Common backdoor and trojan ports to investigate
Ports tied to trojans, backdoors and C2 — NetBus, Back Orifice, ingreslock, Meterpreter and abused legit services — and how to detect a compromise.
When malware lands on a host, it often opens a port to listen for commands or phone home to a command-and-control (C2) server. Over the years, certain port numbers have become so closely tied to specific trojans and backdoors that finding one open is a red flag worth investigating. This post lists those ports, explains why they matter, and shows how to detect a compromise. You can browse all ports to look up anything unexpected you find listening.
Classic backdoor and trojan ports
These ports have little or no legitimate use. Seeing them listen on a host should trigger an investigation:
| Port | Associated threat | Notes |
|---|---|---|
| port 1524 | ingreslock backdoor | Root shell left by many worms |
| port 4444 | Metasploit Meterpreter | Default reverse-shell handler |
| port 12345 | NetBus | Windows remote-control trojan |
| port 31337 | Back Orifice | "eleet" backdoor of the late 1990s |
| port 32764 | SerComm router backdoor | Found in consumer router firmware |
Port 12345 (NetBus) and port 31337 (Back Orifice) are the textbook remote-access trojans. Port 1524 (ingreslock) is famous because many self-propagating worms drop a root shell there. Port 4444 is the default listener for Metasploit's Meterpreter payload, so it shows up constantly during intrusions. Port 32764 was a literal backdoor baked into several brands of home routers, allowing unauthenticated command execution.
Legitimate services that attackers abuse
Other ports belong to real, useful tools — but attackers reuse them for remote access and C2. Context matters: the same port can be perfectly normal in one environment and a red flag in another.
- port 23 — Telnet. A cleartext remote shell; IoT malware like Mirai spreads over it by brute-forcing default credentials.
- port 9050 — Tor SOCKS proxy. Legitimate for privacy, but also how malware reaches hidden C2 services anonymously.
- port 1080 — SOCKS proxy. Often opened by malware to tunnel traffic or pivot through a host.
- port 2375 — unauthenticated Docker API. Exposed instances are hijacked to deploy cryptominers and containers.
- port 4899 — Radmin remote control. A legitimate admin tool that is also dropped by attackers as a backdoor.
- port 5631 — pcAnywhere. Old remote-access software repeatedly abused for unauthorized access.
The presence of port 9050 or port 1080 is not proof of malware, but an instance you did not deploy — or one running under an unexpected process — deserves a closer look.
How to detect a compromise
A suspicious port is only the starting point. Confirm what is really happening:
List listening ports
Run `netstat -anp` or `ss -tulpn` on Linux, or `netstat -anob` on Windows, to see every listening socket and the process bound to it. Any of the ports above — or anything you cannot explain — warrants investigation.
Baseline and compare
Maintain a known-good inventory of which ports each server should expose. A deviation from that baseline is far more meaningful than a static "bad port" list, because attackers can pick any port they like.
Watch the network, not just the host
A compromised host may listen quietly and only beacon outward. An IDS/IPS such as Suricata or Snort, with rules for known C2 signatures, catches outbound connections to suspicious ports and destinations that host-level checks miss. Correlate with firewall and DNS logs to spot beaconing patterns.
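The first two steps above, listing listeners and comparing them against a baseline, as an added example that is not part of the original post: a small Python script that parses `ss -tulpn` output, drops anything the host's known-good inventory explains, and grades what is left against the two port lists on this page. The sample output and the baseline are constructed for the example; note that `ss` only fills in the process column when run as root, so an empty column means "unknown", not "no process".

```python
"""Triage `ss -tulpn` output against a per-host baseline and the port lists above."""
import re
from collections import namedtuple

# Ports from the two lists on this page: near-certain backdoors vs. legitimate-but-abused.
BACKDOOR_PORTS = {1524: "ingreslock backdoor", 4444: "Metasploit Meterpreter",
                  12345: "NetBus", 31337: "Back Orifice", 32764: "SerComm router backdoor"}
ABUSED_PORTS = {23: "Telnet", 9050: "Tor SOCKS proxy", 1080: "SOCKS proxy",
                2375: "Docker API", 4899: "Radmin", 5631: "pcAnywhere"}
# Known-good inventory for a hypothetical web server: (protocol, port) pairs it should expose.
BASELINE = {("tcp", 22), ("tcp", 80), ("udp", 68)}

# Constructed sample of `ss -tulpn` output; not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:80             *:*         users:(("nginx",pid=990,fd=6))
tcp   LISTEN 0      10     0.0.0.0:31337    0.0.0.0:*   users:(("svchost",pid=4021,fd=5))
tcp   LISTEN 0      128    127.0.0.1:9050   0.0.0.0:*   users:(("tor",pid=1203,fd=7))
udp   UNCONN 0      0      0.0.0.0:68       0.0.0.0:*   users:(("dhclient",pid=640,fd=6))
"""

# Netid, State, Recv-Q, Send-Q, local addr:port, peer, then the optional process column (root only).
LINE_RE = re.compile(r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+'
                     r'(?:\s+users:\(\("([^"]+)",pid=(\d+))?')
Listener = namedtuple("Listener", "proto addr port process")

def parse_ss(output):
    listeners = []
    for line in output.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, proc, pid = m.groups()
            # Process is "unknown" (not "none") when ss could not show it, e.g. run unprivileged.
            listeners.append(Listener(proto, addr, int(port), f"{proc}[{pid}]" if proc else "unknown"))
    return listeners

def triage(listeners, baseline):
    """Return (severity, listener, reason) for every socket the baseline does not explain."""
    findings = []
    for lst in listeners:
        if (lst.proto, lst.port) in baseline:
            continue  # expected on this host
        if lst.port in BACKDOOR_PORTS:
            findings.append(("high", lst, BACKDOOR_PORTS[lst.port]))
        elif lst.port in ABUSED_PORTS:
            findings.append(("medium", lst, f"{ABUSED_PORTS[lst.port]} not in baseline"))
        else:
            findings.append(("low", lst, "unexplained listener"))
    return findings
```

On the sample, `triage(parse_ss(SAMPLE_SS), BASELINE)` flags the 31337 listener as high and the Tor proxy on 9050 as medium; adding 9050 to the baseline for a host that is supposed to run Tor makes that finding disappear, which is the point of the baseline step.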
Conclusion
Backdoor ports like port 12345, port 31337 and port 1524 have almost no innocent explanation, while abused legitimate services like Telnet, Tor and Docker require context before you raise the alarm. Either way, the right response is the same: identify the process behind the port, compare it against a trusted baseline, and watch network traffic for C2 activity. An unexplained open port is not a verdict — it is an invitation to investigate.