Port 3547: Registered, Unoccupied, and Worth Watching

What Range This Port Belongs To

Port 3547 is a registered port — part of the range from 1024 to 49151. These ports sit between the well-known ports (0-1023, reserved for core Internet services) and the ephemeral ports (49152-65535, used temporarily by operating systems for outbound connections).

Registered ports can be claimed by software vendors and application developers through IANA. The registration doesn't grant exclusive use — it just records intent and avoids collisions with other officially registered services.

Official Assignment

SpeedGuide's port database notes a historical association with Symantec SIM (Security Information Manager), Symantec's enterprise security event correlation product.¹ That product has since been discontinued, and the port carries no active official registration in the current IANA service name registry.² The registration is effectively a relic.

Unofficial and Observed Uses

Port 3547 appears in threat documentation as one of several ports used by Backdoor.Amitis.B, a Windows remote access trojan.¹ Like most RATs, Backdoor.Amitis opens a listening port so a remote attacker can issue commands, exfiltrate data, or use the infected machine as a relay.

This is not unusual for ports in this range. When a legitimate registered service goes dormant, malware authors sometimes adopt the port — partly because firewall rules written for the original service may leave it open, and partly because an unrecognized port number attracts less scrutiny than port 4444 or 12345.

If port 3547 appears open on a machine you administer and you didn't configure anything to use it, treat that as a signal worth following.

How to Check What's Listening

On Linux or macOS:

# Show which process is listening on port 3547
ss -tlnp | grep 3547

# Alternative using lsof
lsof -i :3547

On Windows:

# Show the process ID listening on port 3547
netstat -ano | findstr :3547

# Look up the process by PID
tasklist | findstr <PID>

The process name will tell you whether what's running there is expected. An unfamiliar or obfuscated process name on this port deserves a closer look.

Why Unassigned Ports Matter

The port number system only works because there's a shared agreement about what's where. Well-known ports (80, 443, 22) are stable and predictable. Registered ports are supposed to provide a second tier of predictability — but registrations age, services get discontinued, and the port sits unclaimed.

That gap is where noise enters. Malware, ad hoc internal tools, and misconfigured services all tend to accumulate in the quieter corners of the registered range. Port 3547 is one of those corners.

It's not dangerous to have this port on your network — as long as nothing is listening on it unexpectedly.