| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 9524 |
tcp |
applications |
not scanned |
Lansweeper |
| 9527 |
tcp |
applications |
not scanned |
An issue was discovered on Wireless IP Camera 360 devices. Remote attackers can discover RTSP credentials by connecting to TCP port 9527 and reading the InsertConnect field.
References: [CVE-2017-11633]
An issue was discovered on Wireless IP Camera 360 devices. Remote attackers can discover a weakly encoded admin password by connecting to TCP port 9527 and reading the password field of the debugging information, e.g., nTBCS19C corresponds to a password of 123456.
References: [CVE-2017-11634] |
| 9530 |
tcp,udp |
applications |
not scanned |
HoverRace |
| 9531 |
tcp,udp |
applications |
not scanned |
HoverRace |
| 9533 |
tcp |
trojans |
Premium scan |
Backdoor.Lyshell [Symantec-2004-022818-3727-99] (2004.02.28) - a backdoor trojan horse that gives an attacker complete access to your computer. By default, the trojan runs as a service and listens on port 9533. |
| 9535 |
tcp,udp |
mngsuite |
not scanned |
Management Suite Remote Control (IANA official) |
| 9536 |
tcp |
trojan |
Premium scan |
Lula trojan
Surveillance buffering function (TCP/UDP) (IANA official) |
| 9555 |
tcp,udp |
applications |
not scanned |
Secure Planet VPN, Trispen@TheOffice, The Orange Box (UDP)
Sometimes used by Cisco NetFlow (usually on port 2055/udp) |
| 9559 |
tcp |
p4runtime |
not scanned |
IANA registered for: P4Runtime gRPC Service |
| 9561 |
tcp |
trojan |
Premium scan |
CRatPro trojan |
| 9563 |
tcp |
trojan |
Premium scan |
CRatPro trojan |
| 9565 |
udp |
games |
not scanned |
Burnout Paradise (PS3), developer: Criterion Games |
| 9570 |
udp |
games |
not scanned |
Burnout Paradise (PS3), developer: Criterion Games
FIFA Soccer 2009, NBA 2007 (TCP/UDP) also use this port |
| 9571 |
tcp |
espn |
not scanned |
ESPN streaming traffic, reaches out to fastcast.espn.com for streaming servers. |
| 9580 |
tcp |
trojan |
Premium scan |
TheefLE trojan |
| 9582 |
tcp |
fortiguard |
not scanned |
Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp. 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - Forticlient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
|
| 9600 |
udp |
micromuse-ncpw |
not scanned |
IANA registered for MICROMUSE-NCPW
Factory Interface Network Service (FINS), a network protocol used by Omron programmable logic controllers |
| 9600 |
tcp |
applications |
not scanned |
The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication. They utilize the Omron FINS (9600/TCP) protocol for engineering purposes, including downloading projects and control logic to the PLC. This protocol has authentication flaws as reported in FSCT-2022-0057. Control logic is downloaded to PLC volatile memory using the FINS Program Area Read and Program Area Write commands or to non-volatile memory using other commands from where it can be loaded into volatile memory for execution. The logic that is loaded into and executed from the user program area exists in compiled object code form. Upon execution, these object codes are first passed to a dedicated ASIC that determines whether the object code is to be executed by the ASIC or the microprocessor. In the former case, the object code is interpreted by the ASIC whereas in the latter case the object code is passed to the microprocessor for object code interpretation by a ROM interpreter. In the abnormal case where the object code cannot be handled by either, an abnormal condition is triggered and the PLC is halted. The logic that is downloaded to the PLC does not seem to be cryptographically authenticated, thus allowing an attacker to manipulate transmitted object code to the PLC and either execute arbitrary object code commands on the ASIC or on the microprocessor interpreter.
References:[CVE-2022-31207] |
| 9604 |
tcp |
worm |
Members scan |
W32.Kibuv.Worm [Symantec-2004-051411-1858-99] (2004.05.14) - a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin [MS04-011]) and the DCOM RPC vulnerability described in (Microsoft Security Bulletin [MS03-026]). Starts an FTP server on TCP port 9604, also listens on TCP port 420, and attempts to exploit the DCOM RPC vulnerability on TCP port 135. |
| 9612 |
tcp |
trojans |
Premium scan |
Danton, Ghost |
| 9616 |
tcp |
erunbook_agent |
not scanned |
eRunbook Agent |
| 9617 |
tcp |
erunbook_server |
not scanned |
eRunbook Server |
| 9630 |
tcp |
peoctlr |
not scanned |
Peovica Controller |
| 9631 |
tcp |
peocoll |
not scanned |
Peovica Collector |
| 9632 |
udp |
mc-comm |
not scanned |
Mobile-C Communications |
| 9633 |
tcp |
winconnect |
not scanned |
Infoblox IPAM WinConnect connector port. Also uses port 4443 for Web GUI. |
| 9640 |
tcp |
pqsflows |
not scanned |
ProQueSys Flows Service |
| 9650 |
tcp,udp |
applications |
not scanned |
GeoVision TwinDVR with Webcam |
| 9666 |
tcp |
zoomcp |
not scanned |
Zoom Control Panel Game Server Management [Zoom_Control_Panel] (IANA official) |
| 9667 |
tcp,udp |
xmms2 |
not scanned |
Cross-platform Music Multiplexing System |
| 9668 |
tcp,udp |
client-wakeup |
not scanned |
tec5 Spectral Device Control Protocol |
| 9669 |
tcp |
applications |
not scanned |
VGG Image Search Engine VISE |
| 9675 |
tcp,udp |
applications |
not scanned |
Spiceworks Desktop, IT Helpdesk Software
In AXESS ACS (Auto Configuration Server) through 5.2.0, unsanitized user input in the TR069 API allows remote unauthenticated attackers to cause a permanent Denial of Service via crafted TR069 requests on TCP port 9675 or 7547. Rebooting does not resolve the permanent Denial of Service.
References: [CVE-2024-56316]
|
| 9676 |
tcp,udp |
applications |
not scanned |
Spiceworks Desktop, IT Helpdesk Software |
| 9689 |
tcp |
malware |
not scanned |
Backdoor.Win32.Zhangpo / Remote DoS - Zhangpo listens on TCP port 9689, sending a special character as a long string HTTP payload will DoS the backdoor.
References: [MVID-2021-0058] |
| 9694 |
tcp,udp |
client-wakeup |
not scanned |
T-Mobile Client Wakeup Message |
| 9695 |
tcp,udp |
ccnx |
not scanned |
Content Centric Networking |
| 9696 |
tcp |
trojans |
Premium scan |
Backdoor.Gholame [Symantec-2002-081414-0139-99] - remote access trojan, affects Windows, opens TCP ports 9696 and 9697 by default. |
| 9697 |
tcp |
trojan |
Premium scan |
Backdoor.Gholame [Symantec-2002-081414-0139-99] - remote access trojan, affects Windows, opens TCP ports 9696 and 9697 by default. |
| 9735 |
tcp |
applications |
not scanned |
Bitcoin Lightning Network |
| 9777 |
tcp,udp |
games |
not scanned |
Rainbow Six 3 Raven Shield: Athena Sword, Unreal Tournament
Backdoor.StealthEye [Symantec-2002-120514-5403-99] (2002.12.05) - a backdoor trojan coded in Visual Basic, gives an attacker unauthorized access to an infected computer. By default it opens ports 9777 and 9778. |
| 9778 |
tcp,udp |
trojans |
not scanned |
Backdoor.StealthEye [Symantec-2002-120514-5403-99] (2002.12.05) - a backdoor trojan coded in Visual Basic, gives an attacker unauthorized access to an infected computer. By default it opens ports 9777 and 9778. |
| 9789 |
tcp |
applications |
not scanned |
Lexmark Markvision Enterprise before 1.8 provides a diagnostic interface on TCP port 9789, which allows remote attackers to execute arbitrary code, change the configuration, or obtain sensitive fleet-management information via unspecified vectors.
References: [CVE-2013-3055], [SECUNIA-53185] |
| 9793 |
tcp,udp |
applications |
not scanned |
Moove |
| 9795 |
tcp,udp |
applications |
not scanned |
Moove |
| 9800 |
tcp,udp |
davsrc |
not scanned |
WebCT e-learning portal
WebDav Source Port (IANA official) |
| 9832 |
tcp |
applications |
not scanned |
Symantec Workspace Streaming could allow a remote attacker to execute arbitrary code on the system, caused by an error in the exposed EJBInvokerServlet and JMXInvokerServlet servlets within Apache Tomcat. By sending a specially-crafted object to TCP port 9832, an attacker could exploit this vulnerability to execute arbitrary code with SYSTEM privileges.
References: [XFDB-88300] |
| 9833 |
tcp |
applications |
not scanned |
Telindus router - default port for the 1100 series of Telindus ADSL routers, such as 1110 and 1120. |
| 9833 |
udp |
|
not scanned |
Telindus 1100 series ADSL router allows remote attackers to gain privileges to the device via a certain packet to UDP port 9833, which generates a reply that includes the router's password and other sensitive information in cleartext.
References: [CVE-2002-0949] [BID-4946] |
| 9842 |
tcp |
malware |
not scanned |
Backdoor.Win32.Wollf.m / Weak Hardcoded Password - the malware runs with SYSTEM integrity and listens on TCP port 9842. Authentication is required. However, the password "holybolt" is weak and hardcoded in the PE file in cleartext.
References: [MVID-2022-0477] |
| 9850 |
tcp |
applications |
not scanned |
Novell GroupWise is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the HTTP interface. By sending an overly long request to TCP port 9850, a remote attacker could overflow a buffer and execute arbitrary code on the system.
References: [CVE-2011-0334], [BID-49779] |
| 9863 |
tcp |
malware |
not scanned |
Backdoor.Win32.PsyRat.b / Unauthenticated Remote Command Execution - the PsyRAT 1.02 malware listens by default on TCP port 9863, but can be changed when building backdoor servers. Third-party attackers who can reach infected systems can execute commands made available by the backdoor. The backdoors cpuinfo command will leak system details including cleartext password.
References: [MVID-2021-0306] |
| 9867 |
tcp |
trojans |
Premium scan |
Backdoor.Sokeven [Symantec-2004-092214-2730-99] - remote access trojan. Affects all current Windows versions, opens a SOCKS proxy on port 9867 by default. Systems can get infected by visiting malicious website with Internet Explorer - exploits IE File Installation Vulnerability. |
| 9870 |
tcp |
trojan |
Premium scan |
Remote Computer Control Center |
| 9871 |
tcp |
trojans |
not scanned |
Backdoor.Theef [Symantec-2002-101115-3443-99] (2002.10.14) - a trojan that can allow unauthorized access to an infected computer. It opens port 9871 to listen for a connection. The trojan is written in Delphi |
| 9872-9874 |
tcp |
trojans |
Premium scan |
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp. |
| 9875 |
tcp,udp |
sapv1 |
not scanned |
EverQuest Chat server, Club Penguin Disney online game for kids
Portal of Doom (coded in Visual Basic, 03.1999) is a popular remote access trojan that uses ports 3700/tcp, 9872-9875/tcp, 10067/udp, 10167/udp.
PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file.
References: [CVE-2007-1804] [BID-23240] [SECUNIA-25787]
Session Announcement v1 (IANA official) |
| 9876 |
tcp |
session director |
Premium scan |
Session Director, True Image Remote Agent, Wireshark, nmap use this port.
Trojans that also use this port:
Cyber Attacker, Rux, Backdoor.Lolok
Backdoor.Lolok [Symantec-2002-120514-5802-99] is a backdoor Trojan that uses the mIRC client to give a hacker access to the computer. By default, it establishes an IRC connection to irc.tu-pac.net on port 9876. Usualy spreads through email attachments or disguised as a video file. Discovered on 12.05.2002.
Acronis True Image Windows Agent 1.0.0.54, allows remote attackers to cause a denial of service (crash) via a malformed packet to port 9876, which triggers a NULL pointer dereference
References: [CVE-2008-1280], [BID-28169]
An unauthenticated attacker can perform an out of bounds heap read in the IQ Service (TCP port 9876). This vulnerability has been resolved in firmware version 2.800.0000000.8.R.20241111.
References: [CVE-2024-52545]
|
| 9876 |
udp |
applications |
not scanned |
V Rising Dedicated server |
| 9877 |
tcp |
x510 |
Premium scan |
V Rising Dedicated server
Small Big Brother trojan
An issue was discovered in Acronis Cyber Backup before 12.5 Build 16342. Some API endpoints on port 9877 under /api/ams/ accept an additional custom Shard header. The value of this header is afterwards used in a separate web request issued by the application itself. This can be abused to conduct SSRF attacks against otherwise unreachable Acronis services that are bound to localhost such as the NotificationService on 127.0.0.1:30572.
References: [CVE-2020-16171], [EDB-49113]
The X.510 wrapper protocol [ITU-T X.510 / ISO/IEC 9584-11] (IANA official) |
| 9878 |
tcp |
trojan |
Premium scan |
Small Big Brother, TransScout trojans
Backdoor.Win32.Psychward.ds / Weak Hardcoded Password - the malware listens on TCP port 9878 and requires a password for remote user access. However, the backdoors password "nivag" is weak and hardcoded in plaintext within the executable.
References: [MVID-2021-0219]
|
| 9878 |
udp |
kca-service |
not scanned |
The KX509 Kerberized Certificate Issuance Protocol in Use in 2012 [IESG] [RFC 6717] (IANA official) |
| 9879 |
tcp |
trojan |
Premium scan |
Small Big Brother trojan |
| 9889 |
tcp,udp |
gt-proxy |
not scanned |
Port for Cable network related data proxy or repeater |
| 9890 |
tcp |
worm |
not scanned |
W32.Ircbrute.B [Symantec-2010-012711-2418-99] (2010.01.27) - a worm that spreads by copying itself to removable drives. It also opens a back door on the compromised computer. |
| 9897 |
udp |
applications |
not scanned |
Sony PlayStation Remote Play Video stream |
| 9898 |
tcp |
safeq |
Members scan |
YSoft SafeQ workflow software, Tripwire-File Integrity Monitoring Software
Dabber.A [Symantec-2004-051414-5013-99] (2004.05.14) and Dabber.B [Symantec-2004-060414-4404-99] (2004.06.04) - a worm that propagates by exploiting vulnerability in the FTP server component of W32.Sasser.Worm and its variants. It installs a backdoor on port 9898/tcp (if it fails, tries to listen on ports 9899-9999).
Backdoor.CrashCool [Symantec-2003-091308-3135-99] (2003.09.13) - a trojan horse that allows unauthorized access to the victim machine. By default it opens port 9898 for listening.
MonkeyCom (TCP/UDP) (IANA official). |
| 9899 |
tcp |
trojans |
Premium scan |
Ini-Killer, W32.dabber.a |
| 9899 |
udp |
sctp-tunneling |
not scanned |
SCTP TUNNELING (IANA official) [RFC 6951] |
| 9900 |
tcp,udp,sctp |
iua |
not scanned |
Unspecified vulnerability in Stack Group Bidding Protocol (SGBP) support in Cisco IOS 12.0 through 12.4 running on various Cisco products, when SGBP is enabled, allows remote attackers on the local network to cause a denial of service (device hang and network traffic loss) via a crafted UDP packet to port 9900.
References: [CVE-2006-0340], [BID-16303], [SECUNIA-18490]
Port is also IANA registered for IUA |
| 9901 |
udp,sctp |
enrp |
not scanned |
Enrp server channel [RFC 5353] (IANA official) |
| 9903 |
udp |
multicast-ping |
not scanned |
IANA registered for: Multicast Ping Protocol [RFC 6450] |
| 9919 |
tcp |
trojans |
Premium scan |
Kryptonic Ghost Command Pro, W32.dabber.a |
| 9920 |
tcp,udp |
games |
not scanned |
Football Manager Live |
| 9922 |
tcp |
applications |
not scanned |
Multiple Hanvon facial recognition (Face ID) devices could allow a remote attacker to bypass security restrictions, caused by a plain-text management protocol on TCP port 9922. An attacker could exploit this vulnerability to gain access to the device.
References: [CVE-2014-2938], [XFDB-93297], [OSVDB-107138] |
| 9925 |
tcp |
xybrid-cloud |
not scanned |
IANA registered for: XYBRID Cloud |
| 9940 |
tcp,udp |
applications |
not scanned |
iVisit |
| 9943 |
tcp,udp |
applications |
not scanned |
iVisit |
| 9944 |
tcp |
phala |
not scanned |
Phala network default ports: 9944, 18000, 19944 |
| 9945 |
tcp,udp |
applications |
not scanned |
iVisit |
| 9946 |
tcp |
games |
not scanned |
Medal of Honor 2010 |
| 9954 |
tcp |
hinp |
not scanned |
IANA registered for: HaloteC Instrument Network Protocol |
| 9955 |
tcp |
alljoyn-stm |
not scanned |
Contact Port for AllJoyn standard messaging [Qualcomm Innovation Center] (IANA official) |
| 9955 |
udp |
alljoyn-mcm |
not scanned |
Contact Port for AllJoyn multiplexed constrained messages [Qualcomm Innovation Center] (IANA official) |
| 9956 |
udp |
alljoyn |
not scanned |
Alljoyn Name Service [Qualcomm Innovation Center] (IANA official) |
| 9961 |
tcp,udp |
games |
not scanned |
Test Drive Unlimited |
| 9964 |
udp |
games |
not scanned |
Battlefield 2142 |
| 9969 |
tcp,udp |
streamtome |
not scanned |
ServeToMe server & StreamToMe streaming media player |
| 9971 |
tcp,udp |
streamtome |
not scanned |
ServeToMe server & StreamToMe streaming media player |
| 9978 |
tcp |
xybrid-rt |
not scanned |
XYBRID RT Server - Rx Networks Inc (IANA official) |
| 9979 |
tcp |
visweather |
not scanned |
The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on etcd grpc-proxy component. Even though the CVE-2016-2183 has been fixed in the etcd components, to enable periodic health checks from kubelet, it was necessary to open up a new port (9979) on etcd grpc-proxy, hence this port might be considered as still vulnerable to the same type of vulnerability. The health checks on etcd grpc-proxy do not contain sensitive data (only metrics data), therefore the potential impact related to this vulnerability is minimal. The CVE-2023-0296 has been assigned to this issue to track the permanent fix in the etcd component.
References: [CVE-2023-0296]
Valley Information Systems Weather station data (IANA official)
|
| 9981 |
tcp |
pumpkindb |
not scanned |
IANA registered for: Event sourcing database engine with a built-in programming language
TVHeadend HTTP server (web interface) also uses this port |
| 9982 |
tcp |
applications |
not scanned |
TVHeadend HTSP server (Streaming protocol) |
| 9987 |
udp |
applications |
not scanned |
TeamSpeak 3 server default (voice) port.
TS3 uses the following ports:
9987 UDP (default voice port)
10011 TCP (default serverquery port)
30033 TCP (default filetransfer port)
41144 TCP (default tsdns port)
TS3 also connects to: accounting.teamspeak.com:2008 (TCP for license checks) and weblist.teamspeak.com:2010 (UDP). TS3 weblist also uses ports 2011-2110 (UDP out, first available port in range).
Teamspeak Server is vulnerable to a denial of service, caused by multiple assertion errors in multiple commands. By sending a specially-crafted command to UDP port 9987, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-59521], [BID-40918], [SECUNIA-40230]
|
| 9988 |
tcp |
nsesrvr |
not scanned |
The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988.
References: [CVE-2019-14258]
IANA registered for: Software Essentials Secure HTTP server |
| 9989 |
tcp |
trojan |
Premium scan |
iNi-Killer trojan |
| 9990 |
tcp |
applications |
not scanned |
DOT.TUNES, RealSecure ISS system scanner
IANA registered for: OSM Applet Server
** DISPUTED ** An issue was discovered in WildFly 10.1.2.Final. It is possible for an attacker to access the administration panel on TCP port 9990 without any authentication using "anonymous" access that is automatically created. Once logged in, a misconfiguration present by default (auto-deployment) permits an anonymous user to deploy a malicious .war file, leading to remote code execution. NOTE: the vendor indicates that anonymous access is not available in the default installation; however, it remains optional because there are several use cases for it, including development environments and network architectures that have a proxy server for access control to the WildFly server.
References: [CVE-2018-10682] |
| 9991 |
tcp,udp |
osm-oev |
not scanned |
WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service (daemon crash) via a long HTTP Accept Header to TCP port 9991.
References: [CVE-2018-7582], [EDB-44271]
IANA registered for: OSM Event Server |
| 9992 |
tcp,udp |
applications |
not scanned |
The Palace chat environment uses ports 9992-9998 |
| 9995 |
tcp,udp |
games |
not scanned |
Sometimes used by Cisco NetFlow (commonly on port 2055/udp).
Football Manager Live |
Shortcuts