The ACMA

AISI Open Services statistics

Each day the ACMA reports observations of 'open services' to AISI members. The ACMA also provides daily reports of 'malware', 'vulnerable services', and 'other' cyber security observations to these members. Statistics related to these cyber security categories can be found at these links:

AISI malware statistics
AISI Vulnerable Services statistics
Other AISI cyber security observations

For the latest AISI and malware alerts, subscribe to the ACMA's Cybersecurity ebulletin.

The AISI open services data is updated daily, identifies the date the open service was observed and is based on Coordinated Universal Time (UTC).

To observe the trends in reports for an individual type, or to compare similar types, simply 'de-select' one or all of the types that you do not wish to view. The dataset can also be downloaded as a .csv file (open services).

Help in interpreting the AISI data

Often there are multiple observations for an individual IP address in this data, including multiple observations under different categories. These repeated observations of the same IP address have been largely removed from the data in the charts.

If there are observations relating to multiple categories on a given day for a given IP address, that IP address will be represented once in each category, i.e. if an IP address has been observed as an open service as well as malware, this address will be reported in both categories.

One fact to consider in the interpretation of this data is that a service utilizing a 'dynamic' IP address, such as a home router, may be represented more than once in the data over a 24-hour period if that dynamic IP has changed during that period.

A note about data variability

Caution should be applied when interpreting the charts, as their data contains a set of constantly changing variables. In particular, the absence of data for a given day or week does not necessarily indicate a given compromise or cyber security threat has diminished, as other factors may have led to data becoming unavailable. 

Brief description of an 'Open Service'

An IP address reported as an 'open service' identifies a network service that is 'openly' accessible to the Internet. An open service is a security threat to either the service owner (e.g. enabling access to confidential data through a queryable database service) or other Internet users (e.g. enabling the relay of spam through an open proxy). In some cases, such services are surreptitiously installed following a malware infection.

Type  Description

IPMI

IPMI reports identify Intelligent Platform Management Interface (IPMI) services that are open on port 623 (UDP) and accessible from the internet. These services should not be accessible via the internet. Information about the risks, impact and solutions to this vulnerability can be found at https://us-cert.gov/ncas/alerts/TA13-207A.

Memcached

Memcached reports identify hosts that have their key-value stores running and accessible on the internet on port 11211 (TCP). As memcached services do not support authentication, they enable complete control over their key-value stores.

MongoDB

MongoDB reports identify hosts that have the MongoDB NoSQL database running and accessible on the internet on port 27017 (TCP), without authentication enabled.

ElasticSearch

ElasticSearch reports identify hosts that have an ElasticSearch instance running and accessible on the internet on port 9200 (TCP), without authentication enabled.

Redis

Redis reports identify hosts that have their key-value stores running and accessible on the internet on port 6379 (TCP). As these services do not support authentication, they enable complete control over their key-value stores.

Proxy

Proxy reports identify hosts that have HTTP proxies open and accessible on the internet without authentication. These can be abused for multiple purposes, such as sending spam or performing fraudulent transactions.

XDMCP

XDMCP identifies hosts that have the X Display Manager service accessible from the open internet on port 177 (UDP). By having the XDMCP service exposed, these hosts can potentially disclose information about the system or have the service abused to compromise the host. Additionally, the XDMCP service can be used by malicious attackers as part of amplified Denial of Service attacks on other targets.

DB2

DB2 identifies hosts that have the DB2 Discovery Service accessible from the open internet on port 523 (UDP). The data field for this type includes the server name that the DB2 discovery service identifies itself as. By having the DB2 discovery service exposed, these hosts can potentially disclose information about the system or have the service abused to compromise the host. Additionally, the DB2 discovery service can be used by malicious attackers as part of amplified Denial of Service attacks on other targets.

For open services, the appropriate action to mitigate the threat will depend on the type of threat. For further information on how to protect yourself online, we recommend that you visit Stay Smart Online.
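As a first check on a host you operate, the following added example (not ACMA code) flags listeners on the ports named in the table above that are bound to anything other than loopback. It parses the output of the Linux `ss -tuln` command; the sample output, the `AISI_PORTS` table and the function name are constructed for illustration, and the Proxy type is omitted because the page gives no port for it.

```python
import ipaddress

# Protocol/port pairs taken from the table above.
AISI_PORTS = {
    ("udp", 623): "IPMI",
    ("tcp", 11211): "Memcached",
    ("tcp", 27017): "MongoDB",
    ("tcp", 9200): "ElasticSearch",
    ("tcp", 6379): "Redis",
    ("udp", 177): "XDMCP",
    ("udp", 523): "DB2",
}

# Constructed sample of `ss -tuln` output; not real data.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:623        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:177        0.0.0.0:*
tcp   LISTEN 0      511        127.0.0.1:6379       0.0.0.0:*
tcp   LISTEN 0      1024         0.0.0.0:11211      0.0.0.0:*
tcp   LISTEN 0      4096            [::]:27017         [::]:*
tcp   LISTEN 0      4096        10.0.0.5:9200       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
"""

def exposed_services(ss_output):
    """Return sorted (type, proto, address, port) for listed ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %interface suffix
        if not port.isdigit():
            continue
        name = AISI_PORTS.get((fields[0], int(port)))
        if name is None:
            continue
        # "*" is the dual-stack wildcard; wildcard binds listen on every interface.
        if addr != "*" and ipaddress.ip_address(addr).is_loopback:
            continue  # reachable only from the host itself
        findings.append((name, fields[0], addr, int(port)))
    return sorted(findings)

if __name__ == "__main__":
    for name, proto, addr, port in exposed_services(SAMPLE_SS):
        print(f"{name}: listening on {addr}:{port}/{proto}; bind to loopback or firewall it")
```

A non-loopback bind is only a candidate finding: whether the service is reachable from the internet still depends on the firewall and NAT in front of the host.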

We welcome any feedback on this chart. If you have any comments please send an email to aisi@acma.gov.au.
