| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 57005 |
tcp |
trojans |
Premium scan |
Backdoor.IRC.Cirebot [Symantec-2003-080214-3019-99] (2003.08.02). Trojan that exploits the MS DCOM vulnerability and installs a backdoor. Uses ports 445 & 69, opens port 57005. |
| 57123 |
tcp |
trojans |
Premium scan |
Backdoor.Mprox [Symantec-2003-092417-2624-99] (2003.09.24) - a backdoor trojan horse that opens a proxy server on TCP port 57123. |
| 57163 |
tcp |
trojan |
Premium scan |
BlackRat |
| 57331 |
tcp,udp |
applications |
not scanned |
PlayOn |
| 57341 |
tcp |
trojans |
Premium scan |
Port used by NetRaider trojan. |
| 57588 |
tcp,udp |
gtk |
not scanned |
Gtk#
The Gtk# GUI toolkit from Novell employs port 57588 to connect with its host site. It contains a collection of .NET bindings and an assortment of GNOME libraries. |
| 57612 |
udp |
applications |
not scanned |
The Trend Controls IC protocol through 2022-05-06 allows Cleartext Transmission of Sensitive Information. According to FSCT-2022-0050, there is a Trend Controls Inter-Controller (IC) protocol cleartext transmission of credentials issue. The affected components are characterized as: Inter-Controller (IC) protocol (57612/UDP). The potential impact is: Compromise of credentials. Several Trend Controls building automation controllers utilize the Inter-Controller (IC) protocol in for information exchange and automation purposes. This protocol offers authentication in the form of a 4-digit PIN in order to protect access to sensitive operations like strategy uploads and downloads as well as optional 0-30 character username and password protection for web page access protection. Both the PIN and usernames and passwords are transmitted in cleartext, allowing an attacker with passive interception capabilities to obtain these credentials. Credentials are transmitted in cleartext. An attacker who obtains Trend IC credentials can carry out sensitive engineering actions such as manipulating controller strategy or configuration settings. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement.
References: [CVE-2022-30312] |
| 57621 |
udp |
spotify |
not scanned |
Port 57621 UDP is used by Spotify client for P2P communication |
| 57621 |
udp |
spotify |
not scanned |
Spotify client uses port 57621 UDP for P2P communication |
| 57785 |
tcp |
trojan |
Premium scan |
G.R.O.B. |
| 57851-57943 |
tcp |
arx |
not scanned |
Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235) |
| 58008 |
tcp |
trojans |
Premium scan |
Backdoor.Tron [Symantec-2002-060414-2700-99] (2002.06.04) - remote access trojan, affects Windows, has the ability to kill software firewall processes. |
| 58009 |
tcp |
trojan |
Premium scan |
Backdoor.Tron [Symantec-2002-060414-2700-99] (2002.06.04) - remote access trojan, affects Windows, has the ability to kill software firewall processes. |
| 58134 |
tcp |
trojan |
Premium scan |
Charge trojan |
| 58339 |
tcp |
trojan |
Members scan |
ButtFunnel trojan |
| 58343 |
tcp |
trojans |
Premium scan |
Backdoor.Prorat [Symantec-2003-061315-4216-99] (2003.06.13) - remote access trojan, affects Windows, opens port 58343 by default. |
| 58641 |
tcp |
trojans |
Premium scan |
W32.Kalel.B@mm [Symantec-2005-061615-2836-99] (2005.06.15) - mass-mailing worm with keylogger and backdoor capabilities. Spreads through email and file-sharing networks. Opens a backdoor and listens for remote commands on port 58641/tcp. |
| 58642 |
tcp |
applications |
not scanned |
Jamcast |
| 58666 |
tcp |
trojans |
Premium scan |
Backdoor.Redkod [Symantec-2003-022517-1058-99] (2003.02.03) - remote access trojan, affects Windows NT/2000/XP. |
| 58723 |
tcp |
applications |
not scanned |
Open Automation Software OPC Systems.NET before 5.0 allows remote attackers to cause a denial of service via a malformed .NET RPC packet on TCP port 58723.
References: [CVE-2011-4871] |
| 59000 |
tcp,udp |
applications |
not scanned |
Tekkotsu, Cisco Agent Desktop
Tekkotsu is an open-source environment for the programming of robots.
Cisco Agent Desktop is an application for Computer Telephony Integration (CTI). |
| 59211 |
tcp |
trojans |
Premium scan |
Backdoor.Ducktoy [Symantec-2002-071814-5240-99] (2002.07.18) - remote access trojan, affects Windows, listens to ports 29559 and 59211 by default.
NewFuture trojan |
| 59234 |
tcp,udp |
whatsapp |
not scanned |
WhatsApp uses these ports:
80, 443, 4244, 5222, 5223, 5228, 5242 TCP
50318, 59234 TCP/UDP
3478, 45395 UDP
|
| 59278 |
tcp,udp |
applications |
not scanned |
WS-Proxy in Eye-Fi 1.1.2 allows remote attackers to cause a denial of service (crash) via an empty query string to port 59278 and other unspecified vectors.
References: [CVE-2008-7137], [BID-28085] |
| 59777 |
tcp |
applications |
not scanned |
ES File Explorer File Manager application for Android could allow a remote attacker to execute arbitrary code on the system. By sending specially-crafted requests to TCP port 59777, an attacker could exploit this vulnerability to read arbitrary files or execute arbitrary code on the system.
References: [CVE-2019-6447], [XFDB-155682] |
| 59969 |
tcp,udp |
games |
not scanned |
Genesis Rising: The Universal Crusade Beta |
| 60000 |
tcp |
trojans |
Premium scan |
Trojans/backdoors that use this port: DeepThroat/BackDoor-J, F0replay/WiNNUke eXtreame, Sockets des Troie, MiniBacklash |
| 60000 |
udp |
sco |
not scanned |
SCO Copy Protection Demon (CPD)
Among the products protected by SCO CPD are the SCO UnixWare, SCO OpenServer, Smallfoot, SCOoffice Server, WebFace, SCOx Web Services Substrate, Me Inc., and Caldera WebSpyder.
Backdoor.Win32.MiniBlackLash / Remote DoS - MiniBlackLash listens on both TCP port 6711 and UDP port 60000. Sending a large HTTP request string of junk chars to UDP port 60000 will crash this backdoor.
References: [MVID-2021-0060] |
| 60001 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Entitee trojan, Trinity trojan (DoS) |
| 60001 |
udp |
nat-traverse |
not scanned |
nat-traverse, Vorsis
The nat-traverse application utilizes UDP port 60001 to pass through NAT gateways to generate links between nodes located behind these gateways.
Vorsis audio processors employ UDP and TCP port 60001 to communicate with their host. |
| 60005 |
tcp |
applications |
not scanned |
Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitoring controller and System 1 and/or Bently Nevada Monitor Configuration (BNMC) software. These protocols provide configuration management and historical data related functionality. Neither protocol has any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.
References: [CVE-2022-29952] |
| 60006 |
tcp |
trojan |
Premium scan |
Trojan.Fulamer.25 |
| 60007 |
tcp |
applications |
not scanned |
Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitoring controller and System 1 and/or Bently Nevada Monitor Configuration (BNMC) software. These protocols provide configuration management and historical data related functionality. Neither protocol has any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.
References: [CVE-2022-29952] |
| 60008 |
tcp |
trojans |
Premium scan |
T0rn Rootkit trojan
Lion trojan - exploits Linux Bind servers' TSIG vulnerability |
| 60023 |
tcp |
applications |
not scanned |
Clipcomm CPW-100E VoIP 802.11b Wireless Handset Phone running firmware 1.1.12 (051129) and CP-100E VoIP 802.11b Wireless Phone running firmware 1.1.60 allows remote attackers to gain unauthorized access via the debug service on TCP port 60023.
References: [CVE-2006-0305], [BID-16289] |
| 60068 |
tcp |
trojans |
Premium scan |
Xzip trojan, T0rn rootkit |
| 60099 |
tcp |
vmware |
not scanned |
VMware vCenter Server Web Service change service notification port |
| 60101 |
tcp |
trojans |
Premium scan |
Backdoor.Stealer [Symantec-2003-070415-5712-99] (2003.07.04) a.k.a. Trojan.Spy.MSNLogThief [KAV], MSNLogThief [McAfee] - a trojan that gives its creator full control over the infected computer, uses ports 16999,60101. |
| 60411 |
tcp |
trojan |
Premium scan |
Connection.100, Connection.130 trojan |
| 60412 |
tcp |
trojan |
not scanned |
Connection.130 trojan |
| 60551 |
tcp |
trojan |
Premium scan |
R0xr4t [Symantec-2002-082915-1621-99], a.k.a. RoxRat backdoor, BD R0xr4t 1.0. Uses ports 5050,50551,50552,60551,60552. |
| 60552 |
tcp |
trojan |
Premium scan |
R0xr4t [Symantec-2002-082915-1621-99], a.k.a. RoxRat backdoor, BD R0xr4t 1.0. Uses ports 5050,50551,50552,60551,60552. |
| 60666 |
tcp |
trojan |
Premium scan |
Basic Hell trojan |
| 61000 |
tcp |
trojans |
Premium scan |
Backdoor.Mite [Symantec-2002-090309-2255-99] - remote access trojan with password-stealing capabilities, affects Windows. Opens a backdoor on port 61000/tcp. BD Windows Mite 1.0 variant listens on port 65530/tcp. |
| 61001 |
tcp |
applications |
not scanned |
The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589, NVG599, and unspecified other devices, when IP Passthrough mode is not used, configures an sbdc.ha WAN TCP service on port 61001 with the bdctest account and the bdctest password, which allows remote attackers to obtain sensitive information (such as the Wi-Fi password) by leveraging knowledge of a hardware identifier, related to the Bulk Data Collection (BDC) mechanism defined in Broadband Forum technical reports.
References: [CVE-2017-10793], [BID-100585] |
| 61115 |
tcp |
trojan |
Premium scan |
Protoss trojan |
| 61183 |
tcp |
worm |
not scanned |
W32.Quadrule.A [Symantec-2007-052815-0455-99] (2007.05.28) - a worm that spreads through network and removable drives. It also opens a back door on port 61183. |
| 61282 |
tcp |
worm |
not scanned |
W32.Pandem.B.Worm [Symantec-2003-081913-3715-99] (2003.08.19) - a worm coded in C++ and is packed with PEBundle, listens on port 61282/tcp. |
| 61337 |
tcp |
trojan |
Premium scan |
Nota trojan [Symantec-2002-061211-0415-99] |
| 61348 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 61427 |
tcp |
applications |
not scanned |
Desktop Rover 3.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a crafted packet to TCP port 61427, which causes an invalid memory access.
References: [CVE-2005-1204] |
| 61440 |
tcp |
trojan |
Premium scan |
Orion trojan |
| 61441 |
tcp |
netprowler |
not scanned |
Axent NetProwler sensor
Cisco TelePresence Endpoint could allow a remote attacker to execute arbitrary commands on the system, caused by an error in XML-RPC. By initiating a three-way handshake, a remote attacker could send a specially-crafted request to TCP port 61441 or TCP port 61445 to inject and execute arbitrary commands on the system.
References: [BID-46517], [CVE-2011-0378], [XFDB-65617] |
| 61445 |
tcp |
applications |
not scanned |
Cisco TelePresence Endpoint could allow a remote attacker to execute arbitrary commands on the system, caused by an error in XML-RPC. By initiating a three-way handshake, a remote attacker could send a specially-crafted request to TCP port 61441 or TCP port 61445 to inject and execute arbitrary commands on the system.
References: [BID-46517], [CVE-2011-0378], [XFDB-65617] |
| 61460 |
tcp |
|
not scanned |
An unspecified API on Cisco TelePresence Immersive Endpoint Devices before 1.9.1 allows remote attackers to execute arbitrary commands by leveraging certain adjacency and sending a malformed request on TCP port 61460, aka Bug ID CSCtz38382.
References: [CVE-2012-3074] |
| 61466 |
tcp |
trojans |
Premium scan |
TeleCommando trojan |
| 61603 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 61613 |
tcp |
stomp |
not scanned |
Default listening port used by STOMP (Simple Text Oriented Messaging Protocol), see GitHub.
Port 61613 is also used as the listener for MCollective in puppet. |
| 61615 |
tcp |
applications |
not scanned |
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (memory consumption) via a flood of TCP packets to port (1) 61615 or (2) 61616, aka Bug ID CSCtz90114.
References: [CVE-2013-3389] |
| 61616 |
tcp,udp |
activemq |
not scanned |
Apache ActiveMQ, Java Message Service (JMS)
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (memory consumption) via a flood of TCP packets to port (1) 61615 or (2) 61616, aka Bug ID CSCtz90114.
References: [CVE-2013-3389] |
| 61695 |
tcp,udp |
surfcontrol |
not scanned |
SurfControl Web Filter - uses port 61695 to establish communication with Juniper Networks Security Devices |
| 61746 |
tcp,udp |
trojan |
not scanned |
KiLo trojan - listens on ports 50829,61746,61747,61748. May be related to Backdoor.KiLo [Symantec-2003-021319-1815-99] that uses ports 6711, 6718. |
| 61747 |
tcp,udp |
trojan |
not scanned |
KiLo trojan - listens on ports 50829,61746,61747,61748. May be related to Backdoor.KiLo [Symantec-2003-021319-1815-99] that uses ports 6711, 6718. |
| 61748 |
udp |
trojan |
not scanned |
KiLo trojan - listens on ports 50829,61746,61747,61748. May be related to Backdoor.KiLo [Symantec-2003-021319-1815-99] that uses ports 6711, 6718. |
| 61979 |
tcp |
trojan |
Premium scan |
Cool Remote Control trojan horse |
| 62011 |
tcp |
trojan |
Premium scan |
Ducktoy trojan |
| 62078 |
tcp,udp |
upnp |
not scanned |
UPnP (Universal Plug and Play), iTunes
Port used by UPnP for multimedia files sharing, also used for synchronizing iTunes files between devices. |
| 62514 |
udp |
vpn |
not scanned |
Cisco VPN Service to Cisco Systems IPSec Driver
Stack-based buffer overflow in the IKE service (ireIke.exe) in SafeNet SoftRemote before 10.8.6 allows remote attackers to execute arbitrary code via a long request to UDP port 62514.
References: [CVE-2009-1943], [BID-35154] |
| 62515 |
udp |
vpn |
not scanned |
Cisco VPN Client - also employs Network Admission Control (NAC) |
| 62516 |
udp |
ireike |
not scanned |
IREIKE, SonicWall VPN, NetScreen Remote Client
Port 62516 is used for communications between the IKE service and driver for interface detection. The IKE service sends a broadcast, and it should be blocked by the driver. But if DNE (Deterministic NDIS) is not bound to an interface, this broadcast will be sent out. |
| 62884 |
tcp |
malware |
not scanned |
Trojan.Win32.RASFlooder.b / Hardcoded Plaintext Password - the malware lets you create a backdoor server that will listen on TCP port 62884. Theres an option to specify a password if you choose. However, the malware allows weak passwords consisting of one character and stores user specified passwords in cleartext within the executable. The password is easily recoverable using strings util.
References: [MVID-2021-0287] |
| 62976 |
udp |
applications |
not scanned |
D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address, which allows remote attackers to change the IP address of the camera via a UDP broadcast packet.
References: [CVE-2004-1650], [BID-11072], [SECUNIA-12425] |
| 63000 |
tcp |
trojans |
Premium scan |
W32.Gaobot.ADX [Symantec-2004-042412-3100-99] (2004.04.24) - Windows worm that spreads through a few different methods, including open network shares, several known Windows vulnerabilities, and other backdoors like Beagle and Mydoom. Listens on these TCP ports: 63000 (HTTP), 63001 (HTTPS), 30001 (SOCKS proxy), and a FTP server on a random port. |
| 63001 |
tcp |
trojans |
Premium scan |
W32.Gaobot.ADX [Symantec-2004-042412-3100-99] (2004.04.24) - Windows worm that spreads through a few different methods, including open network shares, several known Windows vulnerabilities, and other backdoors like Beagle and Mydoom. Listens on these TCP ports: 63000 (HTTP), 63001 (HTTPS), 30001 (SOCKS proxy), and a FTP server on a random port. |
| 63148 |
tcp |
applications |
not scanned |
Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a denial of service via repeatedly sending large (> 10Kb) amounts of data to the DIIOP - CORBA service on TCP port 63148.
References: [CVE-2001-0603] |
| 63235 |
tcp |
arx |
not scanned |
Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235) |
| 63333 |
tcp |
TrippLite |
not scanned |
Tripp Lite PowerAlert UPS |
| 63392 |
tcp,udp |
applications |
not scanned |
Live For Speed Server |
| 63485 |
tcp |
trojans |
Premium scan |
Bunker-Hill trojan. Uses ports 61348, 61603, 63485 |
| 63536 |
tcp |
trojan |
not scanned |
InsaneNetwork.500 trojan |
| 63808 |
tcp |
trojan |
Premium scan |
Phatbot |
| 63809 |
tcp |
trojans |
Premium scan |
Phatbot
W32.hllw.gaobot.dk worm [Symantec-2003-120514-4926-99] |
| 63878 |
tcp |
trojan |
not scanned |
AphexFTP.100 trojan |
| 63879 |
tcp |
trojan |
not scanned |
AphexFTP.100 trojan |
| 64064 |
tcp,udp |
applications |
not scanned |
Gizmo Project |
| 64087 |
udp |
games |
not scanned |
Crysis game uses this port.
The ports for Crysis are as follows:
TCP 29900, 29901, 28910, 6667
UDP 64087
When hosting a server the following ports are used:
TCP 29900, 29901, 28910, 443, 80
UDP 64087, 29910, 27900, 27901 |
| 64100-64299 |
udp |
warface |
not scanned |
Warface game ports: 5222 TCP, 64100-64299 UDP |
| 64101 |
tcp |
trojans |
Premium scan |
Taskman trojan |
| 64320 |
tcp,udp |
activepdf |
not scanned |
Port used by ActivePDF software - automates PDF generation process from different sources, such as a website
ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541 |
| 64429 |
tcp |
trojans |
Premium scan |
Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551. |
| 64444 |
tcp |
trojans |
Premium scan |
Backdoor.Sdbot.AM [Symantec-2005-012716-1902-99] (2005.01.27) - worm with backdoor and denial of service capabilities. Spreads via network shares. Connects via IRC and listens on port 64444/tcp. |
| 64554 |
tcp |
malware |
not scanned |
Backdoor.Win32.Delf.wr / Authentication Bypass RCE - the CrazyInvadres Group⌐ bY SMURF_NS malware runs an FTP server on TCP port 64554. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0326]
Backdoor.Win32.Delf.wr / Port Bounce Scan - the CrazyInvadres Group⌐ bY SMURF_NS malware runs an FTP server on TCP port 64554 and accepts any username/password credentials. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0327] |
| 64738 |
tcp,udp |
voip |
not scanned |
Mumble VoIP server uses port 64738 TCP and UDP by default. 64738 UDP is the default connection port to Mumble servers (VoIP software for PC gamers).
|
| 64969 |
tcp |
trojan |
not scanned |
Lithium.100 trojan |
| 64999 |
udp |
applications |
not scanned |
Unspecified vulnerability in SAP Web Application Server before 6.40 patch 6 allows remote attackers to cause a denial of service (enserver.exe crash) via a certain UDP packet to port 64999, aka "two bytes UDP crash".
References: [CVE-2006-6011]
Unspecified vulnerability in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to cause a denial of service (enserver.exe crash) via a 0x72F2 sequence on UDP port 64999.
References: [CVE-2006-5785] [SECUNIA-22677] [BID-20873] |
| 65000 |
tcp |
trojans |
Premium scan |
Trojans that use this port: Devil 13, Sockets des Troie, Stacheldraht (DDoS)
|
| 65000 |
udp |
trojans |
not scanned |
Devil trojan horse 1.03
Backdoor.Win32.Whgrx / Remote Host Header Stack Buffer Overflow - the specimen listens on datagram UDP port 65000, by sending a specially crafted HTTP PUT request and specifying a large string of characters for the HOST header we trigger the buffer overflow overwriting stack registers. Upon running the malware it may display a "Cannot load shared library wsocx.dll" message but still runs normally. The exploit payload specifies both 41414141 and 42424242 pattern with 42424242 overwriting SEH and ECX register, the 42424242 pattern was target the HTTP HOST header.
References: [MVID-2021-0030] |
| 65001 |
tcp,udp |
hdhomerun |
not scanned |
HDHomeRun DVR from SiliconDust uses this port. HDHomeRun can be administered over the Ethernet link to tune channels, broadcast an MPEG stream, etc. The device can be viewed/controlled through a range of Linux/Windows DVR/PVR programs.
List of all used ports:
Discovery Protocol - UDP 65001
Control Protocol - TCP 65001
Video stream - UDP 5002 and UDP 5004
LIRC for IR on HD Homerun - UDP 5000 |
| 65002 |
tcp,udp |
applications |
not scanned |
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials.
References: [CVE-2020-9275] |
| 65100 |
tcp,udp |
applications |
not scanned |
Port used by the Sage Act! customer and contact manager. Port 65100 serves Act! as a link that offers remote access to information in the enterprise network. Act! can also be integrated into business programs such as accounting tools and MS Office. |
