Port 668 exists in the uncomfortable space between official assignment and actual use. IANA registered it for a service called MECOMM (Memcomm), but in practice, you're more likely to encounter it in two very different contexts: as part of Mac OS X's legacy infrastructure, or flagged by security tools as a known threat vector.12
What MECOMM Is (Officially)
MECOMM is registered with IANA for both TCP and UDP on port 668.3 The problem? There's no RFC defining it. No public documentation explaining what it does. No evidence of widespread deployment. It's an official assignment pointing to a protocol that exists in name only.
This happens more often than you'd think in the well-known port range. Someone applied for the assignment decades ago. IANA granted it. And then... nothing. The service either never launched, died quietly, or operates in such specialized environments that it left no trace in public documentation.
What Port 668 Actually Does (In Practice)
Mac OS X RPC Services
Port 668 falls within the range 600-1023, which Mac OS X uses for RPC-based services.4 Specifically, NetInfo—Apple's legacy hierarchical database for managing administrative data—operates within this range.
NetInfo came from NeXTSTEP, the operating system Steve Jobs built at NeXT that became the foundation for Mac OS X. It stored user accounts, email configurations, NFS mounts, printer definitions—everything that makes a Unix system know who and what it is.5
Modern macOS has largely replaced NetInfo with Open Directory, but the RPC infrastructure lingers. If you see port 668 active on an older Mac server, you're looking at a ghost from the NeXT era still doing its job.
The Security Problem
Port 668 has been flagged repeatedly as a port exploited by trojans and malware for remote access.67 This isn't unique to port 668—any port in the well-known range can be misused—but it's worth knowing if you're scanning your network and see unexpected traffic.
The pattern is always the same: malware picks a port that looks legitimate enough to slip past casual observation. A port officially assigned to an obscure protocol? Perfect cover.
Why This Port Matters
Port 668 is a case study in how port assignments age:
- Official assignment — IANA registers it for MECOMM
- Unofficial use — Apple's RPC services adopt the range
- Malicious exploitation — Attackers recognize an opportunity
- Ambiguity — Years later, no one's quite sure what legitimate traffic on this port should look like
This is what happens when the Internet outlives the systems that shaped it. The assignments remain. The original purposes fade. New uses emerge. And administrators are left trying to determine whether port 668 traffic is a legacy Mac server doing its job, malware establishing command and control, or that MECOMM service that might still exist somewhere.
How to Check What's Listening
On Linux or macOS:
On Windows:
If you find something listening on port 668, the next question is: what is it? Check the process ID. Verify it's legitimate. And if you're not running legacy Mac services or intentionally using MECOMM (whatever that is), consider it suspicious.
The Bigger Picture
Well-known ports below 1024 were assigned in an era when the Internet was smaller, assignments were scarce, and services seemed permanent. Port 668 reminds us that permanence is an illusion. Protocols vanish. Systems evolve. Security threats emerge. And port numbers—those supposedly fixed assignments—become archaeological layers telling the story of what the Internet used to be.
MECOMM might be gone. NetInfo might be dying. But port 668 remains, waiting for whatever comes next.
Apakah halaman ini membantu?