What This Port Is
Port 3139 sits in the registered ports range (1024–49151). These ports are assigned by the Internet Assigned Numbers Authority (IANA) to specific services on a first-come, first-served basis. Unlike well-known ports (0–1023), registered ports don't require elevated privileges to bind, and their assignments are less rigorously enforced.
IANA lists port 3139 as assigned to "incognitorv" — Incognito Rendez-Vous. Beyond the name in the registry, there's essentially no documentation: no RFC, no active project, no software that advertises using it. The assignment exists; the protocol, for all practical purposes, does not.1
The MyDoom Shadow
Port 3139 is more notable for what passed through it uninvited.
In January 2004, the MyDoom worm (also called Novarg) became the fastest-spreading email worm ever seen at that time. Within days, a variant called MyDoom.B emerged. Both variants installed a backdoor on infected machines by dropping a malicious DLL into the Windows system directory and binding it to a TCP port — whichever port was available in the range 3127 to 3198.2
Port 3139 falls inside that range. A compromised machine with MyDoom listening on 3139 would silently execute any code sent to it. Attackers used these backdoors to install keyloggers, run spam relays, and stage further attacks. At peak infection, millions of machines were affected.
MyDoom wasn't targeting 3139 specifically — it was just grabbing ports. That randomness is the point: the worm created a moving target across a 72-port window, making it harder to block uniformly.
How to Check What's Using This Port
If you see traffic on port 3139, here's how to investigate:
Linux/macOS:
Windows:
The output will show the process ID (PID) bound to the port. Cross-reference the PID with Task Manager or ps aux to identify the owning process. On a clean system, nothing should be listening here.
Why Unassigned-in-Practice Ports Matter
The registered port range has over 48,000 slots. IANA assigns them, but no one verifies the assignments are in active use. The result is a registry full of entries like "incognitorv" — names that suggest a purpose but point to nothing real.
This matters for two reasons. First, it means the assignment offers no real protection: if you need port 3139 for something, the "incognitorv" claim won't stop you. Second, the apparent emptiness of these ports makes them attractive to malware authors. An unmonitored port looks like a quiet alley.
The registered range isn't a reservation system. It's more like a name registry for a city that never got built.
Byla tato stránka užitečná?