What This Port Is

Port 3147 sits in the registered port range (1024–49151). These ports are assigned by IANA to specific applications and services, but unlike well-known ports (0–1023), they don't require root privileges to open, and the IANA assignment is a registration, not an enforcement. Any process can listen here.

IANA registered this port for RFIO — Remote File Input/Output — on both TCP and UDP.[1]

RFIO: Physics Data at Scale

RFIO was built at CERN in the 1990s to solve a specific problem: moving enormous volumes of particle physics data between storage systems faster than NFS could manage.[2]

The context matters. CERN's experiments generate data at scales that stress every assumption of standard file protocols. RFIO was purpose-built for that environment — a tight, high-throughput protocol for remote file access, speaking through a daemon called rfiod. It was integrated into ROOT, CERN's scientific data analysis framework, allowing physicists to open remote files as naturally as local ones.[3]

RFIO was part of CASTOR (CERN Advanced Storage Manager), CERN's hierarchical storage system. CASTOR supported RFIO until around 2016, when newer protocols took over.[4]

Today, RFIO is retired. If you find traffic on port 3147 in your environment, it is almost certainly not particle physics.

The MyDoom.B Connection

In 2004, MyDoom.B — a variant of what became one of the most destructive email worms ever recorded — used port 3147 as part of its backdoor infrastructure.[5] The original MyDoom caused an estimated $38 billion in damages (inflation-adjusted) and, at its peak, accounted for roughly one in four emails on the Internet.

The worm's use of this port was opportunistic: it needed an obscure registered port that wouldn't raise immediate flags. Port 3147 fit. The worm is long dead, but the association persists in security databases, which is why port scanners sometimes flag this port as a historical risk indicator.

A flag in a threat database doesn't mean your traffic is malicious. It means someone should check.

How to Check What's Listening Here

If you see port 3147 open on a system, find out what owns it:

Linux / macOS:

sudo lsof -nP -iTCP:3147 -sTCP:LISTEN
sudo ss -tlnp 'sport = :3147'

Windows:

netstat -ano | findstr :3147
tasklist /FI "PID eq <PID>"

The output will give you the process name and PID. From there you can determine whether it's something you installed, something you should investigate, or a port scan artifact.
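The same check can be scripted on Linux by reading the kernel's socket tables directly. The following is an added example, not part of the original page: it matches the local port exactly (so port 31470, a PID, or an outbound connection to a remote port 3147 does not count), covers TCP and UDP, and resolves the owning process. The function names and the sample table are constructed for illustration.

```python
import os

PORT, TCP_LISTEN = 3147, "0A"  # 0A is the /proc/net/tcp state code for LISTEN

# Constructed sample in /proc/net/tcp layout: row 0 listens on 3147 (0x0C4B), row 1
# listens on 31470 with inode 3147, row 2 is an outbound connection to remote port 3147.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0C4B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48211 1 0000000000000000 100 0 0 10 0
   1: 0100007F:7AEE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3147 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:D2F4 0A000263:0C4B 01 00000000:00000000 00:00000000 00000000  1000        0 51990 1 0000000000000000 20 4 30 10 -1
"""

def bound_sockets(table_text, proto, port=PORT):
    """Return sockets whose *local* port equals `port` (for TCP, LISTEN state only)."""
    hits = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or int(f[1].rsplit(":", 1)[1], 16) != port:
            continue
        if proto.startswith("tcp") and f[3] != TCP_LISTEN:
            continue
        hits.append({"proto": proto, "local": f[1], "uid": int(f[7]), "inode": int(f[9])})
    return hits

def owner_of(inode, proc="/proc"):
    """Map a socket inode to (pid, command name) through the /proc/<pid>/fd links."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = f"{proc}/{pid}/fd"
        try:
            links = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
            if target in links:
                with open(f"{proc}/{pid}/comm") as fh:
                    return int(pid), fh.read().strip()
        except OSError:  # process exited mid-scan, or its fd table needs root to read
            continue
    return None

def scan(proc="/proc"):  # live check: TCP and UDP tables, IPv4 and IPv6
    found = []
    for proto in ("tcp", "tcp6", "udp", "udp6"):
        path = f"{proc}/net/{proto}"
        if os.path.exists(path):
            with open(path) as fh:
                found += bound_sockets(fh.read(), proto)
    return [(s, owner_of(s["inode"], proc)) for s in found]

if __name__ == "__main__":
    print(scan())
```

Run it as root to resolve owners of sockets held by other users; without root, `owner_of` returns `None` for processes whose descriptor tables are not readable.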

Why Unassigned and Lightly-Used Ports Matter

The registered range contains thousands of ports in various states: actively used, historically used, speculatively assigned, or quietly abandoned. Port 3147 is in the last category — it has an IANA entry, a defunct protocol behind it, and a worm association that makes security tools take notice.

This matters because obscurity is not security. Malware authors have always favored registered-but-quiet ports precisely because they blend into the background of legitimate protocol space. A port that "should" carry CERN physics data and instead carries a backdoor connection is harder to notice than one that has no legitimate use at all.

Knowing what's supposed to be here — and what isn't — is how you tell the difference.
