Port 2773: Unassigned — A Ghost Port with a Dark Past

What Range This Port Belongs To

Port 2773 sits in the registered port range (1024–49151). These ports are meant to be claimed — software vendors and protocol designers register them with IANA to stake a spot. Port 80 is HTTP, port 443 is HTTPS, port 3306 is MySQL. Each has a name, an RFC or registration, and a clear purpose.

Port 2773 has none of that. IANA's registry shows it unassigned. No vendor claimed it. No protocol lives here officially.¹

That doesn't mean it's empty.

The History: SubSeven's Keylogger Channel

In the late 1990s and early 2000s, a Remote Access Trojan called SubSeven (also written Sub7) spread across Windows machines. It was built like commercial software — the attacker got a polished GUI client, the victim got a hidden server process running silently in the background. The attacker could watch the victim's screen, control their mouse, activate their webcam, and steal passwords.²

SubSeven cycled through several ports across its versions. Port 2773 appeared specifically in SubSeven 2.1 Gold as the channel for its keylogger component — the piece that captured every keystroke and reported it back to the attacker.³

This port never became permanently associated with SubSeven in the way that port 27374 did (SubSeven's most famous default). But it appears in security databases and firewall block lists from that era, a relic of early-2000s malware that spread through IRC channels and fake file downloads.

SubSeven is largely dormant now. Its source code was eventually released publicly, and modern endpoint protection blocks it readily. But port 2773 carries that history — one of many ports that got tainted by association and never got reassigned to anything clean.⁴

Is Port 2773 Dangerous Today?

Seeing traffic on port 2773 today almost certainly isn't SubSeven. That threat is two decades old.

What it more likely is: custom application traffic, development software that picked a random high port, or scanning activity probing for open ports. Security scanners still check for it out of habit.

The honest answer: port 2773 is inert for most systems. If you see something listening here unexpectedly, investigate it — not because of SubSeven, but because any unexpected open port deserves an explanation.

How to Check What's Using This Port

On Linux or macOS:

sudo ss -tlnp | grep 2773
# or
sudo lsof -i :2773

On Windows:

netstat -ano | findstr :2773
# Then look up the PID:
tasklist | findstr <PID>

Cross-platform (if nmap is installed):

nmap -p 2773 localhost

If something is listening, those commands tell you which process owns it.

Why Unassigned Ports Matter

There are 65,535 ports. IANA has formally assigned fewer than half of them. The rest — including 2773 — are a kind of commons. Any application can bind to them. Most of the time, nothing does.

This is by design. The registered port range exists so software can stake a claim and avoid collisions. When vendors don't register, they're squatting on shared space. Sometimes that's fine (small tools, internal services). Sometimes it creates the kind of overlap that made SubSeven's port choices confusing to document in the first place.

Port 2773 is a small example of a larger truth: the port registry is a map, and plenty of territory on that map remains unclaimed.