
What Port 3143 Is

Port 3143 sits in the registered port range (1024–49151). These ports require IANA registration, which distinguishes them from the well-known ports (0–1023) that run the core Internet protocols, and from the dynamic/ephemeral range (49152–65535) that operating systems hand out freely for outgoing connections.

Registered ports are supposed to mean something: a vendor claimed the port, documented a service, and established a stable assignment. In practice, registration quality varies widely. Some registered ports define major Internet infrastructure. Others are internal enterprise applications that got an IANA entry decades ago and then quietly disappeared.

Port 3143 is the second kind.

The IANA Assignment

The IANA Service Name and Transport Protocol Port Number Registry lists port 3143 as seaview, with the description "Sea View." The contact is Jim Flaherty at Seagate.1

That's where the trail ends. No RFC. No published specification. No documentation of what the Sea View service does, what protocol it speaks, or whether it was ever deployed outside Seagate's internal network. The registration exists as a placeholder more than a definition.

This isn't unusual. Many entries in the registered port range are like this: a vendor requested an assignment, IANA issued one, and the world moved on without anyone ever explaining what the service actually does.

The MyDoom Connection

Port 3143 has a second history, less official but more consequential.

In January 2004, the MyDoom worm became the fastest-spreading email worm ever recorded. Its payload included a backdoor component that opened a listening port somewhere in the range 3127–3198, varying by variant.2 Port 3143 sits in the middle of that range.

If you saw traffic on port 3143 in 2004, the most likely explanation was MyDoom, not anything Seagate ever shipped. The worm used the backdoor to download and execute arbitrary files, turning infected machines into remote-controllable hosts.

MyDoom's variants are long dormant, but this history is a useful reminder: being in the registered range doesn't protect a port from being appropriated. Malware doesn't check the registry.

How to Check What's Listening

If port 3143 shows up in your environment, there are straightforward ways to identify what's using it.

On Linux or macOS:

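# Show the process listening on port 3143 (Linux only; ss is not available on macOS).
# Run as root to see processes owned by other users.
ss -tlnp 'sport = :3143'

# Or with lsof (Linux and macOS)
lsof -i :3143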

On Windows:

netstat -ano | findstr :3143

The process ID in the last column can then be looked up in Task Manager or with tasklist /fi "PID eq <pid>".

To check from outside your machine:

nmap -p 3143 <host>

An open port with nothing in the IANA registry to explain it is worth investigating. An open port that matches known malware ranges even more so.
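
The same check widened to the whole 3127–3198 range mentioned earlier, as an added example that is not part of the original page. It assumes Linux `ss -H -tlnp` output; the function names, sample sockets and process names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners in the 3127-3198 range named on this page.
# Assumed input: `ss -H -tlnp` (Linux, iproute2), one socket per line:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
LOW=3127
HIGH=3198

# Reads ss output on stdin; prints "port<TAB>address<TAB>process" per hit.
flag_listeners() {
    awk -v lo="$LOW" -v hi="$HIGH" '
        $1 == "LISTEN" {
            laddr = $4
            # The port follows the last colon (handles [::]:3143 and *:3143).
            n = split(laddr, parts, ":")
            port = parts[n] + 0
            # Numeric comparison, so 31430 is not mistaken for 3143.
            if (port < lo || port > hi) next
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            # Process column is empty when ss lacks the privilege to read it.
            proc = "-"
            if (NF >= 6) {
                proc = $6
                for (i = 7; i <= NF; i++) proc = proc " " $i
            }
            printf "%d\t%s\t%s\n", port, addr, proc
        }'
}

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:3143 0.0.0.0:* users:(("unknown-svc",pid=4021,fd=4))
LISTEN 0 128 [::]:3127 [::]:* users:(("example",pid=4100,fd=6))
LISTEN 0 128 127.0.0.1:31430 0.0.0.0:*
LISTEN 0 128 *:3199 *:*
EOF
}

# Demo on the constructed sample. Live use on Linux:
#   ss -H -tlnp | flag_listeners
sample_ss_output | flag_listeners
```

A hit only means something is listening in that range; the process column is what tells you whether it is expected software.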

Why This Matters

The registered port range contains 48,128 possible assignments. Many of those slots were claimed by services that never shipped, applications that were retired, or internal tools that were only ever relevant to the company that registered them.

This creates a gap between what the registry says and what's actually running in the world. Port 3143 illustrates that gap cleanly: officially "seaview," practically unknown, historically associated with a worm that used the entire neighborhood.

The registered range isn't a guarantee of legitimacy — it's a historical record of who asked. What matters is what's actually listening.
