| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 7500 |
tcp,udp |
games |
not scanned |
Anarchy Online, developer: FunCom |
| 7501 |
tcp,udp |
games |
not scanned |
Anarchy Online, developer: FunCom |
| 7508 |
tcp |
adcp |
not scanned |
Automation Device Configuration Protocol [Festo AG] (IANA official) |
| 7509 |
tcp |
acplt |
not scanned |
IANA registered for: ACPLT - process automation service |
| 7511 |
tcp |
trojan |
Premium scan |
Genue trojan |
| 7547 |
tcp |
tr069 |
Members scan |
CPE WAN Management Protocol Technical Report 069 uses port 7547 (TCP/UDP).
Port associated with TR-069 - application layer protocol for remote management of end-user devices. It is a bidirectional SOAP/HTTP-based protocol that provides communication between CPE devices and auto-configuration servers (ACS). It can be used by some modems, gateways, routers, VoIP phones, set-top boxes. TR-069 has some known exploits as demonstrated at the DEFCON22 conference.
If your NAT router/gateway keeps this port open and you are sure you want to filter it (potential interference with ISPs pushing firmware updates), try the following. Navigate to your router's admin interface and disable TR-069. If that does not work, look under "port forwarding", or "virtual servers", and forward the port to an unused local IP address, like (192.168.1.252)
The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80, retrieving the login password (which defaults to the Wi-Fi password), and using the NewNTPServer feature.
References: [CVE-2016-10372], [XFDB-126658]
IANA registered for: Broadband Forum CWMP (TCP/UDP) |
| 7550 |
udp |
cloudsignaling |
not scanned |
IANA registered for: Cloud Signaling Service |
| 7551 |
tcp |
controlone-con |
not scanned |
BORGChat is vulnerable to a denial of service. By sending specially crafted data to port 7551, a remote attacker could exploit this vulnerability to cause the application to crash.
References [XFDB-151989]
A vulnerability, which was classified as problematic, was found in BORGChat 1.0.0 Build 438. This affects an unknown part of the component Service Port 7551. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252039.
References: [CVE-2024-0888]
IANA registered for: ControlONE Console signaling |
| 7555 |
udp |
worm-linux |
not scanned |
Linux.Plupii.B [Symantec-2005-111712-0018-99] (2005.11.16) - a worm with backdoor capabilities. Attempts exploiting Linux vulnerabilities. Opens a backdoor and listens for remote commands on port 7555/udp. |
| 7563 |
tcp |
cfw |
not scanned |
Control Framework [RFC 6230] (IANA official) |
| 7569 |
tcp |
dell-eql-asm |
not scanned |
Dell EqualLogic Host Group Management |
| 7597 |
tcp |
trojan |
Premium scan |
Qaz trojan (a.k.a. W32.HLLW.Qaz.A [Symantec-2000-122013-5944-99]) |
| 7599 |
udp |
malware |
Premium scan |
W32.Jacksuf virus is a computer virus that is capable of downloading other malware onto the system and infecting other executables. Once installed it will contact the attacker's website and download additional executables which add information theft capabilities and backdoor access to the infected system.
Once executed, the W32.Jacksuf malware will create several files. The first is C:\setup.exe, which is an installer that will create and launch the file C:\WINDOWS\SYSTEM\internat.exe, as well as c:\autorun.inf. The "autorun" file is used to make sure that the malware is started at whenever the drive is mounted. This same "autorun" file is copied to every drive root, including removal drives.
The "internat" program will attempt to download other files as directed by the website at http://mm.21380.com/. One of these files downloaded includes "inetinf.exe", a program that creates a backdoor process on UDP port 7599. Other files include binaries to steal game login information and chat program login credentials. |
| 7606 |
tcp,udp |
mipi-debug |
not scanned |
IANA registered for: MIPI Alliance Debug |
| 7609 |
tcp |
trojan |
Premium scan |
Snid X2 trojan horse |
| 7614 |
tcp |
trojans |
Premium scan |
Backdoor.GRM [Symantec-2002-062714-1321-99], Wollf
Backdoor.Win32.Wollf.14 / Missing Authentication - Wollf.14 listens on TCP port 7614 and creates a service "wrm" running as SYSTEM. The backdoor then allows casual intruders to take control of the infected system as there is no authentication required.
References: [MVID-2021-0055] |
| 7615 |
tcp,udp |
applications |
not scanned |
IANA registered for: ISL Online products. |
| 7624 |
tcp,udp |
indi |
not scanned |
IANA registered for: Instrument Neutral Distributed Interface |
| 7626 |
tcp |
trojans |
Premium scan |
Binghe, Glacier, Hyne
SImple Middlebox COnfiguration (SIMCO) Server (IANA official) [RFC 4540] |
| 7630 |
tcp |
hawk |
not scanned |
HA Web Konsole |
| 7631 |
tcp |
tesla-sys-msg |
not scanned |
TESLA System Messaging |
| 7634 |
tcp |
applications |
not scanned |
hddtemp - Utility to monitor hard drive temperature |
| 7648 |
tcp |
trojans |
Premium scan |
NextPVR NEWA uses port 7648 for streaming by default. NextPVR xbmc web server uses port 8866 tcp.
Cu-SeeMe Cornell uses this port.
Malware using this port: BlackStar, Ghost, XHX
|
| 7649 |
tcp,udp |
applications |
not scanned |
CU-SeeMe, Enhanced CUSM, LDAP |
| 7652 |
tcp,udp |
applications |
not scanned |
LDAP
I2P anonymizing overlay network also uses port 7652 (TCP). |
| 7654 |
tcp |
applications |
not scanned |
SSH Tunneling |
| 7655 |
udp |
applications |
not scanned |
I2P SAM Bridge Socket API |
| 7656 |
tcp |
applications |
not scanned |
I2P anonymizing overlay network |
| 7659 |
tcp,udp |
applications |
not scanned |
Polypheny User Interface (database system) |
| 7663 |
tcp,udp |
rome |
not scanned |
IANA registered for: Proprietary immutable distributed data storage |
| 7670 |
tcp |
applications |
not scanned |
BrettspielWelt BSW Boardgame Portal |
| 7672 |
tcp |
imqstomp |
not scanned |
iMQ STOMP Server |
| 7673 |
tcp |
trojan |
Premium scan |
Neoturk trojan
IANA registered for iMQ STOMP Server over SSL. |
| 7676 |
tcp |
trojan |
Basic scan |
Some ZyXEL DSL modems/routers have port 7676/tcp open by default, reserved for remote WAN management by the ISP (TR069 connection request port).
Aqumin AlphaVision Remote Command Interface also uses port 7676 (TCP).
The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP port 7676 open by default with a password of admin for the admin account. This allows remote attackers to obtain potentially sensitive information, perform database operations, or manipulate the demo via a JMX RMI session, aka a "jmx_rmi remote monitoring and control problem." NOTE: this is not an Oracle supported product.
References: [CVE-2018-14324]
Malware that uses this port: Neoturk trojan
IANA registered for: iMQ Broker Rendezvous (TCP/UDP) |
| 7677 |
tcp |
trojan |
Premium scan |
Neoturk trojan |
| 7680 |
tcp |
wudo |
not scanned |
TCP port 760 is used by WUDO (Windows Update Delivery Optimization) in Windows LANs. This includes both local and remote computers within a domain
Microsoft Delivery Optimization Peer-to-Peer (TCP/UDP) (IANA official) |
| 7680 |
tcp |
wud0 |
not scanned |
TCP port 7680 is used by WUDO (Windows Update Delivery Optimization) to distribute updates in Windows LANs.
IANA registered for: Pando Media Public Distribution |
| 7681 |
tcp |
nvr |
not scanned |
HikVision NVR uses port 7681 TCP |
| 7683 |
tcp |
dmt |
not scanned |
Cleondris DMT (IANA official) |
| 7687 |
tcp |
bolt |
not scanned |
IANA registered for: Bolt database connection |
| 7690 |
tcp |
sovd |
not scanned |
Service-Oriented Vehicle (IANA official) |
| 7700 |
udp |
applications |
not scanned |
P2P DC (RedHub) |
| 7701 |
sctp |
nfapi |
not scanned |
IANA registered for: SCF nFAPI defining MAC/PHY split |
| 7707 |
udp |
applications |
not scanned |
Killing Floor |
| 7708 |
udp |
applications |
not scanned |
Killing Floor |
| 7714 |
tcp |
trojans |
Members scan |
Backdoor.Berbew [Symantec-2003-071616-0350-99] (2003.07.16) - a backdoor trojan horse that steals passwords, may open ports 7714 and 8546.
Port is IANA assigned for: GunZ |
| 7717 |
udp |
applications |
not scanned |
Killing Floor |
| 7718 |
tcp |
trojan |
Premium scan |
Glacier trojan |
| 7722 |
tcp |
trojan |
Premium scan |
KiLo [Symantec-2003-021319-1815-99] trojan
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
| 7724 |
tcp,udp |
nsdeepfreezectl |
not scanned |
Novell Snap-in Deep Freeze Control, GunZ |
| 7725 |
tcp,udp |
applications |
not scanned |
Nitrogen Service
GunZ
Faronics Deep Freeze (workstation OS protection software) - uses either port 1971 or 7725. |
| 7728 |
tcp,udp,sctp |
osvr |
not scanned |
Open-Source Virtual Reality (IANA official) |
| 7741 |
tcp,udp |
scriptview |
not scanned |
ScriptView Network |
| 7744 |
tcp,udp |
raqmon-pdu |
not scanned |
RAQMON PDU (IANA official) [RFC 4712] |
| 7745 |
tcp |
trojans |
Premium scan |
W32.Mytob.HG@mm [Symantec-2005-071115-1349-99] (2005.07.11) - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 7745/tcp. |
| 7754 |
tcp |
malware |
not scanned |
Backdoor.Win32.Wollf.c / Hardcoded Backdoor Password - the backdoor creates a service "sysocm.exe" running with SYSTEM integrity. The sysocm service listens for commands on TCP port 7754. The backdoors remote logon password is "mDVs3TAv8sByKyG6YgwbtYQK6fSQeauz" and while strong, its stored in the executable and easily discovered using strings utility.
References: [MVID-2021-0053] |
| 7755 |
udp |
games |
not scanned |
Red Faction
THQ Volition Red Faction Game allows remote attackers to cause a denial of service (hang) of a client or server via packets to UDP port 7755.
References: [CVE-2001-0952], [BID-3651] |
| 7771 |
tcp |
applications |
not scanned |
HP Operations Agent for NonStop is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ELinkService process. By sending a specially-crafted HEALTH packet to TCP port 7771 or 8976, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-77930], [BID-55161], [OSVDB-84854] |
| 7772 |
tcp |
applications |
not scanned |
Tams ii Gaming Lobby & Games |
| 7775 |
tcp |
games |
not scanned |
Ultima Online
IANA registered for: A File System using TLS over a wide area network |
| 7776 |
tcp |
applications |
Premium scan |
Backdoor.Remocy [Symantec-2003-102217-2215-99] (2003.10.22) - a backdoor trojan horse that gives its creator full control over a computer through a Web browser. The existence of the Inject.dll file is an indication of a possible infection.
Trojans: marlDOOM, PoslDOOM |
| 7776 |
udp |
games |
not scanned |
Port used by: Spliter Cell Chaos Theory w AllSeeingEye, Spliter Cell Pandora Tomorrow, GunZ, Ultima Online |
| 7777 |
tcp |
trojans |
Members scan |
Applications:
iChat server file transfer proxy
Oracle Cluster File System 2
Satisfactory's dedicated server
Xivio default Chat Server
Games:
Active Worlds (TCP/UDP)
Fabula Mortis uses ports 7777 and 7778
ARK: Survival Evolved server
Terraria game (TCP/UDP)
Ultima Online
Malware: GodMessage trojan, The Thing trojan, tini.exe Windows backdoor program
Backdoor.Darkmoon [Symantec-2005-081910-3934-99] (2005.08.18) - trojan that opens a backdoor on the compromised computer and has keylogging capabilities. Opens a backdoor and listens for remote commands on ports 6868/tcp and 7777/tcp.
UsbCharger.dll in the Energizer DUO USB battery charger software contains a backdoor that is implemented through the Arucer.dll file in the %WINDIR%\system32 directory, which allows remote attackers to download arbitrary programs onto a Windows PC, and execute these programs, via a request to TCP port 7777. References: [CVE-2010-0103], [BID-38571]
OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 sends the configuration of the printer in cleartext, which allows remote attackers to obtain the administrative password by connecting to TCP port 5548 or 7777. References: [CVE-2008-0374], [BID-27339]
SKIDATA RFID Freemotion.Gate could allow a remote attacker to execute arbitrary commands on the system, caused by failure to restrict access to the RTP|One Gate web service and Gate. By sending a specially-crafted request to TCP port 7777, an attacker could exploit this vulnerability to inject and execute arbitrary commands on the system with root privileges. References: [XFDB-89103]
A flaw was found in podman. The 'podman machine' function (used to create and manage Podman virtual machine containing a Podman process) spawns a 'gvproxy' process on the host system. The 'gvproxy' API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the 'gvproxy' API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.
References: [CVE-2021-4024]
Backdoor.Win32.Levelone.b / Remote Stack Buffer Overflow - the backdoor listens on Port 7777, sending two large consecutive HTTP OPTIONS requests trigger the buffer overflow overwriting EIP.
References: [MVID-2021-0021]
Backdoor.Win32.Tiny.a / Unauthenticated Remote Command Execution - the malware listens on TCP port 7777. Third-party attackers who can reach an infected system can run any OS commands hijacking the compromised host.
References: [MVID-2022-0533] |
| 7777 |
udp |
applications |
not scanned |
Unreal Tournament 2004 Game port, SCP: Secret Laboratory Multiplayer Server, San Andreas Multiplayer default server |
| 7778 |
tcp |
Oracle9iAS-OJSP |
not scanned |
AT&T Connect Web Conferencing uses TCP ports 443,80 and 7778
Oracle 9i Application Server Oracle Java Server Pages, Bad Trip MUD
Games:
Fabula Mortis uses ports 7777 and 7778
Tribes Vengeance uses port 7778 tcp/udp
The OHS component 1.0.2 through 10.x, when UseWebcacheIP is disabled, in Oracle Application Server allows remote attackers to bypass HTTP Server mod_access restrictions via a request to the webcache TCP port 7778.
References: [CVE-2005-1383] [BID-13418] [OSVDB-15908] [SECUNIA-15143]
Backdoor.Win32.RmtSvc.l / Remote Denial of Service - the malware listens on TCP port 7778. Third-party attackers who can reach infected systems can send a specially crafted junk HTTP CONNECT request to trigger an access violation and crash.
References: [MVID-2021-0348]
Backdoor.Win32.Tiny.c / Unauthenticated Remote Command Execution - the malware listens on TCP port 7778. Third party attackers who can reach an infected system can run any OS commands hijacking the compromised host.
References: [MVID-2022-0476] |
| 7778 |
udp |
applications |
not scanned |
Unreal Tournament 2004 Query port
uConfig agent in Compex NetPassage WPE54G router allows remote attackers to cause a denial of service (unresposiveness) via crafted datagrams to UDP port 7778.
References: [CVE-2006-0960] [BID-16894] [SECUNIA-19037]
Unreal Tournament 2003 (ut2003) clients and servers allow remote attackers to cause a denial of service via malformed messages containing a small number of characters to UDP ports 7778 or 10777.
References: [CVE-2002-1507]
Port is also IANA registered for Interwise |
| 7779 |
tcp |
feodo |
Premium scan |
Feodo and Geodo (a.k.a. Cridex or Bugat) is a trojan used to commit e-banking fraud and steal sensitive information from the victims computers, such as credit card details. Feodo and Geodo is hosted on compromised webservers running a nginx proxy on port 8080 TCP, or port 7779 TCP. Geodo also communicates with the botnet C&C server on ports 8080 TCP and/or 7779 TCP. |
| 7780 |
udp |
games |
not scanned |
Will Rock, developer: Saber Interactive |
| 7786 |
tcp |
applications |
not scanned |
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
References: [CVE-2020-27654], [XFDB-190889] |
| 7787 |
udp |
applications |
not scanned |
Unreal Tournament 2004 GameSpy query port |
| 7787 |
tcp |
applications |
not scanned |
GFI EventsManager 7 & 8
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
References: [CVE-2020-27654], [XFDB-190889] |
| 7788 |
tcp,udp |
trojans |
Premium scan |
Trojans that use this port: Last 2000, Singularity (Backdoor.Singu)
Tom Clancy's H.A.W.X. also uses port 7788 (UDP), developer: Ubisoft Romania |
| 7789 |
tcp |
trojan |
Members scan |
Mozilla trojan, Back Door Setup trojan, ICKiller trojan |
| 7790 |
tcp,udp |
games |
not scanned |
Deus Ex |
| 7791 |
tcp,udp |
games |
not scanned |
Deus Ex |
| 7792 |
tcp,udp |
games |
not scanned |
Deus Ex |
| 7797 |
tcp |
applications |
not scanned |
Accelerate It, Humboldt Internet Accelerator, Hyperspeed Dialup |
| 7798 |
tcp,udp |
pnet-enc |
not scanned |
Propel Encoder port, GunZ |
| 7800 |
tcp |
trojan |
Premium scan |
Paltalk trojan
NetScreen-Security Manager is vulnerable to a denial of service attack. A remote attacker could send specially-crafted requests to the guiSrv service on port 7800 or the devSrv service on port 7801 to cause the targeted service to crash.
References: [BID-16075], [CVE-2005-4587], [XFDB-23850]
Port is also IANA registered for Apple Software Restore (TCP/UDP) |
| 7801 |
tcp,udp |
applications |
not scanned |
NetScreen-Security Manager is vulnerable to a denial of service attack. A remote attacker could send specially-crafted requests to the guiSrv service on port 7800 or the devSrv service on port 7801 to cause the targeted service to crash.
References: [BID-16075], [CVE-2005-4587], [XFDB-23850]
Port is also IANA registered for Secure Server Protocol - client |
| 7802 |
udp |
vns-tp |
not scanned |
Virtualized Network Services Tunnel Protocol [Juniper_Networks] (IANA official) |
| 7810 |
tcp |
wanopt |
not scanned |
Fortigate WAN optimization tunnel.
IANA registered for: Riverbed WAN Optimization Protocol
|
| 7811 |
tcp,udp |
trojans |
Premium scan |
Backdoor.RemoteSOB [Symantec-2003-010815-3452-99] (2003.01.08) - allows unauthorized access to the infected computer, listens to port 7811 by default and uses ICQ to notify the hacker. |
| 7812 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AP [Symantec-2005-030416-5626-99] (2005.03.04) - worm with backdoor capabilities. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 7812/tcp. |
| 7823 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551. |
| 7826 |
tcp |
trojan |
Premium scan |
MiniOblivion trojan
Trojan-Dropper.Win32.Juntador.a / Weak Hardcoded Password - the malware listens on TCP ports 7826 and 13013 and drops executables under the Windows dir. Authentication is required for remote user access. However, the password "sexjerx sexjerx" is weak and hardcoded in plaintext within the executable.
References: [MVID-2021-0259]
Backdoor.Win32.Oblivion.01.a / Insecure Transit Password Disclosure - the malware listens on TCP port 7826 and makes HTTP GET requests to port 80 for "/scripts/WWPMsg.dll". The system logon credentials "Pass=beacytan" are sent plaintext via the URL query string. Third party attackers who can sniff traffic may locate the credentials which can also potentially be leaked to web server logs and or shared systems.
References: [MVID-2022-0658] |
| 7831 |
tcp |
applications |
not scanned |
Default used by Smartlaunch Internet Cafe Administration software |
| 7844 |
tcp |
cloudflared |
Premium scan |
Cloudflare Argo Tunnel - connects a web server to the Cloudflare network via HTTP2 over a TLS encrypted tunnel. |
| 7845 |
tcp,udp |
applications |
not scanned |
ZNES
APC 7845 [American Power Conversion] (IANA official) |
| 7846 |
tcp,udp |
apc-7846 |
not scanned |
APC 7846 [American Power Conversion] (IANA official) |
| 7847 |
tcp |
csoauth |
not scanned |
IANA registered for: A product key authentication protocol made by CSO |
| 7850 |
tcp |
trojan |
Premium scan |
Paltalk trojan |
| 7869 |
tcp |
mobileanalyzer |
not scanned |
MobileAnalyzer& MobileMonitor |
| 7870 |
tcp |
applications |
not scanned |
The Cisco ATA 187 Analog Telephone Adaptor with firmware 9.2.1.0 and 9.2.3.1 before ES build 4 does not properly implement access control, which allows remote attackers to execute operating-system commands via vectors involving a session on TCP port 7870, aka Bug ID CSCtz67038.
References: [CVE-2013-1111]
The Cisco Unified SIP Phone 3905 with firmware before 9.4(1) allows remote attackers to obtain root access via a session on the test interface on TCP port 7870, aka Bug ID CSCuh75574.
References: [CVE-2014-0721]
Riverbed Steelhead Mobile Service (IANA official) |
| 7871 |
udp |
trojans |
Members scan |
Trojan.Peacomm [Symantec-2007-011917-1403-99] (2007.01.19) - trojan horse that drops a system driver which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique. Once infected, it opens a backdoor to download other malicious programs. Uses UDP ports 4000, 7871, 11271. |
| 7871 |
tcp |
mdm |
not scanned |
IANA registered for: Mobile Device Management |
| 7872 |
udp |
mipv6tls |
not scanned |
TLS-based Mobile IPv6 Security [IESG] [RFC 6618] (IANA official) |
| 7875 |
tcp |
games |
not scanned |
Ultima |
| 7878 |
tcp |
trojan |
Premium scan |
Paltalk trojan
IANA registered for: Opswise Message Service |
| 7879 |
tcp |
trojan |
Premium scan |
Paltalk trojan |
