Threat Level: green Handler on Duty: Chris Mohan

SANS ISC Port Trends


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The "Trend" is an attempt to put a number to the increase in activity for a given port.
Right now, I am comparing the last 24 hours to the last 30 days.
So if we see a rise in activity compared to the last 30 days, the trend is high.

The following formula is used to calculate the trend:

sqrt( (S-s)^2/s + (T-t)^2/t ) )
S: number of source IPs hitting this port last 24 hrs.
s: average number of source IPs hitting this port each day (last 30 days).
T/t: same for target IPs detecting scans on this port.
PortTrendService
4211ariel2, TCPWrappers, TCPWrapperstrojan
80221oa-system
52231jabber-ssl
6981olsr
2201imap3
279991tw-auth-key
61441statsci1-lm
81921snapstream
270051flex-lm
58011vnc
23681opentable
28161lbc-watchdog
22001ici
2561fw1-sync, rap
59021vnc-2
2221rsh-spx
25601labrat
431whois
1792988ibm-dt-2
5631956pcanywheredata
2937compressnet, Death
3390936dsc
2020924xinupageserver
4242915VirtualHackingMachine, vrml-multi-use
3391911savant
22222894DonaldDick, Prosiak, Ruler, RUXTheTIc.K
2048893dls-monitor
5222883jabber
7001874afs3-callback, Freak2k, Freak88, NetSnooperGold
2067859dlswpn
2628858dict
2014832raid-sf, troff
8009828netware-rmgr
8082791blackice
1344786icap
79774BO2KDataPort, CDK, finger, Firehotcker
119772Happy99, nntp
2425766fjitsuappmgr
2121759scientia-ssdb
3000744hbci, InetSpy, ppp, RemoteShut, remoteware-cl
1480742pacerforum
6000740TheThing, x11
5555704personal-agent, rplay, ServeMe
1998701x25-svc-port
1471698csdmbase
5800696vnc
1521685ncube-lm, oracle, oracle-tns
3129682MastersParadise
7777682cbt, FWTK-authsvr, GodMessage, oracle-portal, TheThing(modified), Tini
1720673h323hostcall
1723605pptp
111597sunrpc
8001597vcom-tunnel, [ICS] WellinTech KingView 6.53
3072596csd-monitor
9100596jetdirect
8443587pcsync-ssl
9999561distinct, ThePrayer
9000544cslistener, Netministrator
587538submission
8181503biblioTECH, Erkez.D, http-alt, ipswitch, pix-devmng, Zafi.D
465470smtps
9090459websm, zeus-admin
138452Chode, netbios-dgm
20000401dnp, Millenium, [ICS] DNP3
8888400ddi-tcp-1, ddi-udp-1, sun-answerbook
5901396vnc-1
500396isakmp
7778387interwise, UnReal_UT
143373imap
1234370hotline, search-agent, SubSevenJavaclient, UltorsTrojan
27015356halflife
110338pop-3, ProMailtrojan
389328ldap
161258snmp
3306254mysql
8880236cddbp-alt
21203AudioGalaxy, BackConstruction, BladeRunner, CattivikFTPServer, CCInvader, DarkFTP, DolyTrojan, Fore, FreddyK, ftp, InvisibleFTP, Juggernaut42, Larva, MotIvFTP, NetAdministrator, Ramen, RTB666, SennaSpyFTPserver, Traitor21, WebEx, WinCrash, [trojan]TheFlu
1080197socks, SubSeven2.2, WinHole
8000190irdmi
1023181gs400-nas
1024139Jade, kdm, Latinus, NetSpy, RAT
5900139vnc
443124https, [ICS] OPC UA XML
995120pop3s
8193docs-to-go, hosts2-ns, RemoConChubo
500074BackDoorSetup, BioNetLite, Blazer5, Bubbel, commplex-main, fics, ICKiller, pitou, Ra1d, SocketsdesTroie, upnp
143366ms-sql-s
102565blackjack, FraggleRock, listen, md5Backdoor, NetSpy, RemoteStorm, shoppro, win-rpc
2550Ajan, Antigen, Barok, BSE, EmailPasswordSender, EPSII, Gip, Gris, Happy99, Hpteammail, Hybris, Iloveyou, Kuang2, MagicHorse, MBT, MBTMailBombingTrojan, MoscowEmailtrojan, Naebi, NewAptworm, ProMailtrojan, Shtirlitz, smtp, Stealth, Stukach, Tapiras, Terminator, WinPC, WinSpy
143447ms-sql-m
13941Chode, GodMessageworm, Msinit, netbios-ssn, Netlog, Network, Qaz, Sadmind, SMBRelay
102638nterm, win-rpc
13736Chode, Msinit, netbios-ns, Qaz
5336ADMworm, domain, Lion
312833ReverseWWWTunnel, RingZero, squid-http
338925ms-term-services
8025711trojan, 8085, 9418, AckCmd, BackEnd, BO2000Plug-Ins, Cafeini, CGIBackdoor, Executor, GodMessage, GodMessage4Creator, Hooker, http, IISworm, MTX, NCX, Noob, Ramen, ReverseWWWTunnel, RingZero, RTB666, Seeker, WANRemote, WebDownloader, WebServerCT, www, [ICS] OPC UA XML
808025BrownOrifice, Genericbackdoor, http-alt, RemoConChubo, ReverseWWWTunnel, RingZero
13524epmap, loc-srv
2324ADMworm, FireHacKer, MyVeryOwntrojan, RTB666, telnet, TelnetPro, TinyTelnetServer, TruvaAtl