Port 1116 sits in the registered ports range (1024-49151), officially assigned to a service called ARDUS Control. But the story of this port reveals something important about how the Internet actually works: what a port is registered for and what actually uses it can be two very different things.
What Port 1116 Is Registered For
According to IANA (the Internet Assigned Numbers Authority), port 1116 is assigned to "ARDUS Control" for both TCP and UDP protocols.1 The official service name is listed as "ardus-cntl" in the port registry.
But here's the problem: there's almost no documentation about what ARDUS Control actually is or was. The registration exists, but the service itself seems to have faded into obscurity—if it was ever widely deployed at all.
What Port 1116 Actually Became Known For
While ARDUS Control remained obscure, port 1116 gained a darker reputation. Security researchers identified this port as a common vector for remote access trojans (RATs), particularly a backdoor called "Lurker."2
The Lurker trojan operated on Windows systems, using port 1116 to establish remote control connections. Other malware, including a RAT called TransScout, also used this port.3 Network security scanners began flagging unexpected activity on port 1116 as potentially malicious.
This is how many registered ports actually exist on the Internet: officially assigned to one thing, practically used for something else entirely—or exploited by attackers precisely because the legitimate service isn't there to occupy the space.
Why This Gap Matters
The registered ports range (1024-49151) contains thousands of port assignments. Some are for services that became essential infrastructure. Others, like port 1116, are registered to services that never achieved widespread adoption.
These unused registrations create opportunities. An attacker looking for a port to use for malware prefers one that:
- Won't conflict with common services most people actually run
- Has an official-sounding registration (makes it slightly less suspicious)
- Isn't commonly monitored by default firewall rules
Port 1116 fit the profile perfectly. Registered but unused. Official but obscure.
Security Considerations
If you see unexpected traffic on port 1116, investigate it. The SANS Internet Storm Center tracks attack activity targeting this port,4 and while modern malware has moved to other techniques, legacy infections and scanning attempts still occur.
Any listening service on this port should be verified as intentional and legitimate. The legitimate ARDUS Control service is rare enough that most traffic on this port warrants scrutiny.
How to Check What's Using Port 1116
On Linux or macOS:
On Windows:
If something is listening and you don't recognize it, investigate further.
The Registered Ports Range
Port 1116 belongs to the registered ports range (1024-49151). These ports are registered with IANA for specific services, but unlike well-known ports (0-1023), they don't require special privileges to use.
Anyone can request a port registration in this range for a service they're developing. IANA registers the assignment to prevent conflicts. But registration doesn't guarantee the service will succeed, be maintained, or ever be widely deployed.
This is why the registered range is a mix: essential services like Microsoft SQL Server (1433), MySQL (3306), and PostgreSQL (5432) sit alongside hundreds of obscure or abandoned assignments like ARDUS Control.
What This Port Teaches Us
Port 1116 reveals the gap between the Internet's formal structure and its actual reality. IANA maintains the official registry—the map of what ports are supposed to be used for. But the real Internet is messier. Services fail. Registrations are abandoned. Malware fills the empty spaces.
Understanding this gap matters. When you secure a network, you can't just consult the official registry and assume that's what you'll find. You have to look at what's actually listening, actually connecting, actually running.
The port number might say "ARDUS Control." The reality might be something else entirely.
Frequently Asked Questions About Port 1116
このページは役に立ちましたか?