The Broadband Guide
SG
search advanced

Port 9000 Details


known port assignments and vulnerabilities
threat/application/port search:
 search
Port(s) Protocol Service Details Source
9000 tcp trojans Buffalo LinkSystem Web access (unofficial), DBGp, SqueezeCenter web server & streaming, Play! Framework web server
Cisco WebEx
ManageEngine AssetExplorer (IT asset management software) uses port 9000 TCP by default
MIS Comunicator Sysdev MSS (Mobile Sales System) default port
SonarQube Web Server uses port 9000
Emidate

Games that use this port:
EverQuest World server
Dungeons & Dragons Online uses ports 9000-9010 (TCP/UDP)
Lord of the Rings Online uses ports 9000-9010

W32.Randex.CZZ [Symantec-2005-031510-5713-99] (2005.03.15) - network aware worm that attempts to connect to an IRC server on port 9000/tcp for remote instructions.
W32.Mytob.GK@mm [Symantec-2005-062814-3052-99] (2005.06.28) - mass-mailing worm that opens a backdoor on port 9000/tcp.
Netministrator trojan uses port 9000.

Gordano NTMail 6.0.3c allows a remote attacker to create a denial of service via a long (>= 255 characters) URL request to port 8000 or port 9000.
References: [CVE-2001-0585] [BID-2494]

Multiple KWORLD products could allow a remote attacker to bypass security restrictions, caused by the failure to validate communications on port 9000. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
References: [XFDB-101454]

Zhuhai RaySharp firmware has a hardcoded root password, which makes it easier for remote attackers to obtain access via a session on TCP port 23 or 9000.
References: [CVE-2015-8286]

Astoria ARV7510 could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104630]

Huawei HG553 could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104618]

Observa Telecom VH4032N could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104554]

Huawei HG556a could allow a remote attacker to gain unauthorized access to the system. By connecting to the 9000 port on the vulnerable device, a remote attacker could exploit this vulnerability to view, modify, delete and upload new files to the USB storage device.
References: [XFDB-104624]

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. They expose an FTP server that serves by default on port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this, a remote unauthenticated attacker could execute arbitrary PHP code by uploading any file in the web root directory and then accessing it via a request.
References: [CVE-2018-17440], [EDB-45533]

WonderCMS is vulnerable to SSRF Vulnerability. In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS. The theme/plugin installer does not sanitize the destination of github/gitlab url, so attacker can point the destination to localhost. When the attacker points the request to localhost, this leads to SSRF vulnerability. The highest impact leads to RCE with gopher scheme and FastCGI running on port 9000.
References: [EDB-49154]

Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the manage engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never free-ed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (ie: NEWSCAN, DELTASCAN, etc) is converted to a unicode string, but is never freed. These memory leaks allow a remote attacker to exploit a Denial of Service scenario through repetitively sending these commands to an agent and eventually crashing it the agent due to an out-of-memory condition.
References: [CVE-2021-20108]

Otris Update Manager 1.2.1.0 allows local users to achieve SYSTEM access via unauthenticated calls to exposed interfaces over a .NET named pipe. A remote attack may be possible as well, by leveraging WsHTTPBinding for HTTP traffic on TCP port 9000.
References: [CVE-2021-40376]

Trojan.Win32.Delf.bna / Information Disclosure - the malware listens on TCP port 9000 and has the option to set a password in "Config.ini". Third party attackers who can reach an infected system can view the password in the response, as the malware leaks it upon connecting.
References: [MVID-2021-0385]

Missing Authentication for Critical Function in SICK FX0-GENT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on TCP port 9000.
References: [CVE-2023-23452], [CVE-2023-23453], [XFDB-248005], [XFDB-248006]
SG
9000 udp games Asheron's Call
Zmodo DK4001, UDPCast
SG
9000 tcp Buffalo LinkSystem Web access (unofficial) Wikipedia
9000 tcp DBGp (unofficial) Wikipedia
9000 tcp SqueezeCenter web server & streaming (unofficial) Wikipedia
9000 udp UDPCast (unofficial) Wikipedia
9000 tcp trojan [trojan] Netministrator Trojans
9000 tcp Netministrator [trojan] Netministrator SANS
5060,9000-9015 udp applications 3CX Portforward
9000-9001, 9004-9005, 9012-9013 udp applications Asherons Call Portforward
2900-2910,9000-9010 udp applications Dungeons + Dragons Online Portforward
9000-9001,9010 tcp applications JetCast Portforward
2900-2910,9000-9010 udp applications Lord of the Rings Online Portforward
6073,6500,9000 tcp applications Railroad Tycoon III Portforward
9000 udp applications SightSpeed Portforward
9000 tcp,udp applications Tamago Portforward
9000 tcp AltaVista HTTP Server - may be an attempt to compromise an AltaVista HTTP (web) server. Bekkoame
9000 tcp threat Sendmail Switch SDAP Sendmail's "Switch" protocol listens on this TCP port. It also listens on port 8890. Bekkoame
9000 tcp threat W32.Esbot Bekkoame
9000 tcp threat W32.Mytob Bekkoame
9000 tcp threat W32.Randex Bekkoame
9000 udp threat Asheron's Call This port is used in Microsoft's massively-multiplayer game called "Asheron's Call". The game can continue to contact the player even after the player has logged out. Bekkoame
9000 tcp,udp cslistener CSlistener IANA
23 records found
jump to:
 go
previous next

Related ports: 23  8890  9001  9002  9010  9001  9004  9005  9008  9012  9013  

« back to SG Ports


External Resources
SANS ISC: port 9000

Notes:
Port numbers in computer networking represent communication endpoints. Ports are unsigned 16-bit integers (0-65535) that identify a specific process, or network service. IANA is responsible for internet protocol resources, including the registration of commonly used port numbers for well-known internet services.
Well Known Ports: 0 through 1023.
Registered Ports: 1024 through 49151.
Dynamic/Private : 49152 through 65535.

TCP ports use the Transmission Control Protocol, the most commonly used protocol on the Internet and any TCP/IP network. TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and that packets will be delivered in the same order in which they were sent. Guaranteed communication/delivery is the key difference between TCP and UDP.

UDP ports use the Datagram Protocol. Like TCP, UDP is used in combination with IP (the Internet Protocol) and facilitates the transmission of datagrams from one computer to applications on another computer, but unlike TCP, UDP is connectionless and does not guarantee reliable communication; it's up to the application that received the message to process any errors and verify correct delivery. UDP is often used with time-sensitive applications, such as audio/video streaming and realtime gaming, where dropping some packets is preferable to waiting for delayed data.

When troubleshooting unknown open ports, it is useful to find exactly what services/processes are listening to them. This can be accomplished in both Windows command prompt and Linux variants using the "netstat -aon" command. We also recommend runnig multiple anti-virus/anti-malware scans to rule out the possibility of active malicious software. For more detailed and personalized help please use our forums.

Please use the "Add Comment" button below to provide additional information or comments about port 9000.
  User Reviews/Comments:
    rate:
   avg:
by unixfreaxjp - 2016-08-25 09:49
TCP/9000 is used for the mail communication port of the internet Linux work dubbed Linux/PnScan (worm type).
The port TCP/9000 is used for the main CNC (control center) communication for inbound and outbound traffic with trhis ttrojan's specific protocol.
Worm Linux/PnScan is targeting Linux worm in architecture x86-32, mips, mipsel and arm. Detected firstly in the wild from September 2015. The worm was origined from Russia Federation criminal.

Reference of this Linux worm and its usage of TCP/9000
http://blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html
by anonymous - 2019-05-06 18:28
Also Cisco WebEx
by jmoleano - 2022-03-25 13:12
Default port for MIS Comunicator
Sysdev MSS (Mobile Sales System)
https://www.sysdevmss.com/
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About