The Internet Storm Center is listing the following as the top ten attacked ports today:
mydoom | 3127 |
epmap | 135 |
ms-sql-m | 1434 |
netbios-ns | 137 |
www | 80 |
SubSeven | 27374 |
microsoft-ds | 445 |
socks | 1080 |
squid-http | 3128 |
amanda | 10080 |
Several of these ports are associated with the MyDoom worm. When a system is infected by the MyDoom.A variant of the worm, the worm opens TCP ports 3127 through 3198, which explains why both of those ports are listed in the top ten attacked ports for today. A later variant of the worm, MyDoom.B, may use TCP ports 80, 1080, 3128, 8080 and 10080, which may be why all of those ports except port 8080 appear in the top ten list for today. I would still expect port 80 attacks to be high even without this worm, since port 80 is the port most commonly used by web servers.
Ports 1080 and 10080, like port 80, have uses other than giving the MyDoom worm a backdoor into systems. Port 1080 is used for the socks protocol. Socks is an Internet Engineering Task Force (IETF) standard proxy protocol for IP applications. The Advanced Maryland Automatic Network Disk Archiver (AMANDA) uses UDP port 10080, but not TCP port 10080. Amanda is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape drive.
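The port overlaps described above can be applied to firewall logs. The following is an added example, not part of the original post: it tags each destination port with the MyDoom variant and the legitimate service it may belong to, then lists sources that probed several MyDoom-related TCP ports. The log format, the sample lines and the `min_ports` threshold are assumptions.

```python
import re
from collections import defaultdict

# Port facts taken from the text above (MyDoom uses TCP only).
MYDOOM_A_TCP = range(3127, 3199)              # MyDoom.A: TCP 3127 through 3198
MYDOOM_B_TCP = {80, 1080, 3128, 8080, 10080}  # MyDoom.B may use these
# Legitimate services that share the same port numbers.
LEGIT = {("TCP", 80): "www", ("TCP", 1080): "socks",
         ("TCP", 3128): "squid-http", ("UDP", 10080): "amanda"}

# Assumed log format: key=value fields in the order SRC, PROTO, DPT.
LINE = re.compile(r"SRC=(\S+) .*?PROTO=(TCP|UDP) .*?DPT=(\d+)")

def classify(proto, port):
    """Return every label that applies to one destination (proto, port)."""
    labels = []
    if proto == "TCP" and port in MYDOOM_A_TCP:
        labels.append("mydoom.a-range")
    if proto == "TCP" and port in MYDOOM_B_TCP:
        labels.append("mydoom.b-candidate")
    if (proto, port) in LEGIT:
        labels.append("legit:" + LEGIT[(proto, port)])
    return labels

def summarize(lines):
    """Map each source IP to the set of MyDoom-related TCP ports it probed."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, proto, port = m.group(1), m.group(2), int(m.group(3))
        if any(label.startswith("mydoom") for label in classify(proto, port)):
            hits[src].add(port)
    return dict(hits)

def sweepers(lines, min_ports=3):
    """Sources that touched at least min_ports distinct MyDoom-related ports."""
    return sorted(s for s, p in summarize(lines).items() if len(p) >= min_ports)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    "SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3127",
    "SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3128",
    "SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=1080",
    "SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=10080",
    "SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80",
    "SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP DPT=10080",  # AMANDA, not MyDoom
    "SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=445",
    "malformed line",
]
```

A single hit on port 80 or 1080 says little on its own, which is why `sweepers` only reports sources that touched several of the listed ports.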