Port 105 carries a protocol most people have never heard of, but it solved a problem everyone had: how do you find someone's email address?

Before search engines, before LDAP, before you could type a name into a box and get results, there was Ph. Short for "phonebook." It ran on port 105, and for a brief window in the early 1990s, it was how universities across the world let people look each other up.

What Ran on Port 105

Port 105 was assigned to two services. The older assignment is csnet-ns, the CSNET Mailbox Name Nameserver, part of the Computer Science Network that the National Science Foundation funded starting in 1981.[1] The newer and more widely known assignment is the CCSO Nameserver, also called the Ph/Qi protocol.[2]

The CCSO system worked like this: a server called Qi listened on TCP port 105, holding a database of people and their information (names, email addresses, phone numbers, department affiliations). A client called Ph connected to that server and sent plaintext queries. You'd type something like ph john smith and get back a structured record with that person's contact details.

The protocol was simple. Commands were keywords followed by values, separated by spaces, terminated by a carriage return and line feed. Queries were case-insensitive. The server responded with numbered status codes, not unlike HTTP or SMTP. It was clean, functional, and purpose-built for exactly one thing: finding people.

The Story Behind Port 105

Steve Dorner built the CCSO Nameserver at the University of Illinois at Urbana-Champaign, working at the university's Computing and Communications Services Office (the CCSO in the name).[3] Work began around 1988, and the system was in active use by 1991, though the formal RFC wouldn't come until September 1998.[2]

Dorner is better known for creating Eudora, one of the most popular email clients of the 1990s, which he also built at the University of Illinois in 1988.[4] He built the tool people used to send email and the tool people used to find email addresses. Both from the same office, in the same small city in central Illinois.

When Qualcomm hired Dorner in 1992, he refused to relocate to California. Instead, he telecommuted from an office in a 1950s bomb shelter beneath his home in Urbana.[4] Later, he moved his office to his woodworking shop, because the bomb shelter wasn't heated but the shop was.

The Internet's first phonebook was built by a man who preferred solitude.

The Dual Assignment

Port 105's older tenant, csnet-ns, predates the CCSO Nameserver by several years. CSNET (Computer Science Network) was a $5 million NSF project launched in 1981 to connect computer science research groups across the country.[1] Its nameserver maintained a central registry mapping usernames to their home sites, so you could route mail to someone even if you didn't know which machine they were on.

The CSNET nameserver and the CCSO nameserver are different systems that ended up sharing the same port number. Both solved the same fundamental problem (finding people on a network), just in different decades and at different scales.

How the Protocol Works

A Ph session is straightforward:[2]

  1. The client opens a TCP connection to port 105
  2. The client sends a query: query name=dorner return email phone
  3. The server searches its database and returns matching records with numbered response codes
  4. Either side can close the connection

Fields in the database had properties that controlled access. A field marked Public was visible to anyone. Private fields were restricted to administrators. Sacred fields couldn't be changed over the network at all. Unique fields enforced that no two records could share the same value.

The system also supported authentication through Kerberos v4, v5, and the GSS-API for write operations like updating your own phone number or office location.
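The command and reply framing described above, as an added Python example that is not code from the CCSO project. The reply line layout (optional leading "-", three-digit code, optional entry index, text) and the treatment of 1xx codes as in-progress follow RFC 2378 rather than this page; the function names are hypothetical, the sample reply is constructed, and values are assumed to contain no spaces.

```python
import re

# Reply line per RFC 2378: [-]code:[entry index:]text
# A leading "-" means more lines follow; field lines look like "  name: value".
LINE = re.compile(r"^(-?)(\d{3}):(?:(\d+):)?(.*)$")


def build_query(selectors, returns):
    """Build one CRLF-terminated command from selector pairs and return fields."""
    parts = ["query"] + [f"{k}={v}" for k, v in selectors.items()]
    if returns:
        parts += ["return"] + list(returns)
    line = " ".join(parts)
    if "\r" in line or "\n" in line:
        # A CR/LF inside a value would end this command and start another one.
        raise ValueError("CR/LF not allowed in a Ph command")
    return line.encode("ascii") + b"\r\n"


def parse_response(raw):
    """Return (final_code, {entry_index: {field: value}}) from raw reply bytes."""
    entries, final = {}, None
    for text in raw.decode("ascii", "replace").split("\r\n"):
        m = LINE.match(text)
        if not m:
            continue  # blank or malformed line: skip rather than guess
        more, code, index, body = m.groups()
        if index and ":" in body:
            field, value = body.split(":", 1)
            entries.setdefault(int(index), {})[field.strip()] = value.strip()
        if not more and int(code) >= 200:
            final = int(code)  # 1xx lines are progress notes, not the end
            break
    return final, entries


# Constructed sample reply (not captured traffic). Every byte is readable
# on the wire, which is the plaintext exposure the RFC warns about.
SAMPLE = (b"102:There was 1 match to your request.\r\n"
          b"-200:1:   name: smith john\r\n"
          b"-200:1:  email: j-smith@example.edu\r\n"
          b"-200:1:  phone: 555-0100\r\n"
          b"200:Ok.\r\n")

if __name__ == "__main__":
    print(build_query({"name": "smith"}, ["email", "phone"]))
    print(parse_response(SAMPLE))
```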

Security

The Ph protocol sends everything in plaintext. Every query, every response, every login. The RFC is blunt about this: "In the absence of encryption between client and server, all Nameserver traffic is unsecure."[2]

The protocol supports authentication mechanisms but has no built-in way to negotiate encryption. The RFC suggests that TLS or IPSec could be layered underneath, but by the time those became widely available, Ph was already being replaced by LDAP.

Port 105 has also been associated with the NerTe trojan, a remote access tool and keylogger that targeted older Windows systems. Like many well-known ports with declining legitimate use, port 105 became a convenient door for malware to try.

What Replaced It

LDAP won. The Lightweight Directory Access Protocol offered a richer data model, better security, standardized replication, and integration with enterprise systems. Ph was a phonebook. LDAP was a directory service that could be a phonebook and a thousand other things.

As of today, fewer than a handful of CCSO servers remain on the open Internet.[3] The protocol's last visible footprint is that Lynx, the text-mode web browser, still supports cso:// URLs. If you open one, Lynx presents a form with the server's searchable fields. A small monument to a protocol that once made the Internet feel like a place where you could find anyone.

The Port's Neighborhood

Port 105 sits in the well-known port range (0-1023), where IANA assigns ports through IETF Review or IESG Approval. Its neighbors tell a story about what mattered in early networking:

Port  Service         What It Does
101   NIC Host Name   ARPANET hostname lookups
102   ISO-TSAP        OSI transport service
104   ACR-NEMA        Medical imaging (DICOM precursor)
105   CCSO/csnet-ns   People directories
107   Remote Telnet   Remote terminal service
109   POP2            Post Office Protocol v2
110   POP3            Post Office Protocol v3

This cluster of ports is a snapshot of what the early Internet was trying to do: find hosts, find people, move messages, connect terminals. Port 105 handled the "find people" part.

How to Check What Is Listening on Port 105

On most modern systems, nothing should be listening on port 105. If something is, you should investigate:

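# Linux: the ss filter matches port 105 exactly (a plain grep for :105 also hits :1050)
sudo ss -tlnp 'sport = :105'
sudo lsof -nP -i :105

# macOS: netstat prints the port after a dot, so match ".105" followed by a space
sudo lsof -nP -i :105
sudo netstat -an | grep '\.105 '

# Windows: -o adds the owning PID; the trailing space keeps :1050 from matching
netstat -ano | findstr /C:":105 "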

If a process is bound to port 105 and you didn't put it there, treat it with suspicion. No mainstream software uses this port in 2025.
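For triaging saved `ss -tlnp` output from many hosts, an added Python example (not part of the original page) that compares the local port exactly, since a substring match on `:105` also hits ports such as 1050, and reports the owning process. The function name, the sample output and the process names in it are constructed for illustration.

```python
import re

# Owner column printed by `ss -p`, e.g. users:(("sshd",pid=812,fd=3))
PROC = re.compile(r'\("([^"]+)",pid=(\d+)')


def listeners_on_port(ss_output, port=105):
    """Return [(local_address, process, pid)] for sockets bound to exactly `port`."""
    hits = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, _, local_port = cols[3].rpartition(":")
        if local_port != str(port):
            continue  # exact compare: ":1050" and ":10500" are not port 105
        m = PROC.search(line)
        # A missing users:(...) column means ss lacked privilege to see the owner.
        name, pid = (m.group(1), int(m.group(2))) if m else ("unknown", None)
        hits.append((addr, name, pid))
    return hits


# Constructed sample of `ss -tlnp` output (not from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      5            0.0.0.0:105       0.0.0.0:*     users:(("qi",pid=4242,fd=4))
LISTEN 0      128             [::]:1050         [::]:*     users:(("app",pid=900,fd=7))
LISTEN 0      5               [::]:105          [::]:*
"""

if __name__ == "__main__":
    for addr, name, pid in listeners_on_port(SAMPLE_SS):
        print(f"port 105 listener on {addr}: process={name} pid={pid}")
```

A listener reported with an unknown owner should be re-checked as root before it is dismissed.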
