The "Trend" is an attempt to put a number to the increase in activity for a given port.
Right now, I am comparing the last 24 hours to the last 30 days.
So if we see a rise in activity compared to the last 30 days, the trend is high.

The following formula is used to calculate the trend:

`sqrt( (S-s)^2/s + (T-t)^2/t )`

- S: number of source IPs hitting this port in the last 24 hours.
- s: average number of source IPs hitting this port each day (last 30 days).
- T, t: the same for target IPs detecting scans on this port.

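
The formula applied to per-port daily counts, as an added example (not the site's own code): `rank_ports`, `direction`, the sample counts and the floor of 1 on an empty baseline are assumptions of this example. It also reports the direction of the change, because the squared terms give a drop the same score as an equal rise.

```python
import math

def trend(S, s, T, t):
    """Trend formula from the page: sqrt((S-s)^2/s + (T-t)^2/t)."""
    # A port with no reports in the baseline window has s or t == 0 and the
    # formula would divide by zero. Flooring the baseline at 1 is an
    # assumption of this example, not something the page specifies.
    s, t = max(s, 1.0), max(t, 1.0)
    return math.sqrt((S - s) ** 2 / s + (T - t) ** 2 / t)

def direction(S, s, T, t):
    """The squares discard the sign, so report rise/fall separately."""
    s, t = max(s, 1.0), max(t, 1.0)
    signed = (S - s) / math.sqrt(s) + (T - t) / math.sqrt(t)
    return "up" if signed > 0 else "down" if signed < 0 else "flat"

def rank_ports(history, last_24h):
    """history: port -> list of daily (sources, targets) counts (30 days).
    last_24h: port -> (sources, targets). Returns rows sorted by trend."""
    rows = []
    for port, (S, T) in last_24h.items():
        days = history.get(port, [])
        s = sum(d[0] for d in days) / len(days) if days else 0.0
        t = sum(d[1] for d in days) / len(days) if days else 0.0
        rows.append((port, round(trend(S, s, T, t), 1), direction(S, s, T, t)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample counts, not real sensor data.
HISTORY = {
    5631: [(90, 380), (110, 420)] * 15,  # averages out to s=100, t=400
    445: [(10000, 40000)] * 30,
    23: [(100, 400)] * 30,
}
LAST_24H = {
    5631: (400, 1200),    # sharp rise on a quiet port
    445: (10100, 40200),  # larger absolute rise, small relative to baseline
    23: (40, 240),        # activity dropped; the score is still non-zero
    22001: (4, 5),        # never seen before: no baseline at all
}

if __name__ == "__main__":
    for port, score, way in rank_ports(HISTORY, LAST_24H):
        print(f"{port:>6}  {score:>6}  {way}")
```

Dividing by the baseline is what keeps busy ports from dominating: the constructed port 445 gains 100 sources and still scores far below the quiet port that quadrupled.
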
| Port | Trend | Service |
|---|---|---|
| 22001 | 1 | optocontrol |
| 9200 | 1 | wap-wsp |
| 6673 | 1 | vision_elmd |
| 2368 | 1 | opentable |
| 4160 | 1 | jini-discovery |
| 31339 | 1 | NetSpy(DK), NetSpyDK |
| 27001 | 1 | flex-lm |
| 6671 | 1 | DeepThroat |
| 5902 | 1 | vnc-2 |
| 20222 | 1 | ipulse-ics |
| 18184 | 1 | opsec-lea |
| 29005 | 1 | starsiege |
| 5632 | 1 | pcanywherestat |
| 5631 | 962 | pcanywheredata |
| 27004 | 939 | flex-lm |
| 2 | 937 | compressnet, Death |
| 6665 | 932 | ircu |
| 2479 | 929 | ssm-els |
| 5432 | 911 | postgres |
| 6672 | 888 | vision_server |
| 54321 | 875 | BackOrifice2000, SchoolBus |
| 2323 | 865 | 3d-nfsd |
| 6670 | 862 | BackWebServer, DeepThroat, Foreplay, vocaltec-gold, WinNukeeXtreame |
| 39213 | 852 | Sygate |
| 3390 | 834 | dsc |
| 8009 | 818 | netware-rmgr |
| 2222 | 793 | AMD, rockwell-csp2 |
| 1084 | 788 | ansoft-lm-2 |
| 1083 | 778 | ansoft-lm-1, WinHole |
| 2001 | 777 | dc, DerSpherDerSpaeher, DerSpäher, TrojanCow, wizard |
| 1082 | 759 | amt-esd-prot, WinHole |
| 6668 | 755 | irc, ircu |
| 8082 | 752 | blackice |
| 587 | 731 | submission |
| 808 | 728 | WinHole |
| 2301 | 718 | compaqdiag, cpq-wbem |
| 1081 | 713 | pvuniwien, WinHole |
| 5800 | 710 | vnc |
| 5555 | 710 | personal-agent, rplay, ServeMe |
| 7 | 699 | echo |
| 995 | 683 | pop3s |
| 82 | 680 | xfer |
| 6669 | 648 | HostControl, ircu, Vampire |
| 7777 | 642 | cbt, FWTK-authsvr, GodMessage, oracle-portal, TheThing(modified), Tini |
| 6667 | 612 | DarkFTP, EGO, irc, ircu, kaitex, Maniacrootkit, Moses, ScheduleAgent, SubSeven, Subseven2.1.4DefCon8, TheThing, Trinity, WinSatan |
| 6060 | 599 | x11 |
| 8443 | 592 | pcsync-ssl |
| 7778 | 591 | interwise, UnReal_UT |
| 8081 | 589 | blackice |
| 65535 | 577 | Adoreworm, RC1trojan, Sins |
| 1900 | 564 | ssdp |
| 993 | 560 | imaps |
| 3072 | 557 | csd-monitor |
| 4001 | 543 | newoak |
| 9000 | 535 | cslistener, Netministrator |
| 88 | 510 | BackDoor-AXC, kerberos |
| 8008 | 484 | http-alt, novell-http |
| 27015 | 436 | halflife |
| 30017 | 425 | teleop |
| 9090 | 420 | websm, zeus-admin |
| 8888 | 389 | ddi-tcp-1, ddi-udp-1, sun-answerbook |
| 12345 | 380 | Adoresshd, Ashley, cron/crontab, FatBitchtrojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, NetBusToy, NetBusworm, PieBillGates, TMListen, ValvNet, WhackJob, X-bill |
| 5901 | 375 | vnc-1 |
| 500 | 374 | isakmp |
| 123 | 373 | NetController, ntp |
| 143 | 371 | imap |
| 1234 | 359 | hotline, search-agent, SubSevenJavaclient, UltorsTrojan |
| 1 | 351 | SocketsdesTroie, tcpmux |
| 110 | 326 | pop-3, ProMailtrojan |
| 6588 | 296 | AnalogX |
| 6666 | 267 | DarkConnection, DarkConnectionInside, irc-serv, ircu, NetBusworm, TCPShell.c |
| 3 | 262 | compressnet |
| 161 | 257 | snmp |
| 3306 | 245 | mysql |
| 21 | 202 | AudioGalaxy, BackConstruction, BladeRunner, CattivikFTPServer, CCInvader, DarkFTP, DolyTrojan, Fore, FreddyK, ftp, InvisibleFTP, Juggernaut42, Larva, MotIvFTP, NetAdministrator, Ramen, RTB666, SennaSpyFTPserver, Traitor21, WebEx, WinCrash, [trojan]TheFlu |
| 1080 | 183 | socks, SubSeven2.2, WinHole |
| 8000 | 176 | irdmi |
| 3128 | 173 | ReverseWWWTunnel, RingZero, squid-http |
| 1023 | 164 | gs400-nas |
| 22 | 161 | Adoresshd, pcanywhere, Shaft, ssh |
| 8080 | 159 | BrownOrifice, Genericbackdoor, http-alt, RemoConChubo, ReverseWWWTunnel, RingZero |
| 4899 | 136 | radmin |
| 5900 | 135 | vnc |
| 81 | 134 | docs-to-go, hosts2-ns, RemoConChubo |
| 1024 | 130 | Jade, kdm, Latinus, NetSpy, RAT |
| 443 | 123 | https |
| 5000 | 100 | BackDoorSetup, BioNetLite, Blazer5, Bubbel, commplex-main, fics, ICKiller, pitou, Ra1d, SocketsdesTroie, upnp |
| 3127 | 64 | ctx-bridge, mydoom |
| 1433 | 61 | ms-sql-s |
| 23 | 58 | ADMworm, FireHacKer, MyVeryOwntrojan, RTB666, telnet, TelnetPro, TinyTelnetServer, TruvaAtl |
| 25 | 48 | Ajan, Antigen, Barok, BSE, EmailPasswordSender, EPSII, Gip, Gris, Happy99, Hpteammail, Hybris, Iloveyou, Kuang2, MagicHorse, MBT, MBTMailBombingTrojan, MoscowEmailtrojan, Naebi, NewAptworm, ProMailtrojan, Shtirlitz, smtp, Stealth, Stukach, Tapiras, Terminator, WinPC, WinSpy |
| 5060 | 47 | sip |
| 1434 | 43 | ms-sql-m |
| 139 | 38 | Chode, GodMessageworm, Msinit, netbios-ssn, Netlog, Network, Qaz, Sadmind, SMBRelay |
| 53 | 36 | ADMworm, domain, Lion |
| 137 | 33 | Chode, Msinit, netbios-ns, Qaz |
| 80 | 24 | 711trojan, 8085, AckCmd, BackEnd, BO2000Plug-Ins, Cafeini, CGIBackdoor, Executor, GodMessage, GodMessage4Creator, Hooker, http, IISworm, MTX, NCX, Noob, Ramen, ReverseWWWTunnel, RingZero, RTB666, Seeker, WANRemote, WebDownloader, WebServerCT, www |
| 135 | 22 | epmap, loc-srv |
| 445 | 16 | microsoft-ds |
| 179 | 2.7 | bgp |

