Port 2125: Lockstep — A Ghost in the Registry

Port 2125 sits in the registered port range (1024–49151) and carries an official IANA assignment: lockstep, for Lockstep Systems Backup for Workgroups.¹

The product is effectively gone. But the registration is forever.

What Lockstep Was

Lockstep Systems Backup for Workgroups was an enterprise backup application. Port 2125 (TCP and UDP) served as its communication channel. The software had a documented security problem: a stack-based buffer overflow vulnerability that allowed a remote attacker to send a specially crafted packet to port 2125 and either crash the application or execute arbitrary code.²

Buffer overflows in backup agents are a particularly bad species of vulnerability. Backup software typically runs with elevated privileges — it needs them to access files across the system. A compromised backup agent is a compromised machine.

The software faded. The port number stayed.

The Registered Port Range

Port 2125 lives in the registered ports range (1024–49151), also called user ports. Here is what that means:

• Well-known ports (0–1023): Reserved for foundational Internet services — HTTP, HTTPS, SSH, DNS. Require root/admin privileges to bind on most operating systems.
• Registered ports (1024–49151): Companies and developers register these with IANA for specific applications. No privilege requirement to bind, but IANA tracks the assignment.
• Dynamic/ephemeral ports (49152–65535): Unregistered, used temporarily by operating systems for outbound connections.

Registered does not mean active. IANA's registry is not a census of what is running on the Internet today — it is a historical record of what was claimed. Thousands of registered ports belong to products that have been discontinued, acquired, or quietly abandoned. Port 2125 is one of them.³

What Is Actually Listening on Port 2125 Today

Almost certainly nothing official. If you see port 2125 active on a system, it is worth investigating. Common reasons a port appears active:

• A legacy backup agent still running from an old deployment
• An application that chose this port informally (the registration is obscure enough that developers sometimes pick it without knowing)
• Malware — orphaned port numbers in low-traffic ranges occasionally get repurposed by software that wants to blend in

To check what is listening on port 2125:

On Linux/macOS:

sudo ss -tlnp | grep 2125
# or
sudo lsof -i :2125

On Windows:

netstat -ano | findstr :2125
# Then look up the PID:
tasklist | findstr <PID>

If something is there and you do not recognize it, find out what it is before assuming it is benign.

Why Ghost Ports Matter

The IANA registry was designed to prevent collisions — two applications fighting over the same port. But the registry has no expiration mechanism. A company can register a port, ship one version of a product, and disappear. The port stays claimed.

This creates a sprawl of ghost registrations. Port numbers that are officially taken but practically available, sitting in the registry like unclaimed mail. For most purposes this is harmless. But it means the registry cannot be read as a map of what is actually in use — only as a map of what was once assigned.

Port 2125 is registered. Lockstep Systems is gone. The number endures.