Port 1255 sits in an odd place in the port number system. It has an official IANA-registered service name—de-cache-query—but virtually no documentation, no known legitimate applications, and no clear purpose. What it does have is a history of being exploited by malware.
What Is Port 1255?
Port 1255 is a registered port (in the range 1024-49151) assigned to both TCP and UDP protocols for a service called "de-cache-query."1 The name suggests something related to cache query operations, but that's where the trail goes cold. There's no RFC defining the protocol, no known implementations, and no software that actually uses it for its intended purpose.
This is not uncommon in the registered ports range. IANA has assigned thousands of port numbers to services that were registered but never widely adopted, became obsolete, or were created for proprietary systems that have since disappeared.
The Scarab Connection
While the legitimate use of port 1255 is a mystery, its illegitimate use is well-documented. Port 1255 has been associated with the Scarab malware family, particularly Trojan.VBS.SCARAB variants.2
Scarab is ransomware that encrypts files using AES-256 cryptography and has been known to spread through the Necurs botnet, one of the largest spam botnets in operation. When security tools flag port 1255 activity, they're usually watching for this trojan, not for legitimate de-cache-query traffic (which doesn't exist).
This doesn't mean port 1255 is inherently dangerous. It means that malware authors sometimes choose obscure, unused ports for their communications precisely because they're not being watched by typical network monitoring.
What Are Registered Ports?
Port 1255 belongs to the registered ports range (1024-49151). Unlike well-known ports (0-1023), which require root/administrator privileges to bind on Unix-like systems, registered ports can be used by regular user applications.
IANA maintains the registry of these ports and assigns them to specific services upon request. Companies and developers can register a port for their application or protocol, which is how we ended up with thousands of assigned ports—many of which are rarely or never actually used in practice.
The process exists to prevent conflicts: if you're developing a new network protocol, you register a port so that your service doesn't accidentally collide with someone else's. But registration doesn't guarantee adoption.
Checking What's Using Port 1255
If you want to see whether anything is listening on port 1255 on your system:
On Linux/Mac:
On Windows:
If you see unexpected activity on this port, investigate it. Given the malware associations and the lack of legitimate services, any process using port 1255 warrants scrutiny.
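For the Linux case, one way to automate this check is shown below. It is an added example, not code from the original page: it filters `ss -H -tunap` output for sockets whose local or peer port is on a list of ports expected to stay silent. The function names, the QUIET_PORTS variable and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag sockets on ports that
# should be silent. QUIET_PORTS is a hypothetical, space- or comma-separated
# list; the default covers only the port this page discusses.
QUIET_PORTS="${QUIET_PORTS:-1255}"

# Reads `ss -H -tunap` style lines on stdin and prints one line per socket
# whose local OR peer port is in QUIET_PORTS:
#   <proto> <state> <local addr:port> <peer addr:port> <process or ->
flag_quiet_ports() {
  awk -v ports="$QUIET_PORTS" '
    BEGIN { n = split(ports, p, /[ ,]+/); for (i = 1; i <= n; i++) quiet[p[i]] = 1 }
    NF >= 6 {
      lp = $5; sub(/.*:/, "", lp)   # port is the text after the last colon (IPv6-safe)
      pp = $6; sub(/.*:/, "", pp)
      if ((lp in quiet) || (pp in quiet)) {
        proc = (NF >= 7) ? $7 : "-" # process column is empty without root
        printf "%s %s %s %s %s\n", $1, $2, $5, $6, proc
      }
    }'
}

# Constructed sample input: documentation addresses and made-up process names.
sample_ss_output() {
  cat <<'EOF'
tcp   LISTEN 0      128        0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5          0.0.0.0:1255        0.0.0.0:*      users:(("example-proc",pid=4242,fd=4))
tcp   ESTAB  0      0       192.0.2.10:51544   203.0.113.7:1255
udp   UNCONN 0      0             [::]:1255           [::]:*      users:(("example-proc",pid=4242,fd=6))
tcp   ESTAB  0      0       192.0.2.10:12550  198.51.100.9:443    users:(("curl",pid=900,fd=5))
EOF
}

# Live use on a Linux host:  sudo ss -H -tunap | flag_quiet_ports
# Here the filter runs against the constructed sample instead.
sample_ss_output | flag_quiet_ports
```

The filter matches on the exact port number, so the sample connection from local port 12550 is not flagged, while the outbound connection to a remote port 1255 is reported even though nothing is listening locally.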
Why Unassigned and Unused Ports Matter
The Internet's port system includes 65,535 possible port numbers. Only a fraction are actively used for well-known services. The rest exist as potential addresses—waiting rooms for future protocols, testing grounds for developers, and unfortunately, sometimes hiding spots for malicious software.
Understanding which ports are supposed to be quiet is part of network security. When a port that should be silent starts talking, that's worth noticing.
Port 1255 is a reminder that official registration and actual usage are two different things. IANA can assign a name, but it can't make a service relevant.
Related Ports
- Port 1254 — de-cache-admin (equally obscure, likely related)
- Port 80 — HTTP (actual cache-related traffic flows here)
- Port 443 — HTTPS (and here)
- Port 3128 — Squid proxy default port (real caching systems use this)