Port No. | Protocol | Service | Description |
10000 | tcp/udp | ndmp | Network Data Management Protocol |
10000 |
tcp |
# |
OpwinTRojan, W32.Dumaru, Nibu |
10000 |
udp |
# |
Cisco Systems |
10001 | tcp/udp | scp-config | SCP Configuration Port |
10001-10002 |
tcp/udp |
# |
Zdemon |
10002-10006 | tcp/udp | # | Unassigned |
10005 |
tcp |
# |
OpwinTRojan |
10007 | tcp/udp | mvs-capacity | MVS Capacity |
10008 | tcp/udp | octopus | Octopus Multiplexer |
10008 |
tcp/udp |
# |
cheese worm
In early year 2001, many exploit scripts
for DNS TSIG name overflow would place
a root shell on this port.
In mid-2001, a worm was created that
enters the system via this port (left behind
by some other attacker), then starts
scanning other machines from this port. |
10008-10079 | tcp/udp | # | Unassigned |
10027 |
udp |
# |
W32.Mytob |
10067 |
udp |
# |
Portal of Doom |
10080 | tcp/udp | amanda | Amanda |
10080 |
tcp |
# |
Mydoom |
10081 | tcp/udp | famdc | FAM Archive Server |
10082-10049 | tcp/udp | # | Unassigned |
10082 |
tcp |
# |
W32.Mytob |
10050 | tcp/udp | zabbix-agent | Zabbix Agent |
10051 | tcp/udp | zabbix-trapper | Zabbix Trapper |
10052-10099 | tcp/udp | # | Unassigned |
10085-10086 |
tcp |
# |
Syphillis |
10086-10087 |
tcp |
# |
W32.Mytob |
10089 |
tcp |
# |
W32.Mytob |
10100 | tcp/udp | itap-ddtp | VERITAS ITAP DDTP |
10100 |
tcp |
# |
Control Total, Gift trojan, Ranky |
10100 |
udp |
# |
Trojan.Dasda |
10101 | tcp/udp | ezmeeting-2 | eZproxy |
10101 |
tcp |
# |
BrainSpy, Silencer |
10102 | tcp/udp | ezproxy-2 | eZmeeting |
10102 |
tcp |
# |
Staprew |
10103 | tcp/udp | ezrelay | eZrelay |
10103 |
tcp |
# |
Tuimer |
10104-10106 | tcp/udp | # | Unassigned |
10104 |
udp |
# |
Lowtaper, Ranky |
10107 | tcp/udp | bctp-server | VERITAS BCTP, server |
10108-10112 | tcp/udp | # | Unassigned |
10113 | tcp/udp | netiq-endpoint | NetIQ Endpoint |
10113 |
tcp |
# |
Ranky |
10114 | tcp/udp | netiq-qcheck | NetIQ Qcheck |
10115 | tcp/udp | netiq-endpt | NetIQ Endpoint |
10116 | tcp/udp | netiq-voipa | NetIQ VoIP Assessor |
10117-10127 | tcp/udp | # | Unassigned |
10128 | tcp/udp | bmc-perf-sd | BMC-PERFORM-SERVICE DAEMON |
10129-10159 | tcp/udp | # | Unassigned |
10160 | tcp/udp | qb-db-server | QB Database Server |
10161-10251 | tcp/udp | # | Unassigned |
10167 |
udp |
# |
Portal of Doom |
10168 |
tcp/udp |
# |
Lovgate |
10252 | tcp/udp | apollo-relay | Apollo Relay Port |
10253-10259 | tcp/udp | # | Unassigned |
10260 | tcp/udp | axis-wimp-port | Axis WIMP Port |
10261-10287 | tcp/udp | # | Unassigned |
10288 | tcp/udp | blocks | Blocks |
10289-10804 | tcp/udp | # | Unassigned |
10500 |
tcp |
# |
W32.Linkbot |
10520 |
tcp |
# |
Acid Shivers |
10528 |
tcp |
# |
Host Control |
10607 |
tcp |
# |
Coma |
10666 |
udp |
# |
Ambush, Roxrat |
10752 |
tcp/udp |
# |
Backdoor. One of the many Linux
mountd (port 635) exploits installs
its backdoor at this port. Origin???
10751 = 0x2a00, where 0x2a = 42
(proposed by Darren Reed)
The bx.c IRC exploit puts a root shell
backdoor listening at this port.
The ADM named v3 attack puts a
shell at this port. |
10805 | tcp/udp | lpdg | LUCIA Pareja Data Group |
10806-10989 | tcp/udp | # | Unassigned |
10888 |
udp |
# |
Webus |
10990 | tcp/udp | rmiaux | Auxiliary RMI Port |
10991-10999 | tcp/udp | # | Unassigned |
11000 | tcp/udp | irisa | IRISA |
11000 |
tcp |
# |
Senna Spy Trojan Generator |
11001 | tcp/udp | metasys | Metasys |
11002-11110 | tcp/udp | # | Unassigned |
11050-11051 |
tcp |
# |
Host Control |
11111 | tcp/udp | vce | Viral Computing Environment (VCE) |
11112 | tcp/udp | dicom | DICOM |
11113-11160 | tcp/udp | # | Unassigned |
11142 |
tcp |
# |
SubSeven |
11161 | tcp/udp | suncacao-snmp | sun cacao snmp access point |
11162 | tcp/udp | suncacao-jmxmp | sun cacao JMX-remoting access point |
11163 | tcp/udp | suncacao-rmi | sun cacao rmi registry access point |
11164 | tcp/udp | suncacao-csa | sun cacao command-streaming access point |
11165 | tcp/udp | suncacao-websvc | sun cacao web service access point |
11166-11200 | tcp/udp | # | Unassigned |
11201 | tcp/udp | smsqp | smsqp |
11202-11318 | tcp/udp | # | Unassigned |
11223 |
tcp |
# |
Progenic trojan, Secret Agent |
11311 |
tcp |
# |
Carufax |
11319 | tcp/udp | imip | IMIP |
11320 | tcp/udp | imip-channels | IMIP Channels Port |
11321 | tcp/udp | arena-server | Arena Server Listen |
11322-11366 | tcp/udp | # | Unassigned |
11367 | tcp/udp | atm-uhas | ATM UHAS |
11368-11370 | tcp/udp | # | Unassigned |
11371 | tcp/udp | hkp | OpenPGP HTTP Keyserver |
11372-11599 | tcp/udp | # | Unassigned |
11600 | tcp/udp | tempest-port | Tempest Protocol Port |
11601-11719 | tcp/udp | # | Unassigned |
11720 | tcp/udp | h323callsigalt | h323 Call Signal Alternate |
11721-11750 | tcp/udp | # | Unassigned |
11751 | tcp/udp | intrepid-ssl | Intrepid SSL |
11752-11966 | tcp/udp | # | Unassigned |
11831 |
tcp/udp |
# |
Antilam |
11967 | tcp/udp | sysinfo-sp | SysInfo Service Protocol |
11968-11996 | tcp/udp | # | Unassigned |
11997 | sctp | wmereceiving | WorldMailExpress |
11998 | sctp | wmedistribution | WorldMailExpress |
11999 | sctp | wmereporting | WorldMailExpress |
12000 | tcp/udp | entextxid | IBM Enterprise Extender SNA
XID Exchange |
12000 |
tcp |
# |
W32.Mytob |
12001 | tcp/udp | entextnetwk | IBM Enterprise Extender SNA
COS Network Priority |
12002 | tcp/udp | entexthigh | IBM Enterprise Extender SNA
COS High Priority |
12003 | tcp/udp | entextmed | IBM Enterprise Extender SNA
COS Medium Priority |
12004 | tcp/udp | entextlow | IBM Enterprise Extender SNA
COS Low Priority |
12005 | tcp/udp | dbisamserver1 | DBISAM Database Server - Regular |
12006 | tcp/udp | dbisamserver2 | DBISAM Database Server - Admin |
12007 | tcp/udp | accuracer | Accuracer Database System ・Server |
12008 | tcp/udp | accuracer-dbms | Accuracer Database System ・Admin |
12009-12011 | tcp/udp | # | Unassigned |
12012 | tcp/udp | vipera | Vipera Messaging Service |
12013-12108 | tcp/udp | # | Unassigned |
12065 |
tcp |
# |
Berbew |
12076 |
tcp |
# |
Gjamer |
12109 | tcp/udp | rets-ssl | RETS over SSL |
12110-12120 | tcp/udp | # | Unassigned |
12121 | tcp/udp | nupaper-ss | NuPaper Session Service |
12121 |
tcp |
# |
Balkart |
12122-12167 | tcp/udp | # | Unassigned |
12168 | tcp/udp | cawas | CA Web Access Service |
12169-12171 | tcp/udp | # | Unassigned |
12172 | tcp/udp | hivep | HiveP |
12173-12299 | tcp/udp | # | Unassigned |
12223 |
tcp |
# |
HackL99 KeyLogger |
12300 | tcp/udp | linogridengine | LinoGrid Engine |
12301-12320 | tcp/udp | # | Unassigned |
12321 | tcp/udp | warehouse-sss | |
12321 |
tcp |
# |
Roxe |
12322 | tcp/udp | warehouse | Warehouse Monitoring Syst |
12323-12344 | tcp/udp | # | Unassigned |
12345 | tcp/udp | italk | Italk Chat System |
12345 |
tcp/udp |
# |
Notice how this port is the sequence of
numbers "1 2 3 4 5". This is common
chosen whenever somebody is asked to
configure a port number. It is likewise
chosen by programmers when creating
default port numbers for their products.
One very famous such uses is with NetBus.
Trend Micro's OfficeScan products use
this port.
Ashley, cron / crontab, Fat Bitch trojan,
GabanBus, icmp_client.c, icmp_pipe.c,
Mypic, NetBus, NetBus Toy, NetBus worm,
Pie Bill Gates, Whack Job, X-bill, Amitis |
12346-12752 | tcp/udp | # | Unassigned |
12346 |
tcp/udp |
# |
Fat Bitch trojan, GabanBus, NetBus, X-bill |
12347 |
tcp |
# |
W32.Mytob |
12349 |
tcp |
# |
BioNet |
12361-12363 |
tcp |
# |
Whack-a-mole |
12623 |
udp |
# |
DUN Control |
12646 |
tcp |
# |
ButtMan |
12631 |
tcp |
# |
Whack Job |
12753 | tcp/udp | tsaf | tsaf port |
12754-12999 | tcp/udp | # | Unassigned |
12754 |
tcp |
# |
Mstream |