This page documents dangerous TCP/IP ports: ports that are used by trojan horse and backdoor programs, or that expose system vulnerabilities, which attackers use to break into your network. Ports highlighted in RED are ports that you definitely want closed, possibly with firewall alarms set on them to detect any external probes or internal compromise.

Port

Protocols

Use 

Risk

0

 

UDP

Reserved

 

1

TCP

UDP

TCP Port Service Multiplexer (TCPMUX)

This port is technically illegal, but possible. It is often used to fingerprint machines, because different operating systems respond to this port in different ways.

2

TCP

UDP

CompressNET Management Utility

Death 

20

TCP

UDP

FTP data transfer

Senna Spy FTP server 

21

TCP / SCTP

UDP

FTP control (command)

Back Construction, Blade Runner, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Senna Spy FTP server, Traitor 21, WebEx, WinCrash

22

TCP/ SCTP

UDP

Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding

Secure Shell - most common use is command line access, secure replacement of Telnet. Could also be used as an encrypted tunnel for secure communication of virtually any service [RFC 4251], [RFC 4960]

freeSSHd 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a SSH2_MSG_NEWKEYS packet to TCP port 22, which triggers a NULL pointer dereference.
References: [CVE-2008-0852] [BID-27845] [SECUNIA-29002]

The SSH service on Dell PowerConnect 3348 1.2.1.3, 3524p 2.0.0.48, and 5324 2.0.1.4 switches allows remote attackers to cause a denial of service (device reset) or possibly execute arbitrary code by sending many packets to TCP port 22.
References: [CVE-2013-3594], [XFDB-90595], [BID-65070]

RUCKUS could allow a remote attacker to bypass security restrictions. An unauthenticated remote attacker with network access to port 22 can tunnel random TCP traffic to other hosts on the network via Ruckus devices. A remote attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access to the vulnerable application.
References: [XFDB-84626]

360 Systems contains a default hard-coded password in the image server series. By logging into the device via TCP port 22, a remote attacker could gain root privileges on the system to modify or upload video to play immediately and affect the emergency broadcast system in the United States.
References: [XFDB-82650], [BID-58338], [CVE-2012-4702]

Some trojans also use this port: InCommand, Shaft, Skunt

23

TCP

UDP

Telnet protocol—unencrypted text communications

Telnet is one of the oldest Internet protocols and the most popular program for remote access to Unix machines. It has numerous security vulnerabilities [RFC 854]

Trojans that also use this port: ADM worm, Aphex's Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (109.26.2005)

Stack-based buffer overflow in RabidHamster R2/Extreme 1.65 and earlier allows remote authenticated users to execute arbitrary code via a long string to TCP port 23.
References: [CVE-2012-1222] [BID-52061]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513. 
References: [CVE-2012-4703]

Buffer overflow in the Remote command server (Rcmd.bat) in IpTools (aka Tiny TCP/IP server) 0.1.4 allows remote attackers to cause a denial of service (crash) via a long string to TCP port 23.
References: [CVE-2012-5345]

Hospira Lifecare PCA infusion pump running "SW ver 412" does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23. 
References: [CVE-2015-3459]

25

TCP

UDP

Simple Mail Transfer Protocol (SMTP), used for e-mail routing between mail servers

Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy 

31

 

 

 

Agent 31, Hackers Paradise, Masters Paradise 

41

 

 

 

Deep Throat, Foreplay or Reduced Foreplay 

48

 

 

 

DRAT 

50

TCP

UDP

ES [11

DRAT

59

 

 

 

DMSetup 

79

TCP

UDP

Finger protocol

CDK, Firehotcker 

80

TCP / SCTP

UDP

Hypertext Transfer Protocol (HTTP)

AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero, 711 trojan (Seven Eleven), BlueFire, Cafeini, Duddie, God Message, Intruzzo, Latinus, Lithium, MscanWorm, NerTe, Nimda, Noob, Optix Lite, Optix Pro, Power, Ramen, Remote Shell, Reverse WWW Tunnel Backdoor, RTB 666, Scalper, Screen Cutter, Seeker, Slapper, Web Server CT, WebDownloader

81

TCP

 

Torpark onion routing

RemoConChubo 



99

TCP

 

WIP Message protocol

Hidden Port 

110

TCP

UDP

Post Office Protocol v3 (POP3)

ProMail trojan 

113

TCP

 

Ident, authentication service/identification protocol, used by IRC servers to identify users

Identd Invisible Deamon, Kazimas 

119

TCP

 

Network News Transfer Protocol (NNTP), retrieval of newsgroup messages

Happy99 

121

 

 

 

JammerKillah

123

TCP

UDP

Network Time Protocol (NTP), used for time synchronization

Net Controller 

133

 

 

 

Farnaz 

137

TCP

UDP

NetBIOS Name Service

NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.

NetBIOS services:
- NetBIOS Name Service (TCP/UDP: 137)
- NetBIOS Datagram Service (TCP/UDP: 138)
- NetBIOS Session Service (TCP/UDP: 139)

By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (The Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion, unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:

1. Use strong passwords, containing non-alphanumeric characters.
2. Attach "$" at the end of your share names (the casual snooper using net view might not see them).
3. Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
4. Block ports 135-139 in your router/firewall.

Keep in mind that you might still be leaking out information about your system that can be used against you (such as your computer and workgroup names) to the entire Internet, unless ports are filtered by a firewall.

There is also a critical Windows RPC vulnerability affecting ports 135, 139 and 445, detailed in Microsoft TechNet Security Bulletin [MS03-026].

The following trojans/backdoors also use these ports: Chode, God Message worm, Msinit, Netlog, Network, Qaz, W32.HLLW.Moega
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.

Windows Internet Naming Service (WINS) also uses this port (UDP).

Also listed for these ports: Bugbear, Femot, Nimda, Opaserv


138

TCP

UDP

NetBIOS Datagram Service

See Port 137

139

TCP

UDP

NetBIOS Session Service

NukeNabber, Chode, God Message worm, Msinit, Netlog, Network, Qaz, Sadmind, SMB Relay

142

 

 

 

NetTaxi 

146

TCP

UDP

 

Infector

170

TCP

 

Print-srv, Network PostScript

A-trojan


 

180

TCP

UDP

 

amanda

334

 

 

 

Backage 

420

 

 

 

Breach 

412

 

 

 

TCP Wrappers trojan 

456

 

 

 

Hackers Paradise, Intruders Paradise

513

TCP

UDP

rlogin, Who

Grlogin 

514

TCP

UDP

Remote Shell, used to execute non-interactive commands on a remote system (Remote Shell, rsh, remsh), Syslog, used for system logging

RPC Backdoor

531

TCP

UDP

AOL Instant Messenger

Rasmin 

555

 

 

 

Ini-Killer, Net Administrator, Phase Zero, Phase-0, Stealth Spy, NeTadmin

559

TCP

UDP

 

teedtap

 

 

605

 

 

 

Secret Service 

666

TCP

UDP

Doom, first online first-person shooter, airserv-ng, aircrack-ng's server for remote-controlling wireless devices

Attack FTP, Back Construction, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, Satanz Backdoor

667

 

 

 

SniperNet 

669

 

 

 

DP trojan 

692

 

 

 

GayOL

777

 

 

 

AimSpy, Undetected 

808

TCP

 

Microsoft Net.TCP Port Sharing Service

WinHole

911

TCP

 

Network Console on Acid (NCA), local tty redirection over OpenSSH

Dark Shadow

999

TCP

 

ScimoreDB Database System

Deep Throat, Foreplay or Reduced Foreplay, WinSatan 

1000

 

 

 

Der Späher / Der Spaeher

1001

 

 

 

Der Späher / Der Spaeher, Le Guardien, Silencer, WebEx, GOTHIC Intruder, Lula, One Windows Trojan, Theef

1010

TCP

 

ThinLinc Web Administration

Doly Trojan 

 

 

1011

 

 

 

Doly Trojan 

1012

 

 

 

Doly Trojan 

1015

 

 

 

Doly Trojan 

1016

 

 

 

Doly Trojan 

1020

 

 

 

Vampire

1024

 

 

 

NetSpy

1025

TCP

 

NFS

Fraggle Rock, md5 Backdoor, NetSpy, Remote Storm

1026

TCP

 

Often used by Microsoft DCOM services

nterm, BDDT, Dark IRC, DataSpy Network X, Delta Remote Access, Dosh, Duddie, IRC Contact, Remote Explorer 2000, RUX The TIc.K

 

1028

 

 

 

ICKiller, DataSpy Network X, Dosh, Gibbon, KiLo, KWM, Litmus, Paltalk, SubSARI

1042

 

 

 

BLA trojan

1045

 

 

 

Rasmin

1049

 

 

 

 /sbin/initd

1050

 

 

 

MiniCommand 

1054

 

 

 

AckCmd

1080

TCP

 

SOCKS proxy

WinHole, MyDoom.B, MyDoom.F, MyDoom.G, MyDoom.H

1081

 

 

 

WinHole 

1082

 

 

 

WinHole 

1083

 

 

 

WinHole 

1090

 

 

 

Xtreme

1095

 

 

 

Remote Administration Tool - RAT 

1097

 

 

 

Remote Administration Tool - RAT 

1098

TCP

UDP

rmiactivation, Java remote method invocation (RMI) activation

Remote Administration Tool - RAT 

1099

TCP

UDP

rmiregistry, Java remote method invocation (RMI) registry

Blood Fest Evolution, Remote Administration Tool - RAT 

1170

 

 

 

Psyber Stream Server - PSS, Streaming Audio Server, Voice

1200

TCP

UDP

scol, protocol used by SCOL 3D virtual worlds server to answer world name resolution client request, Steam Friends Applet

NoBackO 

1201

TCP

UDP

 

NoBackO

1207

 

 

 

SoftWAR

1212

 

 

 

Kaos

1234

 

UDP

VLC media player default port for UDP/RTP stream

Ultors Trojan

1243

 

 

 

BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles, Ultors Trojan

1245

 

 

 

VooDoo Doll 

1255

 

 

 

Scarab


 

2000

TCP

UDP

Cisco SCCP (Skinny)

Remote Explorer 2000, Last 2000, Insane Network, Der Späher / Der Spaeher, Senna Spy Trojan Generator, ATrojan, InsaneNetwork

2283

 

 

 

Dumaru.Y

2535

TCP

 

Multicast Address Dynamic Client Allocation Protocol (MADCAP)

Beagle.W, Beagle.X, other Beagle/Bagle variants

2745

 

 

 

Beagle.C through Beagle.K

3127

 

 

 

MyDoom.A

3128

TCP

 

HTTP used by web caches; the default port for the Squid cache


Port used by some proxy servers (3proxy). Common web proxy server ports: 8080, 80, 3128, 6588

Official assignment: Active API Server Port

Trojans and backdoors that use this port: Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero

Mydoom.B (01.28.2004) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

W32.HLLW.Deadhat (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.

Multiple buffer overflows in Thomas Hauck Jana Server allow remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request with a long major version number, an HTTP GET request to the HTTP proxy on port 3128 with a long major version number, a long OK reply from a POP3 server, and a long SMTP server response.
References: [CVE-2002-1061], [BID-5320]

Service names also listed for this port: Proxy Server, squid-http

 


3410

 

 

 

Backdoor.OptixPro.13 and variants

5000

TCP

UDP

VTun, VPN Software

Sockets de Troie, Bubbel, Back Door Setup

5000

 

UDP

FlightGear multiplayer

Sockets de Troie, Bubbel, Back Door Setup

5000

TCP

 

commplex-main

Sockets de Troie, Bubbel, Back Door Setup

5000

TCP

 

UPnP—Windows network device interoperability

Sockets de Troie, Bubbel, Back Door Setup

5000

TCP

 

Synology Inc. Management Console, File Station, Audio Station

Sockets de Troie, Bubbel, Back Door Setup

5000

TCP

 

Flask Development Webserver

Sockets de Troie, Bubbel, Back Door Setup

5000

TCP

 

Heroku console access

Sockets de Troie, Bubbel, Back Door Setup

5554

 

 

 

Sasser through Sasser.C, Sasser.F

5060

TCP

UDP

SIP

Session Initiation Protocol (SIP) (official) - SIP VoIP phones and providers use this port. Asterisk server, X-ten Lite/Pro, Ooma, Vonage (ports 5060,5061,10000-20000), Apple iChat, iTalkBB, Motorola Ojo, OpenWengo, TalkSwitch, IConnectHere, Lingo VoIP (ports 5060-5065)


Memory leak in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (memory consumption or device reload) by sending crafted SIP packets to UDP port 5060, aka Bug ID CSCtj04672.
References: [CVE-2011-3280]

The provider-edge MPLS NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) via a malformed SIP packet to UDP port 5060, aka Bug ID CSCti98219.
References: [CVE-2011-3279]

Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) by sending crafted SIP packets to UDP port 5060, aka Bug ID CSCti48483.
References: [CVE-2011-3278]

Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload or hang) by sending crafted SIP packets to TCP port 5060, aka Bug ID CSCso02147.
References: [CVE-2011-3276], [BID-49822]

Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs, when using software versions before TC 4.0.0 or F9.1, allows remote attackers to cause a denial of service (crash) via a crafted SIP packet to port 5060 or 5061, aka Bug ID CSCtq46500.
References: [CVE-2011-2577] [BID-49392]

Siemens C450 IP and C475 IP VoIP devices allow remote attackers to cause a denial of service (disconnected calls and device reboot) via a crafted SIP packet to UDP port 5060.
References: [CVE-2008-7065] [BID-32451] [SECUNIA-32827] [OSVDB-50274]

The Grandstream HT-488 0.1 allows remote attackers to cause a denial of service (device crash) via a flood of fragmented packets to port 5060. 
References: [CVE-2007-5789], [BID-26349]

Memory leak in Cisco Unified Communications Manager IM and Presence Service before 8.6(5)SU1 and 9.x before 9.1(2), and Cisco Unified Presence, allows remote attackers to cause a denial of service (memory and CPU consumption) by making many TCP connections to port (1) 5060 or (2) 5061, aka Bug ID CSCud84959.
References: [CVE-2013-3453]

Cisco Unified Communications Manager (Unified CM) 8.5(x) and 8.6(x) before 8.6(2a)su3 and 9.x before 9.1(1) does not properly restrict the rate of SIP packets, which allows remote attackers to cause a denial of service (memory and CPU consumption, and service disruption) via a flood of UDP packets to port 5060, aka Bug ID CSCub35869.
References: [CVE-2013-3461]

Cisco TelePresence Video Communication Server is vulnerable to a denial of service, caused by the improper handling of messages by the Session Initiation Protocol (SIP) module. By sending a specially-crafted Session Description Protocol (SDP) message to UDP and TCP port 5060, a remote attacker could exploit this vulnerability to cause the device to reload.
References: [CVE-2014-0662], [BID-65076], [XFDB-90621]

6667

TCP

 

 

Dark FTP, EGO, Maniac rootkit, Moses, ScheduleAgent, SubSeven, The Thing (modified), Trinity, WinSatan

6670

TCP

 

 

BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame

6711

 

 

 

BackDoor-G, SubSeven, SubSARI, VP Killer, DeepThroat, Noknok

6969

TCP

 

BitTorrent tracker

2000 Cracks, BlitzNet, Dark IRC, GateCrasher, Kid Terror, Laphex, Net Controller, SpArTa, Vagr Nocker, Priority

7000

TCP

 

Default for Vuze's built in HTTPS Bittorrent Tracker

 

7000

TCP

 

Avira Server Management Console

Aladino, Gunsan, Remote Grab, SubSeven, SubSeven 2.1 Gold, Theef

8080

 

UDP

FilePhile Master/Relay

Brown Orifice, Generic backdoor, RemoConChubo, Reverse WWW Tunnel Backdoor, RingZero

8080

TCP

 

HTTP alternate (http_alt)—commonly used for Web proxy and caching server, or for running a Web server as a non-root user

Brown Orifice, Generic backdoor, RemoConChubo, Reverse WWW Tunnel Backdoor, RingZero

8080

TCP

 

Apache Tomcat

Brown Orifice, Generic backdoor, RemoConChubo, Reverse WWW Tunnel Backdoor, RingZero

8080

TCP

 

M2MLogger WebFRONT Cloud connector

Brown Orifice, Generic backdoor, RemoConChubo, Reverse WWW Tunnel Backdoor, RingZero

8080

TCP

 

Syncthing web GUI

Brown Orifice, Generic backdoor, RemoConChubo, Reverse WWW Tunnel Backdoor, RingZero

8080

TCP

 

Vermont Systems / RecTrac Vermont Systems RecTrac (WebTrac) network installer

Brown Orifice, Generic backdoor, RemoConChubo, Reverse WWW Tunnel Backdoor, RingZero

8886

TCP

 

PPM3 (Padtec Management Protocol version 3)

Beagle.B

 

 

9898

TCP

UDP

MonkeyCom

Dabber.A and Dabber.B

10000

TCP

UDP

Network Data Management Protocol

Dumaru.Y

10008

TCP

UDP

Octopus Multiplexer, primary port for the CROMP protocol, which provides a platform-independent means for communication of objects across a network

MyDoom.B

10080

     

MyDoom.B

12345

 

 

NetBus remote administration tool (often Trojan horse). Also used by NetBuster. Little Fighter 2 (TCP), Cubeworld (TCP and UDP), and (TCP) GVG (Grass Valley Group) SMS7000 and RCL video router control

NetBus, GabanBus, Pie Bill Gates, X-bill

 

12456

 

 

 

GabanBus, NetBus, X-bill

17200

 

 

 

Kuang2

17300

     

Kuang2

21554

 

 

 

Exploiter, Schwindler, Kid Terror, FreddyK, Winsp00fer

22136

TCP

 

FLIR Systems Camera Resource Protocol

 

22222

TCP

 

Davis Instruments, WeatherLink IP

Donald Dick, G.R.O.B., Prosiak, Ruler, RUX The TIc.K

27374

 

 

Sub7 default.

Bad Blood, Fake SubSeven, li0n, Ramen, Seeker, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8, SubSeven 2.2, SubSeven Muie, The Saint

29559

 

 

 

DuckToy, Katux, Latinus, Pest

31337

TCP

 

Back Orifice remote administration tool (often Trojan horse)

BackFire, Back Orifice, DeepBO, Client, Baron Night, B02, Bo Facil

31338

 

 

 

Back Orifice, DeepBO, Butt Funnel, NetSpy (DK)

65506

 

 

 

various names: PhatBot, Agobot, Gaobot

These are ports you may want to BLOCK, at least at the edge of your network. An asterisk * in the Notes field indicates that the ports are IANA registered. There are many other dangerous ports we have not listed.  We will do our best to publish them here.

SWAT, RealSecure | 901 | 901 | Samba Web Administration Tool. Also the port that RealSecure IDS listens on for console communications. IANA registered for SMP NAME RES (Simple Messaging Protocol name resolution?). Also used by a Trojan.

Possible Messenger Service or others | 1026-1029 | 1026-1029 | This low range in the ephemeral ports is a usual place for services to be communicating; however, see MS Messenger 1026 info.

MS SQL Server | 1433, 1434 | 1433, 1434 | * CERT Advisories CA-2002-22, CA-2003-04.

MS Universal Plug and Play (UPnP) | 1900, 5000, 2869? | 1900, 5000, 2869? | Port 1900 is IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol). Port 5000 is also registered, but not by Microsoft, and not for this service I don't think. Microsoft Security Bulletins: MS01-054, MS01-059. NIPC Advisory 01-030.2. SecurityFocus. Also see the Remote Access Trojan FAQ about port 5000. About 2869 (which is IANA registered as MS ICSLAP), Microsoft says that starting with Windows XP SP2, the SSDP event notification service will rely on TCP port 2869. Currently this is only a speculative risk.

Remote Desktop Protocol | 3389 | 3389 | Potential for unauthorized use of XP Pro Remote Desktop or XP Remote Assistance.

radmin | 4899 | 4899 | Remote administration of your computer, essentially remote control. See Radmin Default Installation Security Vulnerabilities.

DameWare | 6129 | 6129 | CERT Vulnerability Note VU#909678: DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets.
