
What Port 2005 Is

Port 2005 sits in the registered port range (1024–49151). These are ports that applications can register with IANA, the body that coordinates global Internet addressing. Registration means the port has an official name in the record books — it doesn't mean anyone is obligated to use it, or that many people do.

IANA's official name for port 2005 is deslogin — short for "DES login." The registered description: encrypted symmetric telnet/login. [1]

The Protocol That Wasn't

In the late 1980s and early 1990s, telnet was how you logged into remote systems. It was also a security disaster: every character you typed, including your password, flew across the network in plaintext. Anyone sniffing the wire could read it.

"Deslogin" was apparently an attempt to fix this — encrypting the telnet session with DES (Data Encryption Standard), the dominant symmetric cipher of the era. It was a reasonable idea. It just didn't win.

SSH, designed by Tatu Ylönen in 1995 after he watched credentials crossing his university network in the clear, became the answer everyone actually adopted. SSH runs on port 22. Deslogin never deployed at any meaningful scale. Port 2005 became a registration without a resident.

What Actually Uses Port 2005

With no legitimate service occupying the port, others moved in:

Malware. Port 2005 appears in threat databases for the W32.Reatle worm, the TransScout trojan, and Backdoor.Win32.Delf.zs — all of which have used this port for backdoor access or proxy services. [2] A port with no expected traffic is convenient: nothing is listening for it, nothing blocks it.

Enterprise software. NetIQ Secure Configuration Manager uses port 2005 for its Windows security agent (VigilEntAgent.exe). This is legitimate but niche — something you'd encounter in a specific corporate security tooling context, not on a typical machine. [3]

If you see port 2005 open on a system and you're not running NetIQ software, investigate.

How to Check What's Listening

On Linux or macOS:

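# Linux: show what process is listening on TCP port 2005.
# The socket filter matches the port exactly; a bare "grep 2005"
# would also match a PID of 2005 or a port such as 12005.
sudo ss -tlnp 'sport = :2005'

# Or with lsof (Linux and macOS)
sudo lsof -i :2005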

On Windows:

# Show listening processes on port 2005
netstat -ano | findstr :2005

# Then look up the PID
tasklist | findstr <PID>

If nothing appears, the port is closed. If something appears that you don't recognize, that's worth investigating before assuming it's benign.
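An added example, not from the original page: a Python sketch of the Windows check above that parses `netstat -ano` and `tasklist` output, matches the port exactly, and flags any listener on 2005 other than the NetIQ agent. The sample output and the process name updsvc32.exe are constructed, and treating VigilEntAgent.exe as the only expected listener is an assumption.

```python
import re

PORT = 2005
# Assumption: the only expected listener is the NetIQ agent named on this page.
EXPECTED = {"vigilentagent.exe"}

# Constructed sample output (not captured from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:2005           0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:20050          0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49712         10.0.0.9:2005          ESTABLISHED     2005
  TCP    [::]:2005              [::]:0                 LISTENING       4312
"""
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
updsvc32.exe                  4312 Services                   0      3,880 K
java.exe                      5120 Services                   0    210,112 K
"""

def listeners(netstat_text, port=PORT):
    """PIDs with a TCP socket in LISTENING state on exactly `port`."""
    pids = set()
    for f in map(str.split, netstat_text.splitlines()):
        # Compare the text after the last colon: [::]:2005 matches, :20050 does not.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING" \
                and f[1].rsplit(":", 1)[-1] == str(port):
            pids.add(int(f[4]))
    return sorted(pids)

def pid_names(tasklist_text):
    """Map PID -> image name from the default `tasklist` table."""
    rows = (re.match(r"(\S.*?)\s+(\d+)\s+\S", l) for l in tasklist_text.splitlines())
    return {int(m.group(2)): m.group(1) for m in rows if m}

def triage(netstat_text, tasklist_text, port=PORT, expected=EXPECTED):
    """Return (pid, image, verdict) for every listener on `port`."""
    names = pid_names(tasklist_text)
    rows = []
    for pid in listeners(netstat_text, port):
        image = names.get(pid, "<unknown>")
        rows.append((pid, image, "expected" if image.lower() in expected else "investigate"))
    return rows

if __name__ == "__main__":
    for row in triage(NETSTAT, TASKLIST):
        print(row)
```

The ESTABLISHED row and the 20050 row are the two cases a plain `findstr :2005` would also return; the parser ignores both.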

Why Unassigned Ports Matter

The registered port range contains thousands of ports like 2005: officially named, functionally abandoned, occasionally squatted by software that had nowhere else to go.

This matters for two reasons. First, network scanning and intrusion detection systems use port registrations as a baseline. An open port that matches a known malware signature stands out. Second, firewall policy often defaults to "block everything not explicitly allowed" — which means ports like 2005, with no expected legitimate traffic on most networks, should be closed unless you have a specific reason to open them.

The ghost of deslogin is useful precisely because it never arrived. An empty port is a signal. Pay attention to it.
