Detected services: Open Port findings are observed using information returned by the port itself. The header returned from the server is analyzed, and then we look for attributes that identify the service.
- Detected service: ZooKeeper
- This port was observed running Apache ZooKeeper, which is an open-source coordination service for distributed systems. It has had vulnerabilities in the past, and its developers recommend that it not be deployed on the public Internet. See the Apache ZooKeeper recommendations.
Port: 2181
Remediation Tips: Block the port in the company edge network infrastructure.
GOOD
- Detected service: FTP with AUTH TLS
- This port was observed running File Transfer Protocol (FTP) with AUTH TLS (encryption), which is used for securing FTP communications.
- Detected service: HTTPS
- This port was observed running Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic.
- Detected service: HTTPS/Cisco RV
- This port was observed running a Cisco RV device, which is a VPN router.
- Detected service: IMAP with STARTTLS
- This port was observed running Internet Message Access Protocol (IMAP) with STARTTLS, which is used for securing IMAP mail servers.
- Detected service: IMAPS
- This port was observed running Internet Message Access Protocol (IMAP) over Secure Sockets Layer (SSL).
- Detected service: IPSec NAT Traversal
- This port was observed running IPSec services over Network Address Translation (NAT) Traversal, which allows end-to-end encrypted communications across the Internet from computers sharing the same public IP address.
- Detected service: ISAKMP (Cisco-ASA)
- This port was observed running Internet Security Association and Key Management Protocol (ISAKMP), which is a framework for authentication and key exchange, using a Cisco ASA device. Cisco ASA v1 and v2 devices have known vulnerabilities.
- Detected service: ISAKMP NAT-T
- This port was observed running Internet Security Association and Key Management Protocol (ISAKMP) over Network Address Translator (NAT) Traversal, which allows authentication and key exchange across connections that traverse gateways implementing network address translation.
- Detected service: ISAKMP NAT-T (Cisco-ASA)
- This port was observed running Internet Security Association and Key Management Protocol (ISAKMP) over Network Address Translator (NAT) Traversal, using a Cisco ASA device. Cisco ASA v1 and v2 devices have known vulnerabilities.
- Detected service: POP3 with STARTTLS
- This port was observed running Post Office Protocol version 3 (POP3) with STARTTLS, which is used for securing POP3 mail.
- Detected service: POP3S
- This port was observed using a secure Post Office Protocol version 3 (POP3S), which is used for securing POP3 email.
- Detected service: SFTP
- This port was observed running Secure File Transfer Protocol (SFTP), which is used for securing FTP communications.
- Detected service: SMTPS
- This port was observed running Simple Mail Transfer Protocol (SMTP) with Transport Layer Security (TLS).
- Detected service: SMTP with STARTTLS
- This port was observed running Simple Mail Transfer Protocol (SMTP) with STARTTLS, which is used for securing SMTP mail servers.
- Detected service: SSH
- This port was observed running Secure Shell (SSH), which is used for sending and receiving secure communication.
- Detected service: Telnet over SSL/TLS
- This port was observed running Telnet over Transport Layer Security (TLS)/Secure Sockets Layer (SSL) encryption layers.
NEUTRAL
- Detected service: BGP
- This port was observed running Border Gateway Protocol (BGP), which is used to exchange routing and reachability information between networks and systems on the Internet.
Remediation Tips: Create a company firewall filter that blocks all connection attempts to this port except from specified BGP peers, since there are no mechanisms internal to BGP that protect against attacks that modify, delete, forge, or replay data, any of which has the potential to disrupt overall network routing behavior.
- Detected service: CouchDB
- This port was observed running CouchDB, which is a document-oriented NoSQL database. Unlike a relational database that stores data and relationships in tables, CouchDB is self-contained in a collection of independent documents that can be accessed offline, such as on a mobile device or server.
- Detected service: DNS
- This port was observed running a Domain Name System (DNS) service, which is used to direct requests for domain names to their assigned IP addresses.
- Detected service: FTP
- This port was observed running File Transfer Protocol (FTP), which is used to transfer files over a network.
- Detected service: HTTP
- This port was observed running Hypertext Transfer Protocol (HTTP), which is used for sending and receiving internet traffic.
- Detected service: HTTP/Cisco RV
- This port was observed running a Cisco RV device, which is a VPN router.
- Detected service: IMAP
- This port was observed running Internet Message Access Protocol (IMAP), which is a commonly used mail protocol.
- Detected service: ISAKMP
- This port was observed running Internet Security Association and Key Management Protocol (ISAKMP), which is a framework for authentication and key exchange.
- Detected service: Kubernetes API
- This port was observed running Kubernetes, which is an open source platform that automates Linux container operations. In versions prior to v1.10.11, the incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection from the Kubernetes API server to backend servers. The Kubernetes API server's TLS credentials are used to authenticate and establish the backend connection, and arbitrary requests can then be sent directly to the backend over the same connection.
Remediation Tips: Update to a more recent version of Kubernetes. Refer to CVE-2018-1002105.
- Detected service: LDAPS
- This port was observed running a Lightweight Directory Access Protocol (LDAP) server, over TLS/SSL (LDAPS). It's used to maintain directory information service and can be used to gather information about a company's network infrastructure.
- Detected service: ManageSieve
- This port was observed running a ManageSieve server, which is used to manage filtering of server-side email messages.
- Detected service: MySQL (connection refused)
- This port was observed running MySQL, but the service is properly secured (the connection was refused).
- Detected service: NTP
- This port was observed running Network Time Protocol (NTP), which is a common way for systems to keep their local time in sync with current time.
- Detected service: Onvif
- This port was observed running Open Network Video Interface Forum (ONVIF), which is an industry forum that provides and promotes standardized interfaces for effective interoperability of IP-based physical security products.
- Detected service: POP
- This port was observed running Post Office Protocol (POP), which is a commonly used mail protocol.
- Detected service: PPTP
- This port was observed running the Point-to-Point Tunneling Protocol (PPTP), which is a method for implementing Virtual Private Networks (VPN).
- Detected service: SIP
- This port was observed running Session Initiation Protocol (SIP), which is widely used for internet telephony and video services.
- Detected service: SMTP
- This port was observed running Simple Mail Transfer Protocol (SMTP) without STARTTLS, which is a commonly used mail protocol.
- Detected service: SMTP with access control
- This port was observed running Simple Mail Transfer Protocol (SMTP) with restrictive access controls. Bitsight could not gather additional information as a result.
- Detected service: XMPP
- This port was observed running Extensible Messaging and Presence Protocol (XMPP), which is a way to send Extensible Markup Language (XML)-based communications.
- Detected service: XServer
- This port was observed running an X Windows server, which is used to allow remote users to log in to a graphical desktop and use server resources to perform tasks.
WARN
- Detected service: AMQP
- This port was observed running the Advanced Message Queuing Protocol (AMQP), which is used for sending messages between distributed systems.
Remediation Tips: Create company firewall rules to only allow approved AMQP destinations, or block the port entirely in the company edge network infrastructure and tunnel AMQP requests through a Virtual Private Network (VPN).
- Detected service: Apple Airport Administration
- This port was observed running Apple Airport Administration software, which can be used to modify and access connections on the machine or an attached network.
Remediation Tips: These devices should not be exposed to the Internet. Block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review.
- Detected service: BitTorrent Tracker
- This port was observed running a BitTorrent Tracker, which is used to help BitTorrent clients find each other and share files. File sharing is a known vector for malware to enter otherwise secure systems.
Remediation Tips: If there is no reason to legitimately share files over BitTorrent as a legal software distribution channel, block the port in the company edge network infrastructure.
- Detected service: CouchDB (unauthenticated)
- This port was observed running CouchDB, which is a document-oriented NoSQL database. It has known vulnerabilities due to insufficient validation of administrator-supplied configuration settings via the HTTP API, which may allow a CouchDB administrator's privileges to be escalated to those of the operating system user and lead to arbitrary remote code execution. Resources: CVE-2018-11769, CVE-2018-8007
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries instead of exposing the database server to the Internet.
- Detected service: Distributed Hash Table
- This port was observed running a Distributed Hash Table, which is used to help BitTorrent nodes find each other and connect peers for file sharing.
Remediation Tips: If there is no reason to legitimately share files over BitTorrent as a legal software distribution channel, block the port in the company edge network infrastructure.
- Detected service: Erlang Port Mapper Daemon
- This port was observed running Erlang Port Mapper Daemon, which facilitates communications between Erlang nodes.
Remediation Tips: If there is no reason for the Erlang Port Mapper Daemon to be running, block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review.
- Detected service: FTP without AUTH TLS
- This port was observed running a File Transfer Protocol (FTP) service without AUTH TLS (encryption).
Remediation Tips: Insecure FTP poses many risks, as it is also a common vector for trojans and other malware. Block port 21 bidirectionally on routers and on hardware and software firewalls. Switch to the Secure File Transfer Protocol (SFTP), i.e. the SSH File Transfer Protocol.
- Detected service: GPRS Tunneling
- This port was observed running a General Packet Radio Service (GPRS) Tunneling service, which is used to carry network packets for cellular networks. It allows cellular customers to stay connected to the Internet while roaming.
Remediation Tips: Implement a company firewall to ensure that only traffic from the mobile station to the Internet is allowed and not the other way around, in order to diminish the possibilities of GPRS protocol-based attacks. Consider using secure Virtual Private Network (VPN) services between your GPRS network elements. Read more in Vulnerabilities and Possible Attacks Against the GPRS Backbone Network.
- Detected service: HP Data
- This port was observed running an HP Data service, which is used for backing up single and enterprise systems data.
Remediation Tips: Block this port in the company edge network infrastructure. If remote access is required, tunnel any connections through a secure Virtual Private Network (VPN).
- Detected service: HP OpenView
- This port was observed running an HP OpenView service, which is used to manage systems and networks for an organization's IT infrastructure. It is based on Simple Network Management Protocol (SNMP).
Remediation Tips: Block this port in the company edge network infrastructure. If remote access is required, tunnel any connections through a secure Virtual Private Network (VPN).
- Detected service: IMAP without STARTTLS
- This port was observed running Internet Message Access Protocol (IMAP) without STARTTLS, which is an unsecured mail protocol.
Remediation Tips: Configure your mail server software to use STARTTLS for IMAP and Post Office Protocol version 3 (POP3) as defined in RFC-2595. Unencrypted mail activity may also be a sign of malware activity. Consider blocking plain IMAP (port 143) and plain POP (port 110) after the transition to secure IMAP transmission.
- Detected service: IRC
- This port was observed running Internet Relay Chat (IRC), which is used for centralized communications.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources.
- Detected service: Java RMI
- This port was observed running Java Remote Method Invocation (Java RMI) or a Java RMI Server, which is the equivalent of Remote Procedure Calls (RPC) for the Java language. The default configuration of Java RMI servers allows loading classes from any remote Hypertext Transfer Protocol (HTTP) URL, which is considered insecure.
Remediation Tips: Implement Java RMI over Transport Layer Security (TLS)/Secure Sockets Layer (SSL).
- Detected service: Lantronix
- This port was observed running from a Lantronix device, which may be an Internet-of-Things (IoT) device or an IoT gateway.
Remediation Tips: Some serial-to-internet devices are known to expose Simple Network Management Protocol (SNMP) ports for serial devices, which is a security issue, since SNMP has known vulnerabilities. Additionally, some serial-to-ethernet devices permit unauthenticated access to the device over the network. Consider blocking the port in the company edge network infrastructure, connect any serial devices to machines that require authentication instead of exposing them directly to the Internet, and utilize secure VPN connections to the machine in order to access the devices.
- Detected service: LDAP
- This port was observed running a Lightweight Directory Access Protocol (LDAP) server, which is used to maintain directory information service and can be used to gather information about a company's network infrastructure.
Remediation Tips: Block this port in the company edge network infrastructure. Use LDAP over TLS/SSL (LDAPS). See implementation guides for Microsoft servers and OpenLDAP.
- Detected service: Minecraft
- This port was observed running Minecraft, which is a computer game.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself.
- Detected service: Moxa Nport device
- This port was observed running a Moxa Nport device, which is used to make certain hardware and devices internet-accessible.
Remediation Tips: Some of these devices contain a flaw that can be exploited by attackers to brute force logins and obtain access to the vulnerable system. Block this port in the company edge network infrastructure. If remote access is required, tunnel connections over a secure Virtual Private Network (VPN). Ensure the machine receives a thorough security review.
- Detected service: MQTT
- This port was observed running MQ Telemetry Transport (MQTT), which is a subscription-based messaging protocol. It's used by some Internet-of-Things (IoT) services and devices.
Remediation Tips: Create company firewall rules to only permit connections with approved servers/clients, or block the port in the company edge network infrastructure and tunnel any MQTT connections through a secure Virtual Private Network (VPN).
- Detected service: MS RDP with screen capture
- This port was observed running Microsoft Remote Desktop Protocol (MS RDP) with screen capture enabled, which allows a user's actions and possibly sensitive data to be captured when connecting to another computer over a network connection. It can be vulnerable to man-in-the-middle (MITM) attacks.
Remediation Tips: Ensure RDP sessions are over a secure Virtual Private Network (VPN). Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: MS SQL Server
- This port was observed running Microsoft SQL Server, which has many known vulnerabilities.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries.
- Detected service: Multicast DNS
- This port was observed running Multicast Domain Name System (DNS) services, which is a network protocol for dynamic registration of devices.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself.
- Detected service: MySQL
- This port was observed running MySQL Server, which is a common database server.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: MySQL (connection not refused)
- This port was observed running MySQL, which is a common database system. Anonymous connections are not refused.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries.
- Detected service: NNTP
- This port was observed running Network News Transfer Protocol (NNTP), which is used to transport Usenet articles. It has known vulnerabilities.
Remediation Tips: Use Transport Layer Security (TLS) via NNTP over STARTTLS for improved security, as specified in RFC-4642.
- Detected service: POP without STARTTLS
- This port was observed running Post Office Protocol (POP) without STARTTLS, which is an unsecured mail protocol.
Remediation Tips: Configure your mail server software to use STARTTLS for Internet Message Access Protocol (IMAP) and POP3 as defined in RFC-2595. Unencrypted mail activity may also be a sign of malware activity. Consider blocking plain IMAP (port 143) and plain POP (port 110) after the transition to secure IMAP transmission.
- Detected service: PostgreSQL
- This port was observed running PostgreSQL, which is an object-relational database management system.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries instead of directly exposing the service to the Internet.
- Detected service: RMCP
- This port was observed running Remote Management and Control Protocol (RMCP), which can be used to obtain password hash information.
Remediation Tips: Configure your Active Directory servers to implement RMCP over Secure Sockets Layer/Transport Layer Security (SSL/TLS).
- Detected service: RSYNC
- This port was observed running RSYNC, which is software designed to keep copies of files synchronised on the same or multiple computers. This service should not be exposed to the Internet.
Remediation Tips: Use RSYNC with SSH and block this port in the company edge network infrastructure.
- Detected service: RTSP
- This port was observed running the Real Time Streaming Protocol (RTSP) service, which is used to control streaming media servers.
Remediation Tips: Unsecured RTSP is vulnerable to compromise. Use Secure RTSP (RTSPS) or use a secure Virtual Private Network (VPN) to tunnel streaming media connections. Block the port in the company edge network infrastructure.
- Detected service: SMB
- This port was observed running Server Message Block (SMB), which is used to share files, devices, printers, and other communications between machines.
Remediation Tips: Block the port in the company edge network infrastructure. If remote access is required, use a secure Virtual Private Network (VPN) to tunnel inbound connections to the SMB server.
- Detected service: SMB (Anonymous login)
- This port was observed running Server Message Block (SMB), which is used to share files, devices, printers, and other communications between machines. This machine is accepting anonymous logins. Allowing anonymous logins is a security risk.
Remediation Tips: Ensure proper authentication controls are in place. Block the port in the company edge network infrastructure. If remote access is required, use a secure Virtual Private Network (VPN) to tunnel inbound connections to the SMB server.
- Detected service: SMTP without STARTTLS
- This port was observed running Simple Mail Transfer Protocol (SMTP) without STARTTLS, which is an unsecured mail protocol.
Remediation Tips: Configure your mail server software to use Secure SMTP over Transport Layer Security (TLS), according to the RFC-3207 specification.
- Detected service: SNMP
- This port was observed running Simple Network Management Protocol (SNMP), which is a protocol for managing devices on IP networks. It has known security vulnerabilities.
Remediation Tips: Use SNMP over Transport Layer Security (TLS) or Datagram TLS, as specified in RFC-5953. Once implemented, cease use of the unencrypted SNMP protocol.
- Detected service: SNMP (Insecure Older [V1])
- An insecure version (v1) of Simple Network Management Protocol (SNMP) is used on the same server.
Remediation Tips: Update SNMP to the latest version.
- Detected service: SNMP (Insecure Older [V1,V2])
- An insecure version (v1 or v2) of Simple Network Management Protocol (SNMP) is used on the same server.
Remediation Tips: Update SNMP to the latest version.
- Detected service: SNMP (Insecure Older [V2])
- An insecure version (v2) of Simple Network Management Protocol (SNMP) is used on the same server.
Remediation Tips: Update SNMP to the latest version.
- Detected service: SNMP (Insecure V3)
- A later, secure version of the Simple Network Management Protocol (SNMP) is being used (SNMPv3), but no SNMPReport with authPriv and AES encryption is received.
Remediation Tips: Set up the SNMPReport response to have authPriv and AES encryption. Refer to Cisco, "SNMPv3 Groups" for more information.
- Detected service: Steam
- This port was observed running Steam™, which is a computer game distribution platform.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself.
- Detected service: TACACS+
- This port was observed running Terminal Access Controller Access-Control System (TACACS), which is used for remote authentication and access control through a central server. TACACS+ is known to be vulnerable to certain attacks.
Remediation Tips: Block the port in the company edge network infrastructure. If remote access is required, consider using a secure Virtual Private Network (VPN) to access local resources or employ a comparable alternative enterprise solution.
- Detected service: Time protocol
- This port was observed running the Time protocol (RFC-868), but the reported time is incorrect, which can be exploited by attackers to break secure connections and encryption certificates. The Time daemon is also not recommended for new users. Its format is backwards compatible, but does not support robust error detection or correction and has poor error-handling capabilities. Many of the client programs that use this format are poorly written and may not handle network errors properly.
Remediation Tips: We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Ensure all affected machines have the NTP package up-to-date (4.2.8p4 or higher) and ensure any NTP clients do not run with the -g option. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients.
- Detected service: Time protocol (incorrect clock)
- This port was observed running the Time protocol (RFC-868), but the reported time is incorrect, which can be exploited by attackers to break secure connections and encryption certificates, and may cause problems with security protocols (like TLS) that rely on both ends of the connection having roughly the same idea of the current time. The Time daemon is also not recommended for new users. Its format is backwards compatible, but does not support robust error detection or correction and has poor error-handling capabilities. Many of the client programs that use this format are poorly written and may not handle network errors properly.
Remediation Tips: We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Ensure all affected machines have the NTP package up-to-date (4.2.8p4 or higher) and ensure any NTP clients do not run with the -g option. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients.
- Detected service: Ventrilo
- This port was observed running Ventrilo, which is a voice-over-IP (VoIP) and text chat software. The service should not be visible to unauthorized clients.
Remediation Tips: Use access control lists to permit authorized users to access the service.
- Detected service: VMWare Authentication Daemon
- This port was observed running a VMWare authentication daemon, which allows remote users to connect to the console of a VMWare virtual machine.
Remediation Tips: Unsecured authentication daemons may lead to compromise by attackers. Consider blocking the port in the company edge network infrastructure. If remote connections are required, utilize secure Virtual Private Network (VPN) connections to the machine in order to access the console.
BAD
- Detected service: Adtran Gen3
- This port was observed running Adtran Gen3, which is a business network gateway and should not be exposed to the Internet.
Remediation Tips: If remote access functionality is mandatory, tunnel any connections to the device through a secure Virtual Private Network (VPN) connection. Ensure management interfaces are not publicly accessible to the Internet and are accessible only to local machines.
- Detected service: BACnet
- This port was observed running BACnet, which is a communications protocol for building automation. These devices should not be exposed to the Internet.
Remediation Tips: Create private networks for these devices and secure gateways for intranet use. If this activity is not coming from an industrial process or is behind a network that does not use industrial processes, block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review.
- Detected service: BGP (ASN )
- This port was observed running Border Gateway Protocol (BGP), which is used to exchange routing and reachability information between networks on the Internet, and it is advertising an Autonomous System Number (ASN) for an Autonomous System (AS).
Remediation Tips: Create a company firewall filter that blocks all connection attempts to this port except from specific BGP peers. Any BGP router can advertise routes with any AS number and may perform man-in-the-middle (MITM) attacks.
- Detected service: Cassandra {}
- This port was observed running Cassandra, which is a NoSQL database.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: Cisco SMI
- This port was observed running Cisco Smart Install, which is a protocol that can be used to access and install new firmware on Cisco IOS devices. This protocol should not be exposed to the Internet. Attackers can take advantage of this service to install malicious files on Cisco devices and run privileged commands.
Remediation Tips: If remote access is required, use a secure VPN to access required resources.
- Detected service: Citrix Applications
- This port was observed running Citrix, which delivers applications to enterprise systems.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: Dahua DVR
- This port was observed running a Dahua DVR, which is used to digitally record video from cameras. Exposing this port to the Internet may allow the data and privacy of the cameras to be compromised by attackers.
Remediation Tips: Block the port in the company edge network infrastructure. If remote access is required, use a secure Virtual Private Network (VPN) to access required resources. Ensure the machine receives a thorough security review.
- Detected service: ElasticSearch
- This port was observed running ElasticSearch, which is a search-optimized database.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: fuel tank monitor
- This port was observed running a fuel tank monitor, which shouldn't be exposed to the Internet.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Consider using a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: Hadoop/HDFS
- This port was observed running Hadoop/Hadoop Distributed File System, which is used for distributed databases. Attackers can collect information about this database and try to remotely attack it.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: HTTPS/Cisco {{RV320}} (config disclosure)
- This port was observed running a Cisco RV320 device, where the firewall security is vulnerable to remote attackers who may gain access and obtain complete device configuration information (CVE-2019-1653).
Remediation Tips: Update the device firmware to version 1.4.2.19 or later.
- Detected service: HTTPS/Cisco RV325 (config disclosure)
- This port was observed running a Cisco RV325 device, where the firewall security is vulnerable to remote attackers who may gain access and obtain complete device configuration information (CVE-2019-1653).
Remediation Tips: Update the device firmware to version 1.4.2.19 or later.
- Detected service: HTTP CVE-2017-7269
- A buffer overflow in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 with WebDAV and PROPFIND enabled allows remote attackers to execute arbitrary code.
Remediation Tips: Update to a more recent version of Microsoft Windows Server (2015, 2016), disable WebDAV on the affected 2003 server, or manually apply a patch.
- Detected service: HTTP (Open Webcam)
- This port was observed running a webcam with no authentication. This can expose private information to the general public.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review.
- Detected service: Intel-AMT
- This port was observed running Intel-AMT services, which are used to manage system hardware and firmware. Some Intel-AMT devices contain vulnerabilities that can be used by attackers to gain access to those systems.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure these managed systems receive all available vendor updates.
- Detected service: Kerberos
- This port was observed running Kerberos, which is used to authenticate users and services.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself.
- Detected service: memcached
- This port was observed running Memcached, which is a memory caching system. It has known security vulnerabilities.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries.
- Detected service: MongoDB
- This port was observed running MongoDB, which is a document-oriented database.
Remediation Tips: Block the port in the company edge network infrastructure and ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local database queries instead of directly exposing the database server to the Internet.
- Detected service: Moxa Nport device (no auth)
- This port was observed running a Moxa Nport device, which is used to make certain hardware and devices internet-accessible, and does not have a password set. These devices can be easily exploited by attackers.
Remediation Tips: Set an administrative password on the device. Block this port in the company edge network infrastructure. If remote access is required, tunnel connections over a secure Virtual Private Network (VPN). Ensure the machine receives a thorough security review.
- Detected service: MS RDP
- This port was observed running Microsoft Remote Desktop Protocol (MS RDP) without screen capture, which allows a user to connect to another computer over a network connection. It can be vulnerable to man-in-the-middle (MITM) attacks.
Remediation Tips: Ensure RDP sessions are over a secure Virtual Private Network (VPN). Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: NetBIOS
- This port was observed running NetBIOS, which allows applications on different computers to communicate over a Local-area Network (LAN). It has known security vulnerabilities and is a common attack target.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If NetBIOS connectivity is required, tunnel any connections through a secure Virtual Private Network (VPN) connection. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: Netstat
- This port was detected running Netstat, which is a deprecated tool used to monitor network performance.
Remediation Tips: Block the port in the company edge network infrastructure.
- Detected service: Niagara Fox
- This port was observed running Niagara Fox with or without SSL. Niagara Fox is a software platform for Internet-of-Things (IoT) devices.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system.
- Detected service: ONC RPC (Portmapper)
- This port was observed running the Open Network Computing (ONC) Remote Procedure Call (RPC) port mapper, which maps RPC service numbers to network port numbers. Malicious actors can use Portmapper requests for Distributed Denial of Service (DDoS) attacks because the service runs on Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port 111. Since UDP allows IP spoofing, attackers can send small requests to Portmapper using the target's IP address, and the server sends a larger response to the victim.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. If the service is required, set up a company firewall to only allow connections from approved IP addresses, and disable UDP access to the service.
- Detected service: Open XServer
- This port was observed running an X11 Server with open authentication (no access controls). Open authentication allows anonymous attackers to capture all activity of the logged-on user.
Remediation Tips: Enable access controls on the X Server machine (run “xhost -” as the X server user) and replace any instances of “xhost +” in your config files with “xhost -.” Use “man xinit” to find locations of your config files. Block the port in the company edge network infrastructure. If remote access is required, tunnel any inbound connections to the machine through a Virtual Private Network (VPN) tunnel. Ensure the machine receives a thorough administrative security review.
- Detected service: pcAnywhere
- This port was observed running pcAnywhere, which allows a user to connect to another computer over a network connection. It has known vulnerabilities and is no longer supported. Symantec recommends users disable PC Anywhere and use Bomgar as the replacement.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review.
- Detected service: POP3 without STARTTLS
- POP3 is a way for email clients to access their mailbox from different systems. STARTTLS is a protocol extension that allows the client and the server to negotiate upgrading the connection to use TLS. Without STARTTLS, a man-in-the-middle (MITM) can read all the email being received by the client.
Remediation Tips: Configure your mail server software to use STARTTLS for Internet Message Access Protocol (IMAP) and POP3 as defined in RFC-2595.
- Detected service: Portmapper with services
- This port was observed running Portmapper with services, which is used to assign services to ports for communication over the Internet.
Remediation Tips: Block the port in the company edge network infrastructure. If the service is required, disable User Datagram Protocol (UDP) access to the service and require Transmission Control Protocol (TCP)-only connections in order to avoid denial-of-service reflection attacks.
- Detected service: Printer
- This port was observed running printer services.
Remediation Tips: Block the port in the company edge network infrastructure and disable any Universal Plug-n-Play features (UPnP) on the printer to prevent future unwanted exposure to the Internet. If remote access is required, tunnel any printer connections through a secure Virtual Private Network (VPN). Ensure that the machine receives a thorough administrative security review.
- Detected service: Quote of the day
- This port was observed running the Quote of the Day service, which distributes philosophical statements and quotations.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself.
- Detected service: Recursive DNS
- This port was observed running a recursive Domain Name Server (DNS) service, which is used for finding IP addresses associated with domain names. A DNS server that supports recursive resolution is vulnerable to an array of attacks and compromises, and may be blocked by other DNS servers as a result.
Remediation Tips: Disable recursive DNS lookups on the server. Lookup requests will still be served to clients, but the DNS server will no longer be vulnerable to recursive exploits.
- Detected service: Redis
- This port was observed running Redis, which is a data structure server.
Remediation Tips: Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries instead of being exposed directly to the Internet.
- Detected service: RIP
- This port was observed running the Routing Information Protocol (RIP) service, which is used to select network routes between computers. This routing protocol is vulnerable to redirection attacks. Although RIP supports password authentication, the password is sent in clear text.
Remediation Tips: Block the port in the company edge network infrastructure. If IP routing services are required, consider transitioning to Open Shortest Path First.
- Detected service: Samsung TV
- This port was observed providing remote access to Samsung TV devices. Leaving this port open may allow remote attackers to gain administrative privileges on the device.
Remediation Tips: Block the port in the company edge network infrastructure.
- Detected service: SSH version 1.5
- This port was observed running Secure Shell (SSH) version 1.5, which is outdated and vulnerable to exploits.
Remediation Tips: Update your server's version of SSH immediately and conduct a thorough administrative security review of the machine. Ensure SSL and TLS libraries are up to date and that the operating system of the machine is also fully updated. If an up-to-date version of SSH (SSH version 2) is not available for your system, consider upgrading to a modern operating system or take the machine offline until it can be properly administered.
- Detected service: Telnet
- This port was observed running Telnet, a communication protocol which does not encrypt traffic and has known security vulnerabilities.
Remediation Tips: Block the port in the company edge network infrastructure. Replace any operational uses of Telnet with Secure Shell (SSH) connections. If Telnet is required, mandate that Telnet connections require SSL/TLS encryption.
- Detected service: TFTP
- This port was observed running Trivial File Transfer Protocol (TFTP), which is used to get or put files to a server or for network booting. This port should not be exposed to the Internet.
Remediation Tips: Block the port in the company edge network infrastructure. If remote access is required, use a secure Virtual Private Network (VPN) to access TFTP services.
- Detected service: Ubiquiti
- This port was observed running a Ubiquiti network device, where the management interface is publicly accessible.
Remediation Tips: Update the device in question to the latest revision of its management software. There may also be firmware updates available. Ensure the device is enrolled in a company-wide program which tracks device updates. Block the port in the company edge network infrastructure.
- Detected service: Unauthenticated RTSP
- This port was observed running a Real Time Streaming Protocol (RTSP) service, which is used to control streaming media servers. This server allows unauthenticated access. While convenient, unauthenticated (anonymous) connections may compromise your data, devices, and privacy.
Remediation Tips: Ensure your server implements Basic or Digest authentication and refuses anonymous connections.
- Detected service: Unauthenticated VNC
- This port was observed running a Virtual Network Computing (VNC) service, which allows a remote user to control a graphical desktop on the server. This server has not implemented authentication.
Remediation Tips: Ensure passwords are implemented at all levels of the VNC server, including administrative access and service access. Block the port in the company edge network infrastructure. If remote access is required, tunnel any VNC connections through a secure Virtual Private Network (VPN).
- Detected service: Unsecured Lantronix
- This port was observed running on a Lantronix device, which may be an Internet-of-Things (IoT) device or an IoT gateway. It allows unsecured access.
Remediation Tips: Consider blocking the port in the company edge network infrastructure, connect any serial devices to machines that require authentication instead of directly exposing the device to the Internet, and utilize secure Virtual Private Network (VPN) connections to the machine to access the devices.
- Detected service: VNC
- This port was observed running Virtual Network Computing (VNC), which is a graphical desktop sharing system. It is not a secure protocol.
Remediation Tips: Block the port in the company edge network infrastructure. Tunnel any VNC connections through a secure Virtual Private Network (VPN) or secure shell (SSH) connection.
- March 20, 2025: Separated Open Port finding messages.
- April 16, 2024: Niagara Fox with or without SSL.
- December 14, 2023: SNMP findings; Detected service: NetBIOS moved from WARN to BAD.