Friday, October 28, 2016

Internet scanning activity

I recently analyzed scanning activity from the Internet on our ASBR routers.

Here are the most popular TCP ports being scanned (>1% of all scan attempts):
| Port | Service | Percent | Purpose |
|---|---|---|---|
| 22 | ssh | 12.6877 | Shell access |
| 23 | telnet | 9.4989 | Shell access |
| 1433 | SQL server | 7.13683 | Data compromise, exploits |
| 21320 | SpyBot proxy | 5.80395 | Spam |
| 3389 | Remote Desktop | 5.71959 | Desktop access |
| 3128 | Squid Proxy | 3.88055 | Spam |
| 8080 | potential HTML proxy | 3.82993 | Spam |
| 3306 | MySQL | 3.74557 | Data compromise |
| 445 | SMB | 1.56909 | File compromise |
| 103 | ? | 1.48473 | |
| 8888 | potential HTML proxy? | 1.45099 | Spam |
| 110 | POP3 | 1.36663 | E-Mail compromise, spam |
| 20 | FTP-data | 1.33288 | FTP exploit? |
| 8000 | DVR control port | 1.14729 | DVR access |
| 3398 | ? | 1.14729 | |
| 79 | finger | 1.13042 | User identity leak |
| 789 | ? | 1.09668 | |
| 3397 | ? | 1.0798 | |
| 119 | nntp | 1.06293 | NNTP exploit |
| 3396 | ? | 1.04606 | |
| 21 | FTP | 1.04606 | File compromise |
| 465 | smtps | 1.02919 | Spam |

Some ports and their purpose are unknown to me.

P.S. I have found this useful resource on port scanning statistics.

P.P.S. Top scanning providers: chinanet.cn.net (21%), cnnic.cn (10%), chinaunicom.cn (8%), chinamobile.com (3%).