Port(s) |
Protocol |
Service |
Scan level |
Description |
9640 |
tcp |
pqsflows |
not scanned |
ProQueSys Flows Service |
9650 |
tcp,udp |
applications |
not scanned |
GeoVision TwinDVR with Webcam |
9666 |
tcp |
zoomcp |
not scanned |
Zoom Control Panel Game Server Management [Zoom_Control_Panel] (IANA official) |
9667 |
tcp,udp |
xmms2 |
not scanned |
Cross-platform Music Multiplexing System |
9668 |
tcp,udp |
client-wakeup |
not scanned |
tec5 Spectral Device Control Protocol |
9669 |
tcp |
applications |
not scanned |
VGG Image Search Engine VISE |
9675 |
tcp,udp |
applications |
not scanned |
Spiceworks Desktop, IT Helpdesk Software |
9676 |
tcp,udp |
applications |
not scanned |
Spiceworks Desktop, IT Helpdesk Software |
9689 |
tcp |
malware |
not scanned |
Backdoor.Win32.Zhangpo / Remote DoS - Zhangpo listens on TCP port 9689, sending a special character as a long string HTTP payload will DoS the backdoor.
References: [MVID-2021-0058] |
9694 |
tcp,udp |
client-wakeup |
not scanned |
T-Mobile Client Wakeup Message |
9695 |
tcp,udp |
ccnx |
not scanned |
Content Centric Networking |
9696 |
tcp |
trojans |
Premium scan |
Backdoor.Gholame [Symantec-2002-081414-0139-99] - remote access trojan, affects Windows, opens TCP ports 9696 and 9697 by default. |
9697 |
tcp |
trojan |
Premium scan |
Backdoor.Gholame [Symantec-2002-081414-0139-99] - remote access trojan, affects Windows, opens TCP ports 9696 and 9697 by default. |
9735 |
tcp |
applications |
not scanned |
Bitcoin Lightning Network |
9777 |
tcp,udp |
games |
not scanned |
Rainbow Six 3 Raven Shield: Athena Sword, Unreal Tournament
Backdoor.StealthEye [Symantec-2002-120514-5403-99] (2002.12.05) - a backdoor trojan coded in Visual Basic, gives an attacker unauthorized access to an infected computer. By default it opens ports 9777 and 9778. |
9778 |
tcp,udp |
trojans |
not scanned |
Backdoor.StealthEye [Symantec-2002-120514-5403-99] (2002.12.05) - a backdoor trojan coded in Visual Basic, gives an attacker unauthorized access to an infected computer. By default it opens ports 9777 and 9778. |
9789 |
tcp |
applications |
not scanned |
Lexmark Markvision Enterprise before 1.8 provides a diagnostic interface on TCP port 9789, which allows remote attackers to execute arbitrary code, change the configuration, or obtain sensitive fleet-management information via unspecified vectors.
References: [CVE-2013-3055], [SECUNIA-53185] |
9793 |
tcp,udp |
applications |
not scanned |
Moove |
9795 |
tcp,udp |
applications |
not scanned |
Moove |
9800 |
tcp,udp |
davsrc |
not scanned |
WebCT e-learning portal
WebDav Source Port (IANA official) |
9832 |
tcp |
applications |
not scanned |
Symantec Workspace Streaming could allow a remote attacker to execute arbitrary code on the system, caused by an error in the exposed EJBInvokerServlet and JMXInvokerServlet servlets within Apache Tomcat. By sending a specially-crafted object to TCP port 9832, an attacker could exploit this vulnerability to execute arbitrary code with SYSTEM privileges.
References: [XFDB-88300] |
9833 |
tcp |
applications |
not scanned |
Telindus router - default port for the 1100 series of Telindus ADSL routers, such as 1110 and 1120. |
9833 |
udp |
|
not scanned |
Telindus 1100 series ADSL router allows remote attackers to gain privileges to the device via a certain packet to UDP port 9833, which generates a reply that includes the router's password and other sensitive information in cleartext.
References: [CVE-2002-0949] [BID-4946] |
9842 |
tcp |
malware |
not scanned |
Backdoor.Win32.Wollf.m / Weak Hardcoded Password - the malware runs with SYSTEM integrity and listens on TCP port 9842. Authentication is required. However, the password "holybolt" is weak and hardcoded in the PE file in cleartext.
References: [MVID-2022-0477] |
9850 |
tcp |
applications |
not scanned |
Novell GroupWise is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the HTTP interface. By sending an overly long request to TCP port 9850, a remote attacker could overflow a buffer and execute arbitrary code on the system.
References: [CVE-2011-0334], [BID-49779] |
9863 |
tcp |
malware |
not scanned |
Backdoor.Win32.PsyRat.b / Unauthenticated Remote Command Execution - the PsyRAT 1.02 malware listens by default on TCP port 9863, but this can be changed when building backdoor servers. Third-party attackers who can reach infected systems can execute commands made available by the backdoor. The backdoor's cpuinfo command will leak system details, including the cleartext password.
References: [MVID-2021-0306] |
9867 |
tcp |
trojans |
Premium scan |
Backdoor.Sokeven [Symantec-2004-092214-2730-99] - remote access trojan. Affects all current Windows versions, opens a SOCKS proxy on port 9867 by default. Systems can get infected by visiting a malicious website with Internet Explorer - exploits IE File Installation Vulnerability. |
9870 |
tcp |
trojan |
Premium scan |
Remote Computer Control Center |
9871 |
tcp |
trojans |
not scanned |
Backdoor.Theef [Symantec-2002-101115-3443-99] (2002.10.14) - a trojan that can allow unauthorized access to an infected computer. It opens port 9871 to listen for a connection. The trojan is written in Delphi. |
9872-9874 |
tcp |
trojans |
Premium scan |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp. |
9875 |
tcp,udp |
sapv1 |
not scanned |
EverQuest Chat server, Club Penguin Disney online game for kids
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.
PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file.
References: [CVE-2007-1804] [BID-23240] [SECUNIA-25787]
Session Announcement v1 (IANA official) |
9876 |
tcp |
session director |
Premium scan |
Session Director, True Image Remote Agent, Wireshark, nmap use this port.
Trojans that also use this port:
Cyber Attacker, Rux, Backdoor.Lolok
Backdoor.Lolok [Symantec-2002-120514-5802-99] is a backdoor Trojan that uses the mIRC client to give a hacker access to the computer. By default, it establishes an IRC connection to irc.tu-pac.net on port 9876. Usually spreads through email attachments or disguised as a video file. Discovered on 12.05.2002.
Acronis True Image Windows Agent 1.0.0.54 allows remote attackers to cause a denial of service (crash) via a malformed packet to port 9876, which triggers a NULL pointer dereference.
References: [CVE-2008-1280], [BID-28169] |
9877 |
tcp |
x510 |
Premium scan |
Small Big Brother trojan
An issue was discovered in Acronis Cyber Backup before 12.5 Build 16342. Some API endpoints on port 9877 under /api/ams/ accept an additional custom Shard header. The value of this header is afterwards used in a separate web request issued by the application itself. This can be abused to conduct SSRF attacks against otherwise unreachable Acronis services that are bound to localhost such as the NotificationService on 127.0.0.1:30572.
References: [CVE-2020-16171], [EDB-49113]
IANA registered for: The X.510 wrapper protocol [ITU-T X.510 / ISO/IEC 9584-11] |
9878 |
tcp |
trojan |
Premium scan |
Small Big Brother, TransScout trojans
Backdoor.Win32.Psychward.ds / Weak Hardcoded Password - the malware listens on TCP port 9878 and requires a password for remote user access. However, the backdoor's password "nivag" is weak and hardcoded in plaintext within the executable.
References: [MVID-2021-0219]
|
9878 |
udp |
kca-service |
not scanned |
The KX509 Kerberized Certificate Issuance Protocol in Use in 2012 [IESG] [RFC 6717] (IANA official) |
9879 |
tcp |
trojan |
Premium scan |
Small Big Brother trojan |
9889 |
tcp,udp |
gt-proxy |
not scanned |
Port for Cable network related data proxy or repeater |
9890 |
tcp |
worm |
not scanned |
W32.Ircbrute.B [Symantec-2010-012711-2418-99] (2010.01.27) - a worm that spreads by copying itself to removable drives. It also opens a back door on the compromised computer. |
9897 |
udp |
applications |
not scanned |
Sony PlayStation Remote Play Video stream |
9898 |
tcp |
safeq |
Members scan |
YSoft SafeQ workflow software, Tripwire-File Integrity Monitoring Software
Dabber.A [Symantec-2004-051414-5013-99] (2004.05.14) and Dabber.B [Symantec-2004-060414-4404-99] (2004.06.04) - a worm that propagates by exploiting a vulnerability in the FTP server component of W32.Sasser.Worm and its variants. It installs a backdoor on port 9898/tcp (if it fails, tries to listen on ports 9899-9999).
Backdoor.CrashCool [Symantec-2003-091308-3135-99] (2003.09.13) - a trojan horse that allows unauthorized access to the victim machine. By default it opens port 9898 for listening.
MonkeyCom (TCP/UDP) (IANA official). |
9899 |
tcp |
trojans |
Premium scan |
Ini-Killer, W32.dabber.a |
9899 |
udp |
sctp-tunneling |
not scanned |
SCTP TUNNELING (IANA official) [RFC 6951] |
9900 |
tcp,udp,sctp |
iua |
not scanned |
Unspecified vulnerability in Stack Group Bidding Protocol (SGBP) support in Cisco IOS 12.0 through 12.4 running on various Cisco products, when SGBP is enabled, allows remote attackers on the local network to cause a denial of service (device hang and network traffic loss) via a crafted UDP packet to port 9900.
References: [CVE-2006-0340], [BID-16303], [SECUNIA-18490]
Port is also IANA registered for IUA |
9901 |
udp,sctp |
enrp |
not scanned |
Enrp server channel [RFC 5353] (IANA official) |
9903 |
udp |
multicast-ping |
not scanned |
IANA registered for: Multicast Ping Protocol [RFC 6450] |
9919 |
tcp |
trojans |
Premium scan |
Kryptonic Ghost Command Pro, W32.dabber.a |
9920 |
tcp,udp |
games |
not scanned |
Football Manager Live |
9922 |
tcp |
applications |
not scanned |
Multiple Hanvon facial recognition (Face ID) devices could allow a remote attacker to bypass security restrictions, caused by a plain-text management protocol on TCP port 9922. An attacker could exploit this vulnerability to gain access to the device.
References: [CVE-2014-2938], [XFDB-93297], [OSVDB-107138] |
9925 |
tcp |
xybrid-cloud |
not scanned |
IANA registered for: XYBRID Cloud |
9940 |
tcp,udp |
applications |
not scanned |
iVisit |
9943 |
tcp,udp |
applications |
not scanned |
iVisit |
9944 |
tcp |
phala |
not scanned |
Phala network default ports: 9944, 18000, 19944 |
9945 |
tcp,udp |
applications |
not scanned |
iVisit |
9946 |
tcp |
games |
not scanned |
Medal of Honor 2010 |
9954 |
tcp |
hinp |
not scanned |
IANA registered for: HaloteC Instrument Network Protocol |
9955 |
tcp |
alljoyn-stm |
not scanned |
Contact Port for AllJoyn standard messaging [Qualcomm Innovation Center] (IANA official) |
9955 |
udp |
alljoyn-mcm |
not scanned |
Contact Port for AllJoyn multiplexed constrained messages [Qualcomm Innovation Center] (IANA official) |
9956 |
udp |
alljoyn |
not scanned |
Alljoyn Name Service [Qualcomm Innovation Center] (IANA official) |
9961 |
tcp,udp |
games |
not scanned |
Test Drive Unlimited |
9964 |
udp |
games |
not scanned |
Battlefield 2142 |
9969 |
tcp,udp |
streamtome |
not scanned |
ServeToMe server & StreamToMe streaming media player |
9971 |
tcp,udp |
streamtome |
not scanned |
ServeToMe server & StreamToMe streaming media player |
9978 |
tcp |
xybrid-rt |
not scanned |
XYBRID RT Server - Rx Networks Inc (IANA official) |
9979 |
tcp |
visweather |
not scanned |
The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on etcd grpc-proxy component. Even though the CVE-2016-2183 has been fixed in the etcd components, to enable periodic health checks from kubelet, it was necessary to open up a new port (9979) on etcd grpc-proxy, hence this port might be considered as still vulnerable to the same type of vulnerability. The health checks on etcd grpc-proxy do not contain sensitive data (only metrics data), therefore the potential impact related to this vulnerability is minimal. The CVE-2023-0296 has been assigned to this issue to track the permanent fix in the etcd component.
References: [CVE-2023-0296]
Valley Information Systems Weather station data (IANA official)
|
9981 |
tcp |
pumpkindb |
not scanned |
IANA registered for: Event sourcing database engine with a built-in programming language
TVHeadend HTTP server (web interface) also uses this port |
9982 |
tcp |
applications |
not scanned |
TVHeadend HTSP server (Streaming protocol) |
9987 |
udp |
applications |
not scanned |
TeamSpeak 3 server default (voice) port.
TS3 uses the following ports:
9987 UDP (default voice port)
10011 TCP (default serverquery port)
30033 TCP (default filetransfer port)
41144 TCP (default tsdns port)
TS3 also connects to: accounting.teamspeak.com:2008 (TCP for license checks) and weblist.teamspeak.com:2010 (UDP). TS3 weblist also uses ports 2011-2110 (UDP out, first available port in range).
Teamspeak Server is vulnerable to a denial of service, caused by multiple assertion errors in multiple commands. By sending a specially-crafted command to UDP port 9987, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-59521], [BID-40918], [SECUNIA-40230]
|
9988 |
tcp |
nsesrvr |
not scanned |
The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988.
References: [CVE-2019-14258]
IANA registered for: Software Essentials Secure HTTP server |
9989 |
tcp |
trojan |
Premium scan |
iNi-Killer trojan |
9990 |
tcp |
applications |
not scanned |
DOT.TUNES, RealSecure ISS system scanner
IANA registered for: OSM Applet Server
** DISPUTED ** An issue was discovered in WildFly 10.1.2.Final. It is possible for an attacker to access the administration panel on TCP port 9990 without any authentication using "anonymous" access that is automatically created. Once logged in, a misconfiguration present by default (auto-deployment) permits an anonymous user to deploy a malicious .war file, leading to remote code execution. NOTE: the vendor indicates that anonymous access is not available in the default installation; however, it remains optional because there are several use cases for it, including development environments and network architectures that have a proxy server for access control to the WildFly server.
References: [CVE-2018-10682] |
9991 |
tcp,udp |
osm-oev |
not scanned |
WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service (daemon crash) via a long HTTP Accept Header to TCP port 9991.
References: [CVE-2018-7582], [EDB-44271]
IANA registered for: OSM Event Server |
9992 |
tcp,udp |
applications |
not scanned |
The Palace chat environment uses ports 9992-9998 |
9995 |
tcp,udp |
games |
not scanned |
Sometimes used by Cisco NetFlow (commonly on port 2055/udp).
Football Manager Live |
9996 |
tcp |
trojans |
Members scan |
Football Manager Live (TCP/UDP), Ryan's App Trading Software (TCP/UDP), The Palace Virtual Reality Chat software (TCP/UDP)
W32.dabber.a trojan
W32.Sasser.Worm [Symantec-2004-050116-1831-99] - remote access trojan. Affects all current Windows versions, attempts to exploit a vulnerability addressed in Microsoft Security Bulletin [MS04-011]. There are some issues associated with using the [MS04-011] update discussed here: MS KB 835732.
Trojan runs an FTP server on port 5554 on infected systems and attempts to connect to random IPs on TCP port 445. If a connection is established, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. |
9997 |
tcp |
splunk |
Premium scan |
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
Football Manager Live also uses port 9997 (TCP/UDP).
Malware that uses this port: W32.dabber.a trojan
Backdoor.Win32.SVC / Remote Stack Buffer Overflow - the malware listens on TCP port 9997. Third-party attackers who can reach an infected system can make a specially crafted HTTP GET request to trigger a classic stack buffer overflow overwriting ECX, EIP registers and structured exception handler (SEH).
References: [MVID-2022-0446]
Backdoor.Win32.SVC / Directory Traversal - the malware listens on TCP port 9997. Third-party attackers who can reach an infected host can read any file on the system using "../" path traversal characters to break out of the root dir.
References: [MVID-2022-0447] |
9998 |
tcp |
totalbill |
Premium scan |
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
Lighttpd server port 9998/tcp open to LAN only on some ASUS routers.
Totalbill (billing and provisioning system for ISPs by Aptis Software) listens on port 9998/tcp (by default) and allows full control over the software. An exploit script for this software was published in 2000.
Common Palace chat environment, Football Manager Live also use port 9998 (TCP/UDP).
Malware using this port: W32.dabber.a trojan |
9999 |
tcp |
crypto |
Premium scan |
Football Manager Live (TCP/UDP), Warzone 2100 (TCP/UDP), Ultima, TP-Link Smart Outlet remote console access, Hydranode—edonkey2000 TELNET control, Lantronix UDS-10/UDS100 RS-485 to Ethernet Converter TELNET control, Urchin Web Analytics
Dash cryptocurrency uses port 9999.
Common cryptocurrency ports (TCP):
Bitcoin: 8333
Litecoin: 9333
Dash: 9999
Dogecoin: 22556
Ethereum: 30303
Port vulnerabilities and malware that uses this port:
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] (2005.01.17) - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
Backdoor.Lateda.C [Symantec-2005-033112-4545-99] (2005.03.31) - backdoor trojan with remote access capabilities. Connects to an IRC server on the l33t.freeshellz.org domain on port 5232/tcp, opens a backdoor on port 9999/tcp.
The remote web management interface of Aprelium Technologies Abyss Web Server 1.1.2 and earlier does not log connection attempts to the web management port (9999), which allows remote attackers to mount brute force attacks on the administration console without detection.
References: [CVE-2003-1363] [BID-6842]
Firefly Media Server is vulnerable to a denial of service, caused by multiple NULL pointer dereference errors in the firefly.exe binary file. By sending a specially-crafted packet to TCP Port 9999 with a malformed header, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [EDB-23574]
This vulnerability allows remote attackers to execute arbitrary code on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the control service, which listens on TCP port 9999 by default. The issue results from the lack of authentication prior to allowing alterations to the system configuration. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-10493.
References: [CVE-2020-10920]
The Prayer 1 trojan horse (TCP)
distinct (TCP/UDP) (IANA official) |
9999 |
udp |
infosvr |
Premium scan |
Several Asus router models use a service called infosvr that listens on UDP port 9999 with root privileges and contains an unauthenticated command execution vulnerability. See [CVE-2014-9583]
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.
References: [CVE-2014-9583], [XFDB-100054] |
10000 |
tcp |
multiple |
Basic scan |
Applications that use this port:
Webmin - web-based system administration tool, BackupExec, Ericsson Account Manager (avim).
The Matrix Online, Everquest Online Adventures, BitTornado, Viatalk, Dungeon Fighter Online (TCP/UDP), FIFA Manager 10 (TCP/UDP)
QuickTime Streaming Server 4 also uses ports 10000-20000 (TCP).
Dumaru.Y [Symantec-2004-012316-2557-99] (2004.01.23) - multi-threaded, mass mailing worm that opens a backdoor, runs a keylogger and attempts to steal personal information. Opens ports 2283/tcp and 10000/tcp.
Other trojans that use this port: Oracle, TCP Door, XHX, OpwinTRojan
The default configuration of the New Atlanta BlueDragon administrative interface in MediaCAST 8 and earlier enables external TCP connections to port 10000, instead of connections only from 127.0.0.1, which makes it easier for remote attackers to have an unspecified impact via a TCP session.
References: [CVE-2011-2077]
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a buffer overflow in observiced.exe that allows remote attackers to execute arbitrary code via vectors related to a "reverse lookup of connections" to TCP port 10000.
References: [CVE-2010-0072]
The web interface in BitTorrent allows remote attackers to execute arbitrary commands by leveraging knowledge of the pairing values and a crafted request to port 10000.
References: [CVE-2014-8515], [XFDB-99764]
By using port 10000 TCP in VERITAS Backup Exec Remote Agent, a remote attacker may be able to gain access to, and retrieve arbitrary files from a target system.
References: [CVE-2005-2611], [BID-14551]
Siemens RUGGEDCOM ROX I (all versions) allow an authenticated user to bypass access restrictions in the web interface at port 10000/TCP to obtain privileged file system access or change configuration settings.
References: [CVE-2017-2689], [BID-97170]
Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability in the integrated web server at port 10000/TCP which is prone to reflected Cross-Site Scripting attacks if an unsuspecting user is induced to click on a malicious link.
References: [CVE-2017-2687], [BID-97170]
Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability that could allow an authenticated user to read arbitrary files through the web interface at port 10000/TCP and access sensitive information.
References: [CVE-2017-2686], [BID-97170]
An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data.
References: [CVE-2017-2876], [CVE-2017-2875]
The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password (which is 1234), or reconfiguring "party mode" or "vacation mode."
References: [CVE-2019-9484]
Backdoor.Win32.Dumador.C / Remote Stack Buffer Overflow (SEH) - the malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).
Network Data Management Protocol (TCP/UDP) (IANA official) |
10001 |
tcp |
scp |
Premium scan |
Wyze cameras use these ports:
80, 443 TCP/UDP - timelapse, cloud uploads, streaming data
8443 TCP - cloud api, server connection
123 TCP - time check
10001 TCP - P2P WiFi live streaming
10002 TCP - Firmware updates
22345 TCP - control, used when live streaming
Lantronix UDS-10/UDS100 RS-485 to Ethernet Converter default port
Qualys Cloud Agent
Seafile Windows Server uses these TCP ports: 8000 (seahub web interface), 8082 (seafile server), 10001 (ccnet), 12001 (seaf-server).
Tonido NAS remote access software uses port 10001
Veeam Agent Computer uses port 10001/TCP
Games that use 10001 (TCP/UDP):
Dungeon Fighter Online, MVP Baseball, Tera
IPFS (InterPlanetary File System) - FiveM and RedM game mods use this port
Backdoor.Zdemon.126 [Symantec-2003-050512-3204-99] (2003.05.05) - remote access trojan, affects all current Windows versions.
Lula trojan
The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9.41 does not require authentication, which allows remote attackers to execute arbitrary code via a session on TCP port 10001, aka ZDI-CAN-2116.
References: [CVE-2014-2609]
A missing error check exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 could allow an attacker to reset the user accounts to factory defaults, without authentication.
References: [CVE-2017-2877]
SCP Configuration Port (IANA official) |
10001 |
udp |
ubiquity |
not scanned |
Ubiquiti Networks uses port 10001/UDP for its AirControl management discovery protocol |
10002 |
tcp |
trojans |
Premium scan |
Wyze cameras use these ports:
80, 443 TCP/UDP - timelapse, cloud uploads, streaming data
8443 TCP - cloud api, server connection
123 TCP - time check
10001 TCP - P2P WiFi live streaming
10002 TCP - Firmware updates
22345 TCP - control, used when live streaming
Backdoor.Zdemon.126 [Symantec-2003-050512-3204-99] (2003.05.05) - remote access trojan, 05.2003
Lula trojan
Backdoor.Win32.Tonerok.d / Unauthenticated Remote Command Execution - the malware listens on TCP port 10002 and drops an executable named "svchost.exe" under Windows dir. Third-party attackers who can reach an infected system can execute commands made available by the backdoor.
References: [MVID-2021-0226]
Trojan-Dropper.Win32.Googite.b / Unauthenticated Remote Command Execution - the malware listens on TCP ports 3388, 4488 and 10002 and drops executables under both Windows and SysWOW64 dirs. Third-party attackers who can reach infected systems can connect to port 10002 and run commands made available by the backdoor to retrieve information etc.
References: [MVID-2021-0254]
Trojan-Dropper.Win32.Krepper.a / Unauthenticated Remote Command Execution - the malware listens on TCP port 10002 and drops several executables under Windows dir. Third-party attackers who can reach infected systems can connect to port 10002 and run commands made available by the backdoor to retrieve information etc.
References: [MVID-2021-0260]
Backdoor.Win32.Avstral.e / Unauthenticated Remote Command Execution - the malware listens on TCP port 10002. Third-party adversaries who can reach an infected host can run commands made available by the backdoor.
References: [MVID-2022-0529]
SCP Configuration Port (IANA official) |
10003 |
tcp |
veeam |
Premium scan |
Veeam Backup and replication suite uses these ports, in addition to common 80, 443, etc.:
6160 TCP - Veeam installer service
6165 TCP - WAN accelerator
6180 TCP/UDP - Veeam cloud gateway
6169, 8190, 8191 TCP - used by SP backup server
10003 TCP - communication with Veeam backup service
The port is also used by ForeScout SecureConnector - a lightweight agent that creates a secure connection with the ForeScout CounterACT RemoteControl appliance and enables internet-based compliance management.
Lula trojan
|
10005 |
tcp |
trojan |
Premium scan |
OpwinTRojan
A vulnerability has been identified in LOGO!8 BM (All versions). Unencrypted storage of passwords in the project could allow an attacker with access to port 10005/tcp to obtain passwords of the device. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 10005/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2019-10921], [CVE-2019-10920], [CVE-2019-10919], [BID-108382]
A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). An attacker with network access to port 10005/tcp of the LOGO! device could cause a Denial-of-Service condition by sending specially crafted packets. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2019-6571]
A vulnerability has been identified in LOGO!8 BM (All versions). Project data stored on the device, which is accessible via port 10005/tcp, can be decrypted due to a hardcoded encryption key. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 10005/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2019-10920], [BID-108382]
A vulnerability has been identified in LOGO!8 BM (All versions). Attackers with access to port 10005/tcp could perform device reconfigurations and obtain project files from the devices. The system manual recommends protecting access to this port. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 10005/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2019-10919] |
10006 |
tcp |
games |
not scanned |
Veeam Agent for Linux v.6 uses these ports:
137-139, 445 tcp/udp - SMB(CIFS) shared folder
2500-3300 tcp - range of ports used for Veeam agent backup jobs
10006 tcp - backup server communication
10808 tcp - loopback port utilized for internal traffic only
Game: Dungeon Fighter Online, developer: Neople |
10007 |
tcp |
games |
not scanned |
RF Online |
10008 |
tcp |
worm |
Premium scan |
In early 2001, many exploit scripts for DNS TSIG name overflow would place a root shell on this port.
Cheese Worm (2001) - spreads and scans other machines through port 10008/tcp.
LionWorm uses this port.
See also CERT: IN-2001-05
IANA registered for: Octopus Multiplexer
|
10009 |
tcp,udp |
applications |
not scanned |
IANA registered for: Cross Fire, a multiplayer online First Person Shooter |
10010 |
tcp |
rxapi |
not scanned |
ooRexx rxapi services |
10011 |
tcp |
applications |
Premium scan |
TeamSpeak 3 default serverquery port.
TS3 uses the following ports:
9987 UDP (default voice port)
10011 TCP (default serverquery port)
30033 TCP (default filetransfer port)
41144 TCP (default tsdns port)
TS3 also connects to: accounting.teamspeak.com:2008 (TCP for license checks) and weblist.teamspeak.com:2010 (UDP). TS3 weblist also uses ports 2011-2110 (UDP out, first available port in range).
|
10012 |
tcp |
apps |
Premium scan |
Absen's Android-based LED wall uses port 10012/tcp
Amanda trojan (2010) |
10013 |
tcp |
trojan |
Premium scan |
Amanda trojan |
10017 |
tcp,udp |
applications |
not scanned |
AIX, NeXT, HPUX-rexd daemon control |
10019 |
tcp,udp |
applications |
not scanned |
Revo DVRNS |
10020 |
tcp |
abb-hw |
not scanned |
Proofpoint (email protection service) uses port 10020 TCP to access their SaaS servers
IANA registered for: Hardware configuration and maintenance |
10022 |
tcp |
intouch |
not scanned |
Gecko In.Touch (also in.touch 2) spa controller |
10023 |
udp |
cefd-vmp |
not scanned |
Comtech EF-Data's Vipersat Management Protocol - a feature-rich, automated bandwidth, capacity, and network management system with a high degree of configuration automation. [Comtech] (IANA official) |
10024 |
tcp |
applications |
not scanned |
IANA registered for: Zimbra smtp [mta] - to amavis from postfix |
10025 |
tcp |
applications |
not scanned |
IANA registered for: Zimbra smtp [mta] - back to postfix from amavis |
10027 |
tcp |
trojans |
Premium scan |
W32.Mytob.JW@mm [Symantec-2005-100312-4423-99] (2005.10.03) - a mass-mailing worm with backdoor capabilities that lowers security settings on the compromised computer. Opens a backdoor and listens for remote commands on port 8000/tcp. Also uses port 10027/tcp to download a copy of the worm.
Default port for IBM WebSphere Portal Application Server Administrative Console |