Port reference

Port 9000 (TCP) – PHP-FPM / SonarQube

Shared port for PHP-FPM FastCGI, the SonarQube web UI, and assorted development HTTP servers.

TCP · Registered · Commonly attacked

Default state

Open when PHP-FPM, SonarQube, or a dev server runs. PHP-FPM is meant for localhost only; exposing the FastCGI socket is dangerous.

Common attacks

  • Remote code execution via an exposed PHP-FPM FastCGI socket
  • Direct FastCGI requests bypassing the web server to run PHP
  • Unauthenticated SonarQube dashboards leaking source and tokens
  • Scanning dev HTTP servers for debug endpoints and secrets

Hardening

  • Bind PHP-FPM to a Unix socket or 127.0.0.1, never to a public interface
  • Never expose the FastCGI port to the internet
  • Authenticate SonarQube and change default admin credentials
  • Firewall 9000 to localhost/trusted hosts and patch the service
  • Disable or lock down dev servers in production

nmap snippet

nmap -sV -p9000 --script http-title,banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 9000?

Port 9000 is ambiguous — several common services default to it. Most often it is the PHP-FPM FastCGI socket that a web server (Nginx) talks to, but it is also the SonarQube web UI and a frequent choice for development HTTP servers. Always identify the actual service before assessing the port.

Why it matters for security

PHP-FPM speaks the FastCGI protocol with no authentication — it trusts whoever connects. It is meant to listen on localhost or a Unix socket; if 9000 is reachable over the network, the trust boundary is gone. SonarQube on 9000 exposes source-code insights and tokens, and dev servers often leak debug endpoints and secrets.

How it's attacked

Against an exposed PHP-FPM socket, attackers send crafted FastCGI requests directly, bypassing the web server, to execute arbitrary PHP and achieve remote code execution. On SonarQube they hit unauthenticated dashboards to harvest source and CI tokens, and they scan dev HTTP servers for debug routes, stack traces, and leaked credentials.

Hardening checklist

Bind PHP-FPM to a Unix socket or 127.0.0.1, never a public interface, and never expose the FastCGI port to the internet. Authenticate SonarQube and change default admin credentials. Firewall 9000 to localhost or trusted hosts, patch the service, and disable or lock down dev servers in production. Use the nmap snippet to identify what is actually listening on systems you are authorized to test.
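The first item of the checklist can be verified from configuration rather than by scanning. The script below is an added example, not code from this page or from PHP-FPM: it parses pool .conf text (the constructed SAMPLE_CONF stands in for /etc/php/*/fpm/pool.d/*.conf) and rates each pool's `listen` directive, treating a Unix socket or loopback bind as safe, a non-loopback TCP bind restricted by `listen.allowed_clients` as a warning, and an unrestricted non-loopback bind as high risk.

```python
# Hypothetical PHP-FPM pool-config audit (added example, not from the page).
# Parses pool .conf text and flags `listen` directives that expose the
# unauthenticated FastCGI port on a non-loopback address.
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_pools(conf_text: str) -> dict:
    """Return {pool_name: {key: value}} from php-fpm ini-style pool text."""
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = m.group(1)
            pools[current] = {}
        elif current and "=" in line:
            key, _, val = line.partition("=")
            pools[current][key.strip()] = val.strip()
    return pools

def assess_pool(settings: dict) -> tuple:
    """Return (severity, reason) for one pool; severity is ok, warn or high."""
    listen = settings.get("listen", "")
    if listen.startswith("/"):
        return "ok", "unix socket, not network reachable"
    host, sep, port = listen.rpartition(":")
    if not sep:  # a bare port such as "9000" binds every interface
        host, port = "0.0.0.0", listen
    host = host.strip("[]")  # IPv6 literals are written as [addr]:port
    if host in LOOPBACK:
        return "ok", "bound to loopback only"
    if settings.get("listen.allowed_clients"):
        return "warn", "TCP on non-loopback, limited by listen.allowed_clients"
    return "high", f"FastCGI port {port} open on {host} with no client restriction"

def audit(conf_text: str) -> dict:
    return {name: assess_pool(s) for name, s in parse_pools(conf_text).items()}

# Constructed sample: an exposed pool beside a correctly bound one.
SAMPLE_CONF = """
[www]
listen = 0.0.0.0:9000   ; weak: any interface, no authentication
[api]
listen = /run/php/php-fpm-api.sock
"""

if __name__ == "__main__":
    for pool, (sev, why) in audit(SAMPLE_CONF).items():
        print(f"{sev:4} {pool}: {why}")
```

Point it at real pool files by reading them and passing their text to audit(); any pool rated high is the case the checklist warns about.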

Frequently asked questions

What runs on port 9000?
Port 9000 is ambiguous. It is the default for PHP-FPM's FastCGI socket, the SonarQube web UI, and many development HTTP servers. Identify the actual service before assessing risk.
Why is exposing PHP-FPM on 9000 dangerous?
PHP-FPM speaks FastCGI with no authentication. If 9000 is reachable, an attacker can send crafted FastCGI requests to execute arbitrary PHP and gain RCE. Bind it to localhost or a Unix socket and firewall the port.