No Official Resident
Port 30 has no assigned service. No protocol was ever registered to it. No RFC defines what should run here. In the IANA Service Name and Transport Protocol Port Number Registry, port 30 simply does not appear, because IANA only lists ports that have been assigned or reserved.1
It sits in the well-known range (ports 0 through 1023), the most privileged tier of the port system. On Unix-like systems, binding to any port in this range requires root privileges.2 These ports were meant for the foundational protocols of the Internet: HTTP, SSH, SMTP, DNS. Port 30 was set aside with the rest of them, waiting for a service that never came.
Roughly 24% of well-known ports have never been assigned.2 Port assignments are demand-driven. Someone has to need a port, request it from IANA, and go through IETF Review or IESG Approval to get a system port.2 For port 30, no one ever did.
The Uninvited Tenant
The most notable use of port 30 was never legitimate.
In the late 1990s, a trojan called Agent 40421 used TCP port 30 as one of its communication channels.3 Agent 40421 was the server component of Master's Paradise, a remote access trojan created by Dan Lehmann from Munich Brain House, a German hacker group.4 Master's Paradise operated primarily on port 40421, but its agent component also listened on ports 30 and 31, quieter doors that were less likely to draw attention precisely because nothing legitimate was expected there.3
Master's Paradise was part of that strange late-1990s ecosystem of remote access tools: Back Orifice, SubSeven, NetBus, Deep Throat. Programs that let someone on the other side of the Internet eject your CD tray, swap your mouse buttons, read your files, capture your keystrokes.4 They targeted Windows 95, 98, and ME. Some were built as pranks. Some were built as weapons. The line between the two was thinner than anyone wanted to admit.
Agent 40421 chose port 30 for the same reason burglars prefer houses with no lights on. An unassigned port has no expected traffic. No legitimate service means no legitimate monitoring. The silence was the point.
The Well-Known Range
Port 30 belongs to the System Ports range (0 through 1023), also called the Well-Known Ports. This range carries specific implications:
- Privileged binding: On most operating systems, only processes running with elevated privileges can listen on these ports2
- IANA governance: Assignment requires formal IETF Review or IESG Approval, the most rigorous approval process in the port registry2
- Implicit trust: Network administrators and firewalls often treat well-known ports differently, applying specific rules and expectations
Being unassigned in this range is not the same as being unassigned in the registered range (1024 through 49151) or the ephemeral range (49152 through 65535). A well-known port without an assignment is a privileged address with no occupant. It was built for something important. Nothing important ever moved in.
How to Check What Is Listening on Port 30
If something is listening on port 30 on your system, you should investigate. There is no legitimate reason for a standard service to bind here.
Linux:
macOS:
Windows:
If you find a process listening on port 30 that you do not recognize, treat it as suspicious. Check the process name and path. Cross-reference it with known services on your system. The historical association with trojan activity makes unexpected listeners on this port worth investigating thoroughly.
Why Unassigned Ports Matter
The Internet's port system has 65,535 ports. Only a fraction are assigned. The unassigned ones are not waste. They are capacity, held in reserve for protocols that have not been invented yet, for problems that have not been identified yet.
But unassigned ports also create a kind of negative space that is useful to understand. Firewalls can be configured to block traffic on ports where no legitimate service should exist. Intrusion detection systems can flag unexpected connections to unassigned ports. The absence of an assignment is itself a form of information: if traffic appears here, something unusual is happening.
Port 30 is a reminder that in networking, silence is a signal too.
Frequently Asked Questions
Was this page helpful?