
Port 2002 has no official service. IANA lists it as unassigned — no protocol, no registered owner, no RFC. And yet if you watch network traffic on this port, you'll find it isn't quiet.

What Range This Port Belongs To

Port 2002 sits in the registered port range (1024–49151). These ports are officially tracked by IANA, but "registered" doesn't mean "occupied." IANA maintains the registry; individual services apply for numbers. Port 2002 was never claimed.

That leaves it open for anyone to use — legitimately or not.

What Actually Runs Here

The Slapper Worm

In September 2002, a worm began spreading through Linux servers running Apache with a vulnerable version of mod_ssl. It exploited a buffer overflow, took root, and then did something unusual: it didn't just phone home to a central server. It built a peer-to-peer network among infected machines, using UDP port 2002 as its command channel.

The worm used port 2002 as both source and destination port — a characteristic signature that made it identifiable. Infected machines talked to each other and shared instructions, which made the network capable of launching coordinated DDoS attacks.

What made it stranger: after patches were deployed and machines were cleaned, port 2002 didn't go quiet. The botnet's P2P discovery traffic kept flowing — probing for nodes that no longer existed. Security researchers at SANS called it an "afterglow": the traffic signature of a network that had already died, still looking for itself.1

The worm is gone. The knocking still happens.

Cisco Secure ACS

Cisco's Secure Access Control Server (ACS) 3.x used port 2002 for its CSAdmin web administration interface — the panel where network administrators managed authentication policies. A 2004 vulnerability (CVE-2004-1458) meant that flooding this port with TCP connections could hang the interface, a denial-of-service against the tool meant to control network access.2

LogMeIn

LogMeIn, the remote access service, uses port 2002 TCP as one of its communication channels alongside ports 80 and 443.3

Globe

SANS and Nmap databases list "Globe" as associated with this port. What Globe actually does: unclear. It appears in port databases and nowhere else with any substance. Some entries are ghosts too.

How to Check What's Listening

If you see traffic on port 2002 and want to know what's generating it:

# On Linux — show what process owns TCP or UDP port 2002
sudo ss -tulnp | grep ':2002'
# On Linux/macOS — same question, without name or port-name lookups
sudo lsof -nP -i :2002

# On Windows
netstat -ano | findstr :2002

If nothing is listening locally but you're seeing UDP traffic with port 2002 as both source and destination, that's residual Slapper worm P2P discovery traffic. It's harmless at this point — probes from systems scanning for a botnet that no longer exists.
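To sort captured port-2002 traffic by the signature described above, here is an added example (not code from the original page) that classifies lines of `tcpdump -nn` text output. The sample lines are constructed, the addresses are documentation ranges, and the label names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -nn` text format (documentation-range addresses).
SAMPLE = """\
12:00:01.100000 IP 198.51.100.7.2002 > 192.0.2.10.2002: UDP, length 32
12:00:01.900000 IP 198.51.100.7.2002 > 192.0.2.10.2002: UDP, length 32
12:00:02.300000 IP 192.0.2.10.51514 > 203.0.113.5.2002: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 IP 203.0.113.9.40000 > 192.0.2.10.2002: UDP, length 12
12:00:04.000000 IP 192.0.2.10.53 > 192.0.2.20.33000: UDP, length 60
"""

LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)"
)

def classify(line):
    """Return (label, src, dst) for a port-2002 packet, or None for anything else."""
    m = LINE.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if 2002 not in (sport, dport):
        return None
    # UDP with 2002 on both ends is the signature the page attributes to Slapper.
    if m["rest"].startswith("UDP") and sport == dport == 2002:
        return ("udp-2002-both-ends", m["src"], m["dst"])
    # TCP on 2002 points at a real service: check the local listener.
    if m["rest"].startswith("Flags"):
        return ("tcp-2002", m["src"], m["dst"])
    return ("other-2002", m["src"], m["dst"])

def summarize(text):
    """Count packets per (label, source address) so repeat senders stand out."""
    counts = Counter()
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            counts[(hit[0], hit[1])] += 1
    return counts

if __name__ == "__main__":
    for (label, src), n in sorted(summarize(SAMPLE).items()):
        print(f"{label:20} {src:15} {n}")
```

Anything labelled `tcp-2002` or `other-2002` does not fit the worm signature and is worth tracing to a process with the commands above.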

Why Unassigned Ports Matter

The port number space isn't fully allocated. IANA has registered services for only a fraction of the 49,151 ports below the ephemeral range. The rest are available — for legitimate software to claim, for malware to squat on, for coincidence to create conflicts.

Port 2002's history is a small illustration of how that works: no one claimed the number, a worm moved in, legitimate software moved in separately, and now the port carries a mix of echoes and real traffic with no single owner.
