Security Incidents mailing list archives
Re: Lion Worm/crew.tgz
From: Daniel Martin <dtmartin24 () HOME COM>
Date: Mon, 26 Mar 2001 16:50:28 -0500
Cooper <Cooper () LINUX-FAN COM> writes:
John Jasen wrote:
<SNIP>
asp stream tcp nowait root /sbin/asp

What is asp?
asp == "Address Search Protocol"

A very-little-used protocol which is designed to let someone search for a specific machine using UDP packets; the idea is (as I understand it) intended for the situation in which you wish to contact a machine connecting to the internet through a dialup line and so don't know what IP address this machine will get when it connects. A client and asp server can be found at http://www.brunettaeperin.it/stenio/

However, that's not at all relevant here. First off, the real asp is a udp protocol, but (like most assignments) both the tcp and udp port numbers were assigned to it. Secondly, asp was assigned the number 27374, and this just so happens to be the tcp port number that the wildly popular SubSeven server listens on by default.

Because of this, scans for the port 27374 are unreasonably common, and possibly for that reason the ramen worm ran its worm-distribution server on that port. (Almost as an inside joke, or homage to the SubSeven folks.) I'm willing to bet that that (worm distribution) is what port 27374/asp was used for on the box that had the inetd.conf snippet shown above. [*]

So, now, whenever you see port 27374 or "asp tcp" read that as you would port number 31337 ("eleet"); it's just a number that seems to be the current fad among the kiddies, with the added inducement that it is a named port in many /etc/services files. (Some inetd's won't listen to any port not named in /etc/services.)

[*] Can someone more knowledgeable than I verify this timeline? I think I have it correct, but it's hard to search for references to "Address Search Protocol" on the net, since you have to wade through so many posts of people asking for explanations of probes. I've never seen a spec. for this protocol given anywhere.
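An added example, not part of the original post: a small audit that resolves each inetd.conf service name through /etc/services and reports entries listening on the two ports the message names (27374 and 31337). The function names and both sample files are constructed for illustration; only the `asp` inetd line is taken from the message.

```python
# Ports named in the message: 27374 (asp, SubSeven's default) and 31337.
WATCH_PORTS = {27374, 31337}

# Constructed sample /etc/services excerpt (assumption, not from the page).
SAMPLE_SERVICES = """\
ftp     21/tcp
telnet  23/tcp
asp     27374/tcp   # Address Search Protocol
asp     27374/udp
"""

# Constructed sample inetd.conf; the last line is the one quoted in the message.
SAMPLE_INETD = """\
# constructed sample inetd.conf
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
asp stream tcp nowait root /sbin/asp
"""

def parse_services(text):
    """Return {(name, proto): port} for every name and alias in a services file."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            for name in [fields[0]] + fields[2:]:
                table[(name, proto)] = int(port)
    return table

def audit_inetd(inetd_text, services_text, watch=WATCH_PORTS):
    """List inetd.conf entries whose service resolves to a watched port."""
    services = parse_services(services_text)
    findings = []
    for lineno, line in enumerate(inetd_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:          # comment, blank, or malformed entry
            continue
        service, proto, user, server = fields[0], fields[2], fields[4], fields[5]
        # inetd accepts a service name; some also accept a bare port number.
        port = int(service) if service.isdigit() else services.get((service, proto))
        if port in watch:
            findings.append({"line": lineno, "service": service, "port": port,
                             "user": user, "server": server})
    return findings
```

On a live host, pass the contents of `/etc/inetd.conf` and `/etc/services` instead of the sample strings.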