| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 15425 |
tcp,udp |
trojan |
Premium scan |
Backdoor.Rohimafo [Symantec-2010-041308-3301-99] (2010.04.13) - a trojan horse that opens a back door and steals information from the compromised computer. It creates a proxy server on TCP port 15425.
IRLP - Internet Radio Linking Project (uses port 1545 tcp/udp) |
| 15432 |
tcp |
trojans |
Premium scan |
Backdoor.Cyn [Symantec-2002-083012-4557-99] (2002.08) - remote access trojan, affects all current Windows versions, listens on ports 15432 and 51234. |
| 15441 |
tcp,udp |
applications |
not scanned |
ZeroNet fileserver |
| 15485 |
tcp |
trojan |
Premium scan |
KiLo trojan [Symantec-2003-021319-1815-99] |
| 15486 |
tcp,udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
| 15500 |
tcp |
trojan |
Premium scan |
In Route to the Hell trojan
Nascar 3, Hoyle Online also use this port. |
| 15512 |
tcp |
trojan |
Premium scan |
Iani trojan |
| 15551 |
tcp |
trojan |
Premium scan |
In Route to the Hell trojan |
| 15553 |
tcp |
trojans |
not scanned |
Backdoor.Dewin [Symantec-2002-061211-5916-99] (2002.06.12) - allows a hacker to gain access to and remotely control an infected computer. The Trojan program is written in Microsoft Visual C++ and is compressed with PECompact. |
| 15555 |
tcp |
trojan |
Premium scan |
ICMIBC trojan |
| 15556 |
tcp,udp |
applications |
not scanned |
Jeex.EU Artesia (direct client-to-db.service) |
| 15567 |
udp |
applications |
not scanned |
Battlefield Vietnam server port |
| 15668 |
udp |
games |
not scanned |
Heroes of Might and Magic III, developer: New World Computing |
| 15670 |
tcp |
stomp |
not scanned |
Port sometimes used by STOMP (Simple/Streaming Text Oriented Messaging Protocol, a web version of AMQP, or MQTT). |
| 15672 |
tcp,udp |
applications |
not scanned |
360 Share, developer: 360share
RabbitMQ management plugin uses this port |
| 15674 |
tcp |
stomp |
not scanned |
STOMP (Simple/Streaming Text Oriented Messaging Protocol) standard port. STOMP is a web version of AMQP or MQTT |
| 15690 |
udp |
applications |
not scanned |
ASE Port, Battlefield Vietnam |
| 15695 |
tcp |
trojan |
Premium scan |
Kryptonic Ghost Command Pro trojan |
| 15800 |
tcp |
games |
not scanned |
Tribes 2, Emperor: Rise of the Middle Kingdom, Swat 3, Arcanum |
| 15802 |
tcp |
games |
not scanned |
Throne of Darkness |
| 15845 |
udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
| 15852 |
tcp |
trojan |
Premium scan |
Kryptonic Ghost Command Pro trojan |
| 15855 |
tcp |
trojans |
not scanned |
Trojan.Looksky [Symantec-2006-060512-1520-99] (2006.06.05) - a trojan horse that opens a back door and downloads files onto the compromised computer. The trojan also contains rootkit functionality. |
| 15858 |
tcp |
trojans |
Premium scan |
CDK trojan (ports 79, 15858) |
| 15963 |
tcp,udp |
applications |
not scanned |
Turkojan |
| 15998 |
udp |
2ping |
not scanned |
IANA registered for: 2ping Bi-Directional Ping Service |
| 15999 |
tcp |
programmar |
not scanned |
IANA registered for: ProGrammar Enterprise. |
| 16000 |
tcp,udp |
applications |
not scanned |
Motorhead Server, shroudBNC
Oracle WebCenter Content: Imaging (formerly known as Oracle Universal Content Management) (TCP). Port though often changed during installation.
Administration Server Access (IANA official)
|
| 16001 |
tcp |
fmsascon |
not scanned |
IANA registered for: Administration Server Connector. |
| 16002 |
tcp |
gsms |
not scanned |
IANA registered for: GoodSync Mediation Service |
| 16003 |
udp |
alfin |
not scanned |
IANA registered for: Automation and Control by REGULACE.ORG |
| 16010 |
tcp,udp |
applications |
not scanned |
Motorhead Server uses ports 16010-16030 |
| 16020 |
tcp |
jwpc |
not scanned |
Filemaker Java Web Publishing Core |
| 16021 |
tcp |
jwpc-bin |
not scanned |
Filemaker Java Web Publishing Core Binary |
| 16030 |
tcp,udp |
applications |
not scanned |
Motorhead Server uses ports 16010-16030 |
| 16057 |
tcp |
trojan |
Premium scan |
MoonPie trojan |
| 16080 |
tcp |
applications |
not scanned |
Mac OS X Server Web (HTTP) service with performance cache |
| 16102 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in the BCAAA component before build 60258, as used by Blue Coat ProxySG 4.2.3 through 6.1 and ProxyOne, allows remote attackers to execute arbitrary code via a large packet to the synchronization port (16102/tcp)
References: [CVE-2011-5124] |
| 16162 |
tcp |
solaris-audit |
not scanned |
Solaris Audit - secure remote audit log |
| 16200 |
tcp |
applications |
not scanned |
Oracle Universal Content Management Content Server
The TimesTenD process in Cisco Unified Presence 1.x, 6.x before 6.0(6), and 7.x before 7.0(4) allows remote attackers to cause a denial of service (process crash) via a large number of TCP connections to ports 16200 and 22794, aka Bug ID CSCsy17662.
References: [CVE-2009-2874], [BID-36675] |
| 16250 |
udp |
applications |
not scanned |
Ghost Recon Advanced Warfighter is vulnerable to a denial of service, caused by a signedness error. By sending specially-crafted packets to UDP port 16250, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-60153], [BID-41459], [SECUNIA-40465] |
| 16250 |
tcp |
applications |
not scanned |
Oracle Universal Content Management Inbound Refinery |
| 16261 |
tcp,udp |
applications |
not scanned |
Project Zomboid multiplayer. Additional sequential ports used for each player connecting to server |
| 16286 |
tcp,udp |
applications |
not scanned |
The License Manager (mathlm) for Mathematica 4.0 and 4.1 allows remote attackers to cause a denial of service (resource exhaustion) by connecting to port 16286 and not disconnecting, which prevents users from making license requests.
References: [CVE-2001-1057], [BID-3120] |
| 16322 |
tcp |
trojans |
Premium scan |
Backdoor.Lastdoor [Symantec-2002-090517-3251-99] (2002.09.04) - remote access trojan. Affects all current Windows versions. |
| 16384 |
udp |
connected |
not scanned |
Apple iChat AV (Audio RTP, RTCP; Video RTP, RTCP) uses ports 16384-16403
Verizon VoiceWing uses ports 16384-16392 (TCP/UDP)
Iron Mountain Digital online backup
Connected Corp (TCP/UDP) (IANA official) |
| 16385 |
udp |
applications |
not scanned |
Apple FaceTime, Apple Game Center (RTP/RTCP) |
| 16385 |
tcp |
rdgs |
not scanned |
Reliable Datagram Sockets (IANA official) |
| 16386 |
udp |
applications |
not scanned |
Apple FaceTime, Apple Game Center (RTP/RTCP) |
| 16387 |
udp |
applications |
not scanned |
Apple Game Center (RTP/RTCP) |
| 16389 |
tcp |
applications |
not scanned |
A vulnerability was discovered in Siemens SIMATIC Logon (All versions before V1.6) that could allow specially crafted packets sent to the SIMATIC Logon Remote Access service on port 16389/tcp to cause a Denial-of-Service condition. The service restarts automatically.
References: [CVE-2017-9938], [BID-99539], [XFDB-128367] |
| 16392 |
tcp,udp |
applications |
not scanned |
Verizon VoiceWing uses ports 16384-16392 |
| 16393 |
udp |
applications |
not scanned |
Apple FaceTime (RTP/RTCP) uses ports 16393-16402 |
| 16402 |
udp |
applications |
not scanned |
Apple FaceTime (RTP/RTCP) uses ports 16393-16402 |
| 16403 |
udp |
applications |
not scanned |
Apple Game Center (RTP/RTCP) uses ports 16403-16472 |
| 16420 |
udp |
applications |
not scanned |
Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP)
Apple Game Center also uses this port |
| 16464 |
tcp |
trojan |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
| 16465 |
tcp |
trojan |
not scanned |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
| 16470 |
tcp |
zeroaccess |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
| 16471 |
tcp |
trojan |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
| 16484 |
tcp |
trojan |
not scanned |
Mosucker trojan |
| 16499 |
udp |
games |
not scanned |
Star Trek Armada II |
| 16514 |
tcp,udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
| 16515 |
tcp,udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
| 16523 |
tcp |
trojan |
Premium scan |
Back streets trojan |
| 16567 |
udp |
applications |
not scanned |
Default Battlefield 2 server port |
| 16638 |
udp |
games |
not scanned |
SWAT3 game |
| 16639 |
tcp |
games |
not scanned |
SWAT3 game |
| 16660 |
tcp |
trojan |
not scanned |
Stacheldraht (DDoS) |
| 16661 |
tcp |
trojans |
Premium scan |
Backdoor.Haxdoor.D [Symantec-2005-012411-2332-99] (2005.01.24) - backdoor trojan program. Also attempts to log key strokes and steal passwords. Listens on port 16661/tcp, opens two additional high random ports.
Backdoor.Haxdoor.E [Symantec-2005-080212-3505-99] (2005.08.01) - trojan that opens a backdoor on the compromised computer, logs keystrokes, steals passwords and drops rootkits that run in safe mode. Opens a backdoor on one or more of the following ports: 7080/tcp, 8008/tcp, or 16661/tcp.
|
| 16666 |
udp |
vtp |
not scanned |
Vidder Tunnel Protocol [Vidder Inc] (IANA official) |
| 16699 |
tcp |
games |
not scanned |
Stronghold 2 |
| 16712 |
tcp |
trojan |
Premium scan |
KiLo trojan [Symantec-2003-021319-1815-99]
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
| 16761 |
tcp |
trojan |
Premium scan |
Kryptonic Ghost Command Pro trojan |
| 16768-16771 |
tcp |
spector |
not scanned |
ports 16768-16771 are used by SpectorSoft products to check for updates and exchange information with their servers, and for user remote access. Ports 16770/16771 are commonly open.
Port 16770 - Primary Server / listen IP port
Port 16771 - Web Filter Server
Port 16768 - Control Center Server
Port 16769 - Recorder Data Vault |
| 16772 |
tcp |
trojan |
not scanned |
ICQ Revenge (TCP) |
| 16789 |
tcp |
cadsisvr |
not scanned |
Mainframe External Security Managers from any TCP/IP platform (IANA official) |
| 16900 |
tcp,udp |
newbay-snc-mc |
not scanned |
Newbay Mobile Client Update Service |
| 16959 |
tcp |
trojan |
Premium scan |
SubSeven [Symantec-2001-020114-5445-99] |
| 16969 |
tcp |
trojan |
not scanned |
Priority trojan |
| 16982 |
tcp |
trojan |
Premium scan |
AcidShiver trojan |
| 16999 |
tcp |
trojans |
Premium scan |
Backdoor.Stealer [Symantec-2003-070415-5712-99] (2003.07.04) a.k.a. Trojan.Spy.MSNLogThief [KAV], MSNLogThief [McAfee] - a trojan that gives its creator full control over the infected computer, uses ports 16999,60101. |
| 17000 |
tcp |
applications |
not scanned |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
Oracle TimesTen In-Memory Database is vulnerable to a denial of service, caused by an error in the timestend daemon. By sending an overly large HTTP request to TCP port 17000, a remote attacker could exploit this vulnerability to cause the process to crash.
References: [BID-38019]
|
| 17001 |
tcp,udp |
applications |
not scanned |
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.
References: [CVE-2019-7214]
Backdoor.Win32.Prexot.a / Authentication Bypass - the malware listens on random high TCP ports e.g 11404, 19545, 17001, 10110. Third-party attackers who can reach an infected system can logon using any username/password combination.
References: [MVID-2022-0484]
Backdoor.Win32.Prexot.a / Port Bounce Scan (MITM) - the malware listens on random high TCP ports e.g 11404, 19545, 17001, 10110 and accepts any credentials. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0485] |
| 17010 |
tcp |
ncpu |
not scanned |
Games: Worms Armageddon (TCP/UDP)
Plan 9 cpu port (IANA official) |
| 17100 |
tcp |
klactprx |
not scanned |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
|
| 17166 |
tcp |
trojan |
Premium scan |
Mosaic trojan |
| 17185 |
udp |
applications |
not scanned |
Cisco IP Phone (VoIP) 7920 1.0(8) listens to UDP port 17185 to support a VxWorks debugger, which allows remote attackers to obtain sensitive information and cause a denial of service.
References: [CVE-2005-3804], [SECUNIA-17604], [BID-15456]
Act P202S VoIP WiFi phone undocumented open port, multiple vulnerabilities.
References: [CVE-2006-0374], [CVE-2006-0375], [BID-16288]
The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804.
References: [CVE-2010-2965]
The debugging feature on the Siemens CP 1604 and CP 1616 interface cards with firmware before 2.5.2 allows remote attackers to execute arbitrary code via a crafted packet to UDP port 17185.
References: [CVE-2013-0659]
This document describes a security vulnerability in Blade Maintenance Entity, Integrated Maintenance Entity and Maintenance Entity products. All J/H-series NonStop systems have a security vulnerability associated with an open UDP port 17185 on the Maintenance LAN which could result in information disclosure, denial-of-service attacks or local memory corruption against the affected system and a complete control of the system may also be possible. This vulnerability exists only if one gains access to the Maintenance LAN to which Blade Maintenance Entity, Integrated Maintenance Entity or Maintenance Entity product is connected. **Workaround:** Block the UDP port 17185(In the Maintenance LAN Network Switch/Firewall). Fix: Install following SPRs, which are already available: * T1805A01^AAI (Integrated Maintenance Entity) * T4805A01^AAZ (Blade Maintenance Entity). These SPRs are also usable with the following RVUs: * J06.19.00 ? J06.23.01. No fix planned for the following RVUs: J06.04.00 ? J06.18.01. No fix planned for H-Series NonStop systems. No fix planned for the product T2805 (Maintenance Entity).
References: [CVE-2020-7131], [XFDB-180715]
Schneider Electric SCADAPack could allow a remote attacker to execute arbitrary code on the system, caused by the enablement of the VxWorks debug agent. By sending specially-crafted requests to UDP Port 17185, an attacker could exploit this vulnerability to gain control of the device or cause a denial of service.
References: [XFDB-91050] |
| 17220 |
tcp,udp |
avtp |
not scanned |
IEEE 1722 Transport Protocol Applications (IANA official) |
| 17221 |
tcp,udp |
avdecc |
not scanned |
Enumeration, Connection management, and Control IEEE 1722.1 AVB Discovery [IEEE 1722 1] (IANA official) |
| 17222 |
udp |
cpsp |
not scanned |
Control Plane Synchronization Protocol |
| 17224 |
udp |
trdp-pd |
not scanned |
Train Realtime Data Protocol (TRDP) Process Data (IANA official) |
| 17225 |
tcp,udp |
trdp-md |
not scanned |
Train Realtime Data Protocol (TRDP) Message Data |
| 17234 |
tcp,udp |
integrius-stp |
not scanned |
Integrius Secure Tunnel Protocol |
| 17300 |
tcp |
trojans |
Premium scan |
Milkit backdoor (Spybot 3), Kuang2 the_Virus trojan. |
| 17310-17542 |
tcp |
applications |
not scanned |
Cisco Prime Central for HCS Assurance is vulnerable to a denial of service, caused by an error in the Cisco Tivoli Business Service Manager (TBSM) component. By sending a flood of TCP packets directed to ports 17310-17542, a remote attacker could exploit this vulnerability to cause the service to hang.
References: [CVE-2013-1174], [XFDB-83250], [BID-58907] |
| 17336 |
udp |
applications |
not scanned |
The Sierra Wireless AirLink Raven X EV-DO gateway 4221_4.0.11.003 and 4228_4.0.11.003 allows remote attackers to reprogram the firmware via a replay attack using UDP ports 17336 and 17388.
References: [CVE-2013-2820] |
| 17388 |
udp |
applications |
not scanned |
The Sierra Wireless AirLink Raven X EV-DO gateway 4221_4.0.11.003 and 4228_4.0.11.003 allows remote attackers to reprogram the firmware via a replay attack using UDP ports 17336 and 17388.
References: [CVE-2013-2820] |
| 17437 |
tcp,udp |
games |
not scanned |
Kohan Immortal Sovereigns |
| 17440 |
tcp |
vmware |
not scanned |
VMWare TrustPoint Security Platform uses the following ports:
17440/TCP, 443/TCP - console to server communication
17442/TCP - clients to server
17443/TCP - console and trace clients to trace server traffic
17444/TCP - trace clients to module server
17472/TCP - server to zone server, local client to client traffic
17477/TCP - server to module server
|
