Port 1243: SubSeven's Home — A Trojan's Legacy

The Official Story

Port 1243 is registered with IANA for INFOTRIEVE-2, described as a database retrieval system.¹ That's what the official record says. Good luck finding anyone who ever used it.

The port sits in the registered range (1024-49151)—the middle tier of the port number system where organizations can request assignments from IANA for specific applications.

The Real Story: SubSeven

Port 1243 is remembered for something else entirely: SubSeven (also called Sub7), a remote access trojan that terrorized Windows users from 1999 onward.²

SubSeven wasn't subtle. Once installed on a victim's machine, it opened port 1243 by default and waited. Anyone with the client software could connect and gain complete control: read keystrokes, steal passwords, watch through the webcam, manipulate files, execute commands. Everything.

The trojan consisted of three parts:²

• Server (server.exe) — The backdoor running on the victim's computer
• Client (SubSeven.exe) — The GUI used to connect and control the victim
• EditServer — Tool to customize the server before deploying it

Created by a Romanian programmer known as "mobman" (the name came from spelling NetBus backwards—"suBteN"—and swapping "ten" with "seven"), SubSeven became one of the most widely used remote access trojans of its era.²

Why Port 1243 Mattered

Port 1243 was SubSeven's default, but the server was configurable. Attackers could change it to any port they wanted, making detection harder. But many didn't bother—port 1243 became synonymous with compromise.

Security professionals learned to watch for unexpected traffic on 1243. Firewalls blocked it by default. Finding something listening on port 1243 meant you had a problem.

The Registered Port Range

Port 1243 lives in the registered ports range (1024-49151). These ports require IANA registration but don't need root privileges to bind to them like well-known ports (0-1023) do.

This makes them attractive for:

• Legitimate applications that don't need privileged access
• Unofficial services that grabbed a number and ran with it
• Malware looking for a semi-official-looking home

What's Listening on Port 1243 Today?

To check if anything is listening on port 1243:

On Linux or macOS:

sudo lsof -i :1243
# or
sudo netstat -tuln | grep 1243

On Windows:

netstat -ano | findstr :1243

If you find something listening and you didn't intentionally put it there, investigate. SubSeven is ancient history, but port 1243 hasn't forgotten what it carried.

Why Unassigned and Forgotten Ports Matter

The port number system has 65,535 possible values. Only a fraction are actively used for well-known services. The rest—registered but forgotten, or completely unassigned—form the background noise of the Internet.

These ports matter because:

• Malware hides in them — Attackers prefer ports that don't draw attention
• Legitimate software can squat — Applications grab seemingly unused ports for custom protocols
• Conflicts happen quietly — Two applications using the same port won't know until something breaks

Port 1243 shows what happens when official registration meets actual use. The record says "database retrieval." History says "trojan horse." Reality says "probably nothing, but check anyway."