Port 3385: qnxnetman — The Quiet Corner of the Internet

What This Port Does

Port 3385 is registered with IANA for qnxnetman, the network management service used by QNX. Both TCP and UDP are assigned.

QNX (pronounced "cue-nicks") is a Unix-like real-time operating system built for environments where failure is not acceptable: the infotainment system in your car, industrial control systems on factory floors, medical devices in hospitals, and avionics software in aircraft. BlackBerry acquired QNX in 2010, and it now runs inside hundreds of millions of vehicles under the QNX Neutrino RTOS.

The qnxnetman service handles network management communication between QNX nodes. It is specialized, proprietary, and essentially invisible on any network not running QNX. Most administrators will never see traffic here.

The Registered Port Range

Port 3385 lives in the registered port range (1024–49151). IANA tracks these ports and assigns them to specific services, but unlike the well-known ports (0–1023), no special privileges are required to open one. Any application can bind to a registered port, and IANA registration doesn't guarantee a service is actually running there — it's a reservation, not an enforcement.

The practical consequence: on most networks, port 3385 sits completely idle. Nothing runs there. Which brings us to why it attracted attention.

The Security Note

Port 3385 has been documented as a communication channel for W32.Mytob.KP@mm, a mass-mailing worm that opens a backdoor, lowers security settings, and connects to IRC servers for remote command execution.¹

Mytob didn't pick this port by accident. It needed somewhere quiet — a registered port that firewalls might not flag, that security teams wouldn't recognize, that monitoring systems would ignore. An obscure QNX management service on port 3385 fit perfectly. The port's legitimacy provided cover.

SANS ISC shows ongoing low-level scanning activity against port 3385, consistent with routine Internet reconnaissance. Current threat level is green — background noise, not active exploitation.²

If you're not running QNX systems, there is no reason for this port to be open or receiving traffic.

How to Check What's Listening

macOS/Linux:

# Show what process is listening on port 3385
sudo lsof -i :3385

# Alternative using ss (Linux)
ss -tlnp | grep 3385

# Or netstat
netstat -an | grep 3385

Windows:

netstat -ano | findstr :3385

If you find something listening on port 3385 and you're not running QNX, investigate. The process name in the output will tell you where to look next.

Why Unassigned (and Obscure) Ports Matter

The registered port range contains thousands of ports like this one — officially assigned to real services, but functionally invisible on most networks. They occupy a strange middle ground: technically legitimate, practically abandoned, useful to nobody except occasionally to malware looking for an unlocked side door.

This is why port hygiene matters. Knowing what's running on every open port — not just the obvious ones — is the difference between a network that's monitored and one that just hopes nothing is wrong.