
SANS ISC: What's up with port 79 ? - SANS Internet Storm Center SANS ISC InfoSec Forums


What's up with port 79 ?

 

ISC reader Yew reports that he is seeing a steady increase in probes to tcp/79 ("finger"). Our own DShield sensors confirm this observation, as is visible on the image below. It's been a while since we last had exploit attempts on tcp/79, and hardly anybody is using/running "finger" anymore these days. So .. what's up? Anyone got packets?

 


 

Daniel

367 Posts
ISC Handler
Looking at my logs, I see a spike yesterday... but that's really all. It looks like most of it was sourced from China and Taiwan. I don't have packets, but I might be able to post source IPs later.
Anonymous
Russian Federation, US, Ukraine, India, and Brazil as well, starting and dropping off yesterday. Looking into getting more info.
Anonymous
Has anyone also been seeing an uptick in tcp/179? I'm thinking the number can't be a coincidence. I'm actively seeing a pretty good bit from Europe, Asia, etc.
Anonymous
My guess is that yesterday's spike was a typo - someone's scanning for vulnerable BGP hosts today.
Sean

4 Posts
Got a tarpit up on 79, let's see what happens.
Yinette

12 Posts
Definitely seeing a large amount on 179, will attempt to capture some activity and send it in.
Yinette

12 Posts
