Skip to content
ProtocolPorts

Port reference

Port 4899 (TCP) – Radmin

Famatech Radmin remote-administration server for graphical remote control of Windows hosts.

tcpRegisteredCommonly attacked

Default state

Open on Windows hosts running the Radmin Server service. Sometimes installed silently by malware that repurposes Radmin for remote control.

Common attacks

  • Brute force of Radmin credentials
  • Abuse of Radmin as a covert malware command-and-control channel
  • Scanning for exposed 4899 hosts to gain remote control
  • Exploiting unpatched or misconfigured Radmin servers

Hardening

  • Never expose 4899 to the internet — restrict to VPN/management networks
  • Use Radmin security mode with strong, unique passwords
  • Allowlist source IPs and enable connection logging
  • Detect unexpected Radmin installs as a possible compromise indicator
  • Keep Radmin Server updated and remove it where unused

nmap snippet

nmap -p4899 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 4899?

Port 4899 is the default for Radmin (Remote Administrator) by Famatech, a graphical remote-administration tool for Windows. The Radmin Server listens on 4899 and lets an operator view and control the desktop, transfer files, and open a remote shell — comparable to VNC or RDP, with its own protocol and authentication.

Why it matters for security

Radmin is dual-use: a legitimate admin tool that attackers also deploy as a covert command-and-control channel on compromised machines. An exposed 4899 offers direct, interactive control of a Windows host, so it draws scanners and brute-force attempts. Conversely, an unexpected Radmin install is itself a red flag — it may signal that someone has already planted remote-control software.

How it's attacked

Attackers scan for open 4899 and fingerprint the server via its banner, then brute-force Radmin credentials to gain control. Malware families bundle or drop Radmin to maintain persistent remote access while blending in with a known-good tool. Unpatched or misconfigured servers widen the opening.

Hardening checklist

Never expose 4899 to the internet — keep Radmin on VPN or internal management networks. Enable Radmin security mode with strong, unique passwords, allowlist source IPs, and turn on connection logging. Treat any unexpected Radmin install as a possible compromise indicator, keep the server updated, and remove it where unused. Use the nmap snippet above to locate exposed hosts you are authorized to assess.

Related ports

Port 5900Port 3389Port 5631Port 5938

Frequently asked questions

Why is Radmin sometimes flagged as malware?
Radmin is a legitimate remote-admin tool, but attackers silently install it to control compromised hosts. An unexpected Radmin server on 4899 can therefore be an indicator of compromise.
Is port 4899 safe to expose?
No. Exposing Radmin on 4899 invites credential brute force and remote takeover. Keep it on internal management networks or behind a VPN and require strong authentication.