What’s listening on port 80? Probably a web server… right? What about 443? Gotta be HTTPS. Not always. Sometimes it's SSH. Or RDP. Or something way worse.
These aren’t hypotheticals. They’re real-world examples of protocol-port mismatches and risky services that security teams uncover with runZero.
In this post, we’re shining a light on the strange, surprising, and straight-up dangerous services hiding across your environment — and how you can use runZero to uncover them before attackers do.
Real-world examples of ports misbehaving
Before we dive into how and why this happens, let’s take a look at common examples we’ve seen in the wild. These are the kinds of misconfigurations and protocol mismatches that pop up in real environments more often than you’d expect. And yes, they’re exactly the kinds of things attackers love to exploit.
SSH on Port 80 or 443
Why it’s risky: Ports 80 and 443 are traditionally used for HTTP and HTTPS. Running SSH on these ports is often a deliberate choice to bypass firewall rules or evade detection. Many firewalls allow web traffic by default, so tunneling SSH through these ports is a tactic used by attackers or even well-meaning admins trying to work around strict network controls.
Real-world concern:
- This setup could indicate unauthorized remote access or shadow IT — a developer or insider enabling SSH access for convenience.
- It makes it harder for security tools to detect brute force attempts or unusual SSH usage, since those ports are usually not monitored for SSH behavior.
- Malware and backdoors have been known to leverage SSH over port 443 to create encrypted tunnels that blend in with regular HTTPS traffic.
RDP on Port 8080
Why it’s risky: Port 8080 is typically used for web proxy traffic or alternate HTTP services, not remote desktop connections. If RDP is running here, it’s likely either a misconfiguration or an intentional evasion tactic. Security teams and firewall rules often focus on the default RDP port (3389), so attackers or rogue insiders may shift RDP to an alternate port like 8080 to bypass detection or gain persistent access.
Real-world concern:
- Attackers actively scan for RDP on non-standard ports to find forgotten, exposed systems that aren’t being logged or monitored properly.
- Tools like Shodan or Censys can easily uncover exposed RDP, even when it’s masked on uncommon ports.
- RDP over 8080 may also go unnoticed in environments that whitelist web traffic, allowing brute force attacks, ransomware deployment, or lateral movement to go undetected.
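Both mismatches above (SSH on 80/443, RDP on 8080) can be caught by classifying a service from the bytes it returns instead of trusting the port number. The Python below is an added example, not runZero's code or part of the original post; the `EXPECTED` map, the function names, and the sample data are assumptions constructed for illustration.

```python
import re

# Conventional protocol per port, taken from the ports the article names.
EXPECTED = {22: "ssh", 80: "http", 443: "tls", 3389: "rdp", 8080: "http"}

def classify(first_bytes: bytes) -> str:
    """Name the protocol from the first bytes a service returned."""
    b = first_bytes
    if re.match(rb"SSH-\d\.\d+-", b):        # SSH identification string
        return "ssh"
    if re.match(rb"HTTP/\d\.\d \d{3}", b):   # HTTP status line
        return "http"
    # TLS record header: handshake (0x16) or alert (0x15), version 3.x
    if len(b) >= 3 and b[0] in (0x15, 0x16) and b[1] == 0x03 and b[2] <= 0x04:
        return "tls"
    # TPKT v3 header followed by an X.224 Connection Confirm (0xD0), which is
    # how an RDP server answers a connection request. Heuristic: other
    # ISO-on-TCP services use the same framing.
    if len(b) >= 6 and b[:2] == b"\x03\x00" and b[5] == 0xD0:
        return "rdp"
    return "unknown"

def find_mismatches(observations):
    """Return (host, port, expected, seen) where content contradicts the port."""
    findings = []
    for host, port, data in observations:
        seen, expected = classify(data), EXPECTED.get(port)
        if expected and seen != "unknown" and seen != expected:
            findings.append((host, port, expected, seen))
    return findings

# Constructed sample: (host, port, first bytes returned). Addresses are from
# the 192.0.2.0/24 documentation range; payloads are hand-built, not captures.
RDP_CC = bytes.fromhex("030000130ed000001234000201080002000000")
SAMPLE = [
    ("192.0.2.10", 80, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"),
    ("192.0.2.11", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.0.2.12", 443, b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56"),
    ("192.0.2.13", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.0.2.14", 8080, RDP_CC),
    ("192.0.2.15", 3389, RDP_CC),
]

if __name__ == "__main__":
    for host, port, expected, seen in find_mismatches(SAMPLE):
        print(f"{host}:{port} expected {expected}, found {seen}")
```

Services that return nothing recognizable are reported as `unknown` rather than flagged, so this only catches mismatches between the four protocols it knows.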
Why do vulnerability scanners miss this stuff?
Traditional vulnerability scanners only check for known vulnerabilities on known ports. When it comes to discovering services that are running on unexpected ports or unusual asset types, they often fall short. Here's why:
- Port-Based Assumptions: Most scanners only test services on their default ports (e.g., RDP on 3389 or SSH on 22). If a service is running on a non-standard or unexpected port, it often gets skipped or misidentified.
- Shallow Inspection: They rely on banner grabs or lightweight probes that can be spoofed or fail to identify the actual protocol.
- Credential Requirements: Vulnerability scanners often require credentials to detect deeper service context, which may not be available for all assets.
- Blind Spots: Many scanners ignore unmanaged, shadow IT, IoT, or OT devices entirely if they don’t have credentials or agents installed.
The result? Assets with risky services go undetected. Attackers love these blind spots.
runZero helps you find them.
How runZero finds weird and risky protocols
runZero’s purpose-built scan engine uses deep, multi-layer fingerprinting and unauthenticated discovery to:
- Identify services running on non-standard ports
- Detect protocols that don’t match the asset type
- Highlight devices exposing risky or legacy services
To dive a little deeper, let’s see the platform in action — and how it helps you zero in on these risks quickly and with precision.
Ready to catch misbehaving ports in your environment?
Sometimes the biggest risks aren't CVEs. They're misconfigurations hiding in plain sight. With runZero, you don't just scan ports. You understand what's really running, where it lives, and whether it belongs there — all from a single exposure management platform.