host can trigger a buffer overflow by sending a large string of junk characters in place of an expected command. This will overwrite EIP and potentially allow control of the malware's execution flow. Moreover, WinShell.30 also lacks any type of authentication for inbound connections, which can allow anyone to take over the infected system.
References: [MVID-2021-0040]
Backdoor.Win32.Wisell / Unauthenticated Remote Command Execution - the malware listens on TCP port 5277; third-party attackers who can reach the system can execute OS commands, further compromising the already infected system. Sending the exclamation point character "!" will not only quit the shell, but also effectively terminate the backdoor.
References: [MVID-2021-0234]
Backdoor.Win32.Winshell.5_0 / Weak Hardcoded Credentials - the malware is UPX packed, listens on TCP port 5277 and requires authentication for remote access. However, the password "123456789" is weak and hardcoded within the PE file. Unpacking the executable easily reveals the cleartext password.
References: [MVID-2022-0633] |
5280 |
tcp,udp |
applications |
not scanned |
Xvnc, Bidirectional-streams Over Synchronous HTTP (BOSH) (TCP)
Extensible Messaging and Presence Protocol (XMPP) also uses this port |
5281 |
tcp |
undo-lm |
not scanned |
Undo License Manager
Extensible Messaging and Presence Protocol (XMPP) also uses this port |
5287 |
tcp |
apps |
Members scan |
IP Camera viewer apps (FOSCAM web camera viewer, Sony Myxperia app, Baidu Android app) all make periodic connections to port 5287 tcp with some Chinese servers. |
5295 |
tcp |
malware |
not scanned |
Backdoor.Win32.GateHell.21 / Authentication Bypass - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2022-0559]
Backdoor.Win32.GateHell.21 / Port Bounce Scan - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party adversaries who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This lets remote attackers abuse the infected system to discreetly conduct network port scanning. Scanned hosts will then see the scans as originating from the infected system running the malware's FTP server rather than from the attacker.
References: [MVID-2022-0560] |
5296 |
tcp |
malware |
not scanned |
Backdoor.Win32.GateHell.21 / Authentication Bypass - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2022-0559]
Backdoor.Win32.GateHell.21 / Port Bounce Scan - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party adversaries who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This lets remote attackers abuse the infected system to discreetly conduct network port scanning. Scanned hosts will then see the scans as originating from the infected system running the malware's FTP server rather than from the attacker.
References: [MVID-2022-0560] |
5297 |
tcp |
applications |
not scanned |
Apple iChat (local traffic), Bonjour
Backdoor.Win32.GateHell.21 / Authentication Bypass - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2022-0559]
Backdoor.Win32.GateHell.21 / Port Bounce Scan - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party adversaries who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This lets remote attackers abuse the infected system to discreetly conduct network port scanning. Scanned hosts will then see the scans as originating from the infected system running the malware's FTP server rather than from the attacker.
References: [MVID-2022-0560] |
5298 |
tcp,udp |
applications |
not scanned |
Apple iChat (local traffic), Bonjour, Extensible Messaging and Presence Protocol (XMPP)
Backdoor.Win32.GateHell.21 / Authentication Bypass - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2022-0559]
Backdoor.Win32.GateHell.21 / Port Bounce Scan - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party adversaries who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This lets remote attackers abuse the infected system to discreetly conduct network port scanning. Scanned hosts will then see the scans as originating from the infected system running the malware's FTP server rather than from the attacker.
References: [MVID-2022-0560] |
5299 |
tcp,udp |
nlg-data |
not scanned |
Backdoor.Win32.GateHell.21 / Authentication Bypass - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2022-0559]
Backdoor.Win32.GateHell.21 / Port Bounce Scan - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party adversaries who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This lets remote attackers abuse the infected system to discreetly conduct network port scanning. Scanned hosts will then see the scans as originating from the infected system running the malware's FTP server rather than from the attacker.
References: [MVID-2022-0560]
NLG Data Service (IANA official) |
5300 |
tcp,udp |
hacl-hb |
not scanned |
Neverwinter Nights
Worms that may use this port: W32.Kibuv.Worm (TCP)
Backdoor.Win32.GateHell.21 / Authentication Bypass - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2022-0559]
Backdoor.Win32.GateHell.21 / Port Bounce Scan - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party adversaries who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This lets remote attackers abuse the infected system to discreetly conduct network port scanning. Scanned hosts will then see the scans as originating from the infected system running the malware's FTP server rather than from the attacker.
References: [MVID-2022-0560]
HA cluster heartbeat (IANA official) |
5301 |
tcp,udp |
hacl-gs |
not scanned |
HA cluster general services
Backdoor.Win32.GateHell.21 / Authentication Bypass - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2022-0559]
Backdoor.Win32.GateHell.21 / Port Bounce Scan - the malware runs an FTP server on TCP ports 5301, 5432, 5300, 5299, 5298, 5297, 5296 and 5295. Third-party adversaries who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This lets remote attackers abuse the infected system to discreetly conduct network port scanning. Scanned hosts will then see the scans as originating from the infected system running the malware's FTP server rather than from the attacker.
References: [MVID-2022-0560] |
5307 |
tcp,udp |
sco-aip |
Premium scan |
IANA registered for: SCO AIP
Trojans using this port: PWS-WOW.gen |
5310 |
tcp,udp |
applications |
not scanned |
Outlaws |
5316 |
tcp |
hpbladems |
not scanned |
HPBladeSystem Monitor Service [Alan_Minchew] (IANA official) |
5317 |
tcp |
hpdevms |
not scanned |
HP Device Monitor Service [Alan_Minchew] (IANA official) |
5318 |
tcp |
pkix-cmc |
not scanned |
PKIX Certificate Management using CMS (CMC) [IESG] [RFC 6402] (IANA official) |
5321 |
tcp |
trojans |
Premium scan |
Port used by Firehotcker remote access trojan (uses ports 79, 5321). |
5326 |
tcp |
trojan |
Premium scan |
Snowdoor [Symantec-2003-022018-5040-99] (2003.02.20) - a backdoor trojan horse that allows unauthorized access to an infected computer. It creates an open C drive share and listens on port 5328 by default. May also use port 5326. |
5328 |
tcp |
trojan |
Members scan |
Snowdoor [Symantec-2003-022018-5040-99] (2003.02.20) - a backdoor trojan horse that allows unauthorized access to an infected computer. It creates an open C drive share and listens on port 5328 by default. |
5330 |
tcp |
games |
not scanned |
WarRock, developer: Dream Execution Technologies |
5333 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Backage, NetDemon |
5340 |
tcp |
games |
not scanned |
WarRock, developer: Dream Execution Technologies |
5343 |
tcp |
trojan |
Premium scan |
WCrat trojan |
5349 |
tcp |
stuns |
not scanned |
STUN over TLS (IANA official) [RFC 5389]
TURN over TLS (IANA official) [RFC 5766]
STUN Behavior Discovery over TLS (IANA official)
See also [RFC 5780] |
5349 |
udp |
stuns |
not scanned |
STUN over DTLS (IANA official) [RFC 7350]
TURN over DTLS (IANA official) [RFC 7350]
The port is also reserved for a future enhancement of STUN-BEHAVIOR
See also [RFC 5780] |
5350 |
tcp |
trojan |
Premium scan |
Pizza trojan |
5350 |
udp |
pcp-multicast |
not scanned |
WarRock, developer: Dream Execution Technologies
Port Control Protocol Multicast (IANA official) [RFC 6887] |
5351 |
udp |
games |
not scanned |
WarRock, developer: Dream Execution Technologies
Port Control Protocol (IANA official) [RFC 6887] |
5352 |
tcp,udp |
dns-llq |
not scanned |
IANA registered for: DNS Long-Lived Queries |
5353 |
tcp,udp |
mdns |
not scanned |
Multicast DNS (MDNS) [IESG] (IANA official) [RFC 6762]
iChat, Mac OS X Bonjour/Zeroconf port
Plex Media Server uses port 5353 UDP locally for older Bonjour/Avahi network discovery.
TeamViewer remote desktop protocol uses ports 5938/TCP, 5939/TCP, 5353/UDP
Backdoor.Optix.04.E [Symantec-2004-021021-2851-99] (2004.02.10) - a backdoor trojan horse that gives an attacker unauthorized access to an infected computer by opening TCP port 5353 and listening for incoming connections.
Remote attackers can perform a denial of service in WebRamp systems by sending a malicious UDP packet to port 5353, changing its IP address.
References: [CVE-1999-0438]
Avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty mDNS IPv4 or IPv6 UDP packet to port 5353.
References: [CVE-2011-1002], [BID-46446]
Avahi is vulnerable to a denial of service, caused by a NULL pointer dereference error within the avahi-core/socket.c. By sending a specially-crafted UDP packet to UDP port 5353, a remote attacker could exploit the vulnerability to cause the application to enter into an infinite loop.
References: [CVE-2011-0634] [XFDB-65524] [BID-46446] [SECUNIA-43361]
The Multicast DNS (mDNS) responder in IBM Security Access Manager for Web 7.x before 7.0.0 FP12 and 8.x before 8.0.1 FP1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets.
References: [CVE-2015-1892]
The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component.
References: [CVE-2015-2809]
Cisco IOS and Cisco IOS XE are vulnerable to a denial of service, caused by an error within the multicast DNS (mDNS) gateway function when processing malicious packets. By sending specially-crafted IP version 4 (IPv4) or IP version 6 (IPv6) packets on UDP port 5353, a remote attacker could exploit this vulnerability to cause the device to reload.
References: [CVE-2015-0650] [XFDB-101807]
The Multicast DNS (mDNS) responder used in BOSE Soundtouch 30 inadvertently responds to IPv4 unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets.
References: [CVE-2017-6520], [XFDB-128565]
avahi-daemon in Avahi through 0.6.32 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809.
References: [CVE-2017-6519], [XFDB-128566] |
Vulnerabilities listed: 100 (some use multiple ports)