Port 2620: LPSRecommender — A Registered Ghost

What Port 2620 Is

Port 2620 sits in the registered ports range (1024–49151). These are ports that someone has formally claimed with IANA — the Internet Assigned Numbers Authority — by submitting a name, a contact, and an intended use.

Port 2620 was claimed. The service name is LPSRecommender, registered by Pritham Shetty on behalf of Andromedia, a web analytics and personalization company from the late 1990s.¹

Andromedia no longer exists. Macromedia acquired it in 2000. Adobe acquired Macromedia in 2005. The service that LPSRecommender was built for — likely a recommendation engine component in Andromedia's web analytics platform — has been gone for over two decades.

The port registration remains.

What That Means in Practice

Nothing runs on port 2620. No server is listening. No client is connecting.

IANA's registry is not like a domain name — you can't easily reclaim an abandoned port. The entry persists because registries are built for permanence, not cleanup. Port 2620 is a fossil: a record of an intent that outlived the company that filed it.²

This is common across the registered range. Hundreds of ports were claimed during the dot-com era by startups that were acquired or shut down before their software shipped widely. The registry reflects the ambitions of 1999 as much as the reality of today.

Scanning Activity

The SANS Internet Storm Center logs occasional scanning activity against port 2620.³ This is background noise — automated scanners probe every port, not because they expect LPSRecommender, but because finding anything open on an unmonitored port is interesting to an attacker. An open port on an unexpected number suggests a forgotten service, a debug backdoor, or a misconfiguration.

The scans aren't targeted. They're the Internet equivalent of trying every door handle in a building.

Checking What's on Port 2620

If you see traffic on port 2620 on your own systems, something custom is using it — or something suspicious is.

# Who is listening on port 2620?
ss -tlnp | grep 2620
lsof -i :2620

# What process owns it?
sudo lsof -i TCP:2620
sudo netstat -tlnp | grep 2620

No result means nothing is listening, which is the expected outcome on any modern system.

Why Unassigned (and Abandoned) Ports Matter

The registered range exists so that software can claim a port and publish it — other developers know not to use that number, and users know what to expect. When port 443 is open, you know it's HTTPS. When port 22 is open, you know it's SSH.

But when registrations outlive their products, the system breaks down quietly. Port 2620 is registered, so it's technically not "unassigned" — but it's functionally unclaimed. No software uses it by convention. No firewall rule protects it. It just sits there, waiting for someone to notice.

The gap between "registered" and "actively used" is where most port confusion lives.