Skip to content
ProtocolPorts

Port reference

Port 1524 (TCP) – ingreslock

Nominally an Ingres database lock service, but infamous as a bind-shell backdoor port that often yields instant root.

tcpRegisteredCommonly attacked

Default state

Rarely a real service. A listening 1524 is usually a backdoor bind shell left by an attacker, as on Metasploitable.

Common attacks

  • Bind-shell backdoor listening on 1524 for direct attacker access
  • Instant root shell on misconfigured or compromised hosts
  • Mass scanning for the classic ingreslock backdoor
  • Use as a persistence channel after initial exploitation

Hardening

  • Treat a listening 1524 as a likely backdoor and investigate the host
  • Inspect inetd/xinetd and startup scripts for a shell bound to 1524
  • Block inbound 1524 at the perimeter firewall
  • Rebuild the host if a backdoor is confirmed and rotate credentials

nmap snippet

nmap -p1524 -sV --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 1524?

Port 1524 is registered for ingreslock, the lock service of the old Ingres database. In practice it is far better known as a bind-shell backdoor. On the deliberately vulnerable Metasploitable image and on many compromised hosts, a root shell is left listening on 1524, so connecting to the port drops you straight into a privileged session with no authentication.

Why it matters for security

A listening 1524 is rarely a legitimate Ingres service — it is usually a backdoor. Because the bound shell often runs as root, an attacker who reaches the port gains instant, full control of the machine. That makes an open 1524 a strong indicator of compromise and one of the fastest privilege escalations available when present.

How it's attacked

Attackers mass-scan for the classic ingreslock backdoor and simply connect to 1524 to land in the waiting shell. The port is also used as a persistence channel: after an initial exploit, an operator binds a root shell to 1524 so they can return later. No exploit is needed at connect time — the listener is the whole vulnerability.

Hardening checklist

Treat a listening 1524 as a likely backdoor and investigate the host. Inspect inetd/xinetd configuration and startup scripts for a shell bound to the port, and remove it. Block inbound 1524 at the perimeter firewall. If a backdoor is confirmed, rebuild the host from known-good media and rotate all credentials. The nmap snippet above grabs the banner on systems you are authorized to test.

Related ports

Port 12345Port 31337Port 4444Port 23

Frequently asked questions

Why is port 1524 considered a backdoor?
Although 1524 is registered for the Ingres database lock service, it is far better known as a bind-shell backdoor. Attackers and lab targets like Metasploitable leave a root shell listening on it for instant access.
What happens if I connect to an open port 1524?
On a backdoored host you often land directly in a root shell with no authentication. That is why a listening 1524 should be treated as a compromise and investigated immediately.