[jaktet]

I would imagine the amount of time someone spends “investigating” a port like 3306 is the amount of time it takes for the existing automated software to run a check to see if the mysql server is vulnerable. So unless the service on 3306 is able to spoof a vulnerable mysql server, they don’t care if it’s real or not. They just care if their tool reports a vulnerable service.

[robertlagrant]

Why would they only care about that if they're trying to hack into a system?

[jaktet]

Unless they are specifically targeting that system my assumption would be that they are just looking for open ports for known services, then if found checking if exploits work or not, and if not move on. I could very well be wrong but from a practical standpoint I can’t imagine this service mattering to someone that is running a program to scan for open ports with vulnerabilities.

[robertlagrant]

I might just be regurgitating the article, but isn't the point that it can massively increase the time and effort it takes to scan a system for valid vulnerabilities?

[jaktet]

What I’m saying though is that if I were running a script like this, unless I’m targeting a specific ip, I would just be scanning known ports for known vulnerabilities. I wouldn’t be scanning every single port.