What Port 3067 Is
Port 3067 sits in the registered port range (1024–49151). These ports are tracked by IANA — the Internet Assigned Numbers Authority — which maintains the official list of what service, if any, is supposed to live at each number.
IANA lists port 3067 as assigned to a service called FJHPJP, for both TCP and UDP.[1] That name appears in no RFC, no vendor documentation, no open-source project. It is, for all practical purposes, a ghost: technically registered, functionally meaningless.
If you see port 3067 active on a system, the assignment offers no help. You have to look elsewhere.
The Korgo Connection
Port 3067's real history belongs to 2004, when a worm called W32.Korgo tore through Windows machines by exploiting the LSASS buffer overflow vulnerability — the same flaw targeted by the Sasser worm weeks earlier, documented in Microsoft Security Bulletin MS04-011.[2]
Once Korgo infected a machine, it opened TCP ports 113, 3067, and 2041 to receive commands. Port 3067 became a listening ear — a backdoor through which the worm awaited instructions and could download additional malware to the Windows system folder and execute it.[3]
Korgo spread through multiple variants (A, B, E, F, G, H, P) between May and June 2004. Different variants behaved slightly differently — some used port 3067 consistently, others did not. The worm is long dead as an active threat, but port 3067 carries the association in security databases to this day.
What "Registered" Actually Means
The registered port range (1024–49151) is not the same as the well-known range (0–1023). Well-known ports require IANA approval and carry genuine protocol weight — port 443 is HTTPS everywhere, port 25 is SMTP everywhere. Registered ports are softer: IANA records requests, but there is no enforcement. Any application can use any registered port. Many do.
This is why "registered as FJHPJP" tells you almost nothing. The registration exists, but the service does not appear to.
How to Check What's Listening
If port 3067 appears on a system you manage, find out what opened it:
On Linux or macOS:
On Windows:
The process name will tell you whether this is something you installed intentionally or something worth investigating.
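One way to script this check on Linux, as an added example that is not part of the original page: it parses the text of `ss -H -ltnp` (iproute2) and reports the owning process for each listener on the ports named above. The function names, the sample output and its process names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which process owns a listening TCP socket on given ports.
# Input is the text of `ss -H -ltnp` (Linux, iproute2). Run ss as root to see
# processes that belong to other users.

# listeners_on_port PORT -- reads ss output on stdin, prints "port addr process pid"
listeners_on_port() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        {
            n = split($4, part, ":")     # port follows the last colon, so [::]:3067 works
            if (part[n] != port) next    # exact match: 30670 is not 3067
            proc = "unknown"; pid = "-"  # ss omits users:(...) without enough privilege
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                split(substr($0, RSTART, RLENGTH), q, "\"")
                proc = q[2]
                pid = q[3]; sub(/^,pid=/, "", pid)
            }
            print port, $4, proc, pid
        }'
}

# Constructed sample of `ss -H -ltnp` output (hypothetical host and process names).
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:3067 0.0.0.0:* users:(("updsvc",pid=4410,fd=7))
LISTEN 0 5 [::]:3067 [::]:*
LISTEN 0 128 127.0.0.1:30670 0.0.0.0:* users:(("devtool",pid=990,fd=9))'

# check_ports TEXT PORT... -- one line per listener found on any of the ports
check_ports() {
    text=$1; shift
    for p in "$@"; do
        printf '%s\n' "$text" | listeners_on_port "$p"
    done
}

# The three TCP ports the page says Korgo opened.
check_ports "$SAMPLE" 113 3067 2041

# Live use on a Linux host:  ss -H -ltnp | listeners_on_port 3067
```

A listener reported as `unknown` means ss could not see the owning process, so rerun the check with root privileges before drawing conclusions.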
Should You Be Concerned?
Port 3067 appearing in a firewall log or port scan is not itself alarming — scanners probe every port, and random traffic is noise. Port 3067 active and listening on a machine you manage is worth a closer look, given the port's history and the absence of any legitimate well-known service using it.
If you find something listening here and you didn't put it there, treat it seriously.