Each day malware infections and service vulnerabilities are reported to AISI members. Related AISI statistics are provided below.
Data is based on Coordinated Universal Time (UTC).
To compare between types, simply ‘de-select’ one or all types that you do not wish to see. The dataset can also be downloaded as a .csv file - (open services).
How to interpret the data
There are a number of caveats to note when interpreting this data.
Often there are multiple observations for an individual IP address, including multiple observations under different categories. This has been largely removed from the data in the charts.
If there are observations relating to multiple categories on a given day for an IP address, that address is represented once in each category. So if an IP address is observed as an open service as well as hosting malware, the address is reported in both categories.
Services utilising a ‘dynamic’ IP address, such as a home router, may be represented more than once in the data over a 24-hour period if that dynamic IP has changed during that period.
A note about data variability
Caution should be applied when interpreting the charts, as they contain a set of constantly changing variables. In particular, the absence of data for a given day or week does not necessarily indicate a given compromise or cyber security threat has diminished, as other factors may have led to data becoming unavailable.
An IP address reported as an ‘open service’ identifies a network service that is ’openly’ accessible to the internet. An open service is a security threat to either the service owner ( for example enabling access to confidential data through a queryable database service) or other internet users (for example enabling the relay of spam through an open proxy). In some cases, such services are surreptitiously installed following a malware infection.
SMI reports identify CISCO Smart Install devices/switches installed with potentially insecure authentication. This can enable a remote attacker to execute high privilege commands on the device, such as installing a new IOS image. It is recommended that Smart Install be disabled on production systems. Further information about Cisco Smart Install Protocol Misuse.
DB2 identifies hosts that have the DB2 Discovery Service accessible from the open internet on port 523 (UDP). The data field for this type includes the server name that the DB2 discovery service identifies itself as. By having the DB2 discovery service exposed these hosts can potentially disclose information about the system or have the service abused to compromise the host. Additionally, the DB2 discovery service can be used by malicious attackers as part of amplified Denial of Service Attacks on other targets.
ElasticSearch reports identify hosts that have the ElasticSearch instance running and accessible on the internet, without authentication enabled on port 9200 (TCP).
Hadoop reports identify exposed Hadoop services accessible on port 50070 or 50075 (TCP). These openly accessible services can potentially disclose sensitive information or be abused to compromise the host or its data.
IPMI reports identify Intelligent Platform Management Interface (IPMI) services that are open on port 623 (UDP) and accessible from the internet. These services should not be accessible via the internet. Information about the risks, impact and solutions to this vulnerability can be found at the US-CERT website.
Memcached reports identify hosts that have their key-value stores running and are accessible on the internet on port 11211 (TCP). As memcached services do not support authentication they enable complete control over their key-value stores.
MongoDB reports identify hosts that have the MondgoDB NoSQL database running and accessible on the internet, without authentication enabled on port 27017 (TCP).
Proxy reports identify hosts that have HTTP proxies open and accessible on the internet without authentication. These can be abused for multiple purposes such as sending spam or performing fraudulent transactions.
Redis reports identify hosts that have their key-value stores running and accessible on the internet on port 6379 (TCP). As these services do not support authentication they enable complete control over their key-value stores.
SMB is a service run on port 445 (TCP) that typically responds to requests for file sharing. Open SMB services can identify the system and organisation associated with these services, thereby potentially leaking sensitive information. If misconfigured, they can also provide remote access to a system. It is therefore recommended that public access to these services is removed.
As Telnet provides no encryption, an accessible telnet port may provide remote access to sensitive communications. Public access to telnet services should be removed or replaced with more secure alternatives.
XDMCP identifies hosts that have the X Display Manager service accessible from the open internet on port 177 (UDP). By having the XDMCP service exposed these hosts can potentially disclose information about the system or have the service abused to compromise the host. Additionally, the XDMCP can be used by malicious attackers as part of amplified Denial of Service attacks on other targets.
Where to get help
For open services, the appropriate action to mitigate the threat will depend on the type of threat. Information on how to mitigate the threat may be available from the service provider—for example, MongoDB provides information on how to secure MongoDB instances.
We welcome any feedback on this chart, please contact us at aisi [at] aisi.gov.au