What This Port Is
Port 3436 sits in the registered port range — ports 1024 through 49151, managed by the Internet Assigned Numbers Authority (IANA). These ports are reserved for specific services by application, with IANA maintaining the official registry of who claimed what.
IANA lists port 3436 as assigned to gc-config, the GuardControl Exchange Protocol, registered in March 2002. Beyond that entry in the registry, the protocol left almost no trace. There are no widely circulated RFCs, no open-source implementations, no communities of administrators managing it. It is, for all practical purposes, a name attached to a number — a claim filed and then abandoned to the silence of the Internet.
What It's Actually Known For
Port 3436 appears in security literature for one reason: the Backdoor.Netjoe trojan (also catalogued as Backdoor:Win32/Netjoe by Microsoft), which opens TCP ports 3436 and 3437 to establish a remote access channel. When Netjoe infects a Windows system, it listens on these ports, waiting for its operator to connect and issue commands.
The trojan was documented by Symantec in 2004. It is a textbook example of why open ports that aren't associated with a running service should raise questions: something put that listener there, and it wasn't GuardControl.
How to Check What's Listening on This Port
If you see traffic on port 3436 and you weren't expecting it, find out what opened it.
On Linux/macOS:
On Windows:
The output will show the process ID. Cross-reference it with your process list. If you don't recognize what's running there, that's worth investigating.
Why Unassigned (and Abandoned) Ports Matter
The registered port range contains over 48,000 entries. Many are like port 3436 — legitimately filed, then practically dormant. This matters for a few reasons:
- Scanners will flag them. Security tools that scan for unusual listeners don't know which registered services are actually deployed. Anything unexpected on a registered port gets scrutinized the same way.
- Malware likes the gaps. Trojans and backdoors often pick ports in the registered range precisely because they don't attract the immediate attention that port 22 or 443 would.
- The registry isn't a guarantee of use. IANA registration means someone asked for the port. It says nothing about whether real software uses it, whether it's maintained, or whether the original author is still reachable.
If you encounter port 3436 in the wild, GuardControl is not what put it there.
Var den här sidan till hjälp?