Security Incidents mailing list archives

Re: Lion Worm/crew.tgz


From: Daniel Martin <dtmartin24 () HOME COM>
Date: Mon, 26 Mar 2001 16:50:28 -0500

Cooper <Cooper () LINUX-FAN COM> writes:

> John Jasen wrote:
> <SNIP>
> > asp stream tcp nowait root /sbin/asp
>
> What is asp?

asp == "Address Search Protocol"

A very-little-used protocol which is designed to let someone search
for a specific machine using UDP packets; the idea is (as I understand
it) intended for the situation in which you wish to contact a machine
connecting to the internet through a dialup line and so don't know
what IP address this machine will get when it connects.  A client and
asp server can be found at http://www.brunettaeperin.it/stenio/

However, that's not at all relevant here.  First off, the real asp is
a udp protocol, but (like most assignments) both the tcp and udp port
numbers were assigned to it.  Secondly, asp was assigned the number
27374, and this just so happens to be the tcp port number that the
wildly popular SubSeven server listens on by default.  Because of
this, scans for the port 27374 are unreasonably common, and possibly
for that reason the ramen worm ran its worm-distribution server on
that port.  (Almost as an inside joke, or homage to the SubSeven
folks)  I'm willing to bet that that (worm distribution) is what port
27374/asp was used for on the box that had the inetd.conf snippet
shown above.  [*]

So, now, whenever you see port 27374 or "asp tcp" read that as you
would port number 31337 ("eleet"); it's just a number that seems to be
the current fad among the kiddies, with the added inducement that it
is a named port in many /etc/services files.  (Some inetds won't
listen to any port not named in /etc/services)

[*] Can someone more knowledgeable than I verify this timeline?  I
think I have it correct, but it's hard to search for references to
"Address Search Protocol" on the net, since you have to wade through
so many posts of people asking for explanations of probes.  I've never
seen a spec. for this protocol given anywhere.
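The audit the post implies, as an added example that is not part of the original thread: parse an inetd.conf in the format quoted above, resolve each service name through /etc/services the way inetd does, and flag entries that land on ports the post names (27374, 31337), names inetd could not map, or server binaries outside the usual system directories. The /etc/services excerpt, the inetd.conf sample and the EXPECTED_DIRS list are constructed assumptions.

```python
# Added example: audit inetd.conf entries against /etc/services and the ports
# the post discusses. SERVICES and INETD_CONF below are constructed samples.

SERVICES = """
telnet      23/tcp
asp         27374/tcp   # Address Search Protocol
asp         27374/udp
"""
INETD_CONF = """
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
asp     stream  tcp  nowait  root  /sbin/asp
"""
# Ports from the post: SubSeven's default (reused by Ramen) and "eleet".
WATCHED_PORTS = {27374: "SubSeven default, reused by Ramen", 31337: "eleet"}
# Directories where inetd-spawned server binaries are expected (assumption).
EXPECTED_DIRS = ("/usr/sbin/", "/usr/libexec/")


def parse_services(text):
    """Return {(name, proto): port} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line:
            name, portproto = line.split()[:2]
            port, proto = portproto.split("/")
            table[(name, proto)] = int(port)
    return table


def audit_inetd(conf, services):
    """Return [(service, port, reasons)] for entries that deserve a look."""
    findings = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:                        # blank, comment, malformed
            continue
        name, _socktype, proto, _wait, _user, server = fields[:6]
        port = services.get((name, proto))         # None if inetd can't map it
        reasons = []
        if port is None:
            reasons.append("service name not in /etc/services")
        elif port in WATCHED_PORTS:
            reasons.append("port %d: %s" % (port, WATCHED_PORTS[port]))
        if not server.startswith(EXPECTED_DIRS):
            reasons.append("server binary outside expected dirs: " + server)
        if reasons:
            findings.append((name, port, reasons))
    return findings
```

Run `audit_inetd(INETD_CONF, parse_services(SERVICES))`: the telnet line passes, while the asp line is reported both for port 27374 and for its /sbin/asp binary.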

