Discovered this when securing my VPS. No matter which host I scan with nmap, I always get these 2 ports open:

1863/tcp open  unknown
5190/tcp open  aol

What could be the reasons for this?

EDIT: I'm performing a simple nmap host.name scan on servers all over the world (say, habrahabr.ru obviously has only port 80 open). Concerning my VPS, netstat -tulpn shows there's nothing listening on those ports. Besides, iptables drops everything except for the 80 & ssh ports.


3 Answers


When you say "no matter which host I scan", are you scanning your own hosts or external servers? Could you include some sample nmap commands that you have run to get these results in your question, to make this clearer?

If all external hosts are showing these ports as open, then it is likely that your VPS provider is transparently redirecting those ports so connections to any external host from any of its VPS customers go to one of their servers (which has the ports open for logging). It is not uncommon for hosts to have "no IRC" and similar rules, and redirecting traffic on common ports for the banned protocols would be a good way to enforce such a rule (and log machines that try to use the protocols, such as those that have been broken into and joined to a botnet). Of course, it may also be something in your VM's configuration that is redirecting the traffic, but that is less likely (you'd know if you had done it, and I can't think of a reason why malicious code/people would want to tweak things that way behind your back).

If it is all your hosts/addresses that have the ports open, then it is a different kettle of fish, and Mark's suggestion of netstat -tap to see if there are specific processes on your machines actively listening on these ports is your next diagnostic step.

David Spillett
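The comparison the answer above suggests, as an added example that is not from the original posts: parse nmap's normal output for several unrelated targets and report the ports open on all of them, which points to something between the scanner and the targets rather than real services. Host names, addresses and the sample scan are constructed.

```python
import re
from collections import defaultdict

# Constructed nmap normal-format output for three unrelated hosts
# (documentation names/addresses); it mirrors the symptom in the question.
SAMPLE_SCAN = """\
Nmap scan report for host-a.example (192.0.2.10)
PORT     STATE SERVICE
80/tcp   open  http
1863/tcp open  unknown
5190/tcp open  aol

Nmap scan report for host-b.example (198.51.100.7)
PORT     STATE SERVICE
22/tcp   open  ssh
1863/tcp open  unknown
5190/tcp open  aol

Nmap scan report for host-c.example (203.0.113.25)
PORT     STATE SERVICE
25/tcp   open  smtp
443/tcp  open  https
1863/tcp open  unknown
5190/tcp open  aol
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s")  # skips open|filtered

def open_ports_by_host(nmap_text):
    """Map each scanned host to the set of (port, proto) reported open."""
    result, host = defaultdict(set), None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            result[host]  # register the host even if nothing is open
            continue
        m = PORT_RE.match(line)
        if m and host:
            result[host].add((int(m.group(1)), m.group(2)))
    return dict(result)

def ports_open_everywhere(by_host, min_hosts=3):
    """Ports open on every host; too few targets proves nothing."""
    if not by_host or len(by_host) < min_hosts:
        return set()
    return set.intersection(*by_host.values())

if __name__ == "__main__":
    for port, proto in sorted(ports_open_everywhere(open_ports_by_host(SAMPLE_SCAN))):
        print(f"{port}/{proto} open on every target: suspect redirection upstream")
```

Running the same scan list from a second network and getting a different result is what separates provider-side redirection from services on the targets themselves.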

Edit: Misread your original question, but still this might diagnose if there is something going on at your end.

On the server run

sudo netstat -tap

That should tell you what programs are listening on those ports.

Mark Davidson

A little trick I learned is to use lsof to figure out what binary has a port open. If netstat -tap doesn't help, try this:

lsof -i tcp:1863
lsof -i tcp:5190

Make sure the lsof package is installed if you get a 'command not found' error. My only other thought is that sometimes firewalls have port scanning detection; they may open random ports so that if someone hits them while doing a scan, it can detect that port scan. Nothing really uses them; they are just used for that purpose.

Dave Drager