Port 365 is assigned to DTK (Deception Tool Kit), created by Fred Cohen. Unlike most security tools that hide, DTK on port 365 announces itself—it's a honeypot that wants to be discovered.
What DTK Does
The Deception Tool Kit is a collection of Perl scripts and C code that emulates known system vulnerabilities.1 When you connect to port 365, DTK returns a text string warning that it's active.2
The concept is psychological: if attackers scan a network and see port 365 responding with "DTK is running here," they might realize the network has active defenses and move on. The port exists to increase Fear, Uncertainty, and Doubt—to make attackers question whether any vulnerabilities they find are real or deceptions.3
Who Created It
Fred Cohen isn't just any security researcher. On November 3, 1983, he demonstrated the first computer virus to a security seminar at USC. His advisor, Len Adleman, pointed out the similarity to biological viruses—and the term "computer virus" entered the language.4
Cohen's 1987 paper "Computer Viruses – Theory and Experiments" started the entire field of computer virus research and remains one of the most widely cited papers in computing.5
The First Public Honeypot
In 1997, Cohen released DTK version 0.1—the first publicly available honeypot that anyone could download and deploy on their own systems.6 Before DTK, honeypots were research projects or custom tools. Cohen made deception-based defense available to everyone.
DTK doesn't just log attacks quietly. It actively deceives attackers by making systems appear to have vulnerabilities they don't have. Every probe gets a fake response. Every scan finds fake services. The attacker can't tell what's real.7
And port 365 is the announcement: "Everything you're seeing might be a lie."
Why Port 365 Matters
Most honeypots try to blend in. DTK on port 365 does the opposite—it's a flag planted in the ground. The man who invented computer viruses created a port that exists purely to warn attackers they're being watched.
It's a psychological weapon disguised as a network service. And it still carries that warning today.
How to Check What's on Port 365
On Linux or macOS:
On Windows:
If you see something listening here, you're either running DTK or something has claimed this port unofficially. Given its history, that's fitting—port 365 has always been about deception.
Related Ports
Port 365 sits in the well-known ports range (0-1023), which means it was assigned by IANA through formal procedures. Most ports in this range carry essential Internet services. Port 365 carries a warning.
Frequently Asked Questions
Was this page helpful?