
What Range This Port Belongs To

Port 3136 falls in the registered port range (1024–49151), sometimes called the "user ports." IANA maintains this range for services that apply for an assignment — unlike the well-known ports below 1024 (which require root privileges on Unix systems) or the ephemeral ports above 49151 (which operating systems grab freely for outgoing connections).

Registered ports don't require root to bind, and while IANA records assignments, it doesn't enforce exclusivity. Software can use any registered port regardless of what's written in the registry.

The Official Assignment: "grubd"

IANA lists port 3136 as assigned to grubd (Grub Server Port) on both TCP and UDP.1

What is grubd? That's a genuinely difficult question. The assignment exists in the registry, but documentation of any software actually implementing it is essentially nonexistent. No RFC, no active project, no deployment guides. It's one of hundreds of registered ports that were claimed and then quietly abandoned or never built.

In practice, port 3136 behaves as unassigned.

MyDoom's Backdoor Range

The more significant entry in port 3136's history is the MyDoom worm (also called Novarg), which began spreading in January 2004 and became the fastest-spreading email worm ever recorded at the time.2

MyDoom.A opened a backdoor on the first available TCP port between 3127 and 3198. It would try 3127 first, then 3128, and so on until it found something available. Port 3136 sits squarely in that range.3

The backdoor let anyone who knew about it connect to the infected machine and use it — to send spam, launch attacks, or install additional malware. At its peak, MyDoom accounted for roughly 25% of all email traffic globally.4

MyDoom.B, the follow-up variant, extended the damage by modifying the hosts file on infected machines to block access to antivirus update servers. If you found port 3136 open on a Windows machine in early 2004, there was a real chance you were looking at a compromised system.

The worm is long dormant, but security tools still flag this port range as suspicious, and some firewall rulesets continue to block it by default.

How to Check What's Using This Port

On Linux or macOS:

ss -tlnp | grep ':3136 '
# or
lsof -i :3136

On Windows (Command Prompt as Administrator):

netstat -ano | findstr :3136
tasklist | findstr <PID>

With nmap (scan a remote host):

nmap -p 3136 <hostname-or-ip>

If port 3136 is open on a machine you administer and you didn't configure it, that's worth investigating. MyDoom infections are essentially nonexistent today, but other software may have claimed this port.
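
The commands above look at port 3136 alone, but MyDoom.A could land on any TCP port from 3127 to 3198. As an added example (not part of the original page), this shell function filters `ss -tlnp` output for listeners anywhere in that range and compares the port numerically, so a listener on 31360 is not reported. The function names and the sample `ss` output are constructed for illustration.

```sh
#!/bin/sh
# Added example: report TCP listeners in a port range from `ss -tlnp` output.

# flag_listeners LOW HIGH
# Reads `ss -tlnp` output on stdin and prints
# "port<TAB>local-address<TAB>owner" for each listener in [LOW, HIGH].
flag_listeners() {
    awk -v lo="$1" -v hi="$2" '
    {
        # Locate the State column; an extra Netid column may precede it.
        s = 0
        for (i = 1; i <= NF; i++) if ($i == "LISTEN") { s = i; break }
        if (!s) next                        # header or non-listening row
        addr = $(s + 3)                     # Local Address:Port column
        n = split(addr, parts, ":")         # port follows the last colon, e.g. [::]:3128
        if (parts[n] !~ /^[0-9]+$/) next
        port = parts[n] + 0
        if (port < lo || port > hi) next
        # Everything after the peer column is the owning process, if visible.
        proc = ""
        for (i = s + 5; i <= NF; i++) proc = proc (proc == "" ? "" : " ") $i
        if (proc == "") proc = "(owner not shown; rerun ss as root)"
        printf "%d\t%s\t%s\n", port, addr, proc
    }'
}

# Constructed sample of `ss -tlnp` output, used so the example runs offline.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      5            0.0.0.0:3136       0.0.0.0:*     users:(("python3",pid=4242,fd=3))
LISTEN 0      511          0.0.0.0:31360      0.0.0.0:*     users:(("node",pid=5150,fd=20))
LISTEN 0      128             [::]:3128          [::]:*
LISTEN 0      128        127.0.0.1:3199       0.0.0.0:*     users:(("redis",pid=900,fd=6))
EOF
}

# Demo on the sample; on a live host use: ss -tlnp | flag_listeners 3127 3198
sample_ss_output | flag_listeners 3127 3198
```

A hit in this range only means something is listening there; the owner column tells you which process to examine next.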

Why Unassigned Ports Matter

The port system works on trust. IANA assigns numbers to prevent conflicts, but the Internet has no port police. Any application can listen on any port. The registry exists so that when two applications both want port 5432, PostgreSQL was there first and gets the number — and other software knows to look elsewhere.

Ports like 3136 are assigned but effectively empty. They serve as placeholders that prevent future conflicts with the service that claimed them, while in practice being available for anything that wanders along. The 65,535 possible port numbers sound like a lot until you consider the volume of software that needs them, and gaps like this are genuinely valuable real estate in the port namespace.
