Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please contact us. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 8871 udp games not scanned Armies of Exigo
 8872 tcp,udp games not scanned Warhammer: Mark of Chaos
 8875 tcp,udp applications not scanned Napster
 8879 tcp trojans Premium scan BackOrifice 2000 [Symantec-2000-121814-5417-99], Hack Office Armageddon
 8880 tcp unifi not scanned Plesk uses port 8880 for http and 8443 for https

Ubiquiti UniFi Controller uses these ports:
8080 tcp - http port for UAP to inform controller
8443 tcp - https port for controller GUI/API
8880 tcp - http portal redirect port (may also use ports 8881, 8882)
8843 tcp - https portal redirect port
3478 udp - STUN port (should be open at firewall)

WebSphere Application Server SOAP connector default
Win Media Streamer to Server SOAP connector default

CDDBP (IANA official) (TCP/UDP)
 8881 tcp worm Members scan Atlasz Informatics Research Ltd Secure Application Server
Netflexity Inc QFlex - IBM WebSphere MQ monitoring software

W32.Mytob.IK@mm [Symantec-2005-072915-5351-99] (2005.07.29) - a mass-mailing worm that uses its own SMTP engine, opens a backdoor, and lowers security settings on the compromised computer. Listens for remote commands on port 8881/tcp.

Galaxy4D Online Game Engine [Galaxy4D] (IANA official)
 8882 tcp applications not scanned Atlasz Informatics Research Ltd Secure Application Server
 8883 tcp mqtt Premium scan Hatch+ Gen. 2 Noise Machine
LG appliances
NTI Boiler Communication for NTI Net
Plum.pl connection to cloud of heating drivers
Roborock WiFi bridge
TineCo S5
XiaoMi camera live stream port for Android Mi Home App

ESET Kernel Service (ekrn.exe) uses port 8883/TCP for push notifications to epns.eset.com

Ubiquiti UniFi Cloud Access uses these ports:
443 TCP/UDP - Cloud Access service
3478/UDP - port used for STUN
8883/TCP - Cloud Access service



IANA registered for: MQTT (Message Queuing Telemetry Transport Protocol) over TLS. Also uses port 1883.
 8885 tcp trojans Members scan W32.Reatle.mm@mm [Symantec-2005-071510-0336-99] (2005.07.15) - mass-mailing worm that exploits the MS Windows LSASS Buffer Overrun Vulnerability ([MS04-011]) on TCP port 445. Opens a backdoor by running an FTP server on port 8885/tcp. Also attempts to perform a denial of service attack against www.symantec.com by targeting port 1052/tcp with randomly generated packets.

W32.Reatle.C@mm [Symantec-2005-071521-3122-99] (2005.07.15) - another variant of the above mass-mailing worm. Opens a backdoor on port 8885/tcp and attempts to perform a denial of service attack against www.symantec.com on port 1052/tcp.
 8886 tcp applications not scanned PPM3 (Padtec Management Protocol version 3)

Integer signedness error in ovspmd.exe in HP OpenView Network Node Manager (OV NNM) 8.01, and 7.53 and earlier, allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a long request to TCP port 8886 that begins with a certain negative integer, which passes a signed comparison and triggers a heap-based buffer overflow.
References: [CVE-2008-1842] [BID-28689] [SECUNIA-29713]
 8887 tcp,udp applications not scanned I2P, HyperVM HTTP (TCP)

Red-M 1050 (Bluetooth Access Point) publicizes its name, IP address, and other information in UDP packets to a broadcast address, which allows any system on the network to obtain potentially sensitive information about the Access Point device by monitoring UDP port 8887.
References: [CVE-2002-0397]
 8888 tcp althttpd Members scan Used by some applications as an alt http port.

Applications using this port:
AirDroid
Freenet nodes
FortiNet's enterprise UTM client software
MAMP on macOS default Apache port
GNUmp3d HTTP music streaming and Web interface
LoLo Catcher HTTP web interface (www.optiform.com)
SimpleCam v2.0
Sun Answerbook HTTP server
Winpower Manager for UPS (internal server)
HyperVM HTTPS
D2GS Admin Console Telnet administration console for D2GS servers (Diablo 2)
Earthland Realms 2 Server (AU1_2)
NewsEDGE server (IANA official)

Games using port 8888:
Evil Islands
Heroes of Might and Magic 5
Splinter Cell (Chaos Theory, Double Agent, Pandora Tomorrow)
Ultima Online


Vulnerabilities/Malware:
Napster
W32.Axatak
Dark IRC (trojan)
W32.Axatak [Symantec-2002-082217-5638-99] - password stealing virus with remote access trojan capabilities. Affects all current Windows versions, uses ports 8888 and 8889.

Autodesk VRED Professional 2014 contains an unauthenticated remote code execution vulnerability. Autodesk VRED Professional 2014 contains an integrated web server that binds to port tcp/8888 which is accessible remotely. It has been reported that this web server gives access to a Python API which provides users with a vast amount of libraries which could allow an attacker to execute operating system commands. Through this API, Python code can be executed on the target system, the output is returned in the web server response. By importing the Python "os" library, arbitrary operating system commands can be executed on the target system with the privileges of the user running VRED Professional 2014.
References: [CVE-2014-2967]

An issue was discovered in CloudMe 1.11.0. An unauthenticated local attacker that can connect to the "CloudMe Sync" client application listening on 127.0.0.1 port 8888 can send a malicious payload causing a buffer overflow condition. This will result in code execution, as demonstrated by a TCP reverse shell, or a crash. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-6892.
References: [CVE-2018-7886], [EDB-44470]

A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888.
References: [CVE-2019-7678]

XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888.
References: [CVE-2019-7677]

A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can log in via TCP port 8888 with the admin password for the admin account.
References: [CVE-2019-7676]
 8888 udp fortiguard not scanned Fortinet FortiGuard uses the following ports (in addition to standard ports 53, 80, 443):
514/TCP - FortiAP-S syslog
541/TCP - management, analysis
1000/TCP, 1003/TCP - policy override keepalive
5246/UDP - FortiAP-S event logs
8001/TCP - FSSO
8008/TCP, 8010/TCP - policy override authentication
8888/UDP - alternate DNS, web filtering servers
8890/TCP - AV/IPS updates, management, firmware, FortiGuard distribution servers
9443/UDP - AV/IPS
9582/TCP - Cloud App DB (flow.fortinet.net)
 8889 tcp Premium scan Siemens Polarion ALM, NeterraProxy (Neterra IPTV Proxy), MAMP Server, Earthland Realms 2 Server (AU1_1)

Games using this port: Command & Conquer Theater of War, Blitzkrieg (TCP/UDP)

W32.Axatak [Symantec-2002-082217-5638-99] - password stealing virus with remote access trojan capabilities. Affects all current Windows versions, uses ports 8888 and 8889.

3Com NBX V3000 could allow a remote attacker to gain unauthorized access to the device using an open port. Port 8889 is open by default and provides access to the VxWorks WDB debug service (wdbrpc). An attacker could connect to this port to obtain sensitive information.
References: [XFDB-84786]

Google Chrome OS could allow a local attacker to execute arbitrary commands on the system, caused by improper access control in the garcon service control. By sending specially-crafted arguments to TCP port 8889, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
References: [XFDB-149836], [EDB-45407]


ddi-tcp-1 NewsEDGE server (IANA official)
 8890 tcp sdap not scanned Sendmail Switch SDAP protocol listens on ports 8890 and 9000 TCP.

Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)

Test Drive Unlimited [game]
Desktop Data TCP 2
 8891 tcp idsd not scanned Apple Final Cut Server
Desktop Data TCP 3: NESS application
opendkim default port (may also use ports 12345,54321)
 8892 tcp citrix not scanned Citrix XenServer clustering uses these ports: 5404, 5405 UDP, and 8892, 21064 TCP

IANA registered for: Desktop Data 4: FARM product
 8897 tcp trojan Premium scan HackOffice, Armageddon trojans
 8899 tcp qnap Members scan QNAP NAS - Real-time Remote Replication Server (RTRR Server) runs a service on port 8899 by default. QNAP NAS uses the following ports:
Web server: 80,8081 TCP and 443,8080 TCP (web admin)
FTP/SFTP/SSH: 20,21,22 TCP and 13131 TCP (telnet)
Remote Replication: 873,8899 TCP
VPN server: 1723 TCP (PPTP), 1194 UDP (OpenVPN)
CloudLink: port 20001 UDP (optional, only required for access without manual port forwarding)


An unspecified vulnerability allows sending crafted client requests to OracleVM ovs-agent over 8899/TCP that could result in command injection with root privileges on the system.
References: [XFDB-62482]

Network port 8899 is open in the WiFi firmware of BCC101/BCC102/BCC50 products, which allows an attacker to connect to the device via the same WiFi network.
References: [CVE-2023-49722]

Malware that uses this port: Last trojan
ospf-lite (IANA official)
 8899 udp malware not scanned Backdoor.Win32.Singu.a / Remote Stack Buffer Overflow (UDP Datagram) - the malware listens on UDP ports 2211 and 8899. Third-party attackers who can reach an infected host can send a specially crafted UDP packet to port 8899, triggering a classic buffer overflow overwriting ECX and EIP registers.
References: [MVID-2021-0221]
 8900 tcp trojans Premium scan W32.Mytob.EV@mm [Symantec-2005-061516-2055-99] (2005.06.15) - mass mailing worm that uses its own SMTP engine. Opens a backdoor and listens for remote commands via IRC on port 8900/tcp.
 8908 tcp dpp not scanned IANA registered for: WFA Device Provisioning Protocol
 8910 tcp trojan not scanned W32.IRCBot.BPP [Symantec-2007-030713-4246-99] (2007.03.07) - a Trojan horse that opens a back door to a remote IRC server and creates a spam email relay.

Port is also IANA registered for manyone-http
 8937 tcp twds not scanned Transaction Warehouse Data Service
 8953 tcp ub-dns-control not scanned Unbound dns nameserver control [NLnet Labs Support] (IANA official)

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.
References: [CVE-2024-1488]
 8961 tcp trojans not scanned Backdoor.Peers [Symantec-2003-050514-4221-99] (2003.05.05) - a backdoor trojan horse that gives a hacker remote access to your computer.
 8976 tcp applications not scanned HP Operations Agent for NonStop is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ELinkService process. By sending a specially-crafted HEALTH packet to TCP port 7771 or 8976, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-77930], [BID-55161], [OSVDB-84854]
 8980 tcp,udp nod-provider not scanned Network of Devices Provider (IANA official)
 8981 udp nod-client not scanned Network of Devices Client (IANA official)
 8983 tcp applications not scanned IANA registered for: Apache Solr 1.4
 8988 tcp trojan Premium scan BackHack trojan
 8989 tcp trojan Premium scan Rcon (Recon), Xcon trojans
 8997 tcp rainmachine not scanned Rainmachine smart sprinkler control mobile app uses port 8997 to send verification emails.

IANA registered for: Oracle Messaging Server Event Notification Service
 8998 tcp canto-roboflow not scanned I2P Monotone Repository

Canto RoboFlow Control - a software that enables an organization to automate sophisticated, multi-step digital asset processes (IANA official)
 9000 tcp trojans Members scan Buffalo LinkSystem Web access (unofficial), DBGp, SqueezeCenter web server & streaming, Play! Framework web server
Cisco WebEx
ManageEngine AssetExplorer (IT asset management software) uses port 9000 TCP by default
MIS Comunicator Sysdev MSS (Mobile Sales System) default port
SonarQube Web Server uses port 9000
Emidate

Games that use this port:
EverQuest World server
Dungeons & Dragons Online uses ports 9000-9010 (TCP/UDP)
Lord of the Rings Online uses ports 9000-9010

W32.Randex.CZZ [Symantec-2005-031510-5713-99] (2005.03.15) - network aware worm that attempts to connect to an IRC server on port 9000/tcp for remote instructions.
W32.Mytob.GK@mm [Symantec-2005-062814-3052-99] (2005.06.28) - mass-mailing worm that opens a backdoor on port 9000/tcp.
Netministrator trojan uses port 9000.

Gordano NTMail 6.0.3c allows a remote attacker to create a denial of service via a long (>= 255 characters) URL request to port 8000 or port 9000.
References: [CVE-2001-0585] [BID-2494]

Multiple KWORLD products could allow a remote attacker to bypass security restrictions, caused by the failure to validate communications on port 9000. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
References: [XFDB-101454]

Zhuhai RaySharp firmware has a hardcoded root password, which makes it easier for remote attackers to obtain access via a session on TCP port 23 or 9000.
References: [CVE-2015-8286]

Astoria ARV7510 could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104630]

Huawei HG553 could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104618]

Observa Telecom VH4032N could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104554]

Huawei HG556a could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104624]

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. They expose an FTP server that serves by default on port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this, a remote unauthenticated attacker could execute arbitrary PHP code by uploading any file in the web root directory and then accessing it via a request.
References: [CVE-2018-17440], [EDB-45533]

WonderCMS is vulnerable to SSRF. In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS. The theme/plugin installer does not sanitize the destination of the github/gitlab URL, so an attacker can point the destination to localhost. When the attacker points the request to localhost, this leads to an SSRF vulnerability. The highest impact leads to RCE with the gopher scheme and FastCGI running on port 9000.
References: [EDB-49154]

Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified, which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the Manage Engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never freed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (i.e. NEWSCAN, DELTASCAN, etc.) is converted to a unicode string, but is never freed. These memory leaks allow a remote attacker to exploit a Denial of Service scenario by repetitively sending these commands to an agent and eventually crashing the agent due to an out-of-memory condition.
References: [CVE-2021-20108]

Otris Update Manager 1.2.1.0 allows local users to achieve SYSTEM access via unauthenticated calls to exposed interfaces over a .NET named pipe. A remote attack may be possible as well, by leveraging WsHTTPBinding for HTTP traffic on TCP port 9000.
References: [CVE-2021-40376]

Trojan.Win32.Delf.bna / Information Disclosure - the malware listens on TCP port 9000 and has the option to set a password in "Config.ini". Third party attackers who can reach an infected system can view the password in the response, as the malware leaks it upon connecting.
References: [MVID-2021-0385]

Missing Authentication for Critical Function in SICK FX0-GENT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on TCP port 9000.
References: [CVE-2023-23452], [CVE-2023-23453], [XFDB-248005], [XFDB-248006]
 9000 udp games not scanned Asheron's Call
Zmodo DK4001, UDPCast
 9001 tcp,udp games not scanned Citrix HTML5 video redirection WebSocketService listens on port 9001 TCP.

Microsoft SharePoint authoring environment, Cisco-xremote router configuration, Tor network default, DBGp (TCP), Emidate, HSQLDB default port (TCP).

Games using this port: Asheron's Call uses port 9001 UDP.

Buffer overflow in the lm_tcp service in Invensys Wonderware InBatch 8.1 and 9.0, as used in Invensys Foxboro I/A Series Batch 8.1 and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted request to port 9001.
References: [CVE-2010-4557], [EDB-15707]

ETL Service Manager (IANA official)
 9002 tcp,udp dynamid Premium scan Newforma Server comms, Emidate (TCP)

Multiple unspecified vulnerabilities in Cisco Unified Service Monitor before 8.6, as used in Unified Operations Manager before 8.6 and CiscoWorks LAN Management Solution 3.x and 4.x before 4.1; and multiple EMC Ionix products including Application Connectivity Monitor (Ionix ACM) 2.3 and earlier, Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) 3.2.0.2 and earlier, IP Management Suite (Ionix IP) 8.1.1.1 and earlier, and other Ionix products; allow remote attackers to execute arbitrary code via crafted packets to TCP port 9002, aka Bug IDs CSCtn42961 and CSCtn64922, related to a buffer overflow.
References: [CVE-2011-2738] [BID-49644] [BID-49627] [OSVDB-75442] [SECUNIA-46053]

DynamID authentication (IANA official)
 9003 tcp,udp applications not scanned Xdebug default client port

Hasselblad CFV II 50 C (digital back for V system cameras) opens port 9003 in WiFi mode.

Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
References: [CVE-2019-3906], [BID-106552]

Backdoor.Win32.FTP.Lana.01.d / Weak Hardcoded Credentials - the malware listens on TCP port 9003. The credentials "admin" and "secret" are weak and stored in plaintext with the executable.
References: [MVID-2022-0539]

Backdoor.Win32.FTP.Lana.01.d / Port Bounce Scan - the malware listens on TCP port 9003. Third-party intruders who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse the infected system and discreetly conduct network port scanning. The scans then appear to originate from the infected system running the malware's FTP server rather than from the actual scanning host.
References: [MVID-2022-0540]
 9004 udp games not scanned Asheron's Call
 9004 tcp applications not scanned Citrix NetScaler appliance uses port 9004 TCP for RFS and Thales HSM

Cisco Unified Communications Manager (CUCM) 8.6 before 8.6(2a)su2, 8.6 BE3k before 8.6(4) BE3k, and 9.x before 9.0(1) allows remote attackers to cause a denial of service (CPU consumption and GUI and voice outages) via malformed packets to unused UDP ports, aka Bug ID CSCtx43337.
References: [CVE-2013-1133] [CVE-2013-1134] [SECUNIA-52408]
 9005 udp games not scanned Asheron's Call

Golem Inter-System RPC (IANA official)
 9006 tcp,udp applications not scanned Tomcat Standalone, JBOSS (J2EE)
 9008 udp games not scanned Asheron's Call
 9008 tcp applications not scanned Zerto VRA encrypted communications listener

Open Grid Services Server (IANA official)
 9009 tcp,udp pichat not scanned Pichat Server - Peer to peer chat software (IANA official)
 9010 tcp applications Members scan Applications that use this port: JetCast, TISERVICEMANAGEMENT Numara Track-It!
Dungeons & Dragons Online uses ports 9000-9010
Lord of the Rings Online uses ports 9000-9010

Ghidra - open source reverse engineering suite of tools developed by the NSA, uses the following ports: 13100 TCP - default server port, 9010 TCP - optional jvisualvm port (dcom sun management jmxremote), 18200 TCP - optional java debug port.

Backdoor.Tumag [Symantec-2004-032112-1138-99] (2004.03.21) - allows unauthorized remote access to an infected computer. By default, the backdoor listens on TCP port 9010.

BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService.
References: [CVE-2014-4872]

BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.
References: [CVE-2016-6599]

BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.
References: [CVE-2016-6598]

Secure Data Replicator Protocol (IANA official)
 9011 udp d-star not scanned IANA registered for: D-Star Routing digital voice+data for amateur radio
 9012 udp games not scanned Asheron's Call
 9013 udp games not scanned Asheron's Call
 9020 udp surfcontrol not scanned Juniper Networks SurfControl URL Filtering

Sony PlayStation could allow a local attacker to execute arbitrary code on the system, caused by an error in the kernel loader. By sending a specially crafted payload to port 9020, an attacker could exploit this vulnerability to execute arbitrary code on the system.
References: [XFDB-136997]
 9020 tcp tambora not scanned WiT WiT Services

TAMBORA (TCP/UDP) (IANA official)
 9021 tcp applications not scanned cgi/surgeftpmgr.cgi (aka the Web Manager interface on TCP port 7021 or 9021) in NetWin SurgeFTP version 23f2 has XSS via the classid, domainid, or username parameter.
References: [CVE-2017-17933]
 9025 udp netflow not scanned Sometimes used by Cisco NetFlow (usually on port 2055/udp)

Secure Web Access (IANA official)
 9025 tcp applications not scanned WiT WiT Services
 9030 tcp trojans Members scan Often used by Tor

W32.Beagle.BY@mm [Symantec-2005-080411-1425-99] (2005.08.04) - a mass-mailing worm that uses its own SMTP engine. It opens a backdoor on the compromised computer and listens for remote commands on port 9030/tcp.
 9034 tcp,udp applications not scanned The udpserver in H3C Magic R100 V200R004 and V100R005 has the 9034 port opened, allowing attackers to execute arbitrary commands.
References: [CVE-2022-34598]
 9035 tcp trojans Members scan Citrix admin workstation connects to EdgeSightAgent using port 9035 TCP to access real-time data.

W32.Beagle.CK@mm [Symantec-2005-100615-0020-99] (2005.10.06) - a mass-mailing worm with backdoor capabilities. Uses its own SMTP engine, stops some anti-virus and security related processes. Opens a backdoor and listens for remote commands on port 9035/tcp.

Port also used by W32.Beagle.CL@mm [Symantec-2005-100711-5834-99] (2005.10.07)

Constructor.Win32.SS.11.c / Unauthenticated Open Proxy - the malware listens on TCP port 9035. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0311]
 9040 tcp trojans Premium scan Trojan.Mitglieder.R [Symantec-2005-070117-2559-99] (2005.07.01) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp.
 9042 tcp applications not scanned Apache Cassandra native protocol clients
 9043 tcp applications not scanned WebSphere Application Server Administration Console secure

Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.0 allows remote attackers to cause a denial of service (CPU consumption and monitoring outage) via malformed TLS messages to TCP port (1) 9043 or (2) 9443, aka Bug ID CSCuc07155.
References: [CVE-2013-1135]
 9050 tcp versiera not scanned Tor

Versiera Agent Listener (IANA official)
 9051 tcp fio-cmgmt not scanned Tor

Tor before 0.1.2.16, when ControlPort is enabled, does not properly restrict commands to localhost port 9051, which allows remote attackers to modify the torrc configuration file, compromise anonymity, and have other unspecified impact via HTTP POST data containing commands without valid authentication, as demonstrated by an HTML form (1) hosted on a web site or (2) injected by a Tor exit node.
References: [CVE-2007-4174] [BID-25188] [SECUNIA-26301] [OSVDB-36271]

Fusion-io Central Manager Service (IANA official)
 9060 tcp CardWeb-IO not scanned WebSphere Application Server Administration Console

CardWeb request-response I/O exchange (IANA official)
 9060 udp CardWeb-RT not scanned CardWeb realtime device data (IANA official)
 9075 tcp applications not scanned A vulnerability in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode that are running Cisco NX-OS Software could allow an unauthenticated, remote attacker to create, delete, or overwrite arbitrary files with root privileges on the device. This vulnerability exists because TCP port 9075 is incorrectly configured to listen and respond to external connection requests. An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075. A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration. For example, the attacker could add a user account without the device administrator knowing.
References: [CVE-2021-1361]
 9078 tcp apps not scanned Ring Doorbell uses TCP ports 80, 443, 5228, 15064. In addition, it may use a random UDP port, and outbound TCP ports 7078, 9078, 9998, 9999, 15063
 9080 tcp,udp applications not scanned Dogtag Certificate System authority uses port 9080 (ca) and port 9443 (secure ca) by default.
Dogtag Certificate PKI Subsystems may also use:
DRM - ports 10080 (drm) and 10443 (drm secure)
OCSP - ports 11080 (ocsp) and 11443 (ocsp secure)
RA - ports 12888 (ra) and 12889 (ra secure)
TKS - ports 13080 (tks) and 13443 (tks secure)
TPS - ports (tps) 7888 and 7889 (tps secure)

ToutVirtual VirtualIQ Pro 3.2 build 7882 does not restrict access to the /status URI on port 9080, which allows remote attackers to obtain sensitive Tomcat information via a direct request.
References: [CVE-2009-4844]

LG SuperSign CMS allows TVs to be rebooted remotely without authentication via a direct HTTP request to /qsr_server/device/reboot on port 9080.
References: [CVE-2018-16706]

WebSphere Application Server HTTP Transport (port 1) default

Groove Collaboration Software GLRPC (IANA official)
 9081 tcp applications not scanned IBM License Metric Tool ports
1433 TCP - SQL server connection
9081 TCP - HTTPS web browser connections to server
50000 TCP - DB2 server connection
52311 TCP - BigFix clients and console connect to the server

Port also used by IBM WebSphere Portal
 9082 sctp lcs-ap not scanned LCS Application Protocol
 9083 tcp emc-pp-mgmtsvc not scanned EMC PowerPath Mgmt Service
 9084 tcp,udp,sctp aurora not scanned vSphere Client Update Manager (VUM) uses port 9084/TCP
PC-Telephone Webphone
IBM AURORA Performance Visualizer (IANA official)
 9087 tcp,udp applications not scanned The vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. A malicious actor with network access to port 9087 on vCenter Server may exploit this issue to delete non critical files.
References: [CVE-2021-22018]
 9089 tcp,udp games not scanned Blitzkrieg, developer: Nival Interactive
 9090 tcp servers Members scan Cherokee Web Server Admin Panel, Aphex Remote Packet Sniffer, SqueezeCenter control (CLI), Webwasher, Secure Web, McAfee Web Gateway - Default Proxy Port, Openfire Administration Console

Linux browser-based server administration platform (Cockpit Fedora, Arch Linux, CentOS, RHEL) - listens on port 9090 tcp by default (both HTTP and HTTPS connections).

Symantec Endpoint Protection Manager (SEPM) uses this port for initial HTTP communication between a remote management console and the SEPM to display the login screen.

Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations

RTSP proxy for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service via a GET request to port 9090 followed by a series of carriage returns, which causes proxy.nlm to ABEND.
References: [CVE-2002-0781]

Multiple HP Intelligent Management Center products could allow a remote attacker to execute arbitrary code on the system, caused by an error in the iNOdeMngChecker.exe component. An attacker could exploit this vulnerability to execute arbitrary code on the system with SYSTEM-level privileges.
References: [XFDB-68348]

SpiceDB is an open source, Google Zanzibar-inspired database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key`, which is used to protect the gRPC API from being accessed by unauthorized requests. The values of this flag are to be considered sensitive, secret data. The `/debug/pprof/cmdline` endpoint served by the metrics service (running on port `9090` by default) reveals the command-line flags provided for debugging purposes. If a password is set via the `--grpc-preshared-key` flag, then the key is revealed by this endpoint along with any other flags provided to the SpiceDB binary. This issue has been fixed in version 1.19.1.
Impact:
All deployments abiding by the recommended best practices for production usage are NOT affected:
- Authzed's SpiceDB Serverless
- Authzed's SpiceDB Dedicated
- SpiceDB Operator
Users configuring SpiceDB via environment variables are NOT affected.
Users MAY be affected if they expose their metrics port to an untrusted network and are configuring `--grpc-preshared-key` via command-line flag.
Patches: TODO
Workarounds:
To work around this issue, you can do one of the following:
- Configure the preshared key via an environment variable (e.g. `SPICEDB_GRPC_PRESHARED_KEY=yoursecret spicedb serve`)
- Reconfigure the `--metrics-addr` flag to bind to a trusted network (e.g. `--metrics-addr=localhost:9090`)
- Disable the metrics service via the flag (e.g. `--metrics-enabled=false`)
- Adopt one of the recommended deployment models: [Authzed's managed services](https://authzed.com/pricing) or the [SpiceDB Operator](https://github.com/authzed/spicedb-operator)
Advisory references:
- [GitHub Security Advisory issued for SpiceDB](https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6)
- [Go issue #22085](https://github.com/golang/go/issues/22085) for documenting the risks of exposing pprof to the internet
- [Go issue #42834](https://github.com/golang/go/issues/42834) discusses preventing pprof registration to the default serve mux
- [semgrep rule go.lang.security.audit.net.pprof.pprof-debug-exposure](https://semgrep.dev/r?q=go.lang.security.audit.net.pprof) checks for a variation of this issue
Credit: We'd like to thank Amit Laish, a security researcher at GE Vernova, for responsibly disclosing this vulnerability.
References: [CVE-2023-29193]

WebSM (IANA official)
 9090 udp applications not scanned MPM SIP HP-180W Wireless IP Phone WE.00.17 allows remote attackers to obtain sensitive information and possibly cause a denial of service via a direct connection to UDP port 9090, which is undocumented and does not require authentication.
References: [CVE-2006-0360], [BID-16285], [SECUNIA-18512]

ZyXel P2000W VoIP 802.11b Wireless Phone running firmware WV.00.02 allows remote attackers to obtain sensitive information, such as MAC address and software version, by directly accessing UDP port 9090.
References: [CVE-2006-0302] [BID-16285] [SECUNIA-18511] [OSVDB-22516]
 9091 tcp,udp apps not scanned Citrix NetScaler appliance Command Center Server uses ports 9091, 9092, 9094 TCP for communication between client and server, mapping/discovery/administration/configuration management.

Championship Manager 4, Transmission (BitTorrent client) Web Interface, Eyemax DVS-9000 (TCP), Openfire Administration Console (SSL Secured) (TCP)

Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations
 9092 tcp,udp apps not scanned Amazon AWS MSK uses these TCP ports:
9092, 9094 - TLS
9096, 9196 - ASL/SCRAM
9098, 9198 - IAM access control

Citrix NetScaler appliance Command Center Server uses ports 9091, 9092, 9094 TCP for communication between client and server, mapping/discovery/administration/configuration management.

Championship Manager 4

Apache Kafka - A Distributed Streaming Platform also uses this port (TCP)
 9093 tcp,udp apps not scanned Championship Manager 03-04

Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations

Copycat database replication service [Microtec Informatique] (IANA official)
 9094 tcp,udp apps not scanned Amazon AWS MSK uses these TCP ports:
9092, 9094 - TLS
9096, 9196 - ASL/SCRAM
9098, 9198 - IAM access control

Citrix NetScaler appliance Command Center Server uses ports 9091, 9092, 9094 TCP for communication between client and server, mapping/discovery/administration/configuration management.

Championship Manager 03-04

Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations
 9095 tcp,udp applications not scanned Citrix Orchestration uses port 9095 TCP

Directory traversal vulnerability in Remote Console Applet in Halycon Software iASP 1.0.9 allows remote attackers to read arbitrary files via a .. (dot dot) in the HTTP request to port 9095.
References: [CVE-2002-2292], [BID-6394]
 9096 tcp aws not scanned Amazon AWS MSK uses these TCP ports:
9092, 9094 - TLS
9096, 9196 - ASL/SCRAM
9098, 9198 - IAM access control
 9098 tcp aws not scanned Amazon AWS MSK uses these TCP ports:
9092, 9094 - TLS
9096, 9196 - ASL/SCRAM
9098, 9198 - IAM access control
 9099 tcp not scanned HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.
References: [CVE-1999-1062]
 9100 udp games not scanned Company Of Heroes, Tom Clancy's Splinter Cell: Conviction
 9100 tcp applications not scanned Abacast peer-to-peer audio and video streaming, PDL Data Stream

9100/tcp - Prometheus Node exporter.
Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations


The default configuration of some HP Printers and HP Digital Sender enables the Remote Firmware Update (RFU) setting, which allows remote attackers to execute arbitrary code by using a session on TCP port 9100 to upload a crafted firmware update.
References: [CVE-2011-4161] [BID-51324]

Kyocera 3830 (aka FS-3830N) printers have a back door that allows remote attackers to read and alter configuration settings via strings that begin with "!R!SIOP0", as demonstrated using (1) a connection to TCP port 9100 or (2) the UNIX lp command.
References: [CVE-2006-0788] [BID-16685] [SECUNIA-18896] [OSVDB-23245]

HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.
References: [CVE-1999-1062]

On EPSON WF-2750 printers with firmware JP02I2, there is no filtering of print jobs. Remote attackers can send print jobs directly to the printer via TCP port 9100.
References: [CVE-2018-14900]

p910nd on Inteno IOPSYS 2.0 through 4.2.0 allows remote attackers to read, or append data to, arbitrary files via requests on TCP port 9100.
References: [CVE-2018-10123], [EDB-44635]
 9101 udp games not scanned Company of Heroes: Opposing Fronts

Bacula Director (TCP/UDP) (IANA official)
 9101 tcp prometheus not scanned HP JetDirect card

9101/tcp - Prometheus HAProxy exporter.
Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations
 9102 tcp,udp bacula-fd not scanned Splinter Cell Splinter Cell Chaos Theory (game)

HP JetDirect card

Bacula File Daemon (IANA official)
 9103 udp games not scanned Supreme Commander, Tom Clancy's Splinter Cell: Conviction
Blood Bowl also uses this port (TCP/UDP)
Settlers 7 game ports: 13005, 13200 TCP and 3544, 9103, 13005, 21000-29999 UDP

Bacula Storage Daemon (TCP/UDP) (IANA official)
 9103 tcp prometheus not scanned 9103/tcp - Prometheus Collectd exporter.
Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations
 9104 tcp apps not scanned 9104/tcp - Prometheus MySQLd exporter.
Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations

HP JetDirect card

PeerWire (IANA official)
 9105 tcp,udp xadmin not scanned Xadmin Control Service
Operation Flashpoint: Dragon Rising also uses port 9105 (UDP), developer: Codemasters

9105/tcp - Prometheus Mesos exporter.
Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations
 9106 tcp astergate not scanned Astergate Control Service

9106/tcp - Prometheus CloudWatch exporter.
Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations
 9106 udp astergate-disc not scanned Astergate Discovery Service
 9107 tcp astergatefax not scanned AstergateFax Control Service

9107/tcp - Prometheus Consul exporter.
Prometheus (open-source system monitoring) uses these TCP ports:
9090 (server)
9091 (Pushgateway)
9093 (Alertmanager)
9094 (Alertmanager clustering)
9100-9563 - Prometheus Exporters
See: https://github.com/prometheus/prometheus/wiki/Default-port-allocations
 9110 udp applications not scanned SSMP Message protocol

Compuware DriverStudio Remote Control service (DSRsvc.exe) 2.7 and 3.0 beta 2 allows remote attackers to cause a denial of service (reboot) via a UDP packet sent directly to port 9110.
References: [CVE-2005-3035], [BID-14838]
 9111 tcp hexxorecore not scanned HP StorageWorks File Migration Agent (FMA) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the HsmCfgSvc.exe service when processing CIFS archive names. By sending a specially-crafted packet to TCP port 9111, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-77089], [BID-54595]

IANA registered for: Multiple Purpose, Distributed Message Bus (TCP/UDP)
 9112 tcp applications not scanned Eyemax DVS-9000
 9117 tcp Premium scan Jackett (Linux proxy server for http query translations) uses port 9117 by default


Massaker trojan [Symantec-2003-011614-4100-99]

Vulnerabilities listed: 100 (some use multiple ports)