Internet Storm Center
Training
Certification
Cyber Security Graduate School
Security Awareness Training
Computer Forensics
Penetration Testing
IT Audit
Software Security
The "Trend" is an attempt to put a number to the increase in activity for a given port.
Right now, I am comparing the last 24 hours to the last 30 days.
So if we see a rise in activity compared to the last 30 days, the trend is high.
The following formula is used to calculate the trend:
sqrt( (S-s)^2/s + (T-t)^2/t ) )
S: number of source IPs hitting this port last 24 hrs.
s: average number of source IPs hitting this port each day (last 30 days).
T/t: same for target IPs detecting scans on this port.
| Port | Trend | Service |
|---|---|---|
| 5069 | 1 | i-net-2000-npr |
| 8074 | 1 | gadu-gadu |
| 27002 | 1 | flex-lm |
| 18000 | 1 | biimenu |
| 22800 | 1 | aws-brf |
| 13783 | 1 | vopied |
| 27004 | 1 | flex-lm |
| 518 | 1 | ntalk |
| 14237 | 1 | palm-hotsync |
| 9595 | 1 | pds |
| 18182 | 1 | opsec-ufp |
| 5768 | 1 | openmailpxy |
| 9797 | 1 | lcfd |
| 8161 | 1 | patrol-snmp |
| 464 | 1 | kpasswd |
| 25123 | 1 | Goy'ZTroJan |
| 48002 | 1 | nimhub |
| 5888 | 1 | Y3KRAT |
| 6515 | 1 | game-play, McAfee-http |
| 41 | 1 | DeepThroat, Foreplay, graphics |
| 9200 | 1 | wap-wsp |
| 6502 | 1 | boks_servm |
| 2880 | 1 | synapse |
| 6673 | 1 | vision_elmd |
| 2624 | 1 | aria |
| 2368 | 1 | opentable |
| 4160 | 1 | jini-discovery |
| 13821 | 1 | dsmcc-download |
| 7424 | 1 | HostControl |
| 2304 | 1 | attachmate-uts |
| 3328 | 1 | egptlm |
| 33568 | 1 | Lion, T0rnRootkit |
| 17449 | 1 | KidTerror |
| 5093 | 1 | sentinel-lm |
| 20023 | 1 | VPKiller |
| 49000 | 1 | FraggleRock |
| 4096 | 1 | bre |
| 6912 | 1 | ShitHeep |
| 45000 | 1 | cisco-ids |
| 47624 | 1 | directplaysrvr |
| 2112 | 1 | idonix-metanet, kip |
| 11111 | 1 | vce |
| 2638 | 1 | sybase, sybaseanywhere |
| 6015 | 1 | x11 |
| 3392 | 1 | efi-lm |
| 31338 | 1 | BackOrifice, ButtFunnel, DeepBO |
| 13782 | 1 | bpcd |
| 5678 | 1 | rrac |
| 27960 | 1 | quake3server |
| 22222 | 1 | DonaldDick, Prosiak, Ruler, RUXTheTIc.K |
| 11600 | 1 | tempest-port |
| 40423 | 1 | MastersParadise |
| 3390 | 1 | dsc |
| 5902 | 1 | vnc-2 |
| 3130 | 1 | icpv2, squid-ipc |
| 222 | 1 | rsh-spx |
| 2560 | 1 | labrat |
| 17569 | 1 | Infector |
| 30000 | 1 | Infector |
| 6144 | 1 | statsci1-lm |
| 6400 | 1 | info-aps, TheThing |
| 29005 | 1 | starsiege |
| 5632 | 1 | pcanywherestat |
| 2013 | 998 | raid-am, raid-cd |
| 1856 | 985 | fiorano-msgsvc |
| 17007 | 981 | isode-dua |
| 1971 | 980 | netop-school |
| 1917 | 979 | noagent |
| 5631 | 962 | pcanywheredata |
| 90 | 957 | dnsix |
| 32777 | 953 | sometimes-rpc17, sometimes-rpc18 |
| 18080 | 945 | puremessage |
| 7001 | 942 | afs3-callback, Freak2k, Freak88, NetSnooperGold |
| 631 | 938 | ipp |
| 2 | 937 | compressnet, Death |
| 2010 | 932 | nfr, pipe_server, search |
| 1600 | 925 | DirectConnection, issd, Shivka-Burka, ShivkaBurka |
| 41524 | 922 | ArcServe |
| 8192 | 897 | snapstream |
| 1536 | 897 | ampr-inter, W32bckdr |
| 427 | 894 | svrloc |
| 1604 | 892 | icabrowser |
| 6672 | 888 | vision_server |
| 12346 | 883 | FatBitchtrojan, GabanBus, NetBus, X-bill |
| 54321 | 875 | BackOrifice2000, SchoolBus |
| 2323 | 865 | 3d-nfsd |
| 6670 | 862 | BackWebServer, DeepThroat, Foreplay, vocaltec-gold, WinNukeeXtreame |
| 1920 | 860 | can-ferret |
| 2950 | 859 | esip |
| 29003 | 853 | starsiege |
| 39213 | 852 | Sygate |
| 2048 | 845 | dls-monitor |
| 32775 | 833 | sometimes-rpc13, sometimes-rpc14 |
| 1280 | 826 | pictrography |
| 5061 | 818 | sip-tls |
| 3001 | 797 | nessusd, redwood-broker |
| 2222 | 793 | AMD, rockwell-csp2 |
| 1084 | 788 | ansoft-lm-2 |
| 1083 | 778 | ansoft-lm-1, WinHole |
| 1088 | 770 | cplscrambler-al |
