Port 2638 belongs to the registered port range (1024–49151). These ports are formally tracked by IANA for specific services — not as tightly controlled as well-known ports, but not the wild frontier of ephemeral ports either.
This particular port has a clear owner: SAP SQL Anywhere, the embedded relational database formerly known as Sybase SQL Anywhere (and before that, Adaptive Server Anywhere). Sybase claimed this port when version 6.0 shipped, abandoning their previous default of port 1498. SAP acquired Sybase in 2010, but the port stayed.
What runs here
SQL Anywhere is an embedded database — the kind you don't usually install yourself, but find already running inside other software. Products that have shipped with SQL Anywhere embedded include:
- Symantec Endpoint Protection Manager (and its successors)
- Novell ZENworks configuration management
- Siemens SICAM PAS industrial automation
- Various medical devices and point-of-sale systems
If you see port 2638 open on a machine and don't know why, there's a good chance some enterprise software installed it without fanfare.
The UDP ghost
Here's the genuinely strange part: SQL Anywhere servers listen on UDP port 2638 on most systems even if you configure TCP to use a different port.[1]
This is intentional. The UDP listener handles service discovery — it's how SQL Anywhere clients find servers across subnets and through firewalls. You can reconfigure the TCP port. The UDP listener stays. It's a permanent announcement: a database lives here.
Security history
Visibility into an embedded database is a vulnerability surface. Port 2638 has a documented history:
- CVE-2001-0599: Sybase Adaptive Server Anywhere 6.0.3 and earlier could be crashed by sending packets larger than 45KB to this port — a classic denial-of-service condition.[2]
- CVE-2011-2042: A flaw in CiscoWorks allowed unauthenticated remote attackers to extract the database engine name and port by sending crafted requests to UDP 2638.[3]
- CVE-2016-8567: Siemens SICAM PAS shipped with hard-coded factory credentials accessible via this port, potentially giving attackers direct database access.[4]
The pattern is consistent: embedded databases often inherit their host application's security assumptions, which tend to be optimistic.
What's actually listening
To see what's using this port on your machine:
macOS / Linux:
Windows:
If you find SQL Anywhere running and don't recognize the application that installed it, check your endpoint protection software first.
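For inventory checks, the following is an added example, not part of the original page: a shell function that reads Linux `ss -H -lntup` output and reports sockets bound to port 2638, separating the default TCP+UDP case from the UDP-only case described under "The UDP ghost". It assumes iproute2's `ss` column layout; the sample lines and the `exampledb` process name are constructed.

```shell
#!/bin/sh
# Added example. Assumes Linux with iproute2; live use: ss -H -lntup | check_2638
# Reads `ss -H -lntu[p]` lines on stdin, prints sockets bound to port 2638,
# then a verdict: none | tcp+udp | tcp-only | udp-only.
# udp-only matches a server whose TCP port was moved while the UDP
# discovery listener stayed on 2638.
check_2638() {
    awk -v port=2638 '
    {
        proto = $1; laddr = $5          # column 5 is Local Address:Port
        n = split(laddr, parts, ":")    # port follows the last colon (IPv6-safe)
        if (parts[n] != port) next
        if (proto ~ /^tcp/) tcp = 1
        if (proto ~ /^udp/) udp = 1
        printf "%s %s %s\n", proto, laddr, ($7 == "" ? "-" : $7)
    }
    END {
        if (tcp && udp) print "verdict: tcp+udp"
        else if (udp)   print "verdict: udp-only"
        else if (tcp)   print "verdict: tcp-only"
        else            print "verdict: none"
    }'
}

# Constructed sample: TCP listener moved to 49152, UDP 2638 still bound.
sample_moved_tcp() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:49152      0.0.0.0:*    users:(("exampledb",pid=4242,fd=6))
udp   UNCONN 0      0            0.0.0.0:2638       0.0.0.0:*    users:(("exampledb",pid=4242,fd=7))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=900,fd=3))
EOF
}

sample_moved_tcp | check_2638
```

A `udp-only` verdict means a scan or firewall rule that looks only at TCP 2638 would miss this host.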