
SANS ISC Survival Time



The survival time is calculated as the average time between reports for an average target IP address. If you assume that most of these reports are generated by worms attempting to propagate, an unpatched system would be infected by such a probe.

The average time between probes will vary widely from network to network. Some of our submitters subscribe to ISPs which block ports commonly used by worms. As a result, these submitters report a much longer 'survival time'. On the other hand, university networks and users of high-speed Internet services are frequently targeted with additional scans from malware like bots. If you are connected to such a network, your 'survival time' will be much shorter.

The main issue here is of course that the time to download critical patches will exceed this survival time. To help users set up new systems, refer to our guide: Windows Vista: First Steps (a follow-on to our guide "Windows XP: Surviving the First Day").

[Figure: Survival Time Graph. Panels: Cumulative (Minutes), Windows (Minutes)]


Some applications may be available on more than one operating system. However, if they are mostly used on a particular OS, or if exploits in the wild target a specific OS using this application, we add them to the respective OS category.

For example, ssh servers are available for Windows and Unix. Most of the ssh scanning is looking for weak passwords, not for problems with a particular ssh implementation. However, most Unix installs enable ssh by default, while for Windows it is a third-party add-on. Successful ssh exploits reported to the ISC are so far limited to Unix. As a result, port 22 is assigned to 'Unix' for the purpose of this report. Port assignments may change over time.

  • Windows: Windows specific ports (e.g. File sharing)
  • Unix: Unix specific ports (e.g. dns, ssh)
  • Applications: Applications which are used (and vulnerable) on various operating systems
  • P2P: P2P afterglow, and other false positives
  • Backdoors: These ports are commonly used by backdoors and a system has to be infected with a trojan/virus in order to be vulnerable.

Not all ports are categorized, so the total will not add up to 100%. Over time, we will categorize more ports.
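A worked version of the calculation described above, as an added example that is not ISC's own code. It assumes "survival time" means the mean gap between consecutive reports for each target IP, averaged over targets; the sample reports are constructed, and the port map is a subset of the categories on this page.

```python
from collections import defaultdict
from statistics import mean

# Subset of the port categories listed on this page.
PORT_CATEGORY = {22: "Unix", 53: "Unix", 135: "Windows", 139: "Windows",
                 445: "Windows", 1433: "Windows", 80: "Application"}

# Constructed sample reports: (epoch seconds, target IP, destination port).
# Target addresses come from the RFC 5737 documentation ranges.
REPORTS = [
    (0,    "192.0.2.10", 445), (600,  "192.0.2.10", 22),
    (900,  "192.0.2.10", 135), (2400, "192.0.2.10", 445),
    (3000, "192.0.2.10", 6000),          # uncategorized port
    (0,    "198.51.100.7", 22), (1200, "198.51.100.7", 445),
    (3600, "198.51.100.7", 22), (4800, "198.51.100.7", 1433),
    (100,  "203.0.113.5", 80),           # single report: no interval to measure
]

def survival_minutes(reports, category=None):
    """Mean gap between reports per target, averaged over targets (minutes).

    Assumed reading of the page's definition. With `category` set, only
    reports to ports in that category count. Returns None when no target
    has at least two matching reports.
    """
    times = defaultdict(list)
    for ts, target, port in reports:
        if category is None or PORT_CATEGORY.get(port) == category:
            times[target].append(ts)
    per_target = []
    for stamps in times.values():
        if len(stamps) < 2:
            continue  # one probe gives no inter-arrival time
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        per_target.append(mean(gaps))
    return mean(per_target) / 60 if per_target else None

if __name__ == "__main__":
    for cat in (None, "Windows", "Unix", "Application"):
        print(cat or "Cumulative", survival_minutes(REPORTS, cat))
```

Filtering to one category can only lengthen the result, because it removes probes from each target's timeline; the cumulative figure is therefore the shortest.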

Currently Categorized Ports

| Port | Service | Description | Category |
|---|---|---|---|
| 21 | ftp | File Transfer [Control] | Application |
| 22 | ssh | SSH Remote Login Protocol | Unix |
| 25 | smtp | Simple Mail Transfer | Application |
| 42 | name | Host Name Server | Windows |
| 53 | domain | Domain Name Server | Unix |
| 80 | www | World Wide Web HTTP | Application |
| 102 | iso-tsap | ISO-TSAP Class 0 | SCADA |
| 111 | sunrpc | portmapper rpcbind | Unix |
| 113 | auth | ident tap Authentication Service | Application |
| 135 | epmap | DCE endpoint resolution | Windows |
| 137 | netbios-ns | NETBIOS Name Service | Windows |
| 138 | netbios-dgm | NETBIOS Datagram Service | Windows |
| 139 | netbios-ssn | NETBIOS Session Service | Windows |
| 443 | https | HTTP protocol over TLS SSL | Application |
| 445 | microsoft-ds | Win2k+ Server Message Block | Windows |
| 502 | asa-appl-proto | | SCADA |
| 515 | printer | spooler | Unix |
| 777 | jconfig | Hummingbird Exceed jconfig | SCADA |
| 1025 | win-rpc | Windows RPC | Windows |
| 1026 | win-rpc | Windows RPC | Windows |
| 1027 | icq | icq instant messenger | Windows |
| 1089 | ff-annunc | FF Annunciation | SCADA |
| 1090 | ff-fms | FF Fieldbus Message Specification | SCADA |
| 1091 | ff-sm | FF System Management | SCADA |
| 1433 | ms-sql-s | Microsoft-SQL-Server | Windows |
| 1434 | ms-sql-m | Microsoft-SQL-Monitor | Windows |
| 1541 | rds2 | | SCADA |
| 1628 | lontalk-norm | LonTalk normal | SCADA |
| 1629 | lontalk-urgnt | LonTalk urgent | SCADA |
| 1911 | mtp | Starlight Networks Multimedia Transport Protocol | SCADA |
| 2100 | amiganetfs | amiganetfs | Application |
| 2222 | AMD | [trojan] Rootshell left by AMD exploit | SCADA |
| 2234 | directplay | DirectPlay | P2P |
| 2967 | ssc-agent | Symantec System Center | Windows |
| 3389 | ms-term-services | MS Terminal Services | Windows |
| 4000 | Connect-BackBackdoor | [trojan] Connect-Back Backdoor | SCADA |
| 4444 | CrackDown | [trojan] CrackDown | Backdoor |
| 4662 | eDonkey2000 | eDonkey2000 Server Default Port | P2P |
| 4672 | eMule | eMule / eDonkey P2P Software | P2P |
| 5050 | mmcc | multimedia conference control tool | SCADA |
| 5051 | ita-agent | ITA Agent | SCADA |
| 5052 | ita-manager | ITA Manager | SCADA |
| 5554 | sasser-ftp | [trojan] Sasser Worm FTP Server | Backdoor |
| 5900 | vnc | Virtual Network Computer | Application |
| 5901 | vnc-1 | Virtual Network Computer Display :1 | Application |
| 6129 | dameware | Dameware Remote Admin | Windows |
| 6346 | gnutella-svc | gnutella-svc | P2P |
| 6881 | bittorrent | Bit Torrent P2P | P2P |
| 7561 | emule | E-Mule P2P | P2P |
| 7571 | emule | E-Mule P2P | P2P |
| 8001 | vcom-tunnel | VCOM Tunnel | SCADA |
| 9898 | dabber | [trojan] Dabber Worm backdoor | Backdoor |
| 10000 | BackupExec | Veritas Backup Exec | Windows |
| 11001 | metasys | Metasys | SCADA |
| 13722 | bpjava-msvc | BP Java MSVC Protocol | SCADA |
| 13724 | vnetd | Veritas Network Utility | SCADA |
| 13782 | bpcd | VERITAS NetBackup | SCADA |
| 13783 | vopied | VOPIED Protocol | SCADA |
| 18000 | biimenu | Beckman Instruments Inc. | SCADA |
| 20000 | Millenium | [trojan] Millenium | SCADA |
| 44818 | rockwell-encap | Rockwell Encapsulation | SCADA |
| 47808 | bacnet | Building Automation and Control Networks | SCADA |
