Port 605 carries SOAP over BEEP—Simple Object Access Protocol running on top of the Blocks Extensible Exchange Protocol. It's a protocol with elegant ambitions that never found its audience, and the port carries a malware legacy that made it notorious.
What Runs on Port 605
Official Assignment: SOAP over BEEP (soap-beep) [1]
Protocol: TCP
Defined in: RFC 3288 (obsoleted by RFC 4227) [2]
SOAP over BEEP binds XML-based web service messaging to BEEP's sophisticated transport framework. BEEP (Blocks Extensible Exchange Protocol) provides framing, multiplexing, pipelining, and full-duplex communication—features that seemed futuristic when the protocol was designed in 2001. [3]
The protocol supports multiple message patterns:
- One-way messages — Client sends, server acknowledges immediately with NUL
- Request-response — Client sends MSG, server responds with RPY
- Request/N-responses — Client sends one message, server streams back multiple ANS responses [2]
The Protocol That Time Forgot
BEEP was designed by Marshall T. Rose, the same engineer who worked on POP3, SMTP, and SNMP. [3] It was meant to be a general-purpose framework for building network protocols—sophisticated, multiplexed, and connection-oriented.
But BEEP never gained widespread adoption. HTTP won the web services battle. REST became the dominant paradigm. The elegant peer-to-peer architecture that BEEP offered was too complex for most use cases, too unfamiliar for most developers.
SOAP over BEEP exists in that graveyard of well-designed protocols that solved problems nobody actually had.
The Darker Legacy
Port 605 is better known for malware than for web services.
In the early 2000s, a trojan called "Secret Service" used port 605 to establish remote control over infected Windows machines. [4] Security scanners and firewall documentation from that era list port 605 as a known trojan port, associating it with backdoor access rather than legitimate XML messaging.
The irony: the official protocol barely saw production use, but the malware made port 605 infamous enough to appear in every trojan port reference list for the next two decades.
Security Considerations
If you see port 605 open on a system:
- It's unlikely to be legitimate SOAP over BEEP traffic (the protocol is essentially dead)
- It could be legacy malware or a system compromised years ago that was never cleaned
- Modern trojans don't typically use this port, but old infections persist
To check what's listening:
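One way to do this on a Linux host, as an added example rather than commands from the original page: the function below filters `ss -H -ltnp` output for sockets bound to exactly port 605 and reports the owning process. The function names and the sample lines are constructed for illustration; it assumes iproute2's `ss` is installed.

```sh
#!/bin/sh
# Added example: find TCP listeners on port 605 (soap-beep) from ss output.
PORT=605

# Reads `ss -H -ltnp` style lines on stdin; prints "<local addr:port> <owner>"
# for every socket listening on exactly $PORT.
filter_listeners() {
    awk -v port="$PORT" '
    {
        laddr = ""
        # First field containing ":" is the local address column, whether
        # or not a Netid column (tcp/udp) precedes the state.
        for (i = 1; i <= NF; i++) if (index($i, ":")) { laddr = $i; break }
        if (laddr == "") next
        # Take the text after the LAST colon: handles [::]:605 and avoids
        # the false hits on 6050 or 16051 that a plain `grep 605` gives.
        p = laddr; sub(/.*:/, "", p)
        if (p != port) next
        # ss shows the users:(...) column only for processes you may inspect.
        owner = "owner-not-shown"
        if (match($0, /users:\(\(.*/)) owner = substr($0, RSTART)
        print laddr, owner
    }'
}

# Live check (assumes Linux with iproute2; run as root to see all owners).
check_port_605() {
    ss -H -ltnp 2>/dev/null | filter_listeners
}

# Constructed sample lines, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:605 0.0.0.0:* users:(("legacyd",pid=4242,fd=4))
LISTEN 0 5 [::]:605 [::]:*
LISTEN 0 511 127.0.0.1:6050 0.0.0.0:* users:(("node",pid=900,fd=20))
tcp LISTEN 0 128 0.0.0.0:16051 0.0.0.0:* users:(("agent",pid=77,fd=9))
EOF
}

sample_ss_output | filter_listeners
```

Call `check_port_605` on the host under review; a line reading `owner-not-shown` means the check needs to be rerun with root privileges to identify the process.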
If something is listening on port 605 and you don't know why, investigate. It's not a port that should be open in 2026.
Why This Port Matters
Port 605 is a reminder that official assignments don't guarantee adoption, and that malware often outlives the legitimate services it exploits.
BEEP was a genuinely interesting protocol. Full-duplex multiplexing over a single connection. Asynchronous message patterns. Elegant framing. But elegance doesn't win adoption—simplicity does. HTTP was good enough. REST was easier to understand. SOAP itself fell out of favor, let alone SOAP over an obscure transport protocol.
What remains is the assignment, the RFCs, and the trojan port lists.
Related Ports
- Port 80 — HTTP, the protocol that actually won web services
- Port 443 — HTTPS, where modern APIs live
- Port 3288 — Another BEEP-related port assignment