Port 9989 sits in the registered port range (1024-49151) but has no official service assigned by IANA. It's blank space in the port registry. That doesn't mean it's unused.
What Lives Here (Unofficially)
Zerto Cloud Manager claimed this port for disaster recovery operations. The ZCM GUI and REST APIs connect over HTTPS on port 9989, allowing cloud service providers to manage virtual machine replication and disaster recovery across multiple sites.[1][2]
Access Zerto Cloud Manager by browsing to https://<ZCM_IP>:9989 and logging in with admin credentials. The ZCM functions as a "manager of managers," enabling multi-tenant disaster recovery where one cloud provider manages disaster recovery for multiple customers.[3]
Malware also uses port 9989. The Family KeyLogger trojan and other malware have been observed using this port for keylogging and system manipulation.[4] The lack of standardization makes monitoring harder—port 9989 traffic could be legitimate disaster recovery management or malicious activity, and you need context to know which.
The Registered Port Range
Port 9989 belongs to the registered ports range (1024-49151). These ports can be registered with IANA for specific services, but registration is voluntary. Many ports in this range, including 9989, remain unassigned.
This creates ambiguity. Developers can use unassigned registered ports for custom applications without conflicts in their own environments, but there's no guarantee another application won't choose the same port. That's exactly what happened here—Zerto picked 9989 for disaster recovery, malware authors picked it for trojans, and both coexist in the wild.
Checking What's Listening
To see what's actually using port 9989 on your system:
Linux/macOS:
Windows:
If you see port 9989 open and you're not running Zerto, investigate. It could be legitimate custom software or something you don't want running.
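An added example, not from the original page: a shell function for the Linux check described above. It parses `ss -H -tlnp` output (iproute2) for listeners on port 9989 and flags any whose owning process is not on an allow list. The process names, the allow list and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners on one port and flag unexpected owners.
# Input is `ss -H -tlnp` output (iproute2); columns are
# State Recv-Q Send-Q Local:Port Peer:Port [Process].

# listeners_on_port PORT "EXPECTED_NAMES" < ss-output
# Prints: <local-address:port> <process> <pid> <EXPECTED|INVESTIGATE>
listeners_on_port() {
  awk -v port="$1" -v expected="$2" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 == "LISTEN" {
      # The port is the text after the last colon, so [::]:9989 and *:9989
      # match and 19989 is not mistaken for 9989.
      k = split($4, part, ":")
      if (part[k] != port) next
      proc = "unknown"; pid = "-"
      # The process column is absent when ss lacks privileges to read it.
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      if (match($0, /pid=[0-9]+/))        pid  = substr($0, RSTART + 4, RLENGTH - 4)
      print $4, proc, pid, ((proc in ok) ? "EXPECTED" : "INVESTIGATE")
    }'
}

# Live check; run as root so ss can report process names for all sockets.
check_port_live() {
  ss -H -tlnp | listeners_on_port "$1" "$2"
}

# Constructed sample input (not captured from a real host).
SAMPLE='LISTEN 0 128 0.0.0.0:9989 0.0.0.0:* users:(("svchelper",pid=4121,fd=3))
LISTEN 0 128 [::]:9989 [::]:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:19989 0.0.0.0:* users:(("node",pid=3001,fd=20))'

# "svchelper" is a hypothetical allow-listed process name.
printf '%s\n' "$SAMPLE" | listeners_on_port 9989 "svchelper"
```

On a live host, call `check_port_live 9989 "<expected process names>"`; a listener reported as `unknown` means the owning process could not be read and should be rechecked with elevated privileges.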
Why Unassigned Ports Matter
The Internet has 65,535 ports per protocol. Only 1,024 are well-known. The registered range contains over 48,000 ports, and many are unassigned.
These unassigned ports are where custom software lives—internal applications, proprietary protocols, development servers, and yes, sometimes malware. They're the flexible space of the port system, claimed by whoever needs them without central coordination.
Port 9989 is a reminder that "unassigned" doesn't mean "unused." It means nobody asked permission. Zerto needed a port for disaster recovery management and chose 9989. It works because their customers configure their firewalls to allow it. No RFC, no IANA registration, just a decision and documentation.
That's how most of the registered range works. The official assignments are sparse. The actual use is dense, chaotic, and entirely dependent on what software you're running.