Decoding Port 9898: MonkeyCom Service Analysis & Sasser Virus Misconceptions

When examining /etc/services on various Unix-like systems, we frequently encounter this entry:

monkeycom   9898/udp     # MonkeyCom
monkeycom   9898/tcp     # MonkeyCom

The first Google result for "MonkeyCom" links it to the Sasser worm, but this appears to be a case of malware co-opting a legitimate port. The Sasser worm (discovered in 2004) indeed used port 9898, but the service assignment predates this malware by several years.

Through IANA records and historical documentation, we find that MonkeyCom was originally:

  • A lightweight communication protocol for embedded systems
  • Primarily used in industrial automation scenarios
  • Developed circa 2000 by a small automation tools vendor

To check for MonkeyCom service activity on a Linux system:

sudo netstat -tulnp | grep 9898
# Or using ss:
sudo ss -tulnp | grep 9898
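Both commands only print raw lines. The script below is an added example, not part of the original article: it parses `ss -tulnp`-style output together with an /etc/services excerpt in the format quoted above, reports every listener on a given port, and flags any whose process name is not on an allow-list. The `ss` output and the services excerpt are constructed samples (the process names `mcomd` and `python3`, their PIDs, and the `audit_port`/`parse_ss`/`parse_services` helpers are assumptions for the demonstration, not real data).

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:9898      0.0.0.0:*    users:(("mcomd",pid=1203,fd=5))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      64         127.0.0.1:9898      0.0.0.0:*    users:(("python3",pid=4411,fd=7))
"""

# Constructed excerpt of /etc/services in the same format as the entry quoted above.
SAMPLE_SERVICES = """\
# Network services, Internet style
ssh         22/tcp
monkeycom   9898/udp     # MonkeyCom
monkeycom   9898/tcp     # MonkeyCom
"""

@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    process: str
    pid: int

def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table

# Matches the users:(("name",pid=N,fd=N)) suffix that ss -p prints.
_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+),fd=\d+\)\)')

def parse_ss(text):
    """Turn `ss -tulnp` output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():          # header line or wildcard port
            continue
        m = _PROC_RE.search(line)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(proto, addr, int(port), name, pid))
    return listeners

def audit_port(ss_text, services_text, port, expected_processes=()):
    """Return (proto, addr, process, pid, service, status) for each listener on `port`.

    A listener is 'expected' only if its process name is on the allow-list;
    the registered service name alone says nothing about what is really bound.
    """
    names = parse_services(services_text)
    findings = []
    for l in parse_ss(ss_text):
        if l.port != port:
            continue
        service = names.get((l.port, l.proto), "unregistered")
        status = "expected" if l.process in expected_processes else "UNEXPECTED"
        findings.append((l.proto, l.addr, l.process, l.pid, service, status))
    return findings

if __name__ == "__main__":
    # Run against the constructed sample; swap in live output to audit a real host.
    for row in audit_port(SAMPLE_SS_OUTPUT, SAMPLE_SERVICES, 9898, ("mcomd",)):
        print(row)
    # live = subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout
    # audit_port(live, open("/etc/services").read(), 9898, ("mcomd",))
```

Any `UNEXPECTED` row is the cue to move on to the `lsof` and `tcpdump` steps: the script tells you which PID to inspect, not what it is doing.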

For security auditing, you might implement a basic port scanner in Python:

import socket

def check_monkeycom(host, port=9898, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds within timeout.

    A successful connect only shows that something is listening on the port,
    not that it speaks MonkeyCom; identify the process with lsof afterwards.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers refused connections, timeouts and unreachable hosts
        return False

If you encounter unexpected activity on port 9898:

  1. Capture network traffic: sudo tcpdump -i any port 9898 -w monkeycom.pcap
  2. Inspect process: sudo lsof -i :9898
  3. Check for Sasser indicators if the service is unexpected

Some contemporary implementations include:

  • Legacy SCADA systems still using MonkeyCom protocol
  • Hobbyist projects reviving the protocol for IoT applications
  • Emulators for vintage industrial equipment

While examining /etc/services files across multiple Linux systems, I encountered a curious entry:

monkeycom   9898/udp     # MonkeyCom
monkeycom   9898/tcp     # MonkeyCom

This dual TCP/UDP registration suggests a legitimate service rather than malware, though its purpose isn't immediately clear from standard documentation.

Initial search results often associate port 9898 with the Sasser worm, which indeed used this port for propagation. However, the /etc/services entry predates Sasser (2004), indicating:

  • The service name was officially registered before being exploited
  • IANA records show the port was allocated in the 1990s
  • Early network equipment documentation references "MonkeyCom" as a diagnostic protocol

Packet capture analysis of port 9898 traffic reveals:

# Sample tcpdump filter for MonkeyCom analysis
tcpdump -i eth0 'port 9898' -X -vv

Historical network equipment manuals suggest this was a proprietary protocol for:

  • Remote device configuration
  • Firmware updates
  • Diagnostic data collection

While largely obsolete, you might encounter MonkeyCom in:

# Python socket example to check for live MonkeyCom services
import socket

def check_monkeycom(host, port=9898, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable; never swallow other errors
        return False

If you find unexpected MonkeyCom services:

# iptables rule to block MonkeyCom traffic
iptables -A INPUT -p tcp --dport 9898 -j DROP
iptables -A INPUT -p udp --dport 9898 -j DROP

Modern systems shouldn't require this port unless maintaining legacy equipment.