Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: What's up with port 79 ? SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
What's up with port 79 ?


ISC reader Yew reports that he is seeing a steady increase in probes to tcp/79 ("finger"). Our own DShield sensors confirm this observation, as is visible on the image below. It's been a while since we last had exploit attempts on tcp/79, and hardly anybody is using/running "finger" anymore these days. So .. what's up? Anyone got packets?




385 Posts
ISC Handler
Jun 27th 2012
Looking at my logs, I see a spike yesterday....but that's really all. It looks like most of it was sourced from China and Taiwan. I don't have packets, but I might be able to post source IPs later.
Russian Federation, US, Ukrain, India, and Brazil as well starting and dropping off yesterday. Loooking into getting more info.
Has anyone also been seeing an uptic in tcp/179 ? I'm thinking the number can't be a coincidence. I'm actively seeing a pretty good bit from Europe, Asia, etc.
My guess is that yesterday's spike was a typo - someone's scanning for vulnerable BGP hosts today.

4 Posts
Got a tarpit up on 79, let's see what happens.

12 Posts
Definitely seeing a large amount on 179, will attempt to capture some activity and send it in.

12 Posts

Sign Up for Free or Log In to start participating in the conversation!