Open services statistics

Each day malware infections and service vulnerabilities are reported to AISI members. Related AISI statistics are provided below.

Data is based on Coordinated Universal Time (UTC).

To compare between types, simply ‘de-select’ one or all types that you do not wish to see.  The dataset can also be downloaded as a .csv file - (open services).

How to interpret the data

There are a number of caveats to note when interpreting this data.

Often there are multiple observations for an individual IP address, including multiple observations under different categories. This has been largely removed from the data in the charts.

If there are observations relating to multiple categories on a given day for an IP address, that address is represented once in each category. So if an IP address is observed as an open service as well as hosting malware, the address is reported in both categories.

Services utilising a ‘dynamic’ IP address, such as a home router, may be represented more than once in the data over a 24-hour period if that dynamic IP has changed during that period.

A note about data variability

Caution should be applied when interpreting the charts, as they contain a set of constantly changing variables. In particular, the absence of data for a given day or week does not necessarily indicate a given compromise or cyber security threat has diminished, as other factors may have led to data becoming unavailable.

Open services

An IP address reported as an ‘open service’ identifies a network service that is ’openly’ accessible to the internet. An open service is a security threat to either the service owner ( for example enabling access to confidential data through a queryable database service) or other internet users (for example enabling the relay of spam through an open proxy). In some cases, such services are surreptitiously installed following a malware infection.

SMB

SMB is a service run on port 445 (TCP) that typically responds to requests for file sharing. Open SMB services can identify the system and organisation associated with these services, thereby potentially leaking sensitive information. If misconfigured, they can also provide remote access to a system. It is therefore recommended that public access to these services is removed.

IPMI

IPMI reports identify Intelligent Platform Management Interface (IPMI) services that are open on port 623 (UDP) and accessible from the internet. These services should not be accessible via the internet. Information about the risks, impact and solutions to this vulnerability can be found at the US-CERT website.

MEMCACHED

Memcached reports identify hosts that have their key-value stores running and are accessible on the internet on port 11211 (TCP). As memcached services do not support authentication they enable complete control over their key-value stores.

MONGODB

MongoDB reports identify hosts that have the MondgoDB NoSQL database running and accessible on the internet, without authentication enabled on port 27017 (TCP).

ELASTICSEARCH

ElasticSearch reports identify hosts that have the ElasticSearch instance running and accessible on the internet, without authentication enabled on port 9200 (TCP).

REDIS

Redis reports identify hosts that have their key-value stores running and accessible on the internet on port 6379 (TCP). As these services do not support authentication they enable complete control over their key-value stores.

PROXY

Proxy reports identify hosts that have HTTP proxies open and accessible on the internet without authentication. These can be abused for multiple purposes such as sending spam or performing fraudulent transactions.

XDMCP

XDMCP identifies hosts that have the X Display Manager service accessible from the open internet on port 177 (UDP). By having the XDMCP service exposed these hosts can potentially disclose information about the system or have the service abused to compromise the host. Additionally, the XDMCP can be used by malicious attackers as part of amplified Denial of Service attacks on other targets.

DB2

DB2 identifies hosts that have the DB2 Discovery Service accessible from the open internet on port 523 (UDP). The data field for this type includes the server name that the DB2 discovery service identifies itself as. By having the DB2 discovery service exposed these hosts can potentially disclose information about the system or have the service abused to compromise the host. Additionally, the DB2 discovery service can be used by malicious attackers as part of amplified Denial of Service Attacks on other targets.

HADOOP

Hadoop reports identify exposed Hadoop services accessible on port 50070 or 50075 (TCP). These openly accessible services can potentially disclose sensitive information or be abused to compromise the host or its data.

Where to get help

For open services, the appropriate action to mitigate the threat will depend on the type of threat. Information on how to mitigate the threat may be available from the service provider—for example, MongoDB provides information on how to secure MongoDB instances.

We welcome any feedback on this chart, please contact us at aisi [at] aisi.gov.au