
Port 653 sits in the well-known range (0-1023), which means it's theoretically reserved for system services assigned by IANA. But this port's actual history shows how messy port assignments can get in practice.

What Actually Uses Port 653

Official assignment: Mac OS X RPC-based services, particularly NetInfo [1]

Unofficial commercial use: SupportSoft Nexus Remote Command, a remote management and diagnostic system [2]

Security concern: Known malware vector—various Trojans and viruses have used this port for command and control [3]

The Apple Story

Apple originally used port 653 for NetInfo, part of Mac OS X's directory services infrastructure. NetInfo handled user accounts, network configuration, and other system information through RPC (Remote Procedure Call) mechanisms.

This was legitimate system-level usage, exactly what the well-known port range was designed for. If you saw traffic on port 653 from a Mac, this was probably why.

The SupportSoft Story

SupportSoft (later acquired by Consona) built remote support tools that allow technicians to diagnose and fix problems on customer computers remotely. Their Nexus Remote Command service used port 653 for both TCP and UDP communication between support clients and agents installed on user systems [4].

This created a collision: the same port number serving completely different purposes depending on what software you were running. An Apple server and a SupportSoft installation could both be listening on 653 for entirely different reasons.

Many ISPs and computer manufacturers embedded SupportSoft tools into their customer service systems, which meant port 653 traffic became common even on non-Apple systems.

The Security Story

Port 653 appears on security warning lists as a known virus vector [5]. This doesn't mean the port itself is dangerous—it means malware authors have used it for command and control communications, likely because legitimate software was already using it, providing cover for malicious traffic.

Additionally, SupportSoft products themselves had documented security vulnerabilities, including buffer overflows in ActiveX controls that could allow remote code execution [6]. When support software becomes an attack vector, the ports it uses become part of the threat surface.

Why This Matters

Port 653 illustrates a fundamental tension in the port number system:

IANA assigns ports based on requests from software vendors and standards bodies. The assignment goes into the official registry.

Software vendors use ports based on what works for their architecture, sometimes regardless of what's officially assigned.

Attackers use ports based on what's already open, what provides good cover, and what administrators might not scrutinize.

The result: a single port number can carry Apple directory services, corporate remote support sessions, and malware command traffic—all at different times, on different networks, with no way to tell which is which just by looking at the port number.

Checking What's Listening on Port 653

On Linux or Mac:

sudo lsof -i :653

On Windows:

netstat -ano | findstr :653

If you see something listening on port 653, the next question isn't "what's assigned to this port?" It's "what software is actually using it on this system?"

Check the process name. If it's a Mac system service, it's probably legitimate. If it's SupportSoft or a vendor-branded support tool, that's expected for systems with that software installed. If it's something you don't recognize, investigate further.
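
The process-name check described above can be scripted so the same triage runs on every host. The following is an added example, not part of the original page: it parses lsof's machine-readable field output and labels each socket on port 653 as expected or needing investigation. The ALLOWED_CMDS names, the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: label whatever holds a socket on port 653 by process name.
# ALLOWED_CMDS is an assumption: process names you have already verified on
# this host. The default names are placeholders, not real product names.
ALLOWED_CMDS="${ALLOWED_CMDS:-example-dirsvc example-agent}"

# Reads `lsof -F pcn` field output on stdin (one field per line: p=PID,
# c=command, n=socket name; other fields such as f are ignored) and prints
#   <verdict> pid=<pid> cmd=<command> kind=<bound|session> addr=<socket>
classify_653() {
    awk -v allowed="$ALLOWED_CMDS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^p/  { pid = substr($0, 2); cmd = "?" }      # start of a new process
        /^c/  { cmd = substr($0, 2) }
        /^n/  {
            addr = substr($0, 2)
            kind = (addr ~ /->/) ? "session" : "bound"   # "->" marks a connected socket
            verdict = (cmd in ok) ? "EXPECTED" : "INVESTIGATE"
            print verdict, "pid=" pid, "cmd=" cmd, "kind=" kind, "addr=" addr
        }'
}

# Live check on Linux or macOS: -n/-P keep addresses and ports numeric,
# +c 0 prints untruncated command names.
check_port_653() {
    sudo lsof -nP +c 0 -i :653 -F pcn | classify_653
}

# Constructed sample of lsof field output (not captured from a real host).
sample_lsof_output() {
    cat <<'EOF'
p412
cexample-agent
f7
n*:653
p9931
cupdater-helper
f4
n*:653
f5
n192.0.2.10:653->198.51.100.7:51544
EOF
}

sample_lsof_output | classify_653
```

Run check_port_653 for a live check. A matching name only narrows the search, so confirm the binary's path and origin before treating an EXPECTED entry as trusted.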

The Well-Known Range Reality

Port 653 reminds us that the well-known range (0-1023) isn't as orderly as it appears. These ports require root or administrator privileges to bind to, which provides some security. But official assignments don't prevent unofficial use, and privilege requirements don't stop malware running with elevated permissions.

The well-known range was designed for a smaller, more controlled Internet where assignments meant something. In practice, ports get used for whatever the software needs, official assignments become suggestions, and administrators learn to check what's actually running rather than trusting what the registry says should be there.

  • Port 22 — SSH, the secure way to do remote administration
  • Port 3389 — Remote Desktop Protocol (RDP), Microsoft's remote management standard
  • Port 5900 — VNC, another remote desktop protocol
  • Port 687 — ASIPREGISTRY, another Apple directory service port
