Internet Storm Center
Training
Certification
Cyber Security Graduate School
Security Awareness Training
Computer Forensics
Penetration Testing
IT Audit
Software Security
The "Trend" is an attempt to put a number to the increase in activity for a given port.
Right now, I am comparing the last 24 hours to the last 30 days.
So if we see a rise in activity compared to the last 30 days, the trend is high.
The following formula is used to calculate the trend:
sqrt( (S-s)^2/s + (T-t)^2/t ) )
S: number of source IPs hitting this port last 24 hrs.
s: average number of source IPs hitting this port each day (last 30 days).
T/t: same for target IPs detecting scans on this port.
| Port | Trend | Service |
|---|---|---|
| 9200 | 1 | wap-wsp |
| 4160 | 1 | jini-discovery |
| 6671 | 1 | DeepThroat |
| 2 | 937 | compressnet, Death |
| 2323 | 865 | 3d-nfsd |
| 6670 | 862 | BackWebServer, DeepThroat, Foreplay, vocaltec-gold, WinNukeeXtreame |
| 8009 | 818 | netware-rmgr |
| 2222 | 793 | AMD, rockwell-csp2 |
| 6668 | 755 | irc, ircu |
| 8082 | 752 | blackice |
| 808 | 728 | WinHole |
| 2301 | 718 | compaqdiag, cpq-wbem |
| 7777 | 715 | cbt, FWTK-authsvr, GodMessage, oracle-portal, TheThing(modified), Tini |
| 179 | 702 | bgp |
| 7 | 699 | echo |
| 995 | 683 | pop3s |
| 82 | 680 | xfer |
| 8443 | 604 | pcsync-ssl |
| 993 | 596 | imaps |
| 8081 | 589 | blackice |
| 1900 | 564 | ssdp |
| 3072 | 557 | csd-monitor |
| 88 | 510 | BackDoor-AXC, kerberos |
| 5060 | 505 | sip |
| 27015 | 436 | halflife |
| 9090 | 420 | websm, zeus-admin |
| 1234 | 416 | hotline, search-agent, SubSevenJavaclient, UltorsTrojan |
| 8888 | 389 | ddi-tcp-1, ddi-udp-1, sun-answerbook |
| 12345 | 380 | Adoresshd, Ashley, cron/crontab, FatBitchtrojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus, NetBusToy, NetBusworm, PieBillGates, TMListen, ValvNet, WhackJob, X-bill |
| 5901 | 375 | vnc-1 |
| 500 | 374 | isakmp |
| 123 | 373 | NetController, ntp |
| 143 | 371 | imap |
| 1 | 351 | SocketsdesTroie, tcpmux |
| 110 | 337 | pop-3, ProMailtrojan |
| 6666 | 267 | DarkConnection, DarkConnectionInside, irc-serv, ircu, NetBusworm, TCPShell.c |
| 161 | 257 | snmp |
| 3306 | 245 | mysql |
| 21 | 202 | AudioGalaxy, BackConstruction, BladeRunner, CattivikFTPServer, CCInvader, DarkFTP, DolyTrojan, Fore, FreddyK, ftp, InvisibleFTP, Juggernaut42, Larva, MotIvFTP, NetAdministrator, Ramen, RTB666, SennaSpyFTPserver, Traitor21, WebEx, WinCrash, [trojan]TheFlu |
| 1080 | 183 | socks, SubSeven2.2, WinHole |
| 8000 | 176 | irdmi |
| 3128 | 173 | ReverseWWWTunnel, RingZero, squid-http |
| 1023 | 164 | gs400-nas |
| 22 | 161 | Adoresshd, pcanywhere, Shaft, ssh |
| 8080 | 159 | BrownOrifice, Genericbackdoor, http-alt, RemoConChubo, ReverseWWWTunnel, RingZero |
| 4899 | 136 | radmin |
| 5900 | 135 | vnc |
| 81 | 134 | docs-to-go, hosts2-ns, RemoConChubo |
| 1024 | 130 | Jade, kdm, Latinus, NetSpy, RAT |
| 443 | 123 | https |
| 5000 | 100 | BackDoorSetup, BioNetLite, Blazer5, Bubbel, commplex-main, fics, ICKiller, pitou, Ra1d, SocketsdesTroie, upnp |
| 1433 | 61 | ms-sql-s |
| 23 | 58 | ADMworm, FireHacKer, MyVeryOwntrojan, RTB666, telnet, TelnetPro, TinyTelnetServer, TruvaAtl |
| 25 | 48 | Ajan, Antigen, Barok, BSE, EmailPasswordSender, EPSII, Gip, Gris, Happy99, Hpteammail, Hybris, Iloveyou, Kuang2, MagicHorse, MBT, MBTMailBombingTrojan, MoscowEmailtrojan, Naebi, NewAptworm, ProMailtrojan, Shtirlitz, smtp, Stealth, Stukach, Tapiras, Terminator, WinPC, WinSpy |
| 1434 | 43 | ms-sql-m |
| 139 | 38 | Chode, GodMessageworm, Msinit, netbios-ssn, Netlog, Network, Qaz, Sadmind, SMBRelay |
| 53 | 36 | ADMworm, domain, Lion |
| 137 | 33 | Chode, Msinit, netbios-ns, Qaz |
| 80 | 24 | 711trojan, 8085, AckCmd, BackEnd, BO2000Plug-Ins, Cafeini, CGIBackdoor, Executor, GodMessage, GodMessage4Creator, Hooker, http, IISworm, MTX, NCX, Noob, Ramen, ReverseWWWTunnel, RingZero, RTB666, Seeker, WANRemote, WebDownloader, WebServerCT, www |
| 135 | 22 | epmap, loc-srv |
| 445 | 16 | microsoft-ds |
| 3389 | 2.13 | ms-term-services |
| 26262 | 0.83 | k3software-svr |
