Port 20034 sits in the registered port range (1024-49151), unassigned by IANA. It has no official service, no RFC, no standardized protocol. But if you were on the Internet in the late 1990s, this port might have been how someone else controlled your computer.
What Runs on Port 20034
Port 20034 is the default port for NetBus Pro 2.0, a remote access tool created in 1998 by Swedish programmer Carl-Fredrik Neikter.1 The name translates from Swedish as "NetPrank."2
NetBus was marketed as a remote administration tool. What it actually did was give someone else total control of your Windows computer. They could:
- Execute files remotely
- Capture screenshots of your desktop
- Steal passwords
- Open and close your CD-ROM drive
- Play sounds through your speakers
- Print documents
- Read your files
- Shut down or reboot your machine3
The attacker had almost complete control. And the port was configurable—20034 was just the default.4
How It Worked
NetBus Pro used its own protocol. Packets started with a ten-byte header, the first two bytes always 42 4E, followed by encrypted data.5 Simple. Effective. Devastating.
If an attacker installed the NetBus server on your machine (often bundled with pirated software or sent as an email attachment), they could connect to port 20034 and do anything they wanted. You wouldn't know until your CD tray opened by itself, or a message appeared on your screen, or your files disappeared.
The Story
Carl-Fredrik Neikter released NetBus in March 1998.6 He said it was for pranks. He announced it openly. He didn't hide what he'd built.
The Internet had other ideas.
NetBus spread rapidly. It was in wide circulation before Back Orifice—the more famous remote access trojan—was released in August 1998.7 By February 1999, Neikter released NetBus 2.0 Pro with improved features.
Then came the consequences. In 1999, an attacker used NetBus to target Magnus Eriksson, a law professor at Lund University in Sweden. The attacker planted 12,000 pornographic images on Eriksson's computer, 3,500 of which were child pornography. System administrators discovered them. The professor lost his job.8
A prank tool became a weapon. The distance between the two was just one download.
The Legacy
NetBus inspired others. Sub7 (SubSeven), one of the most notorious trojans of the early 2000s, is believed to be named as "NetBus" spelled backward, with "ten" replaced by "seven."9
Today, security systems flag port 20034 as a classic indicator of compromise. Unexpected connections on this port suggest the presence of remote access malware.10
Security Reality
Port 20034 is a red flag. If you see traffic on this port and you're not running some very specific legacy software, investigate immediately.
Modern security tools detect NetBus signatures. Antivirus software flags it. Intrusion detection systems watch for its packet headers (42 4E). The original NetBus is ancient by security standards, but the pattern it established—using high-numbered registered ports for covert remote access—continues today.
To check what's listening on port 20034 on your system:
Windows:
macOS/Linux:
If you see something listening on this port, identify what it is. If you can't identify it, treat it as hostile.
Why This Port Matters
Port 20034 represents a truth about the Internet's infrastructure: not all ports are planned. Some are claimed by software that was never supposed to exist in the first place.
The registered port range (1024-49151) was designed for applications to register with IANA for official assignment. But in practice, software just picks a port and uses it. NetBus picked 20034. No permission. No RFC. Just a Swedish programmer building a prank tool that would, within a year, destroy someone's career and become a foundational example of what we now call a Remote Access Trojan.
This port was never blessed by a standards committee. It was claimed by history instead.
Related Ports
- Port 12345: NetBus 1.x default port, the original version before NetBus Pro
- Port 27374: Sub7 (SubSeven), the spiritual successor to NetBus
- Port 31337: Back Orifice, NetBus's contemporary and rival in the RAT space
Frequently Asked Questions
האם דף זה היה מועיל?