
What Port 3632 Is

Port 3632 is the default port for distcc, a distributed compiler that accelerates C and C++ builds by farming out compilation jobs to other machines on the network. When you're building something large — the Linux kernel, a game engine, a sprawling C++ codebase — distcc can turn an hour-long build into a ten-minute one by using every idle CPU you can reach.

It's technically in the registered port range (1024–49151), the space where applications can claim ports with IANA, though distcc's registration there is informal. In practice, 3632 means distcc the way 22 means SSH: not because a standards body decreed it, but because it's been true for long enough that it's just true.

How distcc Works

Martin Pool created distcc in 2002 while working at Linuxcare.[1] He had spare machines, large codebases, and slow builds — the combination that makes any engineer start staring at ceiling tiles and thinking about parallelism.

The insight: compilation has two parts. Preprocessing (expanding macros, resolving includes) must happen locally because it needs the full source tree. But the actual compilation — turning preprocessed C into machine code — is stateless. Send the preprocessed source to another machine, get back an object file. The remote machine doesn't need your headers, your build system, or any context. It just needs a compiler and a job.

distcc sends that job over a simple binary protocol on port 3632. The server — distccd — receives source code and compiler arguments, compiles them, and returns the result. Multiple machines running distccd become a compilation farm. Large teams at Google used distcc (and later built their own derivative, Goma) to distribute builds across thousands of machines.[2]

The Part Where Nobody Checked Credentials

distcc has no authentication. It never did. The design assumption was that distccd would run on a trusted local network — your build farm, your office LAN, machines you control. In that context, authentication would be overhead for no benefit.

The problem: distccd will compile anything for anyone who can reach port 3632. And "compile" in this context means "run the compiler on your behalf," which means arbitrary code execution as the distcc daemon user.

CVE-2004-2687 documents this formally.[3] The CVSSv2 score is 9.3. Metasploit has a module for it. Nmap has a script for it.[4] It appears in CTF challenges regularly because distcc is just old enough and just common enough that somebody left it running somewhere, and it just works.

The exploit is almost elegant in its simplicity: send a distcc job that "compiles" a shell command instead of actual code. distccd runs it. You have a shell.

# Check if a host is running an exposed distccd
nmap -p 3632 --script distcc-cve2004-2687 <target>

This isn't a zero-day. It's been publicly documented since 2002. It still works against unpatched or misconfigured installations because distcc gets installed, put on a build server, and forgotten.

Security Considerations

If distccd is running on a machine that faces the Internet, or is reachable from untrusted network segments, assume it's compromised or will be. The fix is simple:

  • Use distccd's --allow flag to restrict which IP addresses can connect
  • Run distccd behind a firewall that blocks external access to port 3632
  • Use distcc's SSH transport instead of direct TCP (slower, but authenticated)

The Arch Wiki distcc page has clear setup guidance.[5]

How to Check What's on This Port

If you see port 3632 open on a machine you're responsible for:

# On Linux: see what process owns the port
ss -tlnp | grep 3632
# On Linux or macOS
lsof -i :3632

# On Windows
netstat -ano | findstr :3632

If it's distccd, decide immediately whether that machine should be accepting compilation jobs from the network. If yes, configure --allow. If no, stop the service.
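
The check above, automated. This is an added example, not code from this page or from the distcc project: it parses `ss -tlnp` output plus each listener's command line and reports distccd sockets that are reachable off-host with no --allow rule, or with an --allow range that is not private. The sample output, PIDs and command lines are constructed, and the function names are this example's own.

```python
import ipaddress
import re
import shlex

# Constructed sample: `ss -tlnp` output and each PID's command line (not from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
LISTEN 0      10     0.0.0.0:3632       0.0.0.0:*         users:(("distccd",pid=1412,fd=4))
"""
SAMPLE_CMDLINES = {1412: "distccd --daemon --allow 0.0.0.0/0"}

def listeners(ss_output, port=3632):
    """Yield (bind_address, pid or None) for each TCP listener on `port`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or malformed line
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port):
            pid = re.search(r"pid=(\d+)", line)  # absent when ss lacks privileges
            yield addr.strip("[]").split("%")[0], (int(pid.group(1)) if pid else None)

def allow_rules(cmdline):
    """Return the networks passed to distccd via --allow / -a."""
    args, rules = shlex.split(cmdline), []
    for i, arg in enumerate(args):
        if arg.startswith("--allow="):
            rules.append(arg.split("=", 1)[1])
        elif arg in ("--allow", "-a") and i + 1 < len(args):
            rules.append(args[i + 1])
    return [ipaddress.ip_network(r, strict=False) for r in rules]

def audit(ss_output, cmdlines):
    """Return one finding per way a port-3632 listener is open to untrusted hosts."""
    findings = []
    for addr, pid in listeners(ss_output):
        if addr != "*" and ipaddress.ip_address(addr).is_loopback:
            continue  # bound to loopback only: not reachable from the network
        rules = allow_rules(cmdlines.get(pid, ""))
        if not rules:
            findings.append(f"pid {pid} on {addr}:3632 has no --allow rule")
        for net in rules:
            if net.prefixlen == 0 or not net.is_private:
                findings.append(f"pid {pid} on {addr}:3632 accepts jobs from {net}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SS, SAMPLE_CMDLINES)))
```

On a live Linux host, pass in the real `ss -tlnp` output and read each command line from /proc/<pid>/cmdline (NUL-separated arguments).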

Why Unassigned (or Informally Assigned) Ports Matter

Port numbers below 1024 are tightly controlled — you need root to bind them, and IANA formally assigns services to most of them. The registered range (1024–49151) is looser. Applications can request assignments, but many just pick a port and ship with it. distcc picked 3632 and it stuck.

This matters because "no official assignment" doesn't mean "nothing uses it." A port scanner showing 3632 open means something specific. Port registries and tools like Shodan have catalogued enough traffic patterns that most commonly used ports are identifiable regardless of IANA's records.
