Port reference

Port 6667 (TCP) – IRC (Internet Relay Chat)

Default plaintext port for Internet Relay Chat servers; TLS IRC typically uses 6697.

tcp · Registered · Commonly attacked

Default state

Open on IRC servers, usually unencrypted on 6667 (TLS variant on 6697). Legitimate use is real-time chat, but the protocol is also a historic botnet C2 channel.

Common attacks

  • Botnet command-and-control over IRC channels
  • Detection of compromised hosts beaconing to IRC C2
  • Abuse of open/misconfigured IRCd for spam and flooding
  • Exploitation of vulnerable or backdoored IRC daemons

Hardening

  • Use TLS IRC (6697) and disable plaintext 6667 where possible
  • Monitor egress for unexpected outbound IRC — a classic C2 signal
  • Lock down IRCd config: disable open relays, require auth/SASL
  • Keep the IRC daemon patched and run it as an unprivileged user
  • Firewall IRC ports to expected users and block from servers/IoT

nmap snippet

nmap -p6667 --script irc-info,irc-botnet-channels <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 6667?

Port 6667 is the classic Internet Relay Chat (IRC) port. IRC is a simple, text-based, channel-oriented chat protocol that has powered real-time communities for decades. Plain IRC on 6667 is unencrypted; modern networks offer TLS IRC on 6697. The related registered IRC port is 194.

Why it matters for security

IRC's simplicity made it a favorite botnet command-and-control transport: infected hosts join a channel and await orders. So while 6667 itself is a legitimate chat port, unexpected outbound IRC — especially from servers or IoT devices that have no reason to chat — is a classic indicator of compromise.
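
The egress check described above, as an added example that is not code from this page: it flags flow records in which a host from a segment that should not chat connects to an IRC port or sends an IRC registration (NICK plus USER) on any port, which goes slightly beyond plain port matching. The record layout, address ranges, sample records and function names are assumptions made for illustration.

```python
import ipaddress

IRC_PORTS = {6667, 6697, 194}                 # IRC ports named on this page
IRC_VERBS = {"PASS", "NICK", "USER", "JOIN"}  # IRC client commands (RFC 1459)
# Assumption: hypothetical ranges for hosts that have no reason to chat.
NO_CHAT_SEGMENTS = {
    "servers": ipaddress.ip_network("10.10.0.0/16"),
    "iot": ipaddress.ip_network("10.20.0.0/16"),
}
# Constructed sample records: time|src|dst|dport|first plaintext payload
SAMPLE_FLOWS = [
    r"2024-05-01T10:00:01Z|10.20.3.7|203.0.113.9|6667|NICK cam7\r\nUSER cam7 0 * :cam7\r\nJOIN #x\r\n",
    r"2024-05-01T10:00:05Z|10.10.1.4|198.51.100.20|443|",
    r"2024-05-01T10:00:09Z|10.10.1.5|203.0.113.9|8080|NICK web5\r\nUSER web5 0 * :web5\r\n",
    r"2024-05-01T10:00:12Z|10.30.8.2|198.51.100.77|6667|NICK alice\r\nUSER alice 0 * :Alice\r\n",
    r"2024-05-01T10:00:15Z|10.10.1.6|198.51.100.30|6697|",
]

def segment_of(ip):
    """Return the name of the no-chat segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NO_CHAT_SEGMENTS.items() if addr in net), None)

def irc_verbs(payload):
    """Collect IRC command words that start a line of the logged payload."""
    verbs = set()
    for line in payload.replace(r"\r\n", "\n").split("\n"):
        word = line.split(" ", 1)[0].upper()
        if word in IRC_VERBS:
            verbs.add(word)
    return verbs

def find_unexpected_irc(lines):
    """Flag IRC-looking egress from segments that should not use IRC."""
    alerts = []
    for line in lines:
        _ts, src, dst, dport, payload = line.split("|", 4)
        segment = segment_of(src)
        if segment is None:
            continue  # user range: IRC may be legitimate here
        reasons = []
        if int(dport) in IRC_PORTS:
            reasons.append("irc-port")
        if {"NICK", "USER"} <= irc_verbs(payload):
            reasons.append("irc-registration")  # IRC handshake on any port
        if reasons:
            alerts.append((src, dst, int(dport), segment, reasons))
    return alerts
```

On TLS connections (6697) the payload is not visible, so only the port reason can fire there.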

How it's attacked

Defenders and attackers alike fingerprint IRC with irc-info and hunt for malware with irc-botnet-channels, which flags known C2 channel patterns. Misconfigured or open IRCd instances are abused for spam and flooding, and vulnerable or backdoored daemons (a famous historical risk) are exploited for code execution.

Hardening checklist

Use TLS IRC on 6697 and disable plaintext 6667 where possible. Monitor egress for unexpected outbound IRC — a classic C2 signal. Lock down the IRCd config: disable open relays, require auth/SASL, keep the daemon patched, and run it as an unprivileged user. Firewall IRC ports to expected users and block them from servers and IoT. Use the nmap snippet above to check exposure on hosts you are authorized to test.

Frequently asked questions

Is port 6667 traffic always malicious?
No. 6667 is the standard port for legitimate IRC chat. However, because IRC is simple and channel-based, malware has long used it for command-and-control, so unexpected outbound 6667 from servers or IoT is suspicious.

Why is unexpected IRC traffic a red flag on a server?
Servers and IoT devices rarely need IRC. Outbound connections to 6667 often indicate a compromised host beaconing to a botnet C2 channel; the irc-botnet-channels NSE script helps spot known C2 patterns.