Summary
The survival time is calculated as the average time between reports for an average target IP address. If you assume that most of these reports are generated by bots attempting to propagate, an unpatched system would be infected by such a probe.
The average time between probes will vary widely from network to network. Some of our submitters subscribe to ISPs which block ports commonly used by worms. As a result, these submitters report a much longer "survival time". On the other hand, users of high-speed internet services and sensors located in datacenters are frequently targeted with additional scans from malware like bots. If you are connected to such a network, your "survival time" will be much shorter.
A simple firewall will prevent almost all of these attacks. Many are looking for easy-to-exploit vulnerabilities, for example exposed ssh or telnet servers with weak passwords.
Survival Time Graph
Categories
Some applications may be available on more than one operating system. However, if they are mostly used on a particular OS, or if exploits in the wild are targeting a specific OS using this application, we add them to the respective OS's category.
For example, ssh servers are available for Windows and Unix. Most of the ssh scanning is looking for weak passwords, not for problems with a particular ssh implementation. However, most Unix installs enable ssh by default, while for Windows it is a third-party add-on. Successful ssh exploits reported to the ISC are so far limited to Unix. As a result, port 22 is assigned to 'Unix' for the purpose of this report. Port assignments may change over time.
- Windows: Windows specific ports (e.g. File sharing)
- Unix: Unix specific ports (e.g. dns, ssh)
- Applications: Applications which are used (and vulnerable) on various operating systems
- P2P: P2P afterglow, and other false positives
- Backdoors: These ports are commonly used by backdoors and a system has to be infected with a trojan/virus in order to be vulnerable.
Not all ports are categorized, so the total will not add up to 100%. Over time, we will categorize more ports.
Currently Categorized Ports
Port | Service | Name | Category |
---|---|---|---|
21 | ftp | File Transfer [Control] | Application |
22 | ssh | SSH Remote Login Protocol | Unix |
23 | telnet | Telnet | Unix |
25 | smtp | Simple Mail Transfer | Application |
42 | name | Host Name Server | Windows |
53 | domain | Domain Name Server | Unix |
80 | www | World Wide Web HTTP | Application |
102 | iso-tsap | ISO-TSAP Class 0 | SCADA |
111 | sunrpc | portmapper rpcbind | Unix |
113 | auth | ident tap Authentication Service | Application |
135 | epmap | DCE endpoint resolution | Windows |
137 | netbios-ns | NETBIOS Name Service | Windows |
138 | netbios-dgm | NETBIOS Datagram Service | Windows |
139 | netbios-ssn | NETBIOS Session Service | Windows |
443 | https | HTTP protocol over TLS SSL | Application |
445 | microsoft-ds | Win2k+ Server Message Block | Windows |
502 | asa-appl-proto | asa-appl-proto | SCADA |
515 | printer | spooler | Unix |
777 | jconfig | Hummingbird Exceed jconfig | SCADA |
1025 | win-rpc | Windows RPC | Windows |
1026 | win-rpc | Windows RPC | Windows |
1027 | icq | icq instant messenger | Windows |
1089 | ff-annunc | FF Annunciation | SCADA |
1090 | ff-fms | FF Fieldbus Message Specification | SCADA |
1091 | ff-sm | FF System Management | SCADA |
1433 | ms-sql-s | Microsoft-SQL-Server | Windows |
1434 | ms-sql-m | Microsoft-SQL-Monitor | Windows |
1541 | rds2 | rds2 | SCADA |
1628 | lontalk-norm | LonTalk normal | SCADA |
1629 | lontalk-urgnt | LonTalk urgent | SCADA |
1911 | mtp | Starlight Networks Multimedia Transport Protocol | SCADA |
2100 | amiganetfs | amiganetfs | Application |
2222 | ssh | alternative ssh (Cowrie) | Unix |
2223 | rockwell-csp3 | Rockwell CSP3 | Unix |
2234 | directplay | DirectPlay | P2P |
2323 | 3d-nfsd | Telnet Alternative | Unix |
2967 | ssc-agent | Symantec System Center | Windows |
3389 | ms-term-services | MS Terminal Services | Windows |
4000 | Connect-BackBackdoor | [trojan] Connect-Back Backdoor | SCADA |
4444 | metasploit | Metasploit default listener | Backdoor |
4662 | eDonkey2000 | eDonkey2000 Server Default Port | P2P |
4672 | eMule | eMule / eDonkey P2P Software | P2P |
4840 | opcua-tcp | OPC UA Connection Protocol | SCADA |
5050 | mmcc | multimedia conference control tool | SCADA |
5051 | ita-agent | ITA Agent | SCADA |
5052 | ita-manager | ITA Manager | SCADA |
5065 | ca-2 | Channel Access 2 | SCADA |
5450 | tiepie | TiePie engineering data acquisition | SCADA |
5554 | sasser-ftp | [trojan] Sasser Worm FTP Server | Backdoor |
5900 | vnc | Virtual Network Computer | Application |
5901 | vnc-1 | Virtual Network Computer Display :1 | Application |
6129 | dameware | Dameware Remote Admin | Windows |
6346 | gnutella-svc | gnutella-svc | P2P |
6881 | bittorrent | Bit Torrent P2P | P2P |
7561 | emule | E-Mule P2P | P2P |
7571 | emule | E-Mule P2P | P2P |
8001 | vcom-tunnel | VCOM Tunnel | SCADA |
9898 | dabber | [trojan] Dabber Worm backdoor | Backdoor |
10000 | BackupExec | Veritas Backup Exec | Windows |
11001 | metasys | Metasys | SCADA |
13722 | bpjava-msvc | BP Java MSVC Protocol | SCADA |
13724 | vnetd | Veritas Network Utility | SCADA |
13782 | bpcd | VERITAS NetBackup | SCADA |
13783 | vopied | VOPIED Protocol | SCADA |
18000 | biimenu | Beckman Instruments Inc. | SCADA |
20000 | Millenium | [trojan] Millenium | SCADA |
34962 | profinet-rt | PROFInet RT Unicast | SCADA |
34963 | profinet-rtm | PROFInet RT Multicast | SCADA |
34964 | profinet-cm | PROFInet Context Manager | SCADA |
34980 | ethercat | EtherCAT Port | SCADA |
38000 | ivs-database | InfoVista Server Database | SCADA |
38001 | ivs-insertion | InfoVista Server Insertion | SCADA |
44818 | rockwell-encap | Rockwell Encapsulation | SCADA |
45678 | eba | EBA PRISE | SCADA |
47808 | bacnet | Building Automation and Control Networks | SCADA |
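
The calculation described in the summary and the category breakdown can be sketched as follows. This is an added example, not the ISC's own code: it is one reading of "average time between reports for an average target IP address" (mean gap per target, then the mean over targets). The function names and the sample reports are constructed; the port assignments are a subset of the table above.

```python
from collections import defaultdict
from statistics import mean

# Subset of the port table on this page (port -> category).
PORT_CATEGORY = {22: "Unix", 23: "Unix", 445: "Windows", 3389: "Windows",
                 80: "Application", 4444: "Backdoor", 6881: "P2P", 502: "SCADA"}

# Constructed sample reports: (time in seconds, target IP, target port).
# Addresses are from the documentation ranges (RFC 5737).
REPORTS = [
    (0, "192.0.2.10", 22), (600, "192.0.2.10", 445), (1800, "192.0.2.10", 23),
    (100, "198.51.100.7", 445), (4100, "198.51.100.7", 8080),
    (50, "203.0.113.5", 3389),
]

def survival_time(reports, category=None):
    """Mean gap between reports per target, averaged over targets (seconds).

    With a category, only reports to ports in that category are counted.
    Returns None when no target has at least two matching reports.
    """
    times = defaultdict(list)
    for ts, target, port in reports:
        if category is None or PORT_CATEGORY.get(port) == category:
            times[target].append(ts)
    per_target = []
    for stamps in times.values():
        if len(stamps) < 2:
            continue  # a single report yields no interval
        stamps.sort()
        per_target.append(mean(b - a for a, b in zip(stamps, stamps[1:])))
    return mean(per_target) if per_target else None

def category_share(reports):
    """Percentage of reports per category; unlisted ports are 'uncategorized'."""
    counts = defaultdict(int)
    for _, _, port in reports:
        counts[PORT_CATEGORY.get(port, "uncategorized")] += 1
    return {cat: 100 * n / len(reports) for cat, n in counts.items()}

if __name__ == "__main__":
    print("overall:", survival_time(REPORTS), "s")
    print("Unix only:", survival_time(REPORTS, "Unix"), "s")
    print("shares:", category_share(REPORTS))
```

Counting only one category leaves fewer reports per target, so the figure grows (1800 s for Unix against 2450 s overall here, and 900 s for the first host alone), which is the same effect an ISP port block has on a submitter's survival time. The categorized shares sum to less than 100% because port 8080 is not in the table.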