Port 12345 – NETBUS (NetBus Trojan)

Service: netbus

Protocol: TCP

Port: 12345

Used for: NetBus remote access trojan (malicious)

Why It’s Open

Port 12345 is notoriously associated with the NetBus trojan, one of the most well-known remote access trojans (RATs) from the late 1990s. If this port is open, it typically indicates either a compromised system or legitimate software using this port number. NetBus allows complete remote control of infected systems.

Common Risks

  • Malware infection
    System likely compromised by NetBus or similar trojan
  • Complete system control
    Remote attacker can execute any commands
  • Data theft
    Files, passwords, and sensitive data can be stolen
  • Keylogger deployment
    Capture all user input including credentials
  • Network propagation
    Use infected system to attack other network hosts
  • Backdoor persistence
    Maintains long-term unauthorized access


Enumeration & Testing

Service Detection:

nmap -sV -p 12345 <target>

NetBus Detection:

nc <target> 12345

Malware Script Detection:

nmap --script malware -p 12345 <target>

What to Look For

| Checkpoint | What it means |
| --- | --- |
| Port response | Any response indicates potential compromise |
| NetBus banner | Confirms NetBus trojan presence |
| Command interface | Interactive shell indicates active infection |
| Version information | Helps identify specific malware variant |
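
A triage helper for the checkpoints in the table above, added here as an example and not taken from the original page or any tool it mentions. It assumes a NetBus 1.x listener greets with ASCII text such as "NetBus 1.70"; the function names and the sample banners are constructed for illustration.

```python
import re
import socket

# Assumption: a NetBus 1.x listener greets with ASCII text such as "NetBus 1.70".
BANNER_RE = re.compile(rb"NetBus\s+(\d+\.\d+)", re.IGNORECASE)


def classify(banner):
    """Map one probe result to a checkpoint from the table.

    banner is None when no TCP connection could be made, b"" when the port
    accepted the connection but sent nothing, otherwise the bytes received.
    """
    if banner is None:
        return ("no-connection", None)
    match = BANNER_RE.search(banner)
    if match:
        # Banner plus version: the two strongest checkpoints in the table.
        return ("netbus-banner", match.group(1).decode("ascii"))
    if banner:
        # Something else answers on 12345; identify it before drawing conclusions.
        return ("open-unknown-banner", None)
    return ("open-no-banner", None)


def grab_banner(host, port=12345, timeout=3.0):
    """Connect, read at most 128 bytes and send nothing to the service."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None  # refused, filtered or unreachable
    with sock:
        try:
            return sock.recv(128)
        except OSError:
            return b""  # connected, but no banner arrived (timeout or reset)


def triage(hosts, port=12345):
    """Return {host: (status, version)} for every host in the list."""
    return {host: classify(grab_banner(host, port)) for host in hosts}


if __name__ == "__main__":
    # Constructed sample banners, not captured traffic.
    for sample in (None, b"", b"NetBus 1.70 \r", b"SSH-2.0-OpenSSH_9.6\r\n"):
        print(repr(sample), "->", classify(sample))
```

The probe only reads; it never writes to the listener, so it does not interact with a command interface if one is present.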

Mitigation

  • Immediate isolation
    Disconnect infected system from network
  • Malware removal
    Use updated antivirus to clean infection
  • System reimaging
    Complete OS reinstall for critical systems
  • Network monitoring
    Monitor for outbound connections on port 12345
  • Firewall rules
    Block port 12345 in firewall configurations
  • Endpoint protection
    Deploy advanced endpoint detection solutions

TL;DR

  • Port 12345 = NetBus trojan default port
  • Immediate security concern if detected on network
  • Complete system compromise likely if service responds
  • Requires immediate incident response and system isolation

Known CVEs and Exploits

  • CVE-1999-0660 – NetBus trojan allows remote access to Windows systems
  • NetBus 1.x/2.x Remote Access Trojan – Complete remote system control and data exfiltration capabilities
  • Multiple NetBus variants – NetBus Pro, NetBus Haxdoor, and other derivatives with enhanced stealth