Port 3119: D2000 Kernel — The SCADA Port with a Shadow

What Port 3119 Does

Port 3119 is registered with IANA under the service name d2000kernel — the kernel port for D2000, an industrial SCADA (Supervisory Control and Data Acquisition) platform built by IPESOFT.

SCADA systems are the software that runs industrial infrastructure: power grids, water treatment plants, manufacturing lines, pipelines. D2000 is one of the platforms used for this. Its kernel is the central server process — the piece everything else connects to. When D2000 clients (operator terminals, data loggers, protocol bridges) need to talk to the D2000 Server, port 3119 is the door they knock on.

It operates on both TCP and UDP.

The Range It Belongs To

Port 3119 falls in the registered port range: 1024–49151.

These ports are assigned by IANA upon request. Unlike the well-known ports below 1024 (which require root/admin privileges to bind on Unix systems and carry protocols everyone knows), registered ports are claimed by specific applications or vendors. IANA maintains the registry, but enforcement is weak — any process can listen on any of these ports regardless of the official assignment.

The Shadow: Delta Remote Access

Port 3119 appears in malware databases as a vector for Delta Remote Access, classified as Backdoor.Win32.DRA.c.

This is a remote access trojan that listens on port 3119 and uses a hardcoded password: go.

No elaborate exploitation. No zero-day. Just an open door with the world's least imaginative lock. If this trojan is running on a system, anyone who knows to connect to port 3119 and type go has remote access. The industrial context makes this grimly notable — a compromised SCADA-adjacent system is not a hypothetical risk.

This does not mean port 3119 is inherently malicious. Legitimate D2000 installations use it routinely. But unexpected activity on this port, especially outside of industrial environments, warrants investigation.

How to Check What's Listening

On Linux/macOS:

# Show what process is bound to port 3119
ss -tlnp | grep 3119

# Or with lsof
lsof -i :3119

On Windows:

netstat -ano | findstr :3119

Then match the PID to a process name in Task Manager, or:

tasklist /fi "PID eq <pid>"

If you find something listening on 3119 and you're not running D2000, that's worth understanding. If the process name is unfamiliar, check it.

Why This Port Exists in the Register

IANA's registered port list exists to reduce collisions. Without it, two applications wanting to use the same port number would conflict whenever they ran on the same machine, with no way for administrators to anticipate which port a given service expected. The registry is a coordination mechanism, not enforcement — but it means that when D2000 documentation says "connect to port 3119," every D2000 deployment expects the same port, and network administrators can write firewall rules that mean something.

For industrial systems in particular, stable, predictable port assignments matter. A SCADA kernel that used a random port would be a configuration nightmare across hundreds of field devices.