Spike in activity with port 3379 (SOCORFS)


My personal IPs on AWS are being scanned for 3379. Apparently, this is SOCORFS, registered to one Hugo Charbonneau. This port is getting scanned a lot more often in recent months: https://isc.sans.edu/port.html?port=3379

Does anyone know what this is? It’s possible someone found a vulnerability in this protocol and we’re not yet publicly aware of it.

UPDATE: I reached out to Hugo, will update if I have information from him.

UPDATE 2: Hugo used to work at Socomar International (over 20 years ago), which was a company who built technology for ship tracking. SOCORFS may be “Soco RFS”. Socomar was dissolved in 2006 though. All content I could find online was that it’s unlikely that this company’s products are widely used today. So, there’s a good chance port 3379 is actually being used for something else, nothing related to SOCORFS.