Port 3628

What Range This Port Belongs To

Port 3628 falls in the registered port range (1024–49151), also called User Ports by IANA. These ports are available for use by ordinary applications — unlike the well-known ports below 1024, they don't require elevated system privileges to bind. IANA maintains a registry of assignments within this range to prevent collisions between applications.

In practice, registration doesn't mean active use. Many registered ports are abandoned, deprecated, or were never widely deployed at all.

The Official Assignment: A Ghost

IANA assigned port 3628 to "ept-machine" (EPT Machine Interface) in October 2002, attributed to a Victor H. Farrace.[1]

That's where the paper trail ends. No RFC. No public specification. No open-source implementation. No vendor documentation. The assignment exists in the registry, but the protocol itself appears to have never shipped publicly. Port 3628 is what happens when someone registers a port for a product that never reached the world, or reached it without anyone noticing.

This is not unusual. The registered port range contains hundreds of these ghost registrations — placeholders from the early 2000s that were claimed and then quietly abandoned.

The Real History: Trend Micro ServerProtect

The more notable story of port 3628 involves Trend Micro's ServerProtect software. EarthAgent.exe, a daemon included with ServerProtect 5.58, bound to TCP port 3628 by default and exposed a DCE/RPC interface.

The daemon had a stack-based buffer overflow in its RPC handler. A remote, unauthenticated attacker could send a crafted RPC request and execute arbitrary code on the target machine — with LocalSystem privileges, because that's what Trend Micro's services ran as.[2]

This vulnerability appeared in Metasploit, Immunity Canvas, and Core Impact. Security Patch 2 (Build 1174) fixed it.

The irony: antivirus software running on a port most firewalls wouldn't think to block, exploitable by anyone who could reach it.

How to Check What's Listening on Port 3628

If you see traffic on this port and want to know what's using it:

On Linux/macOS:

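# Linux: show the process listening on TCP port 3628
# (ss is part of iproute2 and is not available on macOS; run as root to see other users' processes)
ss -tlnp sport = :3628

# Linux or macOS: the same check with lsof
lsof -i :3628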

On Windows:

netstat -ano | findstr :3628

Then look up the PID in Task Manager, or use:

tasklist /fi "PID eq <PID>"

If something unexpected is listening here, that's worth investigating.
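The `findstr :3628` filter above matches any line containing that text, including port 36280 and outbound connections to a remote port 3628. As an added example (not part of the original page), this Python code parses `netstat -ano` output and keeps only TCP sockets in the LISTENING state on exactly port 3628, noting whether each is bound beyond loopback; the sample output, PIDs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3628           0.0.0.0:0              LISTENING       2140
  TCP    127.0.0.1:36280        0.0.0.0:0              LISTENING       5012
  TCP    10.0.0.5:49733         10.0.0.9:3628          ESTABLISHED     4321
  TCP    [::]:3628              [::]:0                 LISTENING       2140
  UDP    0.0.0.0:3628           *:*                                    777
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def substring_matches(netstat_text, needle=":3628"):
    """Lines a plain substring filter (like findstr) would return."""
    return [l for l in netstat_text.splitlines() if needle in l]


def tcp_listeners(netstat_text, port=3628):
    """Return (local_addr, pid, reachable_remotely) for each TCP socket
    in LISTENING state whose local port is exactly `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; headers and UDP rows (no State) do not.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, local_port = split_endpoint(fields[1])
        if local_port != port:
            continue
        # Drop an IPv6 zone id (e.g. fe80::1%12) before parsing the address.
        ip = ipaddress.ip_address(addr.split("%")[0])
        found.append((addr, int(fields[4]), not ip.is_loopback))
    return found


if __name__ == "__main__":
    print(len(substring_matches(SAMPLE)), "lines match the substring filter")
    for addr, pid, exposed in tcp_listeners(SAMPLE):
        print(f"PID {pid} listening on {addr}:3628, remote-reachable bind: {exposed}")
```

A listener bound to `0.0.0.0` or `::` accepts connections on every interface, so its PID is the one to look up with `tasklist` and to check against host firewall rules.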

Why Unassigned (and Ghost-Assigned) Ports Matter

The registered port range is effectively a first-come, first-served namespace. IANA doesn't verify that applicants will actually build or deploy what they register. The result is a port namespace with significant gaps and ghosts — ports that exist on paper but nowhere else.

This matters for two reasons. First, firewall rules that assume "registered port = legitimate service" are making a bad assumption. Second, software that binds to obscure registered ports (like ServerProtect on 3628) may not get the scrutiny that well-known ports receive. Security review tends to follow familiarity.

Port 3628 is a small example of both problems.
