Port 31337 – ELITE (Elite/Back Orifice)

Service: elite

Protocol: TCP

Port: 31337

Used for: Elite hacker port / Back Orifice trojan (malicious)

Why It’s Open

Port 31337 (often read as “eleet” or “elite” in hacker culture) is the default port for Back Orifice, a notorious remote access trojan created by Cult of the Dead Cow in 1998. This port is also favored by various other malware families and is considered a strong indicator of system compromise.

Common Risks

  • System compromise
    Back Orifice provides complete administrative access
  • Stealth operations
    Malware designed to avoid detection
  • File system access
    Complete read/write access to all files
  • Network reconnaissance
    Use compromised system to map network
  • Registry manipulation
    Modify system settings and configurations
  • Credential harvesting
    Extract passwords and authentication tokens

Enumeration & Testing

Service Detection:

nmap -sU -sV -p 31337 <target>

Back Orifice Detection:

echo -en '\xce\x63\xd1\xd2\x16\xe7\x13\xd0\x10\x1f' | nc -u <target> 31337

Malware Scripts:

nmap --script malware -p 31337 <target>

What to Look For

Checkpoint | What it means
UDP response | Back Orifice typically uses UDP protocol
Encrypted communication | Back Orifice uses encryption to hide traffic
Magic packet response | Specific packet formats trigger Back Orifice
Process artifacts | Look for suspicious processes on the system
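
As an added example (not part of the original page), this shell function triages nmap grepable (`-oG`) output from the scans above for port 31337. It treats UDP `open|filtered` as inconclusive, because nmap reports that state when no reply arrives. The sample scan lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage nmap grepable (-oG) output for port 31337.
# Constructed sample in -oG format (documentation addresses, not real scan data).
sample_scan() {
cat <<'EOF'
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()	Status: Up
Host: 192.0.2.10 ()	Ports: 22/open/tcp//ssh///, 31337/open/tcp//Elite///
Host: 192.0.2.11 ()	Ports: 31337/open|filtered/udp//BackOrifice///
Host: 192.0.2.12 ()	Ports: 31337/closed/tcp//Elite///, 31337/open/udp//BackOrifice///
Host: 192.0.2.13 ()	Ports: 31337/filtered/tcp//Elite///	Ignored State: closed (999)
EOF
}

# triage_31337: read -oG lines on stdin, print "host proto state verdict".
triage_31337() {
  awk -v port=31337 '
    /^Host: / && /Ports: / {
      host = $2
      sub(/^.*Ports: /, "")                 # keep only the port list
      sub(/[ \t]+Ignored State:.*$/, "")    # drop the trailing summary field
      n = split($0, entries, /, */)
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")           # port/state/proto/owner/service/...
        if (f[1] != port) continue
        if (f[2] == "open") verdict = "INVESTIGATE"             # a reply was received
        else if (f[2] == "open|filtered") verdict = "INCONCLUSIVE"  # no reply at all
        else continue                       # closed or filtered: nothing listening seen
        print host, f[3], f[2], verdict
      }
    }'
}

sample_scan | triage_31337
```

Feed it real results with `nmap -sS -sU -p 31337 -oG - <target> | triage_31337`; hosts marked INVESTIGATE should be confirmed with a host-side check of which process owns the socket.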

Mitigation

  • Immediate containment
    Isolate suspected compromised systems
  • Deep malware scan
    Use multiple antivirus engines for detection
  • Network traffic analysis
    Monitor for Back Orifice communication patterns
  • Registry analysis
    Check for malware persistence mechanisms
  • Complete system rebuild
    Recommended for critical systems
  • Enhanced monitoring
    Implement behavioral analysis tools

TL;DR

  • Port 31337 = Back Orifice and other malware
  • Elite hacker port commonly used in attacks
  • High-confidence IOC for system compromise
  • Requires immediate response and forensic analysis

Known CVEs and Exploits

  • CVE-1999-0660 – Back Orifice trojan allows remote access to Windows systems
  • CVE-1999-0158 – Back Orifice allows unauthorized access and control
  • Back Orifice 2000 (BO2K) – Enhanced version with plugin architecture and encryption
  • SubSeven variants – Multiple trojan families using this port for C&C communication
  • Modern malware families – Contemporary trojans and RATs often use 31337 as tribute to hacker culture