Port 2130: SWC-XDS — A Name Without a Story

What Range This Port Belongs To

Port 2130 is a registered port — part of the range from 1024 to 49151. This range sits between the well-known ports (0–1023, reserved for major protocols like HTTP, SSH, and DNS) and the ephemeral ports (49152–65535, used temporarily by your OS for outbound connections).

Registered ports are meant to be claimed. Anyone can apply to IANA for a registered port assignment, and IANA maintains the list.¹ The idea is that if your application needs a consistent, recognizable port, you register it so other software knows to stay out of the way.

Most registered ports have clear documentation: a protocol specification, an RFC, a contact. Some do not.

The Official Assignment: SWC-XDS

Port 2130 is officially assigned to a service called SWC-XDS.²

That is approximately everything that is publicly known about SWC-XDS. IANA lists it. The name appears in port databases. No RFC documents it. No specification describes what it does. The entry exists the way a placeholder exists — it marks the space without filling it.

This is not unusual. The registered port range contains thousands of assignments from companies and projects that no longer exist, protocols that were never fully specified, and internal services that were registered in the 1990s and never updated. Port 2130 appears to be one of these.

The Unofficial History

Where port 2130 does appear in documentation, the context is less benign.

Mini BackLash — a remote access trojan targeting Windows 95, 98, and ME — used port 2130/UDP as part of its communication channel, typically alongside port 3150/UDP.³ Mini BackLash was a password-stealing RAT: once installed, it gave an attacker remote access to the infected machine and the ability to harvest stored credentials.

This was the late 1990s. Windows 9x had no firewall. Most home connections were dial-up, and personal security software was rare. Trojans of this era used obscure registered ports precisely because they looked plausible — port traffic on a "registered" number seemed less suspicious than traffic on a random high port.

Mini BackLash is decades obsolete. No modern Windows system is vulnerable to it. But its association with port 2130 is why some security scanners still flag the port as worth a second look.

Checking What's on This Port

If you see port 2130 open on a system you manage, the cause is almost certainly benign — some internal service, a game, a development tool claiming a convenient port. But it's worth knowing.

On Linux or macOS:

# See what process is listening on port 2130
ss -tlnp | grep 2130
# or
lsof -i :2130

On Windows:

netstat -ano | findstr :2130

The last column in the Windows output is a process ID. Cross-reference it with Task Manager (Details tab) to identify the process.

Why Unassigned and Under-Documented Ports Matter

The registered port range is large — over 48,000 ports — and IANA cannot verify that every registered service is active, documented, or maintained. Many assignments are effectively abandoned.

This creates a quiet opportunity: an application that needs a port can simply pick one from the registered range, check that nothing else is obviously using it, and run there without formal registration. This works fine until two applications make the same choice, or until a security scanner flags the port based on historical associations.

Port 2130 illustrates both the utility and the limits of the registration system. It has a name. It has no story. And it carries just enough trojan history to make a security team ask questions.

If you find it open on your network and you didn't put it there, find out what did.