The response was instant. SERVICE: DBC_BROADCAST_PORT. STATUS: DORMANT. CARGO: SECURED.
"Start capture," he muttered.
As Alex monitored the traffic, they noticed a strange set of "bad requests" hitting the port—someone was trying to force their way in by sending invalid commands to the Microsoft IIS server listening there. Alex quickly realized that while 9998 is often used for legitimate staging and developer tools at sites like PentestPad , it had become an open window for an attacker.
The screen erupted. File names. Thousands of them. Transaction logs, yes, but also scanned passports, voice recordings, and image files labeled with coordinates. tcp port 9998
Understanding TCP Port 9998: Common Uses, Security, and Troubleshooting
Beyond SCADA, port 9998 appears in several enterprise and developer contexts:
He typed back: IDENTIFY.
It was the most boring sentence he could write for the most terrifying five minutes of his life. He grabbed his coffee, now cold, and took a sip. The neon sign outside flickered again, but for the first time all night, the server room felt quiet.
: In some configurations, Splunk indexers may listen on Port 9998 to receive data from forwarders, particularly when Port 9997 is unavailable or dedicated to other tasks.
TCP port 9998 is a perfect example of why port-based security alone is insufficient. It has legitimate, critical roles in power grids and water treatment plants via DNP3, yet it is also a favored hiding spot for RATs and backdoors. The difference between safe and malicious is entirely contextual: asset type, traffic pattern, and business need. The response was instant
"I'm not the architect," Elias whispered to the empty room. "I'm just the janitor."
If you see port 9998 open on a device in an industrial control system (ICS) environment, it is likely benign and critical for operations.