Port reference
Port 31337 (UDP) – Back Orifice
Default port of the Back Orifice Windows backdoor — the iconic "eleet" port and a classic IDS signature.
Default state
Not a normal service. A listening 31337 is a strong compromise indicator and a long-standing IDS detection signature.
Common attacks
- Back Orifice remote-administration backdoor control channel
- Covert remote control of an infected Windows host over UDP
- Use of 31337 as a generic C2 / reverse-shell port by other malware
- Mass scanning for the iconic "eleet" backdoor port
Hardening
- Treat a listening 31337 as a likely compromise and investigate the host
- Run a reputable AV/EDR scan to remove Back Orifice and similar RATs
- Alert on 31337 in IDS/IPS — it is a long-standing signature
- Block inbound UDP 31337 at the perimeter firewall
nmap snippet
nmap -sU -p31337 -sV --script banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 31337?
Port 31337 is the default port of Back Orifice, the iconic Windows backdoor released by the Cult of the Dead Cow in 1998. The number spells "eleet" in leetspeak, which cemented its place in security culture. It is not a legitimate service: a listening 31337 most likely means a Back Orifice-style backdoor, and the port is also reused as a generic C2 / reverse-shell channel by other malware.
Why it matters for security
Back Orifice gives an attacker covert remote control of an infected Windows machine over UDP — file access, command execution, and surveillance. Because the port is so iconic, 31337 is a long-standing IDS/IPS signature: most detection systems flag it on sight. An open 31337 is therefore a strong indicator of compromise that should trigger investigation, not a normal listening service.
How it's attacked
The backdoor itself is the threat: a Back Orifice client sends UDP control packets to 31337 to drive the victim. Opportunistic actors also mass-scan for the famous port to find hosts other attackers already infected, and various malware families simply reuse 31337 as their command-and-control port.
Hardening checklist
Treat a listening 31337 as a likely compromise and investigate with a reputable
AV/EDR scan to remove Back Orifice and similar RATs. Keep the IDS/IPS
signature for 31337 enabled and alert on any matching traffic. Block inbound
UDP 31337 at the perimeter firewall. The nmap snippet above uses -sU to probe
the UDP port on systems you are authorized to test.
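For the host-investigation step, the following added example (not code from the original page) triages Windows `netstat -ano` output for sockets involving 31337 and reports the owning PID. It goes beyond the UDP listener to cover TCP listeners and outbound sessions, since the page notes other malware reuses the port for C2; the function names and the sample output are constructed for illustration.

```python
WATCH_PORT = 31337  # Back Orifice default port, per the page

# Constructed sample of Windows `netstat -ano` output (illustrative, not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       996
  TCP    10.0.0.5:50112         203.0.113.7:31337      ESTABLISHED     2210
  TCP    [::]:31337             [::]:0                 LISTENING       4312
  UDP    0.0.0.0:123            *:*                                    1048
  UDP    0.0.0.0:31337          *:*                                    4312
  UDP    [::]:5353              *:*                                    1520
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6]:port'; port is None for wildcards like '*:*'."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port) if port.isdigit() else None

def find_port_activity(netstat_text, port=WATCH_PORT):
    """Return one finding per socket bound to, or connected out to, `port`."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers and blank lines; UDP rows have no State column (4 fields).
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote, pid = fields[0], fields[1], fields[2], fields[-1]
        if not pid.isdigit():
            continue
        state = fields[3] if proto == "TCP" and len(fields) >= 5 else ""
        _, local_port = split_endpoint(local)
        _, remote_port = split_endpoint(remote)
        if local_port == port:
            # A bound UDP socket or TCP LISTENING is the backdoor-style indicator.
            bound = proto == "UDP" or state == "LISTENING"
            kind = "listener" if bound else "session"
        elif remote_port == port:
            kind = "outbound"  # possible reuse of 31337 as a C2 port
        else:
            continue
        findings.append({"kind": kind, "proto": proto, "local": local,
                         "remote": remote, "pid": int(pid)})
    return findings

if __name__ == "__main__":
    for f in find_port_activity(SAMPLE_NETSTAT):
        print(f"{f['kind']:9}{f['proto']} {f['local']} -> {f['remote']} pid={f['pid']}")
```

The PID in each finding is the starting point for identifying the responsible process during the investigation.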
Frequently asked questions
- Why is port 31337 famous?
- 31337 spells "eleet" in leetspeak and is the default port of the 1990s Back Orifice backdoor. It became a cultural icon and a standard IDS signature for backdoor traffic.
- Is an open port 31337 dangerous?
- Yes. It is the classic Back Orifice backdoor port and is also reused as a generic C2 port by other malware, so a listening 31337 is a strong indicator of compromise to investigate.