Port 2400: OpEquus — The Ghost Assignment

What Port 2400 Is

Port 2400 sits in the registered port range (1024–49151). These ports are registered with IANA — the Internet Assigned Numbers Authority — but registration doesn't mean active, widespread use. IANA lists port 2400 as assigned to OpEquus Server, a service with almost no public documentation and no apparent modern presence. For practical purposes, this port behaves like an unassigned port.¹

The Registered Range and What It Means

The registered range runs from port 1024 to 49151. Unlike the well-known ports (0–1023) — where HTTP lives at 80, HTTPS at 443, SSH at 22 — the registered range is vast and loosely governed. Applications can register a port with IANA to stake a claim, but there's no enforcement. Other software can and does use the same port. The registration is a courtesy flag, not a lock.

Port 2400's OpEquus assignment is a textbook example of this. Someone registered it. Nobody uses it for that purpose. The port moved on without them.

Observed Unofficial Uses

Gaming. Several games have used port 2400 informally, including Battlecom and Homeworld 2, along with various titles in the Age of Empires and Flight Simulator families. These games bind to whatever ports they need; they don't check IANA first.²

The Portd trojan. Security databases flag TCP port 2400 as a known vector for the Portd trojan. If you see unexpected listening activity on this port on a system that shouldn't be running games or any known service, that's worth investigating.³

Novell ZENworks. This is the most documented story around port 2400. Novell ZENworks Handheld Management 7.0 ran a service (ZfHIPCND.exe) on TCP port 2400. In 2010 and 2011, researchers found heap-based and stack-based buffer overflow vulnerabilities in that service — CVE-2010-4299 and CVE-2011-0742 — that allowed remote attackers to execute arbitrary code by sending a single crafted packet to the port. No authentication required. Just connect and exploit.⁴⁵

That vulnerability is patched now, but SANS ISC still observes ongoing scanning activity targeting port 2400, likely probing for unpatched legacy systems.⁶

How to Check What's Listening

If port 2400 is open on a system you manage, identify what's using it:

Linux/macOS:

# Show the process listening on port 2400
sudo ss -tlnp | grep 2400
# or
sudo lsof -i :2400

Windows:

netstat -ano | findstr :2400
# Then look up the PID in Task Manager, or:
tasklist | findstr <PID>

If nothing you recognize is listening there, treat it as suspicious until proven otherwise.

Why Unassigned-in-Practice Ports Matter

Ports like 2400 reveal something real about how the Internet actually works versus how it's documented. IANA's registry is authoritative but not authoritative. Services appear and disappear. Games pick ports informally. Malware picks them opportunistically. Vulnerabilities attach to obscure services nobody is watching.

The registered range is mostly organized silence — 48,000 ports, most of them dark, waiting for something to start listening.