| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 1925 |
tcp,udp |
discovery-port |
not scanned |
Incorrect validation vulnerability of the data entered, allowing an attacker with access to the network on which the affected device is located to use the discovery port protocol (1925/UDP) to obtain device-specific information without the need for authentication.
References: [CVE-2023-3770]
Surrogate Discovery Port (IANA official) |
| 1927 |
tcp |
trojans |
Members scan |
W32.Spybot.IVQ [Symantec-2005-012715-3315-99] (2005.01.26) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445). Opens a backdoor on one or more of these ports: 1927, 1930, 5002, 5003. |
| 1930 |
tcp |
trojan |
Premium scan |
W32.Spybot.IVQ [Symantec-2005-012715-3315-99] (2005.01.26) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445). Opens a backdoor on one or more of these ports: 1927, 1930, 5002, 5003.
IANA registered for: Drive AppServer |
| 1935 |
tcp |
rtmp |
Premium scan |
Adobe Flash Media Server connection port, Real Time Messaging Protocol (RTMP)
Playstation 4 game ports:
TCP 1935, 3478-3480
UDP 3074, 3478, 3479 |
| 1947 |
tcp,udp |
sentinelsrm |
not scanned |
Aladdin Systems uses port for HASP security.
SmartBear uses ports 6090-6092 for TestComplete software, and port 1947 tcp/udp for license manager. It also needs access to port 443 for activation.
The Sentinel LDK Run-Time Environment installer (Versions 7.6 and prior) adds a firewall rule named “Sentinel License Manager” that allows incoming connections from private networks using TCP Port 1947. While uninstalling, the uninstaller fails to close Port 1947.
References: [CVE-2021-32928]
SentinelSRM (IANA official) |
| 1948 |
udp |
games |
not scanned |
Heroes of Might and Magic III, developer: New World Computing |
| 1949 |
tcp,udp |
ismaeasdaqlive |
not scanned |
ISMA Easdaq Live |
| 1950 |
tcp,udp |
ismaeasdaqtest |
not scanned |
ISMA Easdaq Test |
| 1953 |
tcp,udp |
applications |
not scanned |
Hughes satellite modems could allow a remote attacker to bypass security restrictions, caused by the lack of authentication for telnet service (Port 1953). By using telnet client to connect port 1953, an attacker could exploit this vulnerability to bypass access restrictions and gain administrative access on the modem.
References: [CVE-2016-9497], [XFDB-122125] |
| 1956 |
tcp,udp |
applications |
not scanned |
Buffer overflow in PerlEdit allows remote attackers to cause PerlEdit to crash by establishing a Telnet connection to port 1956.
References: [BID-8006]
Port is also IANA registered for Vertel VMF DS |
| 1962 |
tcp,udp |
biap-mp |
not scanned |
Phoenix Contact ILC 131 ETH, ILC 131 ETH/XC, ILC 151 ETH, ILC 151 ETH/XC, ILC 171 ETH 2TX, ILC 191 ETH 2TX, ILC 191 ME/AN, and AXC 1050 devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories.
References: [CVE-2019-9201], [XFDB-157692]
IANA registered for: BIAP-MP |
| 1965 |
tcp,udp |
tivoli-npm |
not scanned |
Gemini protocol, a lightweight, collaboratively designed protocol, striving to fill the gap between Gopher and HTTP (TCP)
IANA registered for: Tivoli NPM |
| 1966 |
tcp |
trojan |
Premium scan |
Fake FTP trojan |
| 1967 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: For Your Eyes Only , WM FTP Server
The Service Assurance Agent (SAA) in Cisco IOS 12.0 through 12.2, aka Response Time Reporter (RTR), allows remote attackers to cause a denial of service (crash) via malformed RTR packets to port 1967.
References: [CVE-2003-0305]
SNS Quote (IANA official) |
| 1967 |
udp |
applications |
not scanned |
Cisco IOS IP Service Level Agreements (IP SLAs) Control Protocol |
| 1969 |
tcp |
trojan |
Premium scan |
OpC BO trojan |
| 1970 |
tcp,udp |
applications |
not scanned |
IANA registered for: Netop Business Solutions Netop Remote Control |
| 1971 |
tcp |
trojans |
Premium scan |
Backdoor.Bifrose [Symantec-2004-101214-5358-99] - remote access trojan, affects Windows.
Faronics Deep Freeze (workstation OS protection software) uses either port 1971 or 7725.
IANA registered for: Netop Business Solutions - Netop School. |
| 1972 |
tcp,udp |
intersys-cache |
not scanned |
IANA registered for: Cache |
| 1973 |
tcp |
worm |
not scanned |
W32.Sonic.Worm [Symantec-2000-122113-0301-99] (2000.10.09) - an email worm that appears to have originated in France. The worm emails itself to addresses in the Windows address book. Once executed, the worm attempts to download additional files, including commercial .dll files that provide emailing routines and an updated version of the worm.
Backdoor.Win32.Small.bu (KGB- RAT server v0.1) / Unauthenticated Remote Command Execution - the KGB- RAT malware listens on TCP port 1973. Third-party attackers who can reach infected systems can run commands made available by the backdoor, or run the "view" command to passively read screendump information. The malware writes its screendump info to a file named "log.log".
References: [MVID-2022-0479]
Data Link Switching Remote Access Protocol (IANA official) |
| 1974 |
udp |
drp |
not scanned |
xArrow could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the server. By sending a specially-crafted packet that triggers an out-of-bounds read operation to UDP port 1974, a remote attacker could exploit this vulnerability using a malicious datagram to execute arbitrary code on the system or cause the application to crash.
References: [XFDB-73663], [BID-52307]
Multiple vulnerabilities in xArrow can cause a DoS (Denial of Service). An integer overflow error in SCADA.exe when processing certain packets can be exploited to cause a crash via a specially crafted datagram sent to UDP port 1974.
References: [CVE-2012-2426] [CVE-2012-2427] [CVE-2012-2428] [CVE-2012-2429] [SECUNIA-48276]
IANA registered for: DRP |
| 1975 |
tcp |
tcoflashagent |
not scanned |
Multiple vulnerabilities in xArrow can cause a DoS (Denial of Service). A NULL-pointer dereference error in SCADA.exe due to missing validation when allocating memory can be exploited to cause a crash via a specially crafted packet sent to TCP port 1975.
References: [CVE-2012-2426] [CVE-2012-2427] [CVE-2012-2428] [CVE-2012-2429] [SECUNIA-48276]
IANA registered for TCO Flash Agent (TCP/UDP) |
| 1978 |
udp |
worm-linux |
Premium scan |
Linux.Slapper.Worm [Symantec-2002-091311-5851-99] (2002.09.13) - family of worms that use an "OpenSSL buffer overflow exploit [CVE-2002-0656] to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp. Opens backdoors on the following ports: 2002/udp (.A variant), 1978/udp (.B variant), 4156/udp and 1052/tcp periodically (.C variant).
WiFi Mouse 1.7.8.5 - Remote Code Execution
References: [EDB-49601] |
| 1978 |
tcp |
malware |
not scanned |
Trojan.Win32 Bankshot / Remote Stack Buffer Overflow (SEH) - the malware listens on TCP port 1978 and creates a local
Windows service running with SYSTEM integrity. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH).
|
| 1979,1980 |
tcp |
trojans |
Premium scan |
ZSpyII 0.99b (a.k.a. BackDoor-AGK, Backdoor.ZSpy) key logger |
| 1981 |
tcp |
trojans |
Premium scan |
Some trojans/backdoors use this port: Bowl, Shockrave
Port is also IANA registered for: p2pQ |
| 1983 |
tcp |
trojan |
Premium scan |
Q-taz |
| 1984 |
tcp |
trojans |
Premium scan |
Xymon (formerly Hobbit) System and Network Monitor use this port.
Arweave mining node
Trojans: Intruzzo, Q-taz
The config method in Henrik Storner Hobbit monitor before 4.1.2p2 permits access to files outside of the intended configuration directory, which allows remote attackers to obtain sensitive information via requests to the hobbit daemon on port 1984/tcp.
References: [CVE-2006-4003], [BID-19317]
The Updater in Rackspace Openstack Windows Guest Agent for XenServer before 1.2.6.0 allows remote attackers to execute arbitrary code via a crafted serialized .NET object to TCP port 1984, which triggers the download and extraction of a ZIP file that overwrites the Agent service binary.
References: [CVE-2013-6795], [OSVDB-100191], [SECUNIA-55775]
Rackspace Windows Agent and Updater could allow a remote attacker to execute arbitary code on the system, caused by an error in the Agent and Updater services when handling Agent binaries updates for the Cloud Server guest instances. By sending a specially-crafted request using .NET serializable object to TCP port 1984 , a remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system.
References: [XFDB-89205]
Big Brother - network monitoring tool (IANA official) |
| 1985 |
tcp,udp |
hsrp |
not scanned |
Black Diver, Q-taz trojans
Cisco HSRP also uses this port (UDP)
Cisco IOS 11.1 through 12.2, when HSRP support is not enabled, allows remote attackers to cause a denial of service (CPU consumption) via randomly sized UDP packets to the Hot Standby Routing Protocol (HSRP) port 1985.
References: [CVE-2002-1768], [BID-4948]
Hot Standby Router Protocol [RFC 2281] (IANA official) |
| 1986 |
tcp |
worm |
Premium scan |
W32.Versie.A [Symantec-2007-080715-4520-99] (2007.08.07) - a worm that spreads through mapped network drives. The worm opens a back door and may download more malicious content on to the compromised computer.
Akosch4 trojan also uses this port.
Cisco License Management (IANA official) |
| 1987 |
tcp |
tr-rsrb-p1 |
Premium scan |
Backdoor.Ciadoor.B [Symantec-2003-112315-1255-99] (2003.11.23) - a trojan horse that gives unauthorized access to a compromised computer.
Cisco RSRB Priority 1 port (IANA official) |
| 1988 |
tcp,udp |
tr-rsrb-p2 |
not scanned |
Backdoor.Win32.Delf.abb / Insecure Transit - the malware listens on TCP ports 1988 and 2111 but message exchange takes place on port 1988. The backdoor uses unencrypted plaintext socket communication allowing anyone who can sniff network traffic to read any communications sent or retrieved. This can disclose information to third-party well positioned attackers.
References: [MVID-2021-0206]
Cisco RSRB Priority 2 port (IANA official) |
| 1989 |
tcp,udp |
tr-rsrb-p3 |
not scanned |
Cisco RSRB Priority 3 port (IANA official) |
| 1991 |
tcp |
trojan |
Premium scan |
PitFall |
| 1994 |
tcp,udp |
stun-port |
not scanned |
IANA registered for: cisco serial tunnel port |
| 1997 |
tcp |
applications |
not scanned |
Chizmo Networks Transfer Tool |
| 1998 |
tcp,udp |
x25-svc-port |
not scanned |
IANA registered for: Cisco X.25 service (XOT) |
| 1999 |
tcp |
tcp-id-port |
Members scan |
Cisco identification port.
Citrix Command Center Server uses ports 1099 and 2014 TCP to communicate with High Availability (HA) servers. May also use port 6011 TCP when there is a firewall between the primary and secondary servers.
Some trojans also use this port: Back Door, SubSeven, TransScout
Backdoor.Bifrose.C [Symantec-2005-051912-0450-99] (2005.05.19) - trojan that opens a backdoor on port 1999/tcp, and sends information to a remote server.
An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).
References: [CVE-1999-0453]
RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a RUN command that launches a .EXE file located at an arbitrary external URL, or a "SETFIREWALL Off" command.
References: [CVE-2018-7756], [EDB-44275] |
| 2000 |
tcp |
callbook |
Members scan |
"RemoteAnywhere" installs a webserver on this port. NeWS/OpenWin (Sun's older variation of X-Windows) uses this port.
Lineage also uses this port.
A number of trojan horses/backdoors use this port: TransScout, Der Spaeher, Fear, Force, GOTHIC Intruder, Insane Network, Last 2000, Real 2000, Remote Explorer 2000, Senna Spy Trojan Generator, Singularity
Backdoor.Fearic [Symantec-2002-080710-2744-99] (2002.08.07) - remote access trojan, affects all current Windows versions, opens ports 2000, 3456, 8811.
Trojan.Esteems.D [Symantec-2005-051615-2304-99] (2005.05.16) - trojan with keylogger capabilities. Uses port 2000/tcp to communicate with a remote host and send logged information.
Dark Colony game also uses port 2000 (TCP/UDP).
Unspecified vulnerability in the Session Border Controller (SBC) before 3.0(2) for Cisco 7600 series routers allows remote attackers to cause a denial of service (SBC card reload) via crafted packets to TCP port 2000.
References: [CVE-2009-0619], [BID-33975]
Port is also IANA registered for Cisco SCCP |
| 2001 |
tcp |
vmware |
Members scan |
VMware Workspace ONE / Airwatch AWCM server uses port 2001.
Some trojans/backdoors use this port: Der Spaeher, Duddie, Glacier, Protoss, Senna Spy Trojan Generator, Singularity, Trojan Cow. Port also used by FreeBSD.Scalper.Worm [Symantec-2002-062814-5031-99] (2002.06.28) - FreeBSD Apache worm.
WellinTech KingView 6.53 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted packet to (1) TCP or (2) UDP port 2001.
References: [CVE-2012-1832]
The Panda Antivirus console on port 2001 allows local users to execute arbitrary commands without authentication via the CMD command.
References: [CVE-2000-0541] [BID-1359]
curry (IANA official) |
| 2001 |
udp |
applications |
not scanned |
CAPTAN Test Stand System |
| 2002 |
tcp |
trojans |
Members scan |
Port used by LogMeIn (also uses ports 80 and 443 TCP)
W32.Beagle.AX@mm [Symantec-2004-111612-2714-99] (2004.11.15) - mass-mailing worm, also spreads through file-sharing networks. Affects all current Windows versions. The worm opens a backdoor on port 2002/tcp, allowing the machine to be used as an open email relay. Also uses port 80 to contact "webmoney.net".
Backdoor.Singu.C [Symantec-2006-112113-2825-99] (2006.11.21) - a trojan horse that logs keystrokes and opens a back door on the compromised computer.
The CSAdmin web administration interface for Cisco Secure Access Control Server (ACS) 3.2(2) build 15 allows remote attackers to cause a denial of service (hang) via a flood of TCP connections to port 2002.
References: [CVE-2004-1458] [BID-11047] [SECUNIA-12386] [OSVDB-9182]
Some other trojans/backdoors that also use this port: Duddie, Senna Spy Trojan Generator, Sensive, TransScout |
| 2002 |
udp |
worm-linux |
Premium scan |
2002 UDP used by oughtime.cloudflare.com
Linux.Slapper.Worm [Symantec-2002-091311-5851-99] (2002.09.13) - family of worms that use an "OpenSSL buffer overflow exploit [CVE-2002-0656] to run a shell on a remote computer. Targets vulnerable Apache Web servers under various Linux distributions. The worm has distributed denial of service (DDoS) attack capabilities. It spreads by exploiting ports 80/tcp and 443/tcp. Opens backdoors on the following ports: 2002/udp (.A variant), 1978/udp (.B variant), 4156/udp and 1052/tcp periodically (.C variant). |
| 2003 |
tcp |
trojan |
Premium scan |
TransScout trojan
Lineage, MultiTheftAuto (TCP/UDP) also use this port.
Backdoor.Win32.NinjaSpy.c / Remote Command Execution - the malware listens on TCP ports 2003, 2004 and drops a DLL named "cmd.dll" under Windows dir. Connecting to port 2003, you will get back a number "9951" from the infected host. If we send the value 1000 we get a message in Portugese "Pisca Pisca Ativado" translates to "Blink Blink Activated". If we connect to port 2004 and send "abc123" we get message "Acesso negado..." translates to "Access denied". However, if you take the initial number we received earlier (9951) when connecting to port 2003 and apply some calculation we expose hidden functionality. Take the 9951 value and invert the first two digits to 66 and then add together the last two 5 + 1 to equal 6 for a final value of "666". Example, initial number (9951) 99 inverted equals 66 and 5 + 1 = 6. Enter and send the constructed value of "666" to port 2003 and TCP port 999 is opened. Connect to port 999 and you get back a remote shell.
References: [MVID-2021-0202] |
| 2003 |
udp |
applications |
not scanned |
2003 UDP used by roughtime.cloudflare.com
D-Link DAP-1160 could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access to the dccd daemon. By sending a specially-crafted D-Link Click 'n Connect (DCC) protocol request to UDP port 2003, a remote attacker could exploit this vulnerability obtain sensitive information, modify configuration settings or cause the device to reboot.
References: [XFDB-59884], [BID-41187], [BID-41222], [SECUNIA-40399]
IANA registered for: Brutus Server (TCP/UDP) |
| 2004 |
tcp |
trojans |
Premium scan |
Duddie, TransScout
Backdoor.Win32.NinjaSpy.c / Remote Command Execution - the malware listens on TCP ports 2003, 2004 and drops a DLL named "cmd.dll" under Windows dir. Connecting to port 2003, you will get back a number "9951" from the infected host. If we send the value 1000 we get a message in Portugese "Pisca Pisca Ativado" translates to "Blink Blink Activated". If we connect to port 2004 and send "abc123" we get message "Acesso negado..." translates to "Access denied". However, if you take the initial number we received earlier (9951) when connecting to port 2003 and apply some calculation we expose hidden functionality. Take the 9951 value and invert the first two digits to 66 and then add together the last two 5 + 1 to equal 6 for a final value of "666". Example, initial number (9951) 99 inverted equals 66 and 5 + 1 = 6. Enter and send the constructed value of "666" to port 2003 and TCP port 999 is opened. Connect to port 999 and you get back a remote shell.
References: [MVID-2021-0202] |
| 2005 |
tcp |
trojans |
Premium scan |
W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS DCOM RPC Vulnerability ([MS03-026]) on port 135/tcp. It uses its own SMTP engine to email itself to gathered email addresses. Opens an FTP server on port 1155/tcp. Opens a proxy server on port 2005/tcp. It also attempts to perform denial of service (DDoS) attack agains known security websites on port 1052/tcp. Note: port 1052 corresponds to the dynamic DNS service.
Duddie, TransScout trojans also use port 2005 (TCP).
Backdoor.Win32.Delf.zs / Unauthenticated Remote Command Execution - Backdoor Delf.zs c0ded By Eb0La, is used to build backdoors that listen on TCP port 2005. Upon building it drops an executable named "[Shell_Me]_Server.exe." The name for the spawned backdoor defaults to "Syst32.exe" but can be customized. Third-party attackers who can reach infected systems can execute arbitrary commands by simply connecting to the backdoor which will return a remote shell to the infected host as no authentication exists.
References: [MVID-2021-0150] |
| 2007 |
udp |
raid-am |
not scanned |
raid-am |
| 2008 |
tcp |
conf |
not scanned |
Teamspeak 3 connects to accounting.teamspeak.com on port 2008 TCP for license checks and weblist.teamspeak.com on port 2010 UDP. TS3 weblist also uses ports 2011-2110 (UDP out, first available port in range). TS3 listens to ports 9987/UDP (voice), 10011/TCP (serverquery), 30033/TCP (file transfer), 41144/TCP (tsdns) by default. |
| 2009 |
tcp |
games |
not scanned |
Lineage II
Only for Jasper (TCP/UDP) |
| 2010 |
udp |
pipe-server |
not scanned |
Teamspeak 3 connects to accounting.teamspeak.com on port 2008 TCP for license checks and weblist.teamspeak.com on port 2010 UDP. TS3 weblist also uses ports 2011-2110 (UDP out, first available port in range). TS3 listens to ports 9987/UDP (voice), 10011/TCP (serverquery), 30033/TCP (file transfer), 41144/TCP (tsdns) by default. |
| 2010 |
tcp |
pipe-server |
not scanned |
Network Flight Recorder (NFR) uses port 2010 tcp.
IANA registered for: pipe server
Artemis: Spaceship Bridge Simulator also uses this port (TCP/UDP)
|
| 2012 |
tcp |
applications |
not scanned |
Remoticus Server
Backdoor.Win32.NetControl2.293 / Unauthenticated Remote Command Execution - the malware listens on TCP port 2012. Attackers who can reach infected hosts can run arbitrary OS commands using the DOSCMD command made available by the backdoor.
References: [MVID-2021-0231] |
| 2013 |
tcp |
raid-am |
not scanned |
raid-am |
| 2014 |
tcp |
citrix |
not scanned |
Citrix Command Center Server uses ports 1099 and 2014 TCP to communicate with High Availability (HA) servers. May also use port 6011 TCP when there is a firewall between the primary and secondary servers. |
| 2015 |
tcp |
malware |
not scanned |
Backdoor.Win32.Guptachar.20 / Insecure Credential Storage - the malware runs a web server on TCP port 2015 (default) and uses BASIC authentication. The credentials "hacker01:imchampgr8" get stored in a .NFO information file named "GPTCR.NFO" under Windows dir base64 encoded and hidden among many junk NULL bytes.
References: [MVID-2022-0631] |
| 2020 |
tcp |
trojans |
Premium scan |
Port used by Backdoor.Rockse [Symantec-2003-050614-4623-99] (2003.05.06) - remote access trojan. Affects all current Windows versions, opens a server on port 2020 or 2525.
The TCP-to-ODBC gateway in IBM Tivoli Provisioning Manager for OS Deployment 7.1.1.3 does not require authentication for SQL statements, which allows remote attackers to modify, create, or read database records via a session on TCP port 2020. NOTE: the vendor disputes this issue, stating that the "default Microsoft Access database is not password protected because it is intended to be used for evaluation purposes only."
References: [CVE-2010-4121]
Backdoor.Win32.Onalf / Missing Authentication - WinRemoteShell (Onalf) listens for commands on TCP port 2020. Interestingly, it will only start listening once it can connect outbound to SMTP port 25. Not much of a self respecting backdoor, as it allows anyone to logon without requiring a password.
References: [MVID-2021-0042]
GTA Rumble also uses port 2020 (TCP/UDP) |
| 2023 |
tcp |
trojans |
Premium scan |
Ripper Pro trojan (a.k.a BackDoor-AL, Backdoor.Ripper) - key logger, steals passwords |
| 2030 |
tcp,udp |
applications |
not scanned |
Oracle services for Microsoft Transaction Server |
| 2031 |
tcp,udp |
mobrien-chat |
not scanned |
IANA registered for: mobrien-chat |
| 2033 |
tcp |
games |
not scanned |
Civilization IV |
| 2037 |
tcp,udp |
applus |
not scanned |
APplus Application Server (IANA official) |
| 2040 |
tcp |
trojan |
Premium scan |
InfernoUploader |
| 2041 |
tcp |
trojan |
Premium scan |
W32.korgo.a
Mail.Ru Agent communication protocol also uses this port. |
| 2047 |
tcp,udp |
applications |
not scanned |
Bell South Home Monitoring System, Xanboo Homesight Service |
| 2048 |
udp |
applications |
not scanned |
Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS 11.2 and earlier does not use authentication, which allows remote attackers to redirect HTTP traffic to arbitrary hosts via WCCP packets to UDP port 2048.
References: [CVE-1999-1175]
Port is IANA registered for dls-monitor |
| 2048 |
tcp |
malware |
not scanned |
Backdoor.Win32.Zxman / Missing Authentication - Backdoor.Win32.Zxman by Zx-man listens on TCP port 2048 for commands. However, anyone who can reach the infected host can take control as there is no authentication in place. Not much of a self-respecting backdoor. Third party intruders or incident responders who logon will be greeted with a welcome screen and help menu allowing for a wide-range of commands.
References: [MVID-2021-0041]
Backdoor.Win32.Zxman / Unauthenticated Remote Code Execution - the malware by "Zx-man" listens on TCP port 2048. Third-party attackers who can reach an infected system can run commands made available by the backdoor.
References: [MVID-2022-0478] |
| 2049 |
tcp,udp,sctp |
NFS |
Members scan |
Network File System (NFS) - remote filesystem access [RFC 1813] [RFC5665]. A commonly scanned and exploited attack vector. Normally, port scanning is needed to find which port this service runs on, but since most installations run NFS on this port, hackers/crackers can bypass fingerprinting and try this port directly.
shilp also uses port 2049 (UDP).
FreeBSD is vulnerable to a denial of service attack. A remote attacker could send a specially-crafted NFS Mount request to TCP port 2049 to cause a kernel panic, resulting in a denial of service.
References: [CVE-2006-0900] [BID-16838]
Stack-based buffer overflow in nfsd.exe in XLink Omni-NFS Server 5.2 allows remote attackers to execute arbitrary code via a crafted TCP packet to port 2049 (nfsd), as demonstrated by vd_xlink.pm.
References: [CVE-2006-5780] [BID-20941] [SECUNIA-22751]
Novell Netware is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the xnfs.nlm component when processing NFS requests. By sending a specially-crafted NFS RPC request to UDP port 2049, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
References: [XFDB-72199] |
| 2050 |
tcp |
trojans |
Premium scan |
PWSteal.Ldpinch.C [Symantec-2004-100416-1738-99] (2004.10.04) - password stealing trojan horse program. Affects all current Windows versions. May open a backdoor allowing shell commands on port 2050/tcp |
| 2053 |
tcp,udp |
lot105-ds-upd |
not scanned |
knetd Kerberos de-multiplexor uses port 2053 (TCP)
IANA registered for: Lot105 DSuper Updates |
| 2054 |
tcp,udp |
weblogin |
not scanned |
Emerson Process ControlWave Micro Process Automation Controller is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending specially crafted packets to Port 2054, a remote attacker could exploit this vulnerability to cause the system to change its state into halt mode.
References: [CVE-2018-5452], [XFDB-139724], [BID-103180]
IANA registered for: Weblogin Port |
| 2055 |
udp |
netflow |
not scanned |
NetFlow is a Cisco-owned network messaging standard that creates a format for notifications generated by networking equipment (routers, switches) to be picked by monitoring software for analyzis of network traffic and congestion.
NetFlow traditionally uses port 2055/udp, but can also use the following UDP ports: 2055, 2056, 4432, 4739, 9995, 9996, and 6343.
Competing non-proprietary sFlow/OpenFlow product uses port 6343/udp. |
| 2056 |
tcp |
games |
not scanned |
Civilization IV |
| 2060 |
tcp |
trojan |
Premium scan |
Protoss |
| 2062 |
udp |
skype-p2p |
Members scan |
Skype uses this as a p2p port, using super nodes and other users to communicate. |
| 2064 |
tcp,udp |
applications |
not scanned |
Distributed.Net RC5/DES |
| 2065 |
tcp,udp |
dlsrpn |
not scanned |
IANA registered for: Data Link Switch Read Port Number |
| 2066 |
|
applications |
not scanned |
DLSw
IANA registered for: AVM USB Remote Architecture |
| 2067 |
udp |
applications |
not scanned |
The data-link switching (DLSw) component in Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (device restart or memory consumption) via crafted UDP port 2067 or IP protocol 91 packets.
References: [CVE-2008-1152], [BID-28465] |
| 2067 |
tcp |
applications |
not scanned |
The DLSw implementation in Cisco IOS does not initialize packet buffers, which allows remote attackers to obtain sensitive credential information from process memory via a session on TCP port 2067, aka Bug ID CSCur14014.
References: [CVE-2014-7992] |
| 2070 |
tcp,udp |
ah-esp-encap |
not scanned |
In Lexmark Services Monitor 2.27.4.0.39 (running on TCP port 2070), a remote attacker can use a directory traversal technique using /../../../ or ..%2F..%2F..%2F to obtain local files on the host operating system.
References: [CVE-2019-16758]
IANA registered for: AH and ESP Encapsulated in UDP packet |
| 2074 |
tcp,udp |
vrtl-vmf-sa |
not scanned |
IRLP - Internet Radio Linking Project uses ports 2074-2093
IANA registered for: Vertel VMF SA |
| 2080 |
tcp |
trojans |
Premium scan |
Autodesk Network License Manager (FLEXlm, adskflex.exe) uses port 2080 tcp. See also ports 27000-27009 tcp.
IRLP - Internet Radio Linking Project uses port 2080/tcp.
Some versions of WinGate 3.0 contain a bug that allows the service to be crashed by connecting to this port and sending 2000 characters
Backdoor.TJServ [Symantec-2004-111117-0241-99] (2004.11.11) a.k.a. Backdoor.Curdeal - backdoor trojan, affect Windows, notifies websites on the domain currentdeal.biz on port 2080/tcp, and opens a random port to listen for remote commands.
WinHole trojan horse also uses port 2080/tcp |
| 2082 |
tcp,udp |
infowave |
not scanned |
CPanel default uses port 2082 (TCP)
IANA registered for: Infowave Mobility Server |
| 2083 |
tcp,udp |
radsec |
not scanned |
Secure Radius Service [IESG] [RFC 6614] (IANA official)
CPanel default SSL (unofficial)
IRLP (Internet Radio Linking Project) also uses ports 2074-2093 udp. |
| 2084 |
tcp,udp |
sunclustergeo |
not scanned |
IANA registered for: SunCluster Geographic |
| 2086 |
tcp |
trojans |
Premium scan |
Corba exploit, Netscape exploit, WebHost Manager default port
Port is IANA registered for GNUnet (TCP/UDP). |
| 2087 |
tcp,udp |
eli |
not scanned |
WebHost Manager default SSL uses port 2087 (TCP).
IANA registered for: ELI - Event Logging Integration |
| 2090 |
tcp |
trojans |
Premium scan |
Backdoor.Expjan [Symantec-2002-082614-3947-99] (2002.08.26) - remote access trojan. Affects all current Windows versions.
Load Report Protocol (IANA official) |
| 2090 |
udp |
malware |
not scanned |
Backdoor.Win32.Zetronic / Remote DoS - Zetronic listens on UDP port 2090, sending a large datagram packet of junk results in denial of service of the backdoor.
References: [MVID-2021-0057] |
| 2091 |
tcp,udp |
applications |
not scanned |
Go2Call, PalTalk |
| 2092 |
udp |
games |
not scanned |
Descent 3 |
| 2093 |
|
applications |
not scanned |
IRLP - Internet Radio Linking Project uses ports 2074-2093 |
| 2094 |
tcp |
trojans |
Premium scan |
W32.Mytob.FO@mm [Symantec-2005-061910-3159-99] (2005.06.19) - mass-mailing worm that attempts to open an IRC backdoor on ports 2094/tcp or 6543/tcp.
W32.Opanki.C [Symantec-2005-070409-5849-99] (2005.07.04) - an IRC worm that may spread through AOL Instant Messenger.
Port is also IANA registered for NBX AU |
| 2095 |
tcp,udp |
nbx-ser |
not scanned |
PalTalk, CPanel default Web mail (TCP)
IANA registered for: NBX SER |
| 2096 |
tcp,udp |
nbx-dir |
not scanned |
CPanel default SSL Web mail (TCP)
IANA registered for: NBX DIR |
| 2099 |
tcp |
games |
Premium scan |
League of Legends game uses the following ports:
5000 - 5500 UDP - League of Legends Game Client
8393 - 8400 TCP - Patcher and Maestro
2099 TCP - PVP.Net
5222 TCP - PVP.Net
5223 TCP - PVP.Net
80 TCP - HTTP Connections
443 TCP - HTTPS Connections
H.225.0 Annex G Signalling (IANA official) |
| 2100 |
tcp,udp |
applications |
not scanned |
Warzone 2100
Amiga Network Filesystem (IANA official) |
| 2101 |
tcp |
msmq |
Premium scan |
Microsoft Message Queuing (MSMQ) uses the following ports:
1801 TCP/UDP
2101, 2103, 2105 (RPC over TCP)
3527 UDP
Trojan using this port: SweetHeart |
| 2102 |
tcp,udp |
zephyr-srv |
not scanned |
IANA registered for: Zephyr server |
