Port reference

Port 8009 (TCP) – AJP (Apache JServ Protocol)

Binary AJP connector that lets a front-end web server proxy requests to a Tomcat backend.

tcp | Registered | Commonly attacked

Default state

Open on default Tomcat installs (AJP connector enabled). Meant for internal use, but historically bound to all interfaces and exposed.

Common attacks

  • Ghostcat (CVE-2020-1938) arbitrary file read of webapp files
  • Remote code execution by combining file upload with the AJP flaw
  • Reading configuration and credentials from WEB-INF
  • Scanning for exposed AJP connectors alongside 8080 web apps

Related CVE: CVE-2020-1938

Hardening

  • Disable the AJP connector if you don't use a front-end proxy
  • Bind AJP to localhost (address="127.0.0.1") and never expose it
  • Set a requiredSecret on the connector and patch Tomcat
  • Firewall 8009 to allowed reverse-proxy hosts only
  • Audit WEB-INF contents for secrets

nmap snippet

nmap -p8009 --script ajp-methods,http-vuln-cve2020-1938 <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 8009?

Port 8009 is the default for AJP (Apache JServ Protocol), the binary connector that lets a front-end web server (Apache httpd, Nginx) proxy requests to a Tomcat backend. It pairs with the HTTP connector on 8080 and is meant strictly for internal server-to-server traffic, not direct client access.

Why it matters for security

AJP trusts the front-end proxy and exposes powerful request attributes. When the connector is bound to all interfaces and reachable, that trust can be abused. Default Tomcat installs historically enabled AJP on every interface, turning an internal-only protocol into an internet-facing one — the conditions that made Ghostcat so widespread.

How it's attacked

Ghostcat (CVE-2020-1938) lets an attacker read arbitrary files inside the web app, including WEB-INF configuration and credentials. By chaining the file read with the ability to upload a file (e.g. an uploads directory), attackers escalate to remote code execution. Scanners look for exposed 8009 next to 8080 web apps to fingerprint vulnerable Tomcat.

Hardening checklist

Disable the AJP connector entirely if you don't front Tomcat with a proxy. If you need it, bind it to localhost (address="127.0.0.1"), set a requiredSecret, and firewall 8009 to allowed reverse-proxy hosts only. Patch Tomcat to a fixed version and audit WEB-INF for secrets. Use the nmap snippet to test for the Ghostcat flaw on systems you are authorized to test.
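The checklist above (and the Hardening list earlier on this page) boils down to a handful of attributes on the AJP <Connector> element in Tomcat's conf/server.xml. The script below is an added example, not code from this page or from the Tomcat project: it parses a server.xml, finds every AJP/1.3 connector and reports which of those settings are missing. The two server.xml documents embedded in it are constructed samples, one modelled on the legacy default (no address, no secret) and one hardened. The attribute names are Tomcat's own: address, requiredSecret on releases before 9.0.31 / 8.5.51, and secret plus secretRequired from those releases onward, which also changed the default bind address to loopback. The version cut-offs in the comments are stated from the Tomcat changelog, not from this page.

```python
"""Audit a Tomcat server.xml for AJP connectors that miss the hardening steps.

Added example (not from the page or the Tomcat project). Checks each AJP/1.3
<Connector> for: an explicit loopback bind address, a shared secret
(secret, or requiredSecret on older Tomcat) and secretRequired not disabled.
"""
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

# Constructed sample modelled on the pre-9.0.31 default: AJP on, no address, no secret.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed hardened sample: loopback bind, shared secret, secretRequired kept on.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-VALUE"
               redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample with the AJP connector removed (the "disable it" option).
DISABLED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per AJP connector: {"port": ..., "issues": [...]}.

    An empty issues list means the connector passes every check.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat's protocol attribute defaults to HTTP/1.1 when omitted.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        issues = []

        address = conn.get("address")
        if address is None:
            # Tomcat before 9.0.31 / 8.5.51 bound AJP to all interfaces by default.
            issues.append("no address attribute: older Tomcat binds all interfaces")
        elif address not in LOOPBACK_ADDRESSES:
            issues.append(f'address="{address}" is not a loopback address')

        # secretRequired (9.0.31+/8.5.51+) defaults to true; "false" opts out.
        if conn.get("secretRequired", "true").lower() != "true":
            issues.append('secretRequired="false" admits proxies without a secret')

        # Newer Tomcat uses secret; older releases used requiredSecret.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no shared secret (secret / requiredSecret) configured")

        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


def ajp_is_hardened(server_xml: str) -> bool:
    """True when no AJP connector is present, or every one passes all checks."""
    return all(not f["issues"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML),
                       ("ajp removed", DISABLED_SERVER_XML)):
        print(f"{label}: hardened={ajp_is_hardened(xml)}",
              audit_ajp_connectors(xml))
```

Run it against a real conf/server.xml by reading the file into a string and passing it to audit_ajp_connectors; the script only reads configuration, so it is safe to run on production hosts. Note that a passing result still assumes the host firewall restricts 8009 to the reverse-proxy hosts, which server.xml cannot express, and that the Tomcat build itself is at a version fixed for CVE-2020-1938.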

Frequently asked questions

What is port 8009 used for?
It runs AJP (Apache JServ Protocol), the binary connector Tomcat uses to receive proxied requests from a front-end web server like Apache httpd or Nginx. It is intended for internal traffic only.
What is Ghostcat (CVE-2020-1938)?
Ghostcat is an AJP flaw that lets attackers read arbitrary files inside a Tomcat web app (such as WEB-INF) and, combined with file upload, achieve RCE. Disable or restrict the AJP connector and patch Tomcat.