Port 2323: The Shadow Telnet Port

Port 2323 is unassigned. IANA has not designated any official protocol for it. And yet, if you watch your firewall logs, you'll see it scanned constantly.

There's a reason for that.

What Range This Port Belongs To

Port 2323 sits in the registered ports range (1024–49151). These ports aren't reserved for privileged system services like the well-known ports below 1024, but they're also not the ephemeral throwaway ports above 49151 that operating systems hand out for outbound connections.

Registered ports are supposed to be claimed through IANA. Port 2323 never was. It's legitimately unassigned — available for any application to use, with no official meaning.

What Actually Runs Here

Alternate Telnet

The most common unofficial use of port 2323 is Telnet — specifically, Telnet moved off its standard port 23 by manufacturers who wanted to hide it.

Some ISP-supplied home gateways (Technicolor models were notable offenders) shipped with a technician-access Telnet service on port 2323. The logic: port 23 is well-known and often blocked or monitored, so put it somewhere less obvious. This is security through obscurity, which is not security.

The devices shipped with default credentials. The Telnet service listened on 2323. The credentials never changed.

Mirai Knew About This

In 2016, the Mirai botnet didn't just scan port 23 — it scanned port 2323 too. Specifically, Mirai sent one port-2323 probe for every ten port-23 probes. The botnet authors knew that some fraction of vulnerable IoT devices had been "hidden" on the alternate port. They accounted for it.¹

When Mirai found an open port 2323 responding to Telnet, it tried the same list of 62 default credential pairs it used everywhere else. Factory defaults — admin/admin, root/root, root/vizxv, and dozens more. Mean time to compromise: under 10 minutes.²

The 2016 Mirai attacks took down Dyn DNS and with it large portions of the Internet. Port 2323 was one of the entry points.

Security Implications

If you have a device with port 2323 open, assume it's running Telnet with default credentials until proven otherwise. Telnet sends everything — including passwords — in plaintext. Anyone on your network path can read it.

What to do:

• Scan your network for open port 2323: nmap -p 2323 192.168.1.0/24
• If you find it open, check what's listening (see below)
• If it's Telnet on a home router or IoT device, change the credentials immediately or disable the service entirely
• Consider whether you need that device on your network at all

How to Check What's Listening on Port 2323

On Linux/macOS, to check your own machine:

# See if anything is listening on port 2323
ss -tlnp | grep 2323

# Or with lsof
lsof -i :2323

To scan another device on your network:

# Basic port check
nmap -p 2323 <ip-address>

# With service detection
nmap -sV -p 2323 <ip-address>

# Scan your whole local network
nmap -p 2323 192.168.1.0/24

If nmap shows port 2323 open on a device you didn't configure, that's worth investigating.

Why Unassigned Ports Matter

The port system works because most ports mean something agreed upon. When you connect to port 443, both sides know HTTPS is expected. When ports are used informally — by manufacturers hiding services, by applications picking numbers without registering them, by malware scanning for informal conventions — the agreed-upon meaning breaks down.

Port 2323 is a case study in what happens when manufacturers take shortcuts. "Nobody will scan that port" turned out to be spectacularly wrong.