| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 20803 |
tcp,udp |
games |
not scanned |
Tiger Woods 2004 uses ports 20803-20809 |
| 20809 |
tcp,udp |
games |
not scanned |
Tiger Woods 2004 uses ports 20803-20809 |
| 20810 |
udp |
games |
not scanned |
Call of Duty 4 |
| 20810 |
tcp |
crtech-nlm |
not scanned |
CRTech NLM (IANA official) |
| 20851 |
tcp |
games |
not scanned |
Arcanum |
| 20871 |
tcp |
games |
not scanned |
Throne of Darkness |
| 20888 |
tcp |
malware |
not scanned |
Backdoor.Win32.XRat.d / Unauthenticated Remote Command Execution - XRat malware runs with SYSTEM integrity and listens on TCP port 20888. Third-party attackers who can reach the system can connect, switch to DOS prompt mode and run any OS commands re-compromising the already infected system.
References: [MVID-2021-0242]
Backdoor.Win32.XRat.k / Unauthenticated Remote Command Execution - XRat malware listens on TCP port 20888. Third-party attackers who can reach the system can run commands hijacking the infected host.
References: [MVID-2022-0482] |
| 20931 |
tcp,udp |
applications |
not scanned |
WanCatan |
| 20941 |
tcp |
games |
not scanned |
Emperor: Rise of the Middle Kingdom |
| 21000 |
udp |
games |
not scanned |
Soldier of Fortune 2, IL2 Sturmovik (TCP/UDP), IL2 Sturmovik: Forgotten Battles (TCP/UDP), Pacific Fighters: IL2 (TCP/UDP) |
| 21000 |
tcp |
malware |
not scanned |
Backdoor.Win32.Coredoor.10.a / Port Bounce Scan - the malware listens on TCP port 21000. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0411]
Backdoor.Win32.Coredoor.10.a / Authentication Bypass - the malware runs an FTP server on TCP port 21000. Third-party
attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2022-0618] |
| 21001 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-admin default port |
| 21009 |
tcp |
trojans |
Premium scan |
Backdoor.Djump [Symantec-2003-090116-0418-99] (2003.09.01) - a trojan horse that opens TCP ports 21009 and 2485 on a computer
SonicWall Global Management System Virtual Appliance could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to prevent unauthenticated, external entities from making XML-RPC requests to port 21009 of the virtual app. An attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.
References: [XFDB-147770] |
| 21011 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-engine-01 default http port |
| 21012 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-engine-01 default https port |
| 21021 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-engine-02 default http port |
| 21022 |
tcp |
applications |
not scanned |
AMLFilter, AMLFilter Inc. amlf-engine-02 default https port |
| 21027 |
udp |
syncthing |
not scanned |
Syncthing uses the following ports:
8384/TCP - web GUI
22000/TCP - listening port
21027/UDP - discovery broadcasts on IPv4, multicasts on IPv6. |
| 21030 |
tcp |
tablo |
not scanned |
Tablo Connect (TV streaming) uses the following ports: TCP 21030, 21031, 21032.
Tablo can instead use the following set of ports: TCP 31887, 31880, 31883 (3188x public/WAN ports are mapped to different private/LAN ports as follows: 31887 WAN -> 8887 LAN, 31880 WAN -> 80 LAN, 31883 WAN -> 443 LAN). |
| 21031 |
tcp |
tablo |
not scanned |
Tablo Connect (TV streaming) uses the following ports: TCP 21030, 21031, 21032.
Tablo can instead use the following set of ports: TCP 31887, 31880, 31883 (3188x public/WAN ports are mapped to different private/LAN ports as follows: 31887 WAN -> 8887 LAN, 31880 WAN -> 80 LAN, 31883 WAN -> 443 LAN). |
| 21032 |
tcp |
tablo |
not scanned |
Tablo Connect (TV streaming) uses the following ports: TCP 21030, 21031, 21032.
Tablo can instead use the following set of ports: TCP 31887, 31880, 31883 (3188x public/WAN ports are mapped to different private/LAN ports as follows: 31887 WAN -> 8887 LAN, 31880 WAN -> 80 LAN, 31883 WAN -> 443 LAN). |
| 21064 |
tcp |
citrix |
not scanned |
Citrix XenServer clustering uses these ports: 5404, 5405 UDP, and 8892, 21064 TCP
Default port for Ingres DBMS server |
| 21101 |
tcp |
games |
not scanned |
UEFA EURO 2004 uses ports 21101-21109 |
| 21109 |
tcp |
games |
not scanned |
UEFA EURO 2004 uses ports 21101-21109 |
| 21112 |
tcp,udp |
applications |
not scanned |
GeoVision |
| 21157 |
udp |
games |
not scanned |
Activision gaming protocol [RFC 3027] |
| 21201 |
tcp |
memcachedb |
not scanned |
Port used by Memcachedb |
| 21211 |
tcp |
trojans |
Members scan |
W32.Dasher.B [Symantec-2005-121610-5037-99] (2005.12.16) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin [MS05-051]).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp. |
| 21212 |
tcp |
trojans |
Premium scan |
Schwindler, Sensive
IANA registered for Distributed artificial intelligence |
| 21213 |
tcp |
cohesity-agent |
not scanned |
IANA registered for: Cohesity backup agents |
| 21220 |
tcp |
malware |
not scanned |
Backdoor.Win32.Kurbadur.A / Remote Stack Buffer Overflow - the malware listens on TCP port 21220, by sending incrementing HTTP TRACE requests with an increasing payload size, we trigger buffer overflow overwriting EIP. Upon running a fake error message box will appear, the specimen also tries to connect to SMTP port 25.
References: [MVID-2021-2023] |
| 21221 |
tcp |
aigairserver |
not scanned |
IANA registered for: Services for Air Server |
| 21274 |
tcp,udp |
games |
not scanned |
Port used by Minecraft |
| 21300 |
tcp,udp |
applications |
not scanned |
FreeTel audioconferencing |
| 21301 |
tcp,udp |
applications |
not scanned |
FreeTel audioconferencing |
| 21302 |
tcp,udp |
applications |
not scanned |
BitchX IRC Client, FreeTel audioconferencing |
| 21303 |
tcp,udp |
applications |
not scanned |
FreeTel audioconferencing |
| 21315 |
tcp |
botnet |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
| 21325 |
tcp |
trezord |
not scanned |
Trezor Bridge - an application for communication between the Trezor cryptocurrency hardware wallet and supported browsers. |
| 21422 |
tcp |
malware |
not scanned |
Backdoor.Win32.Serman.a / Unauthenticated Open Proxy - the malware listens on TCP port 21422 by default but it can be changed. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2022-0659] |
| 21509 |
tcp,udp |
applications |
not scanned |
An issue was discovered in Microvirt MEmu all versions prior to 7.0.2. A guest Android operating system inside the MEmu emulator contains a /system/bin/systemd binary that is run with root privileges on startup (this is unrelated to Red Hat's systemd init program, and is a closed-source proprietary tool that seems to be developed by Microvirt). This program opens TCP port 21509, presumably to receive installation-related commands from the host OS. Because everything after the installer:uninstall command is concatenated directly into a system() call, it is possible to execute arbitrary commands by supplying shell metacharacters.
References: [CVE-2019-14514], [XFDB-176467]
|
| 21544 |
tcp |
trojans |
Members scan |
Unknown Trojan, Exploiter, Girl Friend, Kid Terror, Matrix, Schwindler, Winsp00fer |
| 21553 |
tcp |
rdm-tfs |
not scanned |
IANA registered for: Raima RDM TFS |
| 21554 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: Exploiter, Kid Terror, Winsp00fer, GirlFriend
Scwhindler remote access trojan - ports 21554, 50766
Backdoor.Win32.GF.j / Unauthenticated Remote Command Execution - the malware listens on TCP port 21554. Third-party adversaries who can reach infected hosts can run commands made available by the backdoor.
References: [MVID-2022-0566]
|
| 21579 |
tcp |
trojan |
Premium scan |
Breach trojan |
| 21584 |
tcp |
trojan |
Premium scan |
Breach trojan |
| 21605 |
tcp |
citrix |
not scanned |
Citrix XenServer 5.6 and earlier: SOAP over HTTP integrated Storage Link traffic |
| 21684 |
tcp |
trojan |
Premium scan |
Intruse trojan |
| 21700 |
tcp |
applications |
not scanned |
Directory traversal vulnerability in the web server for 3Com Network Supervisor 5.0.2 allows remote attackers to read arbitrary files via ".." sequences in the URL to TCP port 21700.
References: [CVE-2005-2020] |
| 21801 |
tcp |
sal |
not scanned |
Safe AutoLogon (IANA official) |
| 21810 |
tcp |
trojan |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
| 21840 |
tcp,udp |
games |
not scanned |
Burnout Paradise - The Ultimate Box, developer: Criterion Games |
| 21957 |
tcp |
trojan |
Premium scan |
Backdoor.Latinus [Symantec-2002-060710-5206-99] - remote access trojan, afects Windows 9x/ME/NT/2k/XP, opens TCP port 11831/tcp for direct control, 29559/tcp for file transfer, may also use ports 21957/tcp, 24289/tcp, 29559/tcp. |
| 21964 |
tcp |
applications |
not scanned |
Exteel |
| 22000 |
udp |
applications |
not scanned |
Gamespy Lan Port (for LAN games only), Battlefield Vietnam, Medal of Honor Allied Assault |
| 22000 |
tcp |
applications |
not scanned |
Syncthing uses the following ports:
8384/TCP - web GUI
22000/TCP - listening port
21027/UDP - discovery broadcasts on IPv4, multicasts on IPv6.
Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to control the SoftPACAgent service including updating SoftPAC firmware, starting or stopping service, or writing to certain registry values.
References: [CVE-2020-10612] |
| 22003 |
tcp,udp |
applications |
not scanned |
MTA SA R1.0
Directory traversal vulnerability in the FTP server (port 22003/tcp) in Farmers WIFE 4.4 SP1 allows remote attackers to create arbitrary files via .. (dot dot) sequences in a (1) PUT, (2) SIZE, and possibly other commands.
References: [CVE-2006-0319], [BID-16321]
Port is also IANA registered for Opto Host Port 3 |
| 22067 |
tcp |
syncthing |
Premium scan |
Syncthing listens on TCP ports 443, 22067, 22070 |
| 22068 |
tcp |
trojan |
Premium scan |
AcidShiver trojan |
| 22070 |
tcp |
syncthing |
Premium scan |
Syncthing listens on TCP ports 443, 22067, 22070 |
| 22101 |
tcp,udp |
games |
not scanned |
Star Trek: Bridge Commander |
| 22115 |
tcp |
trojan |
Premium scan |
Cyn trojan |
| 22125 |
tcp |
dcap |
not scanned |
dCache Access Protocol |
| 22126 |
tcp,udp |
applications |
not scanned |
MTA SA R1.0 |
| 22128 |
tcp |
gsidcap |
not scanned |
GSI dCache Access Protocol |
| 22136 |
tcp |
applications |
not scanned |
FLIR Systems, Camera Resource Protocol (IANA official) |
| 22200 |
udp |
applications |
not scanned |
Ultimate Baseball Online Client uses ports 20000-22200 |
| 22202 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in the Open Database Connectivity (ODBC) service (Odbcixv9se.exe) in 7-Technologies Interactive Graphical SCADA System (IGSS) 9 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet to TCP port 22202.
References: [CVE-2011-2959], [BID-47597] |
| 22222 |
tcp |
multiple |
Members scan |
Fortnight to AWS
Redgate licensing client, Davis Instruments, WeatherLink IP
SolarEdge solar plant uses this port to upload data into their cloud.
Viasat (Swedish TV provider) routes traffic to digital boxes for digital TV through this port.
Hola VPN
Some trojans/backdoors use this port: Donald D1ck, G.R.O.B, Prosiak, Ruler, RUX The TIc.K
EasyEngine - CLI tool to manage WordPress Sites on Nginx server [rtCamp_Solutions_Private_Limited] (IANA official) |
| 22223 |
tcp |
trojan |
Premium scan |
RUX The TIc.K trojan |
| 22292 |
tcp |
trojan |
Premium scan |
ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292 |
| 22306 |
tcp |
applications |
not scanned |
Incorrect access control for the diagnostic files of the iSmartAlarm Cube One through 2.2.4.10 allows an attacker to retrieve them via a specifically crafted TCP request to port 12345 and 22306, and access sensitive information from the device.
References: [CVE-2018-16224] |
| 22311 |
tcp |
trojans |
Premium scan |
Backdoor.Simali [Symantec-2003-042414-3952-99] - remote access trojan, affects Windows, listens on port 22311 by default. Notifies attacker via email or ICQ. |
| 22333 |
tcp,udp |
showcockpit-net |
not scanned |
IANA registered for: ShowCockpit Networking |
| 22335 |
tcp |
shrewd-control |
not scanned |
Initium Labs Security and Automation Control (IANA official) |
| 22335 |
udp |
shrewd-stream |
not scanned |
Initium Labs Security and Automation Streaming (IANA official) |
| 22345 |
tcp |
applications |
Premium scan |
Wyze cameras use these ports:
80, 443 TCP/UDP - timelapse, cloud uploads, streaming data
8443 TCP - cloud api, server connection
123 TCP - time check
10001 TCP - P2P WiFi live streaming
10002 TCP - Firmware updates
22345 TCP - control, used when live streaming
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a backdoor account allowing a remote attacker to login to the system via SSH (on TCP port 22345) and escalate to root (because the password for root is the WebUI admin password concatenated with a static string).
References: [CVE-2019-9160] |
| 22347 |
tcp,udp |
wibukey |
not scanned |
Siemens Licensing Software for SICAM 230 is vulnerable to a heap-based buffer overflow. By sending a specially-crafted TCP packet to TCP port 22347, a remote attacker could overflow a buffer and execute arbitrary code on the system.
References: [CVE-2018-3991], [XFDB-156948]
WibuKey Standard WkLan (IANA official) |
| 22349 |
tcp |
applications |
not scanned |
Wolfson Microelectronics, WISCEBridge Debug Protocol |
| 22350 |
tcp,udp |
codemeter |
not scanned |
Tom Clancy's Splinter Cell: Conviction uses ports 22350-22380, developer: Ubisoft Montreal
Wibu-Systems AG CodeMeter Runtime 4.30c, 4.10b, and possibly other versions before 4.40 allows remote attackers to cause a denial of service (CodeMeter.exe crash) via certain crafted packets to TCP port 22350.
References: [CVE-2011-4057], [BID-51382]
CodeMeter Standard (IANA official) |
| 22380 |
tcp |
games |
not scanned |
Tom Clancy's Splinter Cell: Conviction uses ports 22350-22380, developer: Ubisoft Montreal |
| 22450 |
tcp,udp |
applications |
not scanned |
SiN |
| 22456 |
tcp |
trojans |
Premium scan |
Clandestine trojan
Backdoor.Bla.Trojan [Symantec-2000-121815-1846-99] - opens TCP ports 20331, 22456, 22457 by default. |
| 22457 |
tcp |
trojans |
Premium scan |
AcidShiver trojan
Backdoor.Bla.Trojan [Symantec-2000-121815-1846-99] - opens TCP ports 20331, 22456, 22457 by default. |
| 22537 |
tcp |
caldsoft-backup |
not scanned |
CaldSoft Backup server file transfer [CaldSoft] (IANA official) |
| 22554 |
tcp |
trojan |
Premium scan |
Schwindler trojan horse |
| 22555 |
udp |
vocaltec |
not scanned |
Port used by VocalTec Internet Phone. |
| 22556 |
tcp |
cryptocurrency |
Premium scan |
Dogecoin cryptocurrency uses port 22556.
Common cryptocurrency ports (TCP):
Bitcoin: 8333
Litecoin: 9333
Dash: 9999
Dogecoin: 22556
Ethereum: 30303 |
| 22609 |
tcp |
applications |
not scanned |
exacqVision |
| 22701 |
udp |
applications |
not scanned |
annclist.exe in webTV for Windows allows remote attackers to cause a denial of service by via a large, malformed UDP packet to ports 22701 through 22705.
References: [CVE-2000-0830], [BID-1671] |
| 22703 |
tcp,udp |
webtv |
not scanned |
WebTV is vulnerable to a DoS exploit on this port that can reboot the machine. |
| 22705 |
udp |
applications |
not scanned |
annclist.exe in webTV for Windows allows remote attackers to cause a denial of service by via a large, malformed UDP packet to ports 22701 through 22705.
References: [CVE-2000-0830], [BID-1671] |
| 22777 |
tcp |
worm |
not scanned |
W32.Spybot.ATZN [Symantec-2007-082821-0920-99] (2007.08.28) - a worm that spreads by exploiting system vulnerabilities |
| 22783 |
tcp |
trojan |
Premium scan |
Intruzzo trojan [Symantec-2002-051012-5520-99] |
| 22784 |
tcp |
trojans |
Premium scan |
Backdoor-ADM
Intruzzo trojan [Symantec-2002-051012-5520-99]
Backdoor.Renomb [Symantec-2002-090211-1409-99] (2002.09.02) - a backdoor trojan coded in Visual Basic that gives an attacker unauthorized access to an infected computer. By default it opens port 22784 on the compromised computer. |
| 22785 |
tcp |
trojan |
Premium scan |
Intruzzo trojan [Symantec-2002-051012-5520-99] |
| 22793 |
tcp |
vocaltec |
not scanned |
VocalTec Internet Phone - tcp connection to VocalTec servers on this port. |
| 22794 |
tcp |
applications |
not scanned |
The TimesTenD process in Cisco Unified Presence 1.x, 6.x before 6.0(6), and 7.x before 7.0(4) allows remote attackers to cause a denial of service (process crash) via a large number of TCP connections to ports 16200 and 22794, aka Bug ID CSCsy17662.
References: [CVE-2009-2874], [BID-36675] |
| 22845 |
tcp |
trojan |
Premium scan |
Breach trojan |
| 22847 |
tcp |
trojan |
Premium scan |
Breach trojan |
