| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 45678 |
tcp,udp |
eba |
not scanned |
EBA PRISE |
| 45682 |
tcp,udp |
applications |
not scanned |
pseudo-default uTorrent port |
| 45824 |
tcp |
dai-shell |
not scanned |
Server for the DAI family of client-server products [Data Access Inc] (IANA official) |
| 45836 |
tcp,udp |
worm |
not scanned |
W32.HLLW.Graps [Symantec-2003-070717-0814-99] - a network-aware worm with backdoor capabilities. By default, it opens port 45836 for listening. The worm copies itself to available network shares by connecting with weak passwords. |
| 45869 |
tcp |
hydrus |
not scanned |
Hydrus Network client API default port |
| 45966 |
tcp,udp |
ssr-servermgr |
not scanned |
SSRServerMgr |
| 46000 |
tcp,udp |
games |
not scanned |
Strike Fighters Project 1, developer: Third Wire |
| 46336 |
tcp |
inedo |
not scanned |
IANA registered for: Inedo agent communication |
| 46440 |
udp |
games |
not scanned |
Scrabble Complete |
| 46626 |
tcp |
trojan |
Premium scan |
Psychward [Symantec-2001-052208-1840-99] - trojan with backdoor capabilities. |
| 46631 |
tcp |
games |
not scanned |
Hedgewars game |
| 46666 |
tcp,udp |
trojan |
not scanned |
Taskman trojan |
| 46823 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in Sielco Sistemi Winlog Pro 2.07.00 and earlier, when Run TCP/IP server is enabled, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted 0x02 opcode to TCP port 46823.
References: [CVE-2011-0517], [BID-45813], [EDB-15992] |
| 46824 |
tcp |
applications |
not scanned |
Sielco Sistemi Winlog Pro SCADA before 2.07.17 and Winlog Lite SCADA before 2.07.17 do not validate the return value of the realloc function, which allows remote attackers to cause a denial of service (invalid 0x00 write operation and daemon crash) or possibly have unspecified other impact via a port-46824 TCP packet with a crafted positive integer after the opcode.
References: [CVE-2012-4358] [SECUNIA-49395]
Buffer overflow in RunTime.exe in Sielco Sistemi Winlog Pro SCADA before 2.07.18 and Winlog Lite SCADA before 2.07.18 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 46824. NOTE: some of these details are obtained from third party information.
References: [CVE-2012-3815] [BID-53811] [OSVDB-82654] [SECUNIA-49395] |
| 46882 |
tcp |
trojan |
Premium scan |
Psychward [Symantec-2001-052208-1840-99] - trojan with backdoor capabilities. |
| 46998 |
tcp |
sp-remotetablet |
not scanned |
Connection between a desktop computer or server and a signature tablet to capture handwritten signatures [SOFTPRO GmbH] (IANA official) |
| 47000 |
tcp,udp |
mbus |
not scanned |
Message Bus |
| 47001 |
tcp |
winrm |
not scanned |
Windows Remote Management Service |
| 47017 |
tcp |
trojan |
Premium scan |
T0rn Rootkit trojan |
| 47100 |
udp |
jvl-mactalk |
not scanned |
Configuration of motors connected to Industrial Ethernet [JVL_Industri_Elektronik] (IANA official) |
| 47141 |
tcp,udp |
applications |
not scanned |
Dartpro |
| 47252 |
tcp |
trojan |
Premium scan |
Delta Source trojan |
| 47262 |
udp |
trojan |
not scanned |
Delta Source trojan |
| 47387 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551. |
| 47545 |
udp |
canon |
not scanned |
Canon printers management console uses these ports (in addition to standard ports 25, 80, 110, 137, 389, 443, etc.):
427 UDP - SLP multicast discovery
5355 TCP/UDP - LLMNR device discovery for SNMP, SLP
8000, 8080 TCP - UI HTTP access
11427 UDP - device sleep notifications
47545 UDP - communication with devices
47547 TCP - communication with devices |
| 47547 |
tcp |
canon |
not scanned |
Canon printers management console uses these ports (in addition to standard ports 25, 80, 110, 137, 389, 443, etc.):
427 UDP - SLP multicast discovery
5355 TCP/UDP - LLMNR device discovery for SNMP, SLP
8000, 8080 TCP - UI HTTP access
11427 UDP - device sleep notifications
47545 UDP - communication with devices
47547 TCP - communication with devices
|
| 47557 |
tcp,udp |
dbbrowse |
not scanned |
Databeam Corporation |
| 47611 |
tcp,udp |
games |
not scanned |
Vindictus MMORPG (devCAT) uses ports 47611 tcp/udp and 27000-27025 tcp/udp |
| 47624 |
tcp,udp |
applications |
not scanned |
Battlecom, Age of Empires II, MechCommander 2, Star Wars Galactic Battlegrounds, Flight Simulator 2002 (TCP), Total Annihilation (TCP), Stronghold Crusader (TCP), Cossacks (TCP).
Spiral Knights uses ports 47624-47634.
IANA registered for Direct Play Server. |
| 47626 |
udp |
games |
not scanned |
Sudden Strike |
| 47634 |
tcp,udp |
games |
not scanned |
Spiral Knights uses ports 47624-47634 |
| 47698 |
tcp |
trojan |
Premium scan |
KiLo trojan [Symantec-2003-021319-1815-99] |
| 47785 |
tcp,udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
| 47800 |
tcp,udp |
applications |
not scanned |
Outpost 2 Divided Destiny
Infostealer.Reoxtan [Symantec-2005-090511-5408-99] - a trojan horse program that attempts to steal user names, passwords, and other computer information. It also attempts to lower security settings on the compromised computer. |
| 47806 |
tcp,udp |
ap |
not scanned |
ALC Protocol |
| 47808 |
tcp,udp |
bacnet |
not scanned |
The BACNet Test Server is vulnerable to a denial of service (DoS) vulnerability when sending malformed BVLC Length UDP packet to port 47808 causing the application to crash.
References: [EDB-48860]
IANA registered for: Building Automation and Control Networks |
| 47837 |
udp |
games |
not scanned |
Will Rock, developer: Saber Interactive |
| 47885 |
tcp |
malware |
not scanned |
Backdoor.Win32.Indexer.a / Hardcoded Weak Credentials - Indexer.a backdoor runs an FTP server that listens on TCP port 47885 and uses several weak hardcoded credentials "Ronald Reagen", "Boris Becker", "Donald Duck". The credentials can be easily veiwed in the binary using strings util. This can allow anyone with up front knowledge to logon to the infected system.
References: [MVID-2021-0091] |
| 47891 |
tcp |
trojans |
Premium scan |
Backdoor.AntiLam [Symantec-2002-060715-0902-99], a.k.a. AntiLamer backdoor - remote access trojan, affects Windows, listens on TCP ports 29559 and 47891, may also use port 29999.
Backdoor.Win32.Antilam.14.o / Unauthenticated Remote Command Execution - the malware listens on TCP ports 47891, 29559. Third party attackers who can reach infected systems can execute commands made available by the backdoor. Netcat utility worked the best for running commands, which are supplied as numeric values or hex characters. The values sent correspond to different commands mapped in the backdoor. Commands are typically three digits e.g. 001 and perform various actions on the infected host.
References: [MVID-2021-0379] |
| 48000 |
tcp,udp |
nimcontroller |
not scanned |
World in Conflict (WIC) 1.008 and earlier allows remote attackers to cause a denial of service (access violation and crash) via a zero-byte data block to TCP port 48000, which triggers a NULL pointer dereference.
References: [CVE-2008-6713], [BID-29888]
Massive Entertainment World in Conflict 1.001 and earlier allows remote attackers to cause a denial of service (failed assertion and daemon crash) via a large packet to TCP or UDP port 48000.
References: [CVE-2007-5711] [OSVDB-39019] [SECUNIA-27417]
Port is also IANA registered for Nimbus Controller. |
| 48001 |
tcp,udp |
nimspooler |
not scanned |
Nimbus Spooler |
| 48002 |
tcp,udp |
nimhub |
not scanned |
Nimbus Hub |
| 48003 |
tcp,udp |
nimgtw |
not scanned |
Nimbus Gateway |
| 48004 |
tcp |
trojan |
Premium scan |
Fraggle Rock trojan
IANA registered for: NimbusDB Connector. |
| 48005 |
tcp |
nimbusdbctrl |
not scanned |
IANA registered for: NimbusDB Control |
| 48006 |
tcp |
trojan |
Premium scan |
Fraggle Rock trojan |
| 48048 |
tcp |
juliar |
not scanned |
IANA registered for: Juliar Programming Language Protocol |
| 48049 |
tcp,udp |
3gpp |
not scanned |
3GPP Cell Broadcast Service Protocol |
| 48094 |
tcp |
trojans |
Premium scan |
Backdoor.Nibu.M [2005-071112-2150-99] - a trojan with backdoor capabilities, that runs a keylogger, sends information periodically to a remote server (via http), and also blocks access to security-related websites. Listens for remote commands on port 48094/tcp. |
| 48101 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in PQCore.exe in Print Manager Plus 2008 Client Billing and Authentication allows remote attackers to cause a denial of service (service outage) via a series of long packets to TCP port 48101.
References: [CVE-2008-0693], [BID-27604] |
| 48512 |
tcp |
trojan |
Premium scan |
Arctic trojan |
| 48556 |
tcp,udp |
com-bardac-dw |
not scanned |
com-bardac-dw, drive.web AC/DC Drive Automation and Control Networks |
| 48653 |
tcp,udp |
robotraconteur |
not scanned |
Robot Raconteur transport - a communication library for robotics and automation, developed by Wason Technology, LLC [Wason_Technology_LLC] (IANA official) |
| 48705 |
tcp |
viera |
not scanned |
Panasonic Viera cast may use the following ports: 80, 443, 43654, 48705 |
| 48899 |
udp |
applications |
not scanned |
The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending a crafted UDP packet to port 48899 (TCATSysSrv.exe).
References: [CVE-2011-3486], [OSVDB-75495] |
| 49000 |
tcp |
trojan |
Premium scan |
Fraggle Rock trojan
IANA registered for: Matahari Broker |
| 49001 |
udp |
games |
not scanned |
Far Cry
IANA registered for: Nuance Unity Service Discovery Protocol |
| 49001 |
tcp |
nusrp |
not scanned |
IANA registered for: Nuance Unity Service Request Protocol |
| 49002 |
tcp,udp |
games |
not scanned |
Far Cry |
| 49124 |
tcp,udp |
games |
not scanned |
Far Cry |
| 49150 |
tcp |
inspider |
not scanned |
IANA registered for: InSpider System |
| 49152 |
tcp,udp |
applications |
Members scan |
As the first port in the dynamic/private range (49152-65535), this port is commonly used by applications that utilize a dynamic/random/configurable port.
Many embedded Linux based systems (i.e. home routers, remote management devices, IP cameras) have UPnP enabled, broadcasting their kernel version and hardware architecture over port 49152.
Some P2P torernt clients often use this port: uTorrent, Azureus/Vuze, etc.
Older IPMI firmware versions reveal cleartext login credentials over UDP port 49152.
Apple AirPlay dynamic mirroring TCP port.
YotaPhone 2 opens port 49152.
Apple Xsan Filesystem Access uses the dynamic/private range 49152-65535.
Xsan (Apple's storage area network, or clustered filesystem for macOS) uses these ports:
311 TCP - Xsan secure server administration (server app, xsan server admin, workgroup manager, server monitor)
312 TCP - Xsan administration
626 UDP - server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6)
49152-65535 TCP - Xsan Filesystem Access
Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports
The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures an unauthenticated proxy service on WAN TCP port 49152, which allows remote attackers to establish arbitrary TCP connections to intranet hosts by sending \x2a\xce\x01 followed by other predictable values.
References: [CVE-2017-14117], [BID-100585]
The LAN-side Web-Configuration Interface has Stack-based Buffer Overflow vulnerability in the D-Link Wi-Fi router firmware DIR-890L DIR890LA1_FW107b09.bin and previous versions. The function created at 0x17958 of /htdocs/cgibin will call sprintf without checking the length of strings in parameters given by HTTP header and can be controlled by users easily. The attackers can exploit the vulnerability to carry out arbitrary code by means of sending a specially constructed payload to port 49152.
References: [CVE-2022-30521] |
| 49153 |
tcp |
applications |
not scanned |
ANTLR, ANother Tool for Language Recognition, (formerly PCCTS) - a parser generator for recognizing languages |
| 49154 |
tcp |
applications |
not scanned |
Xsan Filesystem Access |
| 49156 |
tcp,udp |
applications |
not scanned |
Azureus |
| 49159 |
tcp,udp |
applications |
Premium scan |
Bonjour for Windows - employed by iTunes and iChat for sharing files between Windows and Mac OS. |
| 49160 |
tcp,udp |
applications |
not scanned |
SJPhone (VoIP softphone), Azureus/Vuze BitTorrent client |
| 49165 |
tcp,udp |
applications |
not scanned |
Siebel Server - Siebel Customer Relationship Management application |
| 49177 |
tcp |
applications |
not scanned |
Monsoon Vulkano |
| 49181 |
tcp |
games |
not scanned |
Empire: Total War, developer: The Creative Assembly |
| 49182 |
tcp,udp |
applications |
not scanned |
BlueHeat/Net Port 15 - Command Port |
| 49201 |
tcp |
applications |
not scanned |
Borland StarTeam is vulnerable to a heap-based buffer overflow, caused by an integer overflow error in the StarTeam Server service (starteamserver.exe). By sending specially-crafted packets to TCP port 49201, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Reference: [XFDB-40965] |
| 49301 |
tcp |
trojan |
Premium scan |
Online Keylogger (TCP) |
| 49495 |
tcp |
trojans |
Premium scan |
Backdoor.Danrit [Symantec-2005-111515-2142-99] (2005.11.15) - a trojan that opens a backdoor and logs keystrokes, opens a backdoor on port 49495/tcp. |
| 49683 |
tcp,udp |
trojan |
not scanned |
Fenster trojan (a.k.a. Trojan.Win32.Fenster, Backdoor.Fenster.21) |
| 49698 |
udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
| 49701 |
tcp |
malware |
not scanned |
Backdoor.Win32.DirectConnection.103 (1.0 RAT-Tool) / Weak Hardcoded Password - the malware listens on random incrementing high TCP ports 49701,49702 etc. When updating the backdoor the output files password "1234!" is weak and hardcoded in cleartext within the PE file.
References: [MVID-2022-0508] |
| 49702 |
tcp |
malware |
not scanned |
Backdoor.Win32.DirectConnection.103 (1.0 RAT-Tool) / Weak Hardcoded Password - the malware listens on random incrementing high TCP ports 49701,49702 etc. When updating the backdoor the output files password "1234!" is weak and hardcoded in cleartext within the PE file.
References: [MVID-2022-0508] |
| 49752 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
| 49875 |
tcp |
xsan |
not scanned |
Xsan (Apple's storage area network, or clustered filesystem for macOS) uses these ports:
311 TCP - Xsan secure server administration (server app, xsan server admin, workgroup manager, server monitor)
312 TCP - Xsan administration
626 UDP - server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6)
49152-65535 TCP - Xsan Filesystem Access
|
| 49896 |
tcp |
oracle |
not scanned |
Oracle Database Management uses the following ports:
1521 TCP - Oracle SQL Net Listener and Data Guard
1832 TCP - Oracle Enterprise Management Agent HTTP (range 1830-1849)
49896 TCP - Oracle Clusterware (CRS daemon)
|
| 49941 |
tcp |
malware |
not scanned |
Backdoor.Win32.RemoteNC.beta4 / Unauthenticated Remote Command Execution - the malware listens on TCP port 49941. Third-party attackers who can reach an infected host can execute any OS commands hijacking taking over the system.
References: [MVID-2022-0507] |
| 49955 |
tcp,udp |
applications |
not scanned |
The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, when IP Passthrough mode is not used, configures WAN access to a caserver https service with the tech account and an empty password, which allows remote attackers to obtain root privileges by establishing a session on port 49955 and then installing new software, such as BusyBox with "nc -l" support.
References: [CVE-2017-14116], [BID-100585] |
| 49971 |
tcp |
malware |
not scanned |
Backdoor.Win32.Upload.a / Remote Denial of Service - the malware listens on TCP port 49971, each time it is run the port increments by one 49972 etc. Third-party attackers who can reach the infected host can send a payload of just few bytes to crash the backdoor.
References: [MVID-2021-0224] |
| 50000 |
tcp |
applications |
Premium scan |
LAN Messenger uses port 50000 tcp/udp
SVAT CLEARVU1, Serv-U use ports 50000-50004 tcp/udp
IBM License Metric Tool ports
1433 TCP - SQL server connection
9081 TCP - HTTPS web browser connections to server
50000 TCP - DB2 server connection
52311 TCP - BigFix clients and console connect to the server
Infector [trojan]
SubSARI [Symantec-2003-030315-2821-99] |
| 50000 |
udp |
applications |
not scanned |
LAN Messenger uses port 50000 tcp/udp
SVAT CLEARVU1, Serv-U use ports 50000-50004 tcp/udp
The EN100 module with firmware before 4.25 for Siemens SIPROTEC 4 and SIPROTEC Compact devices allows remote attackers to cause a denial of service via crafted packets on UDP port 50000.
References: [CVE-2015-5374], [XFDB-104946]
A vulnerability has been identified in SIPROTEC 4 and SIPROTEC Compact relays equipped with EN100 Ethernet communication modules (All versions). Specially crafted packets sent to port 50000/UDP of the EN100 Ethernet communication modules could cause a Denial-of-Service of the affected device. A manual reboot is required to recover the service of the device. At the time of advisory publication no public exploitation of this security vulnerability was known to Siemens.
References: [CVE-2019-19279], [XFDB-176112] |
| 50001 |
tcp,udp |
applications |
not scanned |
Discord uses ports 50001-50004 for media streaming
Serv-U uses ports 50000-50004
Java Remote Shell Server, Zotero, IBM DB2
M*Modal Fluency Direct (3M medical dictation software)
The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot) via a %0d%0a sequence in the page parameter to the xslt program on TCP port 50001.
References: [CVE-2009-3962] |
| 50002 |
tcp,udp |
discord |
not scanned |
Discord uses ports 50001-50004 for media streaming
Serv-U uses ports 50000-50004 |
| 50003 |
tcp,udp |
applications |
not scanned |
Discord uses ports 50001-50004 for media streaming
Serv-U uses ports 50000-50004
Apple FileMaker server service |
| 50004 |
tcp,udp |
applications |
not scanned |
Discord uses ports 50001-50004 for media streaming
Serv-U uses ports 50000-50004 |
| 50005 |
tcp |
trojan |
Premium scan |
Trojan.Fulamer.25 |
| 50006 |
tcp,udp |
applications |
not scanned |
Apple FileMaker helper service |
| 50021 |
tcp |
trojan |
Premium scan |
Optix Pro trojan
Hard-coded FTP credentials (r:r) are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not have port 50021 blocked by an intermediate device.
References: [CVE-2016-8731], [BID-99193] |
| 50047 |
udp |
games |
not scanned |
Virtual Tennis, developer: Strangelite |
| 50050 |
tcp |
|
not scanned |
Cobalt Strike (network security assessment tool) default port. See: www.cobaltstrike.com/help-setup-collaboration |
| 50123 |
udp |
applications |
not scanned |
Vulnerability in GpsDrive, can cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. The vulnerability is caused due to a format string error in the "dg_echo()" function in "friendsd.c" when displaying received GPS position data. This can potentially be exploited to execute arbitrary code via a specially crafted UDP packet. Successful exploitation requires the ability to send UDP packets to port 50123/udp.
References: [CVE-2005-3523] [SECUNIA-17473]
|
| 50130 |
tcp |
trojan |
Premium scan |
Enterprise trojan |
| 50138 |
udp |
applications |
not scanned |
Network Assistant (Nassi) is vulnerable to a denial of service attack. A remote attacker could send a specially-crafted UDP packet to UDP port 50138, which is the default port for Nassi, to cause the service to crash.
References: [BID-12226], [XFDB-18826], [SECUNIA-13770] |
| 50160 |
tcp,udp |
applications |
not scanned |
S-CONNECT protocol - data exchange (TCP) and manual device pairing (UDP) |
| 50161 |
udp |
applications |
not scanned |
S-CONNECT protocol - automatic device pairing |
