Summary

The survival time is calculated as the average time between reports for an average target IP address. If you assume that most of these reports are generated by bots attempting to propagate, an unpatched system would be infected by such a probe within that time.

The average time between probes will vary widely from network to network. Some of our submitters subscribe to ISPs which block ports commonly used by worms. As a result, these submitters report a much longer "survival time". On the other hand, users of high speed internet services and sensors located in datacenters are frequently targeted with additional scans from malware such as bots. If you are connected to such a network, your "survival time" will be much smaller.

A simple firewall will prevent almost all of these attacks. Many are looking for easy-to-exploit vulnerabilities, for example exposed ssh or telnet servers with weak passwords.

Survival Time Graph (figure): Cumulative (Minutes), Windows (Minutes)

Categories

Some applications may be available on more than one operating system. However, if they are mostly used on a particular OS, or if exploits in the wild are targeting a specific OS using this application, we add them to the respective OS category.

For example, ssh servers are available for Windows and Unix. Most of the ssh scanning is looking for weak passwords, not for problems with a particular ssh implementation. However, most Unix installs enable ssh by default, while for Windows it is a third party add-on. Successful ssh exploits reported to the ISC are so far limited to Unix. As a result, port 22 is assigned to 'Unix' for the purpose of this report. Port assignments may change over time.

  • Windows: Windows specific ports (e.g. File sharing)
  • Unix: Unix specific ports (e.g. dns, ssh)
  • Applications: Applications which are used (and vulnerable) on various operating systems
  • P2P: P2P afterglow, and other false positives
  • Backdoors: These ports are commonly used by backdoors and a system has to be infected with a trojan/virus in order to be vulnerable.

Not all ports are categorized, so the total will not add up to 100%. Over time, we will categorize more ports.
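The two definitions above (survival time as the average gap between reports per target IP, and reports grouped by port category so that a cumulative figure and a Windows-only figure can be produced) are worked through below. This is an added example, not ISC code: the report log format, the sample reports, the small port-to-category subset and the function names are all assumptions made for the example.

```python
"""Compute a "survival time" figure from a stream of probe reports.

Added example, not ISC's own code. The survival time is modelled as the
average time between consecutive reports for the same target IP, averaged
over all target IPs that have at least two reports. Reports can be
restricted to one port category (e.g. "Windows") so that a cumulative and
a per-category figure can be compared, as in the graph on the page. The
log format, the sample reports and the helper names are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Subset of the page's port categorisation (port -> category); assumed
# to be the lookup the report pipeline uses.
PORT_CATEGORY = {
    22: "Unix", 23: "Unix", 80: "Application", 135: "Windows",
    139: "Windows", 445: "Windows", 1433: "Windows", 3389: "Windows",
    4444: "Backdoor", 6881: "P2P", 47808: "SCADA",
}

# Constructed sample reports, one per line: "<ISO timestamp> <target ip> <dport>".
SAMPLE_REPORTS = """\
2024-05-01T00:00:00 192.0.2.10 445
2024-05-01T00:05:00 192.0.2.10 445
2024-05-01T00:09:00 192.0.2.10 22
2024-05-01T00:20:00 192.0.2.10 3389
2024-05-01T00:00:00 192.0.2.20 22
2024-05-01T00:30:00 192.0.2.20 135
2024-05-01T01:00:00 192.0.2.20 22
2024-05-01T00:00:00 192.0.2.30 6881
not-a-report-line
"""


def parse_reports(text):
    """Return a list of (timestamp, target_ip, dport) tuples.

    Malformed lines (wrong field count, bad timestamp or port) are skipped
    rather than aborting the whole run, since submitter logs are noisy."""
    reports = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            reports.append((datetime.fromisoformat(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return reports


def survival_time_minutes(reports, category=None):
    """Average gap in minutes between consecutive reports per target IP,
    averaged over all targets with at least two qualifying reports.

    With category=None every report counts (the "cumulative" figure). With
    a category name only reports whose destination port falls into that
    category count; targets with fewer than two such reports are ignored,
    and None is returned when no target qualifies at all."""
    by_target = defaultdict(list)
    for ts, ip, port in reports:
        if category is None or PORT_CATEGORY.get(port) == category:
            by_target[ip].append(ts)

    per_target = []
    for stamps in by_target.values():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        if gaps:  # a single report gives no gap and therefore no estimate
            per_target.append(mean(gaps))
    return mean(per_target) if per_target else None


if __name__ == "__main__":
    reports = parse_reports(SAMPLE_REPORTS)
    for label in (None, "Windows", "Unix", "P2P"):
        value = survival_time_minutes(reports, label)
        print(f"{label or 'Cumulative':<11} {value if value is None else round(value, 2)}")
```

With the constructed reports the cumulative figure is the mean of the two targets that were probed more than once (about 18.3 minutes), the Windows-only figure is 10 minutes, and the P2P figure is None because the single BitTorrent report yields no gap; that last case is exactly why a network that only ever sees one probe cannot be given a survival time.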

Currently Categorized Ports

Port    Service               Name                                                Category
21      ftp                   File Transfer [Control]                             Application
22      ssh                   SSH Remote Login Protocol                           Unix
23      telnet                Telnet                                              Unix
25      smtp                  Simple Mail Transfer                                Application
42      name                  Host Name Server                                    Windows
53      domain                Domain Name Server                                  Unix
80      www                   World Wide Web HTTP                                 Application
102     iso-tsap              ISO-TSAP Class 0                                    SCADA
111     sunrpc                portmapper rpcbind                                  Unix
113     auth                  ident tap Authentication Service                    Application
135     epmap                 DCE endpoint resolution                             Windows
137     netbios-ns            NETBIOS Name Service                                Windows
138     netbios-dgm           NETBIOS Datagram Service                            Windows
139     netbios-ssn           NETBIOS Session Service                             Windows
443     https                 HTTP protocol over TLS SSL                          Application
445     microsoft-ds          Win2k+ Server Message Block                         Windows
502     asa-appl-proto        asa-appl-proto                                      SCADA
515     printer               spooler                                             Unix
777     jconfig               Hummingbird Exceed jconfig                          SCADA
1025    win-rpc               Windows RPC                                         Windows
1026    win-rpc               Windows RPC                                         Windows
1027    icq                   icq instant messenger                               Windows
1089    ff-annunc             FF Annunciation                                     SCADA
1090    ff-fms                FF Fieldbus Message Specification                   SCADA
1091    ff-sm                 FF System Management                                SCADA
1433    ms-sql-s              Microsoft-SQL-Server                                Windows
1434    ms-sql-m              Microsoft-SQL-Monitor                               Windows
1541    rds2                  rds2                                                SCADA
1628    lontalk-norm          LonTalk normal                                      SCADA
1629    lontalk-urgnt         LonTalk urgent                                      SCADA
1911    mtp                   Starlight Networks Multimedia Transport Protocol    SCADA
2100    amiganetfs            amiganetfs                                          Application
2222    ssh                   alternative ssh (Cowrie)                            Unix
2223    rockwell-csp3         Rockwell CSP3                                       Unix
2234    directplay            DirectPlay                                          P2P
2323    3d-nfsd               Telnet Alternative                                  Unix
2967    ssc-agent             Symantec System Center                              Windows
3389    ms-term-services      MS Terminal Services                                Windows
4000    Connect-BackBackdoor  [trojan] Connect-Back Backdoor                      SCADA
4444    metasploit            Metasploit default listener                         Backdoor
4662    eDonkey2000           eDonkey2000 Server Default Port                     P2P
4672    eMule                 eMule / eDonkey P2P Software                        P2P
4840    opcua-tcp             OPC UA Connection Protocol                          SCADA
5050    mmcc                  multimedia conference control tool                  SCADA
5051    ita-agent             ITA Agent                                           SCADA
5052    ita-manager           ITA Manager                                         SCADA
5065    ca-2                  Channel Access 2                                    SCADA
5450    tiepie                TiePie engineering data acquisition                 SCADA
5554    sasser-ftp            [trojan] Sasser Worm FTP Server                     Backdoor
5900    vnc                   Virtual Network Computer                            Application
5901    vnc-1                 Virtual Network Computer Display :1                 Application
6129    dameware              Dameware Remote Admin                               Windows
6346    gnutella-svc          gnutella-svc                                        P2P
6881    bittorrent            Bit Torrent P2P                                     P2P
7561    emule                 E-Mule P2P                                          P2P
7571    emule                 E-Mule P2P                                          P2P
8001    vcom-tunnel           VCOM Tunnel                                         SCADA
9898    dabber                [trojan] Dabber Worm backdoor                       Backdoor
10000   BackupExec            Veritas Backup Exec                                 Windows
11001   metasys               Metasys                                             SCADA
13722   bpjava-msvc           BP Java MSVC Protocol                               SCADA
13724   vnetd                 Veritas Network Utility                             SCADA
13782   bpcd                  VERITAS NetBackup                                   SCADA
13783   vopied                VOPIED Protocol                                     SCADA
18000   biimenu               Beckman Instruments Inc.                            SCADA
20000   Millenium             [trojan] Millenium                                  SCADA
34962   profinet-rt           PROFInet RT Unicast                                 SCADA
34963   profinet-rtm          PROFInet RT Multicast                               SCADA
34964   profinet-cm           PROFInet Context Manager                            SCADA
34980   ethercat              EtherCAT Port                                       SCADA
38000   ivs-database          InfoVista Server Database                           SCADA
38001   ivs-insertion         InfoVista Server Insertion                          SCADA
44818   rockwell-encap        Rockwell Encapsulation                              SCADA
45678   eba                   EBA PRISE                                           SCADA
47808   bacnet                Building Automation and Control Networks            SCADA