
What Port 2023 Is

Port 2023 sits in the registered ports range (1024-49151). IANA has officially assigned it to a service called xinuexpansion3, one of a cluster of ports reserved for XINU, an educational operating system created at Purdue University by Douglas Comer in the 1980s.1

XINU stands for XINU Is Not Unix, a recursive acronym in the spirit of GNU. It was designed for teaching operating systems concepts, not production networking, and the "xinuexpansion" port family never gained adoption outside academic contexts. Port 2023 exists on IANA's registry, but there's no RFC behind it, no active software community using it, and no traffic you're likely to encounter for this purpose.2

The More Interesting History

While the official tenant never moved in, someone else did.

In the late 1990s, port 2023/TCP became associated with Ripper Pro (also known as HackCity Ripper Pro, BackDoor-AL, and Backdoor.Ripper), a remote access trojan that targeted Windows 95 and 98 machines.3 Ripper Pro functioned as a keylogger and password stealer, opening a backdoor on the victim's machine and listening on port 2023 for its operator.

By 1999, security researchers had documented it and it appeared on trojan port lists distributed across early security mailing lists.4 The threat is long obsolete, targeting operating systems that haven't run on new hardware for decades. But port 2023 still appears on legacy "bad ports" lists for this reason.

What This Means for You

If you see unexpected traffic on port 2023, the realistic explanations today are:

  • A developer chose it arbitrarily. Registered ports with no active services make convenient choices for internal tools and test servers.
  • An application configured it explicitly. Some software lets administrators specify custom ports; 2023 looks clean and memorable.
  • Something is misconfigured. Worth investigating.

The Ripper Pro scenario is not a realistic concern on any modern operating system.

How to Check What's Using It

On Linux or macOS:

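# Linux only (ss is not available on macOS): show what process is listening on TCP port 2023.
# The filter matches the port exactly, so port 12023 or a process with PID 2023 is not reported.
# Run with sudo to see processes owned by other users.
ss -tlnp 'sport = :2023'

# Or with lsof (Linux and macOS)
lsof -i :2023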

On Windows:

netstat -ano | findstr :2023

Then match the PID to a process in Task Manager or with tasklist | findstr <PID>.
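
On a Linux host or minimal container where ss, lsof and netstat are not installed, the same answer can be read directly from /proc. The following is an added example, not part of the original page; the sample table is constructed, and the function names are illustrative.

```python
"""Find TCP listeners on an exact port from /proc/net/tcp-format text (Linux)."""
import glob
import os

TCP_LISTEN = "0A"  # kernel state code for LISTEN as shown in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
# Ports are hex: 07E7 = 2023, 2EF7 = 12023, 0016 = 22. IPv4 addresses are hex too.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:07E7 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48211 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2EF7 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 51877 1 0000000000000000 100 0 0 10 0
   2: 0100007F:07E7 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 48377 1 0000000000000000 20 4 30 10 -1
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2023 1 0000000000000000 100 0 0 10 0
"""

def listeners(proc_net_text, port):
    """Return [(local_addr_hex, uid, inode)] for sockets in LISTEN on exactly `port`."""
    hits = []
    for line in proc_net_text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        addr, hex_port = f[1].rsplit(":", 1)
        # Compare the decoded port number, not text, so 12023 or inode 2023 never match.
        if f[3] == TCP_LISTEN and int(hex_port, 16) == port:
            hits.append((addr, int(f[7]), int(f[9])))
    return hits

def pids_for_inode(inode):
    """Map a socket inode to owning PIDs via /proc/<pid>/fd (root needed for other users)."""
    target = f"socket:[{inode}]"
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:                               # process exited or access denied
            continue
    return sorted(pids)

if __name__ == "__main__":
    print("sample:", listeners(SAMPLE, 2023))
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):  # live check, IPv4 then IPv6
        if os.path.exists(path):
            with open(path) as fh:
                for addr, uid, inode in listeners(fh.read(), 2023):
                    print(path, addr, "uid", uid, "pids", pids_for_inode(inode))
```

In the sample, only row 0 is reported: row 1 listens on 12023, row 2 is an established connection rather than a listener, and row 3 merely has inode 2023.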

Why Unassigned-in-Practice Ports Matter

The registered ports range contains thousands of entries like this: officially assigned names attached to projects that never took off, services that were deprecated, or expansions that were planned but never built. These ports aren't truly available, but they aren't actively used either.

They end up as unmarked territory. Developers pick them for internal services. Malware authors pick them because security tools won't flag them by default. The gap between "assigned by IANA" and "in active use" is wider than most people realize.

Port 2023 is a small case study in that gap.
