Port 3131: Net Book Mark — Registered, Abandoned, and Occasionally Squatted

What This Port Is

Port 3131 sits in the registered port range (1024–49151). These ports are managed by IANA, the organization responsible for coordinating the global pool of port numbers. In principle, each registered port has an assigned purpose. In practice, the assignment is just a name in a text file — there is no technical mechanism enforcing it.

IANA's registry lists port 3131 as "Net Book Mark" over both TCP and UDP.¹ Whatever Net Book Mark was supposed to be, it never became real software that anyone deployed. The name exists; the service does not.

This is not unusual. Hundreds of entries in the registered range are ghost assignments — names attached to ports from a period when anyone could submit a request and many did. Some were speculative. Some were products that never shipped. Port 3131 appears to be one of these.

Known Unofficial Uses

Cloud9 IDE uses port 3131 as a default for its development server. Cloud9 is a browser-based development environment built on Node.js. When you spin up a Cloud9 workspace, it typically listens on 3131 locally.² This is an informal convention, not a standard — the port was available, so it was used.

Malware has also camped here. The SubSARI trojan and the MyDoom.B@mm worm both used port 3131 for command-and-control communication.³ This is a common pattern with ghost ports: because nothing legitimate owns them, they attract software that benefits from blending into ambiguity.

Gameframe scanning: In 2007, security researchers observed a sustained wave of probes targeting port 3131, making HTTP requests to gameframe.net/headers from European IP addresses. After monitoring it for weeks, the researchers concluded the intent was unclear and not obviously malicious — reconnaissance of unknown purpose.⁴ The mystery was never publicly resolved.

How to Check What's Listening

If you see port 3131 open on a machine and don't know why, these commands will tell you what process owns it:

Linux / macOS:

# Show the process listening on port 3131
sudo ss -tlnp sport = :3131

# Alternative with lsof
sudo lsof -i :3131

Windows:

netstat -ano | findstr :3131

The PID in the output can be matched to a process name in Task Manager or with tasklist.

If nothing you recognize is running on 3131, that is worth investigating. A Cloud9 installation you forgot about is likely harmless. Anything else deserves scrutiny.

Why Unassigned Ports Matter

The registered port range exists because applications need stable, predictable addresses. When a service registers a port, other software knows to avoid it. When that registration is abandoned — as with 3131 — the port enters a gray zone. It's technically claimed but practically unclaimed.

That gray zone is useful to understand because:

• Firewalls default to allowing registered ports in many configurations, on the assumption that a registered port implies a legitimate service
• Malware authors know this, which is why ghost ports appear in malware port lists more often than you'd expect
• Dev tools land here because the ports are available without conflict but stable enough for local conventions to form

Port 3131 is a small example of how the port registry works in practice: an authoritative list that nobody enforces, in a system that mostly runs on trust and convention.