Summary
The survivaltime is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.
The average time between probes will vary widely from network to network. Some of our submitters subscribe to ISPs which block ports commonly used by worms. As a result, these submitters report a much longer 'survival time'. On the other hand, University Networks and users of high speed internet services are frequently targeted with additional scans from malware like bots. If you are connected to such a network, your 'survival time' will be much smaller.
The main issue here is of course that the time to download critical patches will exceed this survival time. In order to help users setup new systems, refer to our guide: Windows Vista: First Steps (a follow on to our guide "Windows XP: Surviving the First Day")
Survival Time Graph
Categories
Some applications may be available on more than one oprating system. However, if they are mostly used on a particular OS, or if exploits in the wild are targeting a specific OS using this application, we add them into the respectice's OS category.
For example, ssh servers are available for Windows and Unix. Most of the ssh scanning is looking for weak passwords, not for problems with a particular ssh implementation. However, most Unix installs enable ssh by default, while for Windows it is a third party add on. Sucessful ssh exploits reported to the ISC are so far limited to Unix. As a result, port 22 is assigned to 'Unix' for the purpose of this report. Port assignments may change over time.
- Windows: Windows specific ports (e.g. File sharing)
- Unix: Unix specific ports (e.g. dns, ssh)
- Applications: Applications which are used (and vulnerable) on various operating systems
- P2P: P2P afterglow, and other false postives
- Backdoors: These ports are commonly used by backdoors and a system has to be infected with a trojan/virus in order to be vulnerable.
Not all ports are categorized, so the total will not add up to 100%. Over time, we will categorize more ports.
Currently Categorized Ports
| Port | Service | Name | Category |
|---|---|---|---|
| 21 | ftp | File Transfer [Control] | Application |
| 22 | ssh | SSH Remote Login Protocol | Unix |
| 25 | smtp | Simple Mail Transfer | Application |
| 42 | name | Host Name Server | Windows |
| 53 | domain | Domain Name Server | Unix |
| 80 | www | World Wide Web HTTP | Application |
| 102 | iso-tsap | ISO-TSAP Class 0 | SCADA |
| 111 | sunrpc | portmapper rpcbind | Unix |
| 113 | auth | ident tap Authentication Service | Application |
| 135 | epmap | DCE endpoint resolution | Windows |
| 137 | netbios-ns | NETBIOS Name Service | Windows |
| 138 | netbios-dgm | NETBIOS Datagram Service | Windows |
| 139 | netbios-ssn | NETBIOS Session Service | Windows |
| 443 | https | HTTP protocol over TLS SSL | Application |
| 445 | microsoft-ds | Win2k+ Server Message Block | Windows |
| 502 | asa-appl-proto | asa-appl-proto | SCADA |
| 515 | printer | spooler | Unix |
| 777 | jconfig | Hummingbird Exceed jconfig | SCADA |
| 1025 | win-rpc | Windows RPC | Windows |
| 1026 | win-rpc | Windows RPC | Windows |
| 1027 | icq | icq instant messanger | Windows |
| 1089 | ff-annunc | FF Annunciation | SCADA |
| 1090 | ff-fms | FF Fieldbus Message Specification | SCADA |
| 1091 | ff-sm | FF System Management | SCADA |
| 1433 | ms-sql-s | Microsoft-SQL-Server | Windows |
| 1434 | ms-sql-m | Microsoft-SQL-Monitor | Windows |
| 1541 | rds2 | rds2 | SCADA |
| 1628 | lontalk-norm | LonTalk normal | SCADA |
| 1629 | lontalk-urgnt | LonTalk urgent | SCADA |
| 1911 | mtp | Starlight Networks Multimedia Transport Protocol | SCADA |
| 2100 | amiganetfs | amiganetfs | Application |
| 2222 | ssh | alternative ssh (Cowrie) | SCADA |
| 2234 | directplay | DirectPlay | P2P |
| 2967 | ssc-agent | Symantec System Center | Windows |
| 3389 | ms-term-services | MS Terminal Services | Windows |
| 4000 | Connect-BackBackdoor | [trojan] Connect-Back Backdoor | SCADA |
| 4444 | metasploit | Metasploit default listener | Backdoor |
| 4662 | eDonkey2000 | eDonkey2000 Server Default Port | P2P |
| 4672 | eMule | eMule / eDonkey P2P Software | P2P |
| 4840 | opcua-tcp | OPC UA Connection Protocol | SCADA |
| 5050 | mmcc | multimedia conference control tool | SCADA |
| 5051 | ita-agent | ITA Agent | SCADA |
| 5052 | ita-manager | ITA Manager | SCADA |
| 5065 | ca-2 | Channel Access 2 | SCADA |
| 5450 | tiepie | TiePie engineering data acquisition | SCADA |
| 5554 | sasser-ftp | [trojan] Sasser Worm FTP Server | Backdoor |
| 5900 | vnc | Virtual Network Computer | Application |
| 5901 | vnc-1 | Virtual Network Computer Display :1 | Application |
| 6129 | dameware | Dameware Remote Admin | Windows |
| 6346 | gnutella-svc | gnutella-svc | P2P |
| 6881 | bittorrent | Bit Torrent P2P | P2P |
| 7561 | emule | E-Mule P2P | P2P |
| 7571 | emule | E-Mule P2P | P2P |
| 8001 | vcom-tunnel | VCOM Tunnel | SCADA |
| 9898 | dabber | [trojan] Dabber Worm backdoor | Backdoor |
| 10000 | BackupExec | Veritas Backup Exec | Windows |
| 11001 | metasys | Metasys | SCADA |
| 13722 | bpjava-msvc | BP Java MSVC Protocol | SCADA |
| 13724 | vnetd | Veritas Network Utility | SCADA |
| 13782 | bpcd | VERITAS NetBackup | SCADA |
| 13783 | vopied | VOPIED Protnocol | SCADA |
| 18000 | biimenu | Beckman Instruments Inc. | SCADA |
| 20000 | Millenium | [trojan] Millenium | SCADA |
| 34962 | profinet-rt | PROFInet RT Unicast | SCADA |
| 34963 | profinet-rtm | PROFInet RT Multicast | SCADA |
| 34964 | profinet-cm | PROFInet Context Manager | SCADA |
| 34980 | ethercat | EtherCAT Port | SCADA |
| 38000 | ivs-database | InfoVista Server Database | SCADA |
| 38001 | ivs-insertion | InfoVista Server Insertion | SCADA |
| 44818 | rockwell-encap | Rockwell Encapsulation | SCADA |
| 45678 | eba | EBA PRISE | SCADA |
| 47808 | bacnet | Building Automation and Control Networks | SCADA |
