Port 2028: The Registered Port That Was Never Really Claimed

What Range This Port Belongs To

Port 2028 falls in the registered ports range (1024–49151). These ports are assigned by IANA to specific services upon application — they sit between the well-known ports (0–1023), which are reserved for foundational protocols like HTTP and SSH, and the ephemeral ports (49152–65535), which operating systems hand out dynamically for outgoing connections.

A registered port is supposed to mean something. Someone filed a request, IANA granted a number, and that number was reserved for a specific purpose. The registered range is the Internet's middle class: not core infrastructure, but not random noise either.

The "Submitserver" Problem

Some port databases list port 2028 as assigned to a service called submitserver. This name appears in IANA's registry for both TCP and UDP.¹

But "submitserver" is a name, not a protocol. There is no RFC documenting it. No open-source implementation. No vendor documentation. No mailing list thread. No trace of what it was supposed to submit, to whom, or why port 2028 was the right place to do it.

This happens. Someone registers a port number with vague intentions, the project never materializes or ships, and the registration persists indefinitely — a name in a table attached to nothing. The Internet's port namespace has plenty of these fossils.²

For practical purposes, treat port 2028 as unassigned.

What Might Actually Be Running Here

Because 2028 has no established service, anything found listening on this port is application-specific — software that chose the number for its own reasons. A few possibilities:

• Development servers: Developers occasionally use ports in the 2000–2099 range for local services, test APIs, or internal tooling. If you see 2028 on your own machine during development, it's almost certainly something you or your toolchain started.
• Custom application services: Internal enterprise software sometimes claims arbitrary registered ports for its own use. If you're seeing 2028 on a server you didn't configure, check with whoever manages the application layer.
• Historical malware: Port scanners and security databases note that malware has used this port in the past, as attackers routinely exploit obscure, unmonitored ports for command-and-control traffic. This is not unique to 2028 — any quiet corner of the registered range is a potential target.

A port on your system doesn't come with a label. You have to ask it.

How to Check What's Listening on Port 2028

Linux / macOS:

# Show the process listening on port 2028
ss -tlnp sport = :2028

# Or with lsof
lsof -i :2028

macOS (alternative):

netstat -anv | grep 2028

Windows:

netstat -ano | findstr :2028
# Then look up the PID
tasklist | findstr <PID>

If something is listening, these commands tell you the process name and PID. From there, you know what it actually is — not what a database says it might be.

Why Unassigned Ports Matter

The 65,535 ports available to TCP and UDP are a finite namespace. Well-known ports (0–1023) are densely documented. Ephemeral ports are temporary by design. The registered range is where the interesting ambiguity lives.

An unassigned or nominally-assigned port like 2028 is significant precisely because it's quiet. Legitimate traffic tends to cluster around recognized ports. If you see unexpected activity on 2028, there's no standard service to explain it away — which makes it easier to notice when something unusual is happening, and harder to dismiss.

Quiet ports are useful for monitoring. They're also useful for anyone trying to go unnoticed.