Port 1101 carries two histories. One official, one infamous.
What Runs on This Port
Official registration: PT2-DISCOVER, a network discovery protocol registered with IANA [1]
Transport protocols: Both TCP and UDP
Port range: Registered ports (1024-49151), meaning it was registered with IANA by a specific organization or vendor for their protocol
PT2-DISCOVER is a legitimate service used for network device discovery. The protocol's specific implementation details aren't widely documented in public sources, suggesting it's used by proprietary systems or specialized network equipment.
The Other History
If you mention port 1101 to someone who worked in network security in the early 2000s, they won't think of PT2-DISCOVER. They'll think of Backdoor.Hatckel.
Hatckel was a trojan written in Visual Basic that gave attackers unauthorized access to infected computers. What made it distinctive was its pattern: when Hatckel infected a machine, it didn't just open port 1101—it opened fifteen consecutive ports, from 1101 through 1115. [2]
This was documented by Symantec in 2002. The trojan is long obsolete by modern standards, but port 1101 still carries that association in security databases.
The Legitimate Software Vulnerability
Port 1101 appeared in another security context: Ing. Punzenberger COPA-DATA zenon 6.51 SP0, industrial automation software, used this port through a service called ZenSysSrv.exe. A vulnerability (CVE-2011-4534) was discovered that could lead to service crashes or arbitrary code execution via multiple rapid connections and disconnections. [2]
This is unrelated to Hatckel—just another chapter in port 1101's complicated history.
Why This Matters
This port illustrates something important about the Internet's infrastructure: official assignments don't prevent misuse. PT2-DISCOVER is the legitimate registered service. But malware doesn't ask permission. It just opens ports and listens.
When you see port 1101 open on a system:
- Legitimate: Could be PT2-DISCOVER or other network discovery tools
- Legitimate: Could be zenon industrial automation software
- Suspicious: Could indicate Hatckel or similar backdoor (though unlikely on modern systems)
- Inconclusive: Could be any application that decided to use this port
How to Check What's Listening
On Linux/Mac:
On Windows:
Both commands will show you which process is using port 1101, if any. Cross-reference the process name with what you expect to be running.
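As an added example (not from the original page), the script below filters listener output for the whole 1101-1115 block described above rather than port 1101 alone, and reports whether part of the block or all fifteen ports are open. It assumes Linux with iproute2's `ss`; the function names and the sample lines are constructed for illustration.

```shell
# Added example, not from the original page. Assumes Linux with iproute2 `ss`.
# Constructed sample in the column layout of `ss -H -tulnp` (no header line).
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
tcp LISTEN 0 5 0.0.0.0:1101 0.0.0.0:* users:(("svc-a",pid=4120,fd=4))
udp UNCONN 0 0 0.0.0.0:1101 0.0.0.0:* users:(("svc-a",pid=4120,fd=5))
tcp LISTEN 0 5 [::]:1108 [::]:* users:(("svc-b",pid=4200,fd=6))
tcp LISTEN 0 128 127.0.0.1:11010 0.0.0.0:*'

# Read ss lines on stdin; print "proto port process" for each listener
# whose local port falls in 1101-1115. Field 5 is Local Address:Port.
range_listeners() {
  awk '{
    n = split($5, a, ":")          # port is the piece after the last colon (IPv4 and [::])
    port = a[n] + 0
    if (port >= 1101 && port <= 1115) {
      proc = ($7 == "") ? "-" : $7 # process column is empty without root
      print $1, port, proc
    }
  }'
}

# Read ss lines on stdin; summarise how much of the block is open.
#   full-block  all fifteen ports listening (the documented Hatckel pattern)
#   partial:N   N distinct ports in the block listening
#   none        nothing in the block
range_verdict() {
  local n
  n=$(range_listeners | awk '{print $2}' | sort -un | wc -l | tr -d ' ')
  if [ "$n" -eq 15 ]; then
    echo "full-block"
  elif [ "$n" -gt 0 ]; then
    echo "partial:$n"
  else
    echo "none"
  fi
}

# Demo on the constructed sample. For live data (root shows process names):
#   ss -H -tulnp | range_listeners
printf '%s\n' "$SAMPLE_SS" | range_listeners
printf '%s\n' "$SAMPLE_SS" | range_verdict
```

A `partial` result is the inconclusive case from the list above: the process column still has to be matched against the software you expect on that host.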
Related Ports
Port 1101 sits in the middle of the registered port range, surrounded by other vendor-specific protocols:
- Port 1100: Used by various applications (also unassigned officially)
- Port 1102-1115: The rest of Hatckel's range—these ports share the same historical association
- Port 1024-49151: The full registered port range where vendors and organizations can register specific services
Security Considerations
Port 1101's history with Backdoor.Hatckel means it appears in threat databases and historical malware documentation. Modern security tools may flag unexpected traffic on this port because of that association.
If you're running a firewall:
- Block port 1101 unless you specifically need PT2-DISCOVER or other legitimate services
- Monitor for unexpected connections on ports 1101-1115 as a group
- Verify any process listening on this port matches expected software
If you're investigating suspicious activity:
- Port 1101 alone doesn't indicate compromise
- Look at the listening process, connection patterns, and what initiated it
- Hatckel is obsolete, but the port number may be reused by modern malware