Port 2094: NBX AU — The Audio Channel of a Dead Phone System

What Port 2094 Is

Port 2094 is registered with IANA under the service name nbx-au — the audio component of the 3Com NBX IP telephony platform.¹

It belongs to the registered port range (1024–49151), the middle tier of the port numbering system. IANA coordinates this range so applications can claim a number without conflicting with each other. Anyone can apply; the registration doesn't require open-source code or public documentation — just a vendor, a product, and a form.

3Com registered a cluster of four ports for the NBX system:

These four ports covered the full lifecycle of a phone call on an NBX system: finding the party (directory), setting up the call (call control), carrying the voice (audio), and managing devices (serial). Port 2094 was the one that actually carried speech.

The NBX System

The 3Com NBX was an IP phone platform introduced in the late 1990s, aimed at small and mid-sized businesses that wanted digital voice without the cost of enterprise PBX hardware.² It was a proprietary system — phones, servers, and software were all 3Com's — and it used UDP 2093–2096 to carry its signaling and audio over the local network.

For organizations running NBX phones behind firewalls, these four ports needed to be open to allow IP phones to register with the call server and pass audio. When NBX deployments reached across a WAN or Internet connection, the port forwarding list always included 2094.

Hewlett Packard acquired 3Com in 2010. In 2013, HP announced end-of-sale and end-of-support for the NBX product line.³ The phones stopped shipping. The software stopped receiving updates. Port 2094 stopped mattering to new deployments.

The IANA registration remains.

Security Notes

Port 2094 has been associated with at least one piece of malware: W32.Mytob.FO@mm, a mass-mailing worm that attempted to open an IRC backdoor on TCP port 2094.⁴ This is unrelated to the legitimate NBX use — malware authors sometimes pick registered ports hoping firewall rules already permit them.

If you see unexpected traffic on port 2094 on a system with no legacy 3Com hardware, treat it as suspicious.

Check What's Listening

# macOS / Linux - show process using port 2094
sudo lsof -i :2094

# Linux alternative
sudo ss -tlnp | grep 2094

# Windows
netstat -ano | findstr :2094

If something is listening on 2094 and you don't have 3Com NBX hardware, investigate.

Why Unoccupied Registered Ports Matter

The registered port range contains thousands of entries like this one: products that shipped, registered their ports, and then went end-of-life. The registration persists indefinitely unless explicitly revoked.

This matters because:

• Firewall rules outlive products. An organization that opened port 2094 for NBX phones in 2005 may still have that rule in place — now permitting traffic with no legitimate destination.
• Malware looks for open doors. Attackers specifically target ports that are often permitted by legacy firewall rules but no longer actively monitored.
• Port scanners still light up. Security tools flagging open port 2094 aren't wrong — they just require context to interpret.

The registered port range is partly a historical archive. Port 2094 is a small, honest entry in that archive: a phone system from another era, registered correctly, and now silent.