[Wylug-help] Strange UDP port activity
Jim Jackson
jj at comp.leeds.ac.uk
Wed Feb 2 09:50:02 GMT 2005
On Wed, 2 Feb 2005, fluffy at fluffybacon.co.uk wrote:
> Can anyone tell me what's happening here?
>
> nmap -sU -sV -p- 127.0.0.1
>
> Interesting ports on localhost.localdomain (127.0.0.1):
> (The 65532 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE VERSION
> 68/udp open|filtered dhcpclient
> 111/udp open rpcbind 2 (rpc #100000)
> 50682/udp open unknown
>
> ------------------------
>
> Interesting ports on localhost.localdomain (127.0.0.1):
> (The 65532 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE VERSION
> 68/udp open|filtered dhcpclient
> 111/udp open rpcbind 2 (rpc #100000)
> 62421/udp open unknown
>
> -----------------------
>
> The port number changes EVERY TIME I run nmap, netstat shows nothing and
> both rkhunter and chkrootkit say nothing suspicious is going on.
>
> As the port number keeps changing, I can't use fuser to find out what's
> running on these random ports
RPC services of some sort.
You need to check out how RPC works - check out
http://www.faqs.org/docs/linux_network/x-087-2-appl.rpc.html or similar.
If you are really worried - just kill off rpcbind and you should find that
the random udp port usage disappears. Mind you some things may stop
functioning depending on your setup.
> ...... and before I reformat the machine I was
> just wondering if anyone else could help?
>
Err.... you were going to reformat because of this?????????
Jim
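
An added example, not part of the original message: one way to check whether a UDP port that nmap reports as open is registered with the portmapper, by looking it up in `rpcinfo -p` output. The `rpcinfo` table below is constructed sample data, and the function names `rpc_owner` and `classify_ports` are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not from the poster's machine).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status'

# rpc_owner PROTO PORT
# Reads `rpcinfo -p` output on stdin and prints "program/version service"
# for every registration on PROTO/PORT, comma-separated on one line.
# Prints "unregistered" when the portmapper has no entry for that port.
rpc_owner() {
    awk -v proto="$1" -v port="$2" '
        $1 == "program" { next }                  # skip the header row
        $3 == proto && $4 == port {
            svc = (NF >= 5) ? $5 : "-"            # service name may be absent
            out = out (out ? ", " : "") $1 "/" $2 " " svc
        }
        END { print (out ? out : "unregistered") }
    '
}

# classify_ports PROTO RPCINFO_TEXT PORT...
# Labels each port (for example, the open ports from an nmap run).
classify_ports() {
    proto=$1
    table=$2
    shift 2
    for p in "$@"; do
        owner=$(printf '%s\n' "$table" | rpc_owner "$proto" "$p")
        printf '%s/%s: %s\n' "$p" "$proto" "$owner"
    done
}

# Live use would be: classify_ports udp "$(rpcinfo -p 127.0.0.1)" 111 50682
classify_ports udp "$SAMPLE_RPCINFO" 111 32768 50682
```

A port that comes back as "unregistered" has no portmapper entry, so its owner has to be found another way.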