Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC Port Trends



The "Trend" is an attempt to put a number to the increase in activity for a given port.
Right now, I am comparing the last 24 hours to the last 30 days.
So if we see a rise in activity compared to the last 30 days, the trend is high.

The following formula is used to calculate the trend:

sqrt( (S-s)^2/s + (T-t)^2/t )
S: number of source IPs hitting this port last 24 hrs.
s: average number of source IPs hitting this port each day (last 30 days).
T/t: same for target IPs detecting scans on this port.
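
Added example (not ISC's code): the formula above applied to constructed per-day counts and ranked highest first. The zero-baseline handling and the up/down label are assumptions added here; the formula squares both differences, so a sharp drop scores the same as a rise of equal size.

```python
import math

def port_trend(S, s, T, t):
    """sqrt((S-s)^2/s + (T-t)^2/t), or None when a baseline is zero."""
    if s <= 0 or t <= 0:
        # Assumption: the page does not say how an empty baseline is treated;
        # this sketch leaves such ports unscored instead of dividing by zero.
        return None
    return math.sqrt((S - s) ** 2 / s + (T - t) ** 2 / t)

def direction(S, s, T, t):
    """Added label (not on the page): the squared terms discard the sign."""
    if S >= s and T >= t:
        return "up"
    if S <= s and T <= t:
        return "down"
    return "mixed"

def rank_ports(history, today):
    """history: {port: [(sources, targets), ...]} one tuple per baseline day.
    today: {port: (sources, targets)} for the last 24 hours.
    Returns (ranked, unscored); ranked is [(port, trend, direction)], highest first."""
    ranked, unscored = [], []
    for port, (S, T) in today.items():
        days = history.get(port, [])
        s = sum(d[0] for d in days) / len(days) if days else 0.0
        t = sum(d[1] for d in days) / len(days) if days else 0.0
        trend = port_trend(S, s, T, t)
        if trend is None:
            unscored.append(port)
        else:
            ranked.append((port, trend, direction(S, s, T, t)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked, unscored

# Constructed sample counts (not ISC data): 30 baseline days per port.
HISTORY = {
    5432: [(100, 400)] * 30,        # quiet port
    8080: [(400, 900)] * 30,        # moderately busy port
    23:   [(10000, 40000)] * 30,    # very busy port
}
TODAY = {5432: (400, 1200), 8080: (100, 300), 23: (10100, 40200), 27999: (50, 80)}

if __name__ == "__main__":
    ranked, unscored = rank_ports(HISTORY, TODAY)
    for port, trend, way in ranked:
        print(f"{port:>6} {trend:8.2f} {way}")
    print("unscored (no baseline):", unscored)
```

Because each squared difference is divided by the baseline, 100 extra sources on the busy port 23 barely register, while 300 extra on the quiet port 5432 put it at the top of the ranking.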

Port    Trend   Service
27999   1       tw-auth-key
6060    1       x11
9200    1       wap-wsp
5801    1       vnc
15      1       B2, netstat
6001    1       x11
11      1       systat
8880    1       cddbp-alt
5432    959     postgres
2       958     compressnet, Death
513     937     Grlogin, login, who
2020    936     xinupageserver
2323    904     3d-nfsd
5632    902     pcanywherestat
5001    898     BackDoorSetup, commplex-link, SocketsdesTroie
2433    893     codasrv-se
3390    876     dsc
2425    808     fjitsuappmgr
22222   801     DonaldDick, Prosiak, Ruler, RUXTheTIc.K
5010    799     Solo, telelpathstart, yahoo
8082    781     blackice
1911    781     mtp
79      766     BO2KDataPort, CDK, finger, Firehotcker
119     765     Happy99, nntp
6000    761     TheThing, x11
17      735     qotd
3000    735     hbci, InetSpy, ppp, RemoteShut, remoteware-cl
5555    728     personal-agent, rplay, ServeMe
1471    690     csdmbase
7777    677     cbt, FWTK-authsvr, GodMessage, oracle-portal, TheThing(modified), Tini
1998    674     x25-svc-port
1521    672     ncube-lm, oracle, oracle-tns
5800    666     vnc
2001    659     dc, DerSpherDerSpaeher, DerSpäher, TrojanCow, wizard
1723    598     pptp
8443    595     pcsync-ssl
111     594     sunrpc
8001    590     vcom-tunnel
3072    588     csd-monitor
9100    588     jetdirect
8081    579     blackice
1900    568     ssdp
9999    555     distinct, ThePrayer
13      539     daytime
88      526     BackDoor-AXC, kerberos
9000    522     cslistener, Netministrator
38293   520     NortonAntiVirus
138     477     Chode, netbios-dgm
4000    474     Connect-BackBackdoor, icq, SkyDance, terabase
465     466     smtps
9090    452     websm, zeus-admin
3       444     compressnet
8888    395     ddi-tcp-1, ddi-udp-1, sun-answerbook
5901    392     vnc-1
143     373     imap
11000   361     irisa, SennaSpy, SennaSpyTrojanGenerator
27015   359     halflife
1       357     SocketsdesTroie, tcpmux
110     327     pop-3, ProMailtrojan
389     322     ldap
10000   273     BackupExec, ndmp, OpwinTRojan
161     255     snmp
3306    251     mysql
2967    230     ssc-agent
21      201     AudioGalaxy, BackConstruction, BladeRunner, CattivikFTPServer, CCInvader, DarkFTP, DolyTrojan, Fore, FreddyK, ftp, InvisibleFTP, Juggernaut42, Larva, MotIvFTP, NetAdministrator, Ramen, RTB666, SennaSpyFTPserver, Traitor21, WebEx, WinCrash, [trojan]TheFlu
1080    191     socks, SubSeven2.2, WinHole
8000    187     irdmi
3128    182     ReverseWWWTunnel, RingZero, squid-http
1023    177     gs400-nas
5900    138     vnc
1024    137     Jade, kdm, Latinus, NetSpy, RAT
4899    132     radmin
443     122     https
81      91      docs-to-go, hosts2-ns, RemoConChubo
5631    85      pcanywheredata
5000    73      BackDoorSetup, BioNetLite, Blazer5, Bubbel, commplex-main, fics, ICKiller, pitou, Ra1d, SocketsdesTroie, upnp
1433    65      ms-sql-s
1434    46      ms-sql-m
139     40      Chode, GodMessageworm, Msinit, netbios-ssn, Netlog, Network, Qaz, Sadmind, SMBRelay
53      36      ADMworm, domain, Lion
137     36      Chode, Msinit, netbios-ns, Qaz
25      34      Ajan, Antigen, Barok, BSE, EmailPasswordSender, EPSII, Gip, Gris, Happy99, Hpteammail, Hybris, Iloveyou, Kuang2, MagicHorse, MBT, MBTMailBombingTrojan, MoscowEmailtrojan, Naebi, NewAptworm, ProMailtrojan, Shtirlitz, smtp, Stealth, Stukach, Tapiras, Terminator, WinPC, WinSpy
80      25      711trojan, 8085, AckCmd, BackEnd, BO2000Plug-Ins, Cafeini, CGIBackdoor, Executor, GodMessage, GodMessage4Creator, Hooker, http, IISworm, MTX, NCX, Noob, Ramen, ReverseWWWTunnel, RingZero, RTB666, Seeker, WANRemote, WebDownloader, WebServerCT, www
135     23      epmap, loc-srv
445     16      microsoft-ds
5222    6.64    jabber
995     6.46    pop3s
993     5.81    imaps
123     5.61    NetController, ntp
587     5.46    submission
8022    3.7     oa-system
623     3.69    aux_bus_shunt
19      2.84    chargen
2222    2.82    AMD, rockwell-csp2
3389    1.88    ms-term-services
8080    1.77    BrownOrifice, Genericbackdoor, http-alt, RemoConChubo, ReverseWWWTunnel, RingZero
22      1.74    Adoresshd, pcanywhere, Shaft, ssh
23      1.6     ADMworm, FireHacKer, MyVeryOwntrojan, RTB666, telnet, TelnetPro, TinyTelnetServer, TruvaAtl
5060    1.37    sip