
Vulnerable Ports: SG Ports Database Security Scanner Email Us Security Forum

Uploaded by

rnj1230

SpeedGuide.net :: Ports to Scan https://www.speedguide.net/ports_sg.php


Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security
Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel
we should add other port(s) to the list or modify their descriptions, please email us. Any feedback and
suggestions can also be posted to our Security forum.


Port(s) Protocol Service Scan level Description


0 tcp,udp not scanned
Port 0 is reserved by IANA; it is technically invalid to use, but possible. It
is sometimes used to fingerprint machines, because different operating
systems respond to this port in different ways. Some ISPs may block it
because of exploits. Port 0 can be used by applications when calling
bind() to request the next available dynamically allocated
source port number.
1 udp tcpmux not scanned
TCP Port Service Multiplexer (IANA registered)

Sockets des Troie remote access trojan uses this port (a.k.a.
Backdoor.Sockets23, Lame, Backdoor.Kamikaze, IRC_trojan,
TROJ_Backdoor, W32/Cheval.gen, coded in Delphi 3, 06.1998). It might
also use ports 1/udp, 5000, 5001, 30303, 50505, 60000 and 65000.
1 tcp tcpmux Premium scan
Scans against this port are commonly used to test if a machine runs SGI
Irix (as SGI is the only system that typically has this enabled). This
service is almost never used in practice.

RFC1078 - TCPMUX acts much like Sun's portmapper, or Microsoft's
end-point mapper in that it allows services to run on arbitrary ports. In
the case of TCPMUX, however, after the "lookup" phase, all further
communication continues to run over that port.

builtins.c in Xinetd before 2.3.15 does not check the service type when
the tcpmux-server service is enabled, which exposes all enabled
services and allows remote attackers to bypass intended access
restrictions via a request to tcpmux port 1 (TCP/UDP).
References: [CVE-2012-0862] [BID-53720] [OSVDB-81774]

Trojans that use this port: Breach.2001, SocketsDeTroie

Also see: CERT: CA-95.15.SGI.lp.vul


2 tcp compressnet Premium scan
Trojans that use this port: Death remote access trojan (coded in VB,
affects Windows 9x), port can be changed. Files: death.exe, config.cfg

America's Army, Operation Flashpoint also use this port.

Port 2 is also registered with IANA for compressnet management utility.


3 tcp,udp compressnet not scanned
Delta Force uses port 3 (TCP)
Midnight Commander
SynDrop trojan

Backdoor.Win32.Quux / Weak Hardcoded Credentials - the malware
listens on TCP port 3. Authentication is required, however the password
"Faraon" translated from Romanian as "Pharaoh" is weak and
hardcoded in cleartext within the PE file. Third-party adversaries who
can reach an infected host can call commands made available by the
backdoor. Commands include uploading files and code execution.
There's a need to code a custom client to communicate with the infected
host as nc64.exe and telnet send LF characters and will fail
authentication when sending credentials containing "\n" etc. Once
connected, if we send any files they will be written to Windows\System
unless calling the "SetCurrDir" command.
References: [MVID-2022-0656]

Compression Process (IANA official)
4 tcp sfs Basic scan
Self-Certifying File System (SFS) sfssd accepts connections on TCP port
4 and passes them to the appropriate SFS daemon. SFS is a secure,
global file system with completely decentralized control. SFS uses NFS
3 as the underlying protocol for file access.

America's Army also uses this port.

Midnight Commander sometimes uses port 4/tcp as well.
5 tcp trojans Premium scan
Incoming Routing Redirect Bomb, yoyo
7 tcp Echo Members scan
Echo Service, somewhat outdated by ICMP echo. Port just echoes
whatever is sent to it. This feature can be used in many attacks, such as
Smurf/Fraggle.

See also: [RFC862]


ICP - Internet Caching Protocol - This protocol is used by HTTP caching
proxies in order to coordinate working together in a cluster. Part of this
implementation includes bouncing packets off the echo port in order to
test if the peers are alive.

Act P202S VoIP WiFi phone undocumented open port, multiple
vulnerabilities.
References: [CVE-2006-0374], [CVE-2006-0375], [BID-16288]
7 udp wol not scanned
WOL (Wake on LAN) typically uses UDP port 7 or 9. LANDESK
Management Suite uses port 0 for WOL.
8 tcp trojan Premium scan
Ping Attack
9 tcp,udp,sctp Discard Members scan
Discard server - this protocol is only installed on machines for test
purposes. The service listening at this port (both TCP and UDP) simply
discards any input.

WOL (Wake on LAN) typically uses UDP port 7 or 9 (LANDESK uses
port 0).

Railroad Tycoon 3 also uses this port (TCP).

See also [RFC 863], [RFC 4960], [CVE-1999-0060]

Intrusions: Ascend kill


This exploit kills Ascend routers by sending them a specially formatted
malformed TCP packet. On certain versions of the Ascend operating
system, the router can be forced to cause an internal error, resulting in
the router rebooting.


10 tcp misc Premium scan
AT&T 5268ac router may listen on port 10 TCP
11 tcp,udp systat Premium scan
system / active users information.

On some UNIX machines, creating a TCP connection to this port will
dump the active processes and who launched them. The original intent
for this was to make remote management of UNIX easier. However,
intruders will query the systat information in order to map out the
system.
This service is rarely available anymore because of these security
concerns.
On UNIX, there are also local commands that show this information,
such as systat or ps.

Skun trojan also uses this port.

See also: [RFC866]


12 tcp games not scanned
Dark Ages of Camelot
13 tcp,udp Daytime Members scan
Daytime service [RFC 867] - responds with the current time of day.
Different machines respond with slightly different date/time format, so
port can be used to fingerprint machines.

Dark and Light also uses this port.

Backdoor.Win32.Infexor.b / Remote Buffer Overflow - remote SEH Stack
Buffer Overflow on HTTP server response when connecting to TCP Port
13.
References: [MVID-2021-0010]
15 tcp,udp netstat Premium scan
Port used by netstat (a variant of systat, see port 11). Rarely available
because of security concerns. It can be used to list active processes and
who launched them on some UNIX machines.

Port also used by B2 trojan.


16 tcp trojan Premium scan
Skun
16 udp applications not scanned
Observer is vulnerable to a denial of service, caused by a NULL pointer
dereference when copying an octet string from a variable binding list. By
sending a specially-crafted SNMP SetRequest PDU to UDP port
16, a remote attacker could exploit this vulnerability to cause the
application to crash.
References: [XFDB-73909], [BID-52409]
17 tcp,udp qotd not scanned
Responds with Quote of the Day. See [RFC 865]

Skun trojan also uses this port.


18 tcp,udp msp not scanned
Message Send Protocol
Also: Remote Write Protocol (RWP)
Related RFCs: [RFC 1159] [RFC 1312] [RFC 1756]

Skun trojan also uses this port.


19 tcp,udp Chargen Members scan
Generates and replies with a stream of characters (TCP) or a packet
containing characters (UDP). Should be disabled if there is no specific
need for it, source for potential attacks. [RFC 864]

Skun trojan also uses this port.


20 tcp,udp,sctp FTP - data Basic scan
File Transfer Protocol - Data
See also [RFC 4960]

The default configuration of BenHur Firewall release 3 update 066 fix 2
allows remote attackers to access arbitrary services by connecting from
source port 20.
References: [CVE-2002-2307] [BID-5279]

Some trojans also use this port: Amanda, Senna Spy FTP server.
21 tcp FTP Basic scan
File Transfer Protocol [RFC 959] - some network devices may be
listening on this port, such as NAT routers for remote access/private
cloud storage and network attached multi-function printers (scan to ftp
feature).

Asus RT routers may open an internet accessible FTP server for USB-
attached storage, configurable in administration panel under "USB
Application > Servers Center > FTP Share"

Trojan horses/backdoors that also use this port: 7tp trojan, MBT, Back
Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP,
Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Nerte
7.8.1, Net Administrator, Ramen, Senna Spy FTP server, The Flu,
Traitor 21, WebEx, WinCrash, W32.Mytob.AE@mm
[Symantec-2005-040915-5504-99], W32.Sober.N@mm
[Symantec-2005-041910-4132-99], W32.Bobax.AF@mm
[Symantec-2005-081611-4121-99] - a mass-mailing worm that opens a
backdoor and lowers security settings on the compromised computer. It
exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security
Bulletin [MS05-039]) on port 21/tcp, and by sending copies of itself to
gathered email addresses. Also opens a backdoor on a random tcp port
and/or port 80/udp.

W32.Loxbot.C [Symantec-2006-010515-3159-99] (2006-01-05)

FTP proxy server for Novell BorderManager 3.6 SP 1a allows remote
attackers to cause a denial of service (network connectivity loss) via a
connection to port 21 with a large amount of random data.
References: [CVE-2002-0779]

TURCK BL20 / BL67 could allow a remote attacker to bypass security
restrictions, caused by the use of hardcoded credentials for the FTP
service. An attacker could exploit this vulnerability using TCP port 21 to
gain administrative access to the device.
References: [CVE-2012-4697], [XFDB-84351]

The FTP service in QNAP iArtist Lite before 1.4.54, as distributed with
QNAP Signage Station before 2.0.1, has hardcoded credentials, which
makes it easier for remote attackers to obtain access via a session on
TCP port 21.
References: [CVE-2015-7261]

The FTP service on Janitza UMG 508, 509, 511, 604, and 605 devices
has a default password, which makes it easier for remote attackers to
read or write to files via a session on TCP port 21.
References: [CVE-2015-3968]

A vulnerability was discovered in Siemens OZW672 (all versions) and
OZW772 (all versions) that could allow an attacker with access to port
21/tcp to access or alter historical measurement data stored on the
device.
References: [CVE-2017-6872], [BID-99473]

A vulnerability has been identified in SiNVR 3 Central Control Server
(CCS) (all versions), SiNVR 3 Video Server (all versions). The two FTP
services (default ports 21/tcp and 5411/tcp) of the SiNVR 3 Video Server
contain a path traversal vulnerability that could allow an authenticated
remote attacker to access and download arbitrary files from the server, if
the FTP services are enabled.
References: [CVE-2019-19296]

Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware
listens on TCP port 21 and TCP ports 14920 to 14923. Third-party
attackers who can reach the system can logon using any username/
password combination. Attackers may then upload executables using ftp
PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0205]

ReverseTrojan by satan_addict listens on TCP ports 12000 and 21. The
malware accepts empty credentials for authentication as the default
settings are set to blank. Third-party attackers who can reach an
infected host can potentially gain access to the machine before or if no
password is set.
References: [MVID-2021-0256]

Backdoor.Win32.Wollf.16 / Authentication Bypass - the malware listens
on TCP port 1015 and has an FTPD feature that when enabled listens
on TCP port 21. Third-party attackers who can reach an infected system
can logon using any username/password combination.
References: [MVID-2022-0462]

Backdoor.Win32.Hellza.120 / Unauthorized Remote Command
Execution - the malware listens on TCP ports 12122, 21. Third-party
adversaries who can reach infected systems can issue commands made
available by the backdoor.
References: [MVID-2022-0641]
21 udp FSP Basic scan
FSP/FTP [RFC959]
22 udp ssh Basic scan
The Secure Shell (SSH) Protocol [RFC 4251]

Old version of pcAnywhere uses port 22/udp (no relation to ssh and port
22/tcp).
The real pcAnywhere port is 5632. The value 0x0016 (hex) is 22
decimal; the value of 0x1600 (hex) is 5632 decimal. Some say that
pcAnywhere had a byte-swapping bug that led to its incorrect use of port
22.
22 tcp,sctp SSH Basic scan
Secure Shell - most common use is command line access, secure
replacement of Telnet. Could also be used as an encrypted tunnel for
secure communication of virtually any service [RFC 4251], [RFC 4960]

freeSSHd 1.2 and earlier allows remote attackers to cause a denial of
service (crash) via a SSH2_MSG_NEWKEYS packet to TCP port 22,
which triggers a NULL pointer dereference.
References: [CVE-2008-0852] [BID-27845] [SECUNIA-29002]

The SSH service on Dell PowerConnect 3348 1.2.1.3, 3524p 2.0.0.48,
and 5324 2.0.1.4 switches allows remote attackers to cause a denial of
service (device reset) or possibly execute arbitrary code by sending
many packets to TCP port 22.
References: [CVE-2013-3594], [XFDB-90595], [BID-65070]

RUCKUS could allow a remote attacker to bypass security restrictions.
An unauthenticated remote attacker with network access to port 22 can
tunnel random TCP traffic to other hosts on the network via Ruckus
devices. A remote attacker could exploit this vulnerability to bypass
security restrictions and gain unauthorized access to the vulnerable
application.
References: [XFDB-84626]

360 Systems contains a default hard-coded password in the image
server series. By logging into the device via TCP port 22, a remote
attacker could gain root privileges on the system to modify or upload
video to play immediately and affect the emergency broadcast system in
the United States.
References: [XFDB-82650], [BID-58338], [CVE-2012-4702]

Improper checks for unusual or exceptional conditions in Brocade
NetIron 05.8.00 and later releases up to and including 06.1.00, when the
Management Module is continuously scanned on port 22, may allow
attackers to cause a denial of service (crash and reload) of the
management module.
References: [CVE-2016-8209], [XFDB-125665]

A privilege escalation vulnerability in the Secure Shell (SSH) subsystem
in the StarOS operating system for Cisco ASR 5000 Series, ASR 5500
Series, ASR 5700 Series devices, and Cisco Virtualized Packet Core
could allow an authenticated, remote attacker to gain unrestricted, root
shell access. The vulnerability is due to missing input validation of
parameters passed during SSH or SFTP login. An attacker could exploit
this vulnerability by providing crafted user input to the SSH or SFTP
command-line interface (CLI) during SSH or SFTP login. An exploit
could allow an authenticated attacker to gain root privileges access on
the router. Note: Only traffic directed to the affected system can be used
to exploit this vulnerability. This vulnerability can be triggered via both
IPv4 and IPv6 traffic. An established TCP connection toward port 22, the
SSH default port, is needed to perform the attack. The attacker must
have valid credentials to login to the system via SSH or SFTP. The
following products have been confirmed to be vulnerable: Cisco ASR
5000/5500/5700 Series devices running StarOS after 17.7.0 and prior to
18.7.4, 19.5, and 20.2.3 with SSH configured are vulnerable. Cisco
Virtualized Packet Core - Single Instance (VPC-SI) and Distributed
Instance (VPC-DI) devices running StarOS prior to N4.2.7 (19.3.v7) and
N4.7 (20.2.v0) with SSH configured are vulnerable. Cisco Bug IDs:
CSCva65853.
References: [CVE-2017-3819], [BID-96913]

Including port 22 in the list of allowed FTP ports in Networking in Google
Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially
enumerate internal host services via a crafted HTML page.
References: [CVE-2018-6082], [BID-103297]

A vulnerability has been identified in ROX II (All versions < V2.12.1). An
authenticated attacker with a high-privileged user account access via
SSH could circumvent restrictions in place and execute arbitrary
operating system commands. Successful exploitation requires that the
attacker has network access to the SSH interface on port 22/tcp. The
attacker must be authenticated to exploit the vulnerability. The
vulnerability could allow an attacker to execute arbitrary code on the
device.
References: [CVE-2018-13802], [BID-105545]

A vulnerability has been identified in ROX II (All versions < V2.12.1). An
attacker with network access to port 22/tcp and valid low-privileged user
credentials for the target device could perform a privilege escalation and
gain root privileges. Successful exploitation requires user privileges of a
low-privileged user but no user interaction. The vulnerability could allow
an attacker to compromise confidentiality, integrity and availability of the
system.
References: [CVE-2018-13801], [BID-105545]

The Auto-Maskin DCU 210E firmware contains an undocumented
Dropbear SSH server, v2015.55, configured to listen on Port 22 while
the DCU is running. The Dropbear server is configured with a hard-
coded user name and password combination of root / amroot. The
server is configured to use password only authentication not
cryptographic keys, however the firmware image contains an RSA host-
key for the server. An attacker can exploit this vulnerability to gain root
access to the Angstrom Linux operating system and modify any binaries
or configuration files in the firmware. Affected releases are Auto-Maskin
DCU-210E RP-210E: Versions prior to 3.7 on ARMv7.
References: [CVE-2018-5399]

An issue was discovered in Valve Steam Link build 643. When the SSH
daemon is enabled for local development, the device is publicly available
via IPv6 TCP port 22 over the internet (with stateless address
autoconfiguration) by default, which makes it easier for remote attackers
to obtain access by guessing 24 bits of the MAC address and attempting
a root login. This can be exploited in conjunction with CVE-2017-17878.
References: [CVE-2017-17877]

A vulnerability has been identified in SCALANCE SC-600 (V2.0). An
authenticated attacker with access to port 22/tcp as well as physical
access to an affected device may trigger the device to allow execution of
arbitrary commands. The security vulnerability could be exploited by an
authenticated attacker with physical access to the affected device. No
user interaction is required to exploit this vulnerability. The vulnerability
impacts the confidentiality, integrity and availability of the affected
device.
References: [CVE-2019-10928]

Honeywell ControlEdge through R151.1 uses Hard-coded Credentials.
According to FSCT-2022-0056, there is a Honeywell ControlEdge
hardcoded credentials issue. The affected components are
characterized as: SSH. The potential impact is: Remote code execution,
manipulate configuration, denial of service. The Honeywell ControlEdge
PLC and RTU product line exposes an SSH service on port 22/TCP.
Login as root to this service is permitted and credentials for the root user
are hardcoded without automatically changing them upon first
commissioning. The credentials for the SSH service are hardcoded in
the firmware. The credentials grant an attacker access to a root shell on
the PLC/RTU, allowing for remote code execution, configuration
manipulation and denial of service.
References: [CVE-2022-30318]

Backdoor.Win32.Bingle.b / Weak Hardcoded Credentials - the malware
is packed using ASPack 2.11, listens on TCP port 22 and requires
authentication. However, the password "let me in" is weak and
hardcoded within the PE file. Unpacking the executable easily reveals
the cleartext password.
References: [MVID-2022-0643]

Some trojans also use this port: InCommand, Shaft, Skun


23 tcp telnet Basic scan
Telnet is one of the oldest Internet protocols and the most popular
program for remote access to Unix machines. It has numerous security
vulnerabilities [RFC 854]

Trojans that also use this port: Prosiak, Wingate, ADM worm, Aphex's
Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own
trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl,
Backdoor.Delf variants [Symantec-2003-050207-0707-99],
Backdoor.Dagonit [Symantec-2005-092616-0858-99] (2005.09.26)

Stack-based buffer overflow in RabidHamster R2/Extreme 1.65 and
earlier allows remote authenticated users to execute arbitrary code via a
long string to TCP port 23.
References: [CVE-2012-1222], [BID-52061]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through
10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and
11.x through 11.3.1 allow remote attackers to cause a denial of service
(device restart) via a crafted packet on (1) TCP port 23, (2) UDP port
161, or (3) TCP port 513.
References: [CVE-2012-4703]

Buffer overflow in the Remote command server (Rcmd.bat) in IpTools
(aka Tiny TCP/IP server) 0.1.4 allows remote attackers to cause a denial
of service (crash) via a long string to TCP port 23.
References: [CVE-2012-5345]

Hospira Lifecare PCA infusion pump running "SW ver 412" does not
require authentication for Telnet sessions, which allows remote attackers
to gain root privileges via TCP port 23.
References: [CVE-2015-3459]

Zhuhai RaySharp firmware has a hardcoded root password, which
makes it easier for remote attackers to obtain access via a session on
TCP port 23 or 9000.
References: [CVE-2015-8286]

Hughes satellite modems contain default telnet service (port 23)
account credentials. A remote attacker could exploit this vulnerability to
gain administrative access on affected devices.
References: [CVE-2016-9495], [XFDB-122123]

An issue was discovered in Cloud Media Popcorn A-200
03-05-130708-21-POP-411-000 firmware. It is configured to provide
TELNET remote access (without a password) that pops a shell as root. If
an attacker can connect to port 23 on the device, he can completely
compromise it.
References: [CVE-2018-12072]

Telestar Digital GmbH Imperial and Dabman Series I and D could allow
a remote attacker to gain elevated privileges on the system, caused by
the use of weak passwords with hardcoded credentials in an
undocumented Telnet service (Telnetd) that connects to Port 23. A
remote attacker could exploit this vulnerability to gain root access to the
gadgets' embedded Linux BusyBox operating system.
References: [CVE-2019-13473], [XFDB-166724]

Multiple C-Data OLT devices are vulnerable to a denial of service,
caused by a shawarma attack. By sending random bytes to the telnet
server on port 23, a remote attacker could exploit this vulnerability to
cause the device to reboot.
References: [CVE-2020-29057], [XFDB-192290]

An issue was discovered on FiberHome HG6245D devices through
RP2613. The telnet daemon on port 23/tcp can be abused with the
gpon/gpon credentials.
References: [CVE-2021-27165]

TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell
as root/superuser, a related issue to CVE-2019-16734. To connect, the
telnet service is used on port 23 with the default password of 059AnkJ
for the root account. The user can then download the filesystem through
preinstalled BusyBox utilities (e.g., tar and nc).
References: [CVE-2021-37555]

Backdoor.Win32.Agent.oj / Unauthenticated Remote Command
Execution - the malware listens on TCP port 23; upon connection to an
infected host, third-party attackers get handed a remote shell.
References: [MVID-2021-0197]

Backdoor.Win32.Cafeini.b / Weak Hardcoded Credentials - the malware
listens on TCP port 23. Authentication is required, however the
credentials test:test are weak and hardcoded within the PE file.
References: [MVID-2022-0568]
23 udp games not scanned
Dungeon Siege II
24 tcp priv-mail not scanned
Port used by any private mail system.
Also used by the Back Orifice 2000 (BO2K) trojan as Control Port
25 tcp SMTP Basic scan
SMTP (Simple Mail Transfer Protocol). Many worms contain their own
SMTP engine and use it to propagate by mass-mailing the payload,
often also spoofing the "From: ..." field in emails. If you are not running a
mail server that you're aware of, there is a possibility your system is
infected.

Integer overflow in Apple Safari [CVE-2010-1099], Arora
[CVE-2010-1100], Alexander Clauss iCab [CVE-2010-1101], OmniWeb
[CVE-2010-1102], Stainless [CVE-2010-1103] allows remote attackers to
bypass intended port restrictions on outbound TCP connections via a
port number outside the range of the unsigned short data type, as
demonstrated by a value of 65561 for TCP port 25.

List of some trojan horses/backdoors that use this port: Ajan, Antigen,
Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99,
Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail
Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail
trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy, Aji, Email
Worms, Haebu Coceda, Loveletter, Neabi, Shtrilitz.
W32.Sober.I@mm [Symantec-2004-111900-1451-99] (2004.11.19) -
mass-mailing worm that uses its own SMTP engine. Affects all current
Windows versions. Checks network connectivity by contacting a NTP
server on port 37/tcp.
Trojan.Mitglieder.R [Symantec-2005-070117-2559-99] (2005.07.01) -
trojan with backdoor capabilities. It runs a SOCKS4 proxy server and
periodically contacts websites with information about the compromised
computer. Attempts to open a back door on port 9040/tcp. Might also
initiate a SMTP spam relay server on port 25/tcp.
W32.Beagle.CX@mm [Symantec-2005-121511-1751-99] (2005.12.15) -
mass-mailing worm that uses its own SMTP engine to spread
Trojan.Lodear.E [Symantec-2005-110111-3344-99]. Also opens a
backdoor on port 80/tcp and lowers security settings on the
compromised computer.
Backdoor.Rustock [Symantec-2006-060111-5747-99] (2006.06.01) -
backdoor program that allows the compromised computer to be used as
a proxy, uses rootkit techniques to hide its files and registry entries.

NJStar Communicator is vulnerable to a stack-based buffer overflow,
caused by improper bounds checking by the MiniSMTP server when
processing packets. By sending a specially-crafted request to TCP port
25, a remote attacker could overflow a buffer and execute arbitrary code
on the system or cause the application to crash.
References: [CVE-2011-4040], [XFDB-71086], [BID-50452]

Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148,
3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port
25 in some cases where encryption on port 465 was intended.
References: [CVE-2021-43270]

Trojan.Win32.Barjac / Remote Stack Buffer Overflow -
Trojan.Win32.Barjac makes an SMTP connection to port 25; upon
processing the server response we control, we overwrite the instruction
pointer (EIP), undermining the integrity of the trojan.
References: [MVID-2021-0011]
25 udp games not scanned
Final Fantasy XI
26 tcp rsftp Members scan
Port used by RSFTP - a simple FTP-like protocol.

Sometimes also used as an alternate to port 25 SMTP (Simple Mail
Transfer Protocol).

An issue was discovered on FiberHome HG6245D devices through
RP2613. It is possible to start a Linux telnetd as root on port 26/tcp by
using the CLI interface commands of ddd and shell (or tshell).
References: [CVE-2021-27171]
26 udp games not scanned
Dungeon Siege II
27 tcp trojan Premium scan
Assasin

Backdoor.Amitis [Symantec-2003-010717-1940-99] (2003.01.07)
Windows remote access trojan. Listens on ports 27, 551. Other variants
of Backdoor.Amitis also use ports 3547, 7823, 12345, 13173, 44280,
44390, 47387, 64429.
28 tcp Premium scan
Palo Alto Networks Panorama HA (High Availability) uses these ports:
28/tcp - HA1 control link for SSH over TCP encrypted communication
28260/tcp, 28769/tcp - used for HA1 control link for clear text
communication between HA peer firewalls
28770/tcp - Panorama HA1 backup sync port
28771/tcp - heartbeat backups
29781/udp - HA2 link to synchronize sessions, table forwarding, IPSec,
ARP tables

AltaVista Firewall97 accepts connections on ports 26, 27, 28 and 29; this
can be used to fingerprint the type of firewall in use.

Amanda trojan uses port 28/tcp.


30 tcp trojans Premium scan
Agent 40421 trojan. Also uses port 40421/tcp

ATC Battlefield 1942 (TCP/UDP), ATC Ghost Recon 2 (TCP/UDP), ATC
Splinter Cell Chaos Theory (TCP/UDP), developer: Foolish
Entertainment
31 tcp msg-auth Members scan
MSG Authentication

Delta Force also uses this port.

The following trojans/backdoors also use this port: Agent 31, Agent
40421, Hackers Paradise (ports 31, 456), Masters Paradise, Skun
34 tcp,udp remote not scanned
Remote File (RF) - used for file transfer between machines
35 udp games not scanned
Delta Force
37 tcp worm Basic scan
Officially assigned for use by TIME protocol [RFC 868] [RFC 956]
TIME (port 37/tcp) can pose a DOS subnet threat because it has
embedded functions used for the identification of critical processing time
intervals and the ability to re-issue its output to port 7.

W32.Sober.I@mm [Symantec-2004-111900-1451-99] (2004.11.19) -
mass-mailing worm that uses its own SMTP engine. Affects all current
Windows versions. Checks network connectivity by contacting a NTP
server on port 37/tcp.
W32.Sober.J@mm [Symantec-2005-013110-1026-99] (2005.01.30)
W32.Sober.O@mm [Symantec-2005-050210-2339-99] (2005.05.02)
W32.Sober.X@mm [Symantec-2005-111915-0848-99] (2005.11.19)
38 tcp,udp rap not scanned
Route Access Protocol (IANA official)
39 tcp trojan Premium scan
SubSARI
41 tcp trojans Members scan
Some trojans use this port: Deep Throat, Foreplay

Graphics (TCP/UDP) (IANA official)


42 tcp,udp WINS Members scan
Port used by WINS (Windows Internet Naming Service). Worms can
exploit a buffer overflow vulnerability within WINS using this port. See:
MSKB 890710

The WINS service (wins.exe) on Microsoft Windows NT Server,
Windows 2000 Server, and Windows Server 2003 allows remote
attackers to write to arbitrary memory locations and possibly execute
arbitrary code via a modified memory pointer in a WINS replication
packet to TCP port 42, aka the "Association Context Vulnerability."
References: [CVE-2004-1080] [BID-11763] [OSVDB-12378]
[SECUNIA-13328]

W32.Dasher.D [Symantec-2005-121915-1543-99] (2005.12.19) - a worm
that exploits the following MS vulnerabilities: [MS05-051] (on port 53/tcp)
and [MS04-045] (on port 42/tcp). Listens for remote commands on port
53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems
vulnerable to the [MS05-051] exploit on port 1025/tcp.

Backdoor.Win32.Ncx.bt / Remote Stack Buffer Overflow - the malware
listens on TCP port 42. Sending a single HTTP GET request with a
packet size of 10140 bytes will trigger the buffer overflow, overwriting
both EIP and the structured exception handler (SEH).
References: [MVID-2021-0026]

City of Heroes also uses this port (TCP).

Port was originally assigned to the obsolete ARPA Host name server
protocol (pre-DNS).
43 tcp,udp whois not scanned
WHOIS protocol
44 tcp trojan Premium scan
Arctic

MPM FLAGS Protocol (TCP/UDP) (IANA official)


45 tcp,udp mpm not scanned
Message Processing Module (receive) (IANA official)
46 tcp,udp mpm-snd not scanned
MPM [default send] (IANA official)
48 tcp auditd Premium scan
DRAT remote access trojan (11-1999) uses ports 48,50.

Port is also IANA assigned for: Digital Audit Daemon


49 tcp,udp TACACS Members scan
TACACS Login Host Protocol

Terminal Access Controller Access-Control System (TACACS) is a
remote authentication protocol that is used to communicate with an
authentication server commonly used in UNIX networks. TACACS
allows a remote access server to communicate with an authentication
server in order to determine if the user has access to the network.
50 tcp re-mail-ck Members scan
Some trojans that also use this port: DRAT remote access trojan
(11-1999). Uses ports 48,50.

Dark Ages of Camelot, Vodafone Sure Signal use this port.


51 tcp vpn Premium scan
IANA reserved: IMP Logical Address Maintenance (removed
2013-05-24)

F**k Lamers Backdoor uses this port.


52 tcp trojan Premium scan
MuSka52, Skun
53 tcp,udp DNS Basic scan
DNS (Domain Name Service) used for domain name resolution. There
are some attacks that target vulnerabilities within DNS servers.

Cisco Webex Teams services use these ports:
443,444,5004 TCP
53, 123, 5004, 33434-33598 UDP (SIP calls)

Xbox 360 (Live) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (Live) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP,
500 UDP, 3544 UDP, 4500 UDP

Apple MacDNS, FaceTime also use this port.

Some trojans also use this port: ADM worm, Bonk (DoS) trojan, li0n,
MscanWorm, MuSka52, Trojan.Esteems.C
[Symantec-2005-051212-1727-99] (2005.05.12), W32.Spybot.ABDO
[Symantec-2005-121014-3510-99] (2005.12.10).

W32.Dasher.B [Symantec-2005-121610-5037-99] (2005.12.16) - a worm
that exploits the MS Distributed Transaction Coordinator Remote exploit
(MS Security Bulletin [MS05-051]).
Listens for remote commands on port 53/tcp. Connects to an FTP server
on port 21211/tcp. Scans for systems vulnerable to the [MS05-051]
exploit on port 1025/tcp.

Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept
incoming packets from DNS (UDP port 53), which allows remote
attackers to bypass the firewall filters via packets with a source port of
53.
References: [CVE-2003-1491] [BID-7436]

Stack-based buffer overflow in the dns_decode_reverse_name function
in dns_decode.c in dproxy-nexgen allows remote attackers to execute
arbitrary code by sending a crafted packet to port 53/udp, a different
issue than [CVE-2007-1465].
References: [CVE-2007-1866] [SECUNIA-24688]

Siemens Gigaset SE461 WiMAX router 1.5-BL024.9.6401, and possibly
other versions, allows remote attackers to cause a denial of service
(device restart and loss of configuration) by connecting to TCP port 53,
then closing the connection.
References: [CVE-2009-1152] [BID-34220]

Cisco IOS is vulnerable to a denial of service, caused by an error in NAT
of DNS. By sending specially-crafted DNS packets to TCP port 53, a
remote attacker could exploit this vulnerability to cause the device to
reload.
References: [CVE-2013-5479], [XFDB-87455]

haneWIN DNS Server is vulnerable to a denial of service attack. A
remote attacker could send a large amount of data to port 53 and cause
the server to crash.
References: [XFDB-90583], [BID-65024], [EDB-31014]

named in ISC BIND 9.x (before 9.9.7-P2 and 9.10.x before 9.10.2-P3)
allows remote attackers to cause denial of service (DoS) via TKEY
queries. A constructed packet can use this vulnerability to trigger a
REQUIRE assertion failure, causing the BIND daemon to exit. Both
recursive and authoritative servers are vulnerable. The exploit occurs
early in the packet handling, before checks enforcing ACLs or
configuration options that limit/deny service.
See: [CVE-2015-5477]

Tftpd32 is vulnerable to a denial of service, caused by an error when
processing requests. If the DNS server is enabled, a remote attacker
could send a specially-crafted request to UDP port 53 to cause the
server to crash.
References: [XFDB-75884] [BID-53704] [SECUNIA-49301]

TP-Link TL-WR886N 7.0 1.1.0 devices allow remote attackers to cause
a denial of service (Tlb Load Exception) via crafted DNS packets to port
53/udp.
References: [CVE-2018-19528]

MikroTik RouterBOARD v6.39.2 and v6.40.5 allows an unauthenticated
remote attacker to cause a denial of service by connecting to TCP port
53 and sending data that begins with many '\0' characters, possibly
related to DNS.
References: [CVE-2017-17537], [EDB-43200]
54 tcp,udp xns-ch Premium scan
Port is officially assigned to XNS (Xerox Network Services)
Clearinghouse.

Port is also used by the MuSka52 trojan.

Unspecified vulnerability in SLMail.exe in SLMail Pro 6.3.1.0 and earlier
allows remote attackers to cause a denial of service (UDP service
outage) via a large packet to UDP port 54.
References: [CVE-2008-1691], [BID-28505]
57 tcp,udp applications not scanned
AudioReQuest
58 tcp trojan Premium scan
DMSetup trojan
59 tcp trojans Premium scan
Backdoor.Sdbot.AJ [Symantec-2005-011009-1754-99] (2005.01.10) -
network aware worm with backdoor capabilities. Spreads via network
shares. Opens a backdoor and listens for remote commands by
connecting to IRC servers on port 59/tcp.

DMSetup trojan also uses port 59.

any private file service (IANA official)


61 tcp,udp ni-mail not scanned
NI Mail
62 tcp,udp acas not scanned
ACA Services (IANA official)
63 tcp,udp whoispp not scanned
whois++ (IANA official)
65 tcp,udp tacacs-ds not scanned
TACACS-Database Service (IANA official)
66 tcp oracle Premium scan
AL-Bareki trojan

EmuLive Server4 Commerce Edition Build 7560 allows remote attackers
to cause a denial of service (application crash) via a sequence of
carriage returns sent to TCP port 66.
References: [CVE-2004-1696], [BID-11226]

Oracle SQL*NET (TCP/UDP) (IANA official)

67 udp bootp server Basic scan
Bootstrap protocol server. Used by DHCP servers to communicate
addressing information to remote DHCP clients [RFC 951]

NCP Secure Enterprise Client (aka VPN/PKI client) 8.30 Build 59, and
possibly earlier versions, when the Link Firewall and Personal Firewall
are both configured to block all inbound and outbound network traffic,
allows context-dependent attackers to send inbound UDP traffic with
source port 67 and destination port 68, and outbound UDP traffic with
source port 68 and destination port 67.
References: [CVE-2006-3551]

ZoneAlarm 2.1.10 and earlier does not filter UDP packets with a source
port of 67, which allows remote attackers to bypass the firewall rules.
References: [CVE-2000-0339] [BID-1137] [OSVDB-1294]

Apple NetBoot also uses this port.


67 tcp applications not scanned
Falco LX-4PRO
68 udp bootp client Basic scan
Bootstrap protocol client. Used by client machines to obtain dynamic IP
addressing information from a DHCP server.

The Avaya 4602 SW IP Phone (Model 4602D02A) with 2.2.2 and earlier
SIP firmware allows remote attackers to cause a denial of service
(device reboot) via a flood of packets to the BOOTP port (68/udp).
References: [CVE-2007-3321] [SECUNIA-25747] [OSVDB-38117]

NCP Secure Enterprise Client (aka VPN/PKI client) 8.30 Build 59, and
possibly earlier versions, when the Link Firewall and Personal Firewall
are both configured to block all inbound and outbound network traffic,
allows context-dependent attackers to send inbound UDP traffic with
source port 67 and destination port 68, and outbound UDP traffic with
source port 68 and destination port 67.
References: [CVE-2006-3551]

Apple NetBoot also uses this port.


68 tcp trojan Premium scan
Backdoor.SubSeven [Symantec-2001-020114-5445-99] (1999.06.06)
Falco LX-4PRO also uses this port.
69 udp TFTP Basic scan
Trivial File Transfer Protocol - A less secure version of FTP, generally
used in maintaining and updating systems, for configuration file transfers
between LAN systems, firmware updates on routers, etc.

Many trojans also use this port: BackGate Kit, Nimda, Pasana, Storm,
Storm worm, Theef...
W32.Blaster.Worm [Symantec-2003-081113-0229-99] is a widely spread
worm that exploits the MS DCOM RPC vulnerability described in MS
Security Bulletin [MS03-026]. The worm allows remote access to an
infected computer via ports 4444/tcp and 69/UDP, and spreads through
port 135/tcp. To avoid being infected consider closing those ports.
W32.Welchia.Worm [Symantec-2003-081815-2308-99] - a widely spread
worm that removes the W32.Blaster.Worm and installs a TFTP server.
W32.Cycle [Symantec-2004-051015-4731-99] (2004.05.10). Exploits an
MS vulnerability on port 445, listens on ports 3332/tcp and 69/udp.
W32.Zotob.E [Symantec-2005-081615-4443-99] (2005.08.16) - a worm
that opens a backdoor and exploits the MS Plug and Play Buffer
Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp.
It runs and spreads using all current Windows versions, but only infects
Windows 2000.
The worm connects to IRC servers and listens for remote commands on
port 8080/tcp. It opens port 69/udp to initiate TFTP transfers. It also
opens a backdoor on remote compromised computers on port 8594/tcp.
Port 69/udp also used by the W32.Zotob.H
[Symantec-2005-081717-2017-99] variant of the worm.
W32.Evala.Worm [Symantec-2002-071017-5735-99] (2002.07.10) -
backdoor trojan. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69
and 70.

Buffer overflow in FutureSoft TFTP Server 2000 on Microsoft Windows
2000 SP4 allows remote attackers to execute arbitrary code via a long
request on UDP port 69. NOTE: this issue might overlap
[CVE-2006-4781] or [CVE-2005-1812].
References: [CVE-2007-1645]

The Arecont Vision AV1355DN MegaDome camera allows remote
attackers to cause a denial of service (video-capture outage) via a
packet to UDP port 69.
References: [CVE-2013-0139]

Hillstone Software HS TFTP Server is vulnerable to a denial of service,
caused by an error when processing TFTP requests. By sending a
specially-crafted READ/WRITE request packet containing an overly long
filename to UDP port 69, a remote attacker could exploit this
vulnerability to cause the TFTP service to crash.
References: [XFDB-71609], [BID-50886], [EDB-18188]

SolarWinds TFTP (Trivial File Transfer Protocol) Server is vulnerable to
a denial of service, caused by an error when handling Read Request
requests. By sending a specially-crafted Read Request to UDP port 69,
a remote attacker could exploit this vulnerability to cause the server
process to crash.
References: [CVE-2010-2115], [XFDB-58782], [BID-40333]

The Spiceworks TFTP Server, as distributed with Spiceworks Inventory
7.5, allows remote attackers to access the Spiceworks
data\configurations directory by leveraging the unauthenticated nature of
the TFTP service for all clients who can reach UDP port 69, as
demonstrated by a WRQ (aka Write request) operation for a
configuration file or an executable file.
References: [CVE-2017-7237], [EDB-41825]

MobaXterm Personal Edition could allow a remote attacker to traverse
directories on the system. An attacker could send a specially-crafted
request to the TFTP server port 69 containing "dot dot" sequences (/../)
in the request to retrieve arbitrary files on the system.
References: [CVE-2017-6805], [XFDB-123199]

A vulnerability has been identified in SICLOCK TC100 (All versions) and
SICLOCK TC400 (All versions). An attacker with network access to port
69/udp could modify the administrative client stored on the device. If a
legitimate user downloads and executes the modified client from the
affected device, then he/she could obtain code execution on the client
system.
References: [CVE-2018-4854], [BID-104672]

A vulnerability has been identified in SICLOCK TC100 (All versions) and
SICLOCK TC400 (All versions). An attacker with network access to port
69/udp could modify the firmware of the device.
References: [CVE-2018-4853], [BID-104672]

69 tcp malware not scanned
Backdoor.Win32.Psychward.03.a / Weak Hardcoded Password - the
malware listens on TCP port 69. The password "tyme" is
weak and stored in plaintext with the executable.
References: [MVID-2022-0548]
70 tcp trojans Members scan
W32.Evala.Worm [Symantec-2002-071017-5735-99] (2002.07.10) -
backdoor trojan. Affects Windows 9x/Me/NT/2k/XP, listens on ports 69
and 70.
Other trojans that use these ports: ADM worm, BackGate Kit, Nimda,
Pasana, Storm, Theef

Note: port 69/udp is used by TFTP.


73 udp games not scanned
Dungeon Siege II
75 tcp,udp priv-dial not scanned
any private dial out service
76 tcp,udp deos not scanned
Distributed External Object Store (IANA official)
77 tcp,udp priv-rje not scanned
IANA assigned for any private RJE service, netjrs.

The error message "TK_SPACE undeclared" is common to this port.
This occurs when installed ports keep bombing out on sqlite3.
78 tcp,udp vettcp not scanned
vettcp (IANA official)
79 tcp,udp Finger Members scan
Finger

Finger Security Concerns: Provides key host info to attacker - Fingered
host can be DoS'd if hit with a recursive finger script till its memory and
swap space fill. - Fingering clients can be DoS'd if they finger a
maliciously configured host (returns data overload - causing client to
beep continually - etc.). - If fingering clients allow programmable keys - a
maliciously configured host can return a finger response that maps a key
to rm -rf /-. Disable on all hosts unless finger service is stubbed to only
provide scripted data response (e.g. system admin contact info - etc.).

Trojans that also use this port: ADM worm, Back Orifice 2000 (BO2K),
CDK trojan (ports 79, 15858), Firehotcker (ports 79, 5321)

The legacy finger service (TCP port 79) is enabled by default on various
older Lexmark devices.
References: [CVE-2019-10059]

80 udp trojans Members scan
W32.Beagle.AO@mm [Symantec-2004-080911-3251-99] - mass-mailing
worm with backdoor functionality. Uses its own SMTP engine,
discovered 08.09.2004. Opens port 80 tcp & udp.

W32.Bobax.AF@mm [Symantec-2005-081611-4121-99] (2005.08.15) -
a mass-mailing worm that opens a backdoor and lowers security
settings on the compromised computer. It spreads by exploiting the MS
Plug and Play Buffer Overflow vulnerability (MS Security Bulletin
[MS05-039]) on port 21/tcp, and by sending copies of itself to gathered
email addresses.
Also opens a backdoor on a random tcp port and/or port 80/udp.

Siemens SINEMA Server before 12 SP1 allows remote attackers to
cause a denial of service (web-interface outage) via crafted HTTP
requests to port 80 (TCP/UDP).
References: [CVE-2014-2733]

Multiple directory traversal vulnerabilities in the integrated web server in
Siemens SINEMA Server before 12 SP1 allow remote attackers to
access arbitrary files via HTTP traffic to port (1) 4999 or (2) 80.
References: [CVE-2014-2732]

Multiple directory traversal vulnerabilities in the integrated web server in
Siemens SINEMA Server before 12 SP1 allow remote attackers to
access arbitrary files via HTTP traffic to port (1) 4999 or (2) 80.
Reference: [CVE-2014-2731]

Port 80 udp is also used by some games, like Alien vs Predator
(Activision).
80 tcp http Basic scan
Hyper Text Transfer Protocol (HTTP) - port used for web traffic.

Some broadband routers run a web server on port 80 or 8080 for remote
management. WAN Administration can (and should, in most cases) be
disabled using the Web Admin interface.

AnyDesk remote desktop software uses TCP ports 80, 443, 6568, 7070
(direct line connection)

If you're not running web services, keep in mind that a number of
trojans/worms/backdoors propagate via TCP port 80 (HTTP):
Code Red, Nimda, 711 trojan (Seven Eleven), AckCmd, Back End, Back
Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message,
God Message Creator, Hooker, IISworm, MTX, NCX, Nerte 7.8.1,
Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web
Server CT, WebDownloader
Trojan.Webus.C [Symantec-2004-101212-0903-99]
W32.Beagle.AO@mm [Symantec-2004-080911-3251-99] - mass-mailing
worm with backdoor functionality. Uses its own SMTP engine,
discovered 08.09.2004. Opens port 80 tcp & udp.
Mydoom.B [Symantec-2004-012816-3647-99] (2004.01.28) - mass-
mailing worm that opens a backdoor into the system. The backdoor
makes use of TCP ports 80, 1080, 3128, 8080, and 10080.
Backdoor.Ranky.S [Symantec-2005-013015-4228-99] (2005.01.30) -
runs proxy on port 80.
W32.Crowt.A@mm [Symantec-2005-012310-2158-99] (2005.01.23) -
mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80
and 137.
Backdoor.Darkmoon.B [Symantec-2005-102115-3914-99] (2005.10.21) -
a backdoor trojan with keylogger capabilities. Opens a backdoor and
listens for remote commands on port 80/tcp.
W32.Beagle.CX@mm [Symantec-2005-121511-1751-99] (2005.12.16) -
mass-mailing worm that uses its own SMTP engine to spread
Trojan.Lodear.E [Symantec-2005-121516-1510-99]. Also opens a
backdoor on port 80/tcp and lowers security settings on the
compromised computer.
Trojan.Lodear.F [Symantec-2005-121513-5818-99] (2005.12.18) - trojan
that attempts to download remote files.
W32.Feebs [Symantec-2006-013122-5631-99] (2006.01.07)

Xbox 360 (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP,
500 UDP, 3544 UDP, 4500 UDP

Some Apple applications also use port 80 (TCP): MobileMe, Sherlock,
QuickTime Installer, iTunes Store and Radio, Software Update, RAID
Admin, Backup, iCal calendar publishing, iWeb, MobileMe Web Gallery
Publishing, WebDAV (iDisk), Final Cut Server.

Siemens SIPROTEC 4 and SIPROTEC Compact are vulnerable to a
denial of service, caused by an error in the EN100 Ethernet module. By
sending specially-crafted HTTP packets to TCP port 80, a remote
attacker could exploit this vulnerability to cause the device to go into
defect mode.
References: [CVE-2016-7113] [XFDB-116647]

A vulnerability was discovered in Siemens ViewPort for Web Office
Portal before revision number 1453 that could allow an unauthenticated
remote user to upload arbitrary code and execute it with the permissions
of the operating-system user running the web server by sending
specially crafted network packets to port 443/TCP or port 80/TCP.
References: [CVE-2017-6869], [BID-99343]
81 udp trojans Premium scan
W32.Beagle.AR@mm [Symantec-2004-092811-5825-99] (2004.9.28) -
mass mailing worm with backdoor functionality on port 81/tcp & udp.
Affects all current Windows versions.
81 tcp http Basic scan
Hyper Text Transfer Protocol (HTTP) - ports used for web traffic. See
also TCP ports 80, 8080, 8081.

Some common uses for port 81/tcp include web administration (cobalt
cube), web proxy servers, McAfee Framework Service, TigerVPN
(servers speed check), etc.

If you're not running web services on this port, keep in mind it is also
used by some trojans:
Backdoor.Asylum [Symantec-2000-121815-0609-99] (2000.05.02) -
remote access trojan, uses ports 81, 2343, 23432 by default.
W32.Beagle.AR@mm [Symantec-2004-092811-5825-99] (2004.09.28) -
port 81.

Stack-based buffer overflow in the RespondeHTTPPendiente function in
the HTTP server for SUMUS 0.2.2 allows remote attackers to execute
arbitrary code via a large packet sent to TCP port 81.
References: [CVE-2005-1110]

RemoConChubo trojan and Blue Iris also use this port.


82 tcp trojans Members scan
W32.Netsky.X@mm [Symantec-2004-042010-3056-99] (2004.04.20) - a
Netsky variant that uses its own SMTP engine to email itself. Listens on
port 82/tcp to receive and execute a file from an attacker.

The W32.Netsky.Y@mm [Symantec-2004-042011-2621-99] variant also
opens port 82/tcp.


ET TROJAN LD Pinch Checkin uses port 82/udp.
83 tcp,udp mit-ml-dev not scanned
MIT ML Device (IANA official)
84 tcp,udp ctf not scanned
Common Trace Facility (IANA official)
85 tcp trojan Premium scan
Common Port for phishing scam sites

Multiple directory traversal vulnerabilities in src/acloglogin.php in
Wangkongbao CNS-1000 and 1100 allow remote attackers to read
arbitrary files via a .. (dot dot) in the (1) lang or (2) langid cookie to port
85.
References: [CVE-2012-4031] [BID-54267] [SECUNIA-49776]
[OSVDB-83636]

An issue was discovered in INNEO Startup TOOLS 2017 M021
12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web
application (served on TCP port 85) includes user input into a filesystem
access without any further validation. This might allow an
unauthenticated attacker to read files on the server via Directory
Traversal, or possibly have unspecified other impact.
References: [CVE-2020-15492]

MIT ML Device (IANA official)


86 tcp applications not scanned
BroadCam Video Streaming Server

Micro Focus Cobol (TCP/UDP) (IANA official)


87 tcp terminal link Members scan
terminal link - a talk/chat style protocol. Port commonly used by intruders

Backdoor.Win32.Agent.ad / Insecure Credential Storage - the malware
listens on TCP port 87, its default password "hoanggia" is stored in the
Windows registry in cleartext under "clrprv.oo" in
"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\System\NPP".
The password is also set as cookie value "Cookie: pass=hoanggia;
day=14; month=11; year=2021", which also gets sent over the network
in plaintext. Third party attackers who can access the system or sniff
traffic can grab the password, then execute any programs and/or run
commands made available by the backdoor.
References: [MVID-2021-0406]

88 udp Kerberos Premium scan
KDC (Kerberos key distribution center) server.
Related ports: 464,543,544,749,751

Xbox 360 (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP,
500 UDP, 3544 UDP, 4500 UDP
88 tcp trojan Premium scan
Pwsteal.likmet.a, BackDoor-AXC

BroadWave Streaming Audio Server also uses this port


89 tcp,udp su-mit-tg not scanned
SU/MIT Telnet Gateway (IANA official)
90 tcp trojan Premium scan
Hidden Port 2.0
91 tcp,udp mit-dov not scanned
MIT Dover Spooler (IANA official)
92 tcp,udp npp not scanned
Network Printing Protocol (IANA official)
93 tcp,udp dcp not scanned
Device Control Protocol (IANA official)
94 tcp,udp objcall not scanned
Tivoli Object Dispatcher (IANA official)
95 tcp,udp supdup not scanned
SUPDUP (IANA official)
96 tcp,udp dixie not scanned
Express Invoice

DIXIE Protocol Specification (IANA official)


97 tcp,udp swift-rvf not scanned
Inventoria Stock Manager

Swift Remote Virtual File Protocol (IANA official)


98 tcp applications not scanned
This signature detects TCP port probes directed at port 98, which may
indicate that an attacker is scanning to determine if the Linux remote
configuration service is available on the system.

TAC News (IANA registered)


99 udp metagram Members scan
Metagram Relay, gnutella

Seapine Software TestTrack server allows a remote attacker to cause a
denial of service (high CPU) via (1) TestTrackWeb.exe and (2) ttcgi.exe
by connecting to port 99 and disconnecting without sending any data.
References: [CVE-1999-1567]
99 tcp trojans Premium scan
Hidden Port, Mandragore, NCX trojans

Backdoor.Win32.Ncx.b / Remote Stack Buffer Overflow - the malware
listens on TCP port 99. Third-party attackers who can reach an infected
system can send a large junk payload and trigger a classic stack buffer
overflow overwriting the EIP, ECX registers and structured exception
handler (SEH).
References: [MVID-2021-0388]

Backdoor.Win32.Ncx.b / Unauthenticated Remote Command Execution -
the malware listens on TCP port 99. Third-party attackers who can reach
an infected system can execute OS commands further compromising
the host.
References: [MVID-2021-0389]

Vulnerabilities listed: 100 (some use multiple ports)


Copyright © 1999-2024 Speed Guide, Inc. All rights reserved.

