[Wylug-help] Strange UDP port activity
fluffy at fluffybacon.co.uk
Wed Feb 2 15:58:41 GMT 2005
On Wed, 2005-02-02 at 10:35 +0000, Jason Lander wrote:
> Following up from what Jim and James said about your UDP port
> If it is an rpc service,
>
> rpcinfo -p localhost
>
> will tell you which service it is.
First off, thanks for your help. I'm still a bit dubious though.
Running 'rpcinfo -p localhost' gives the following:
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
Next, I tried killing off the rpc services (portmap, famd) and running
nmap again:
PORT       STATE          SERVICE     VERSION
68/udp     open|filtered  dhcpclient
54147/udp  open           unknown
At the same time I ran netstat to find out if nmap itself was holding
the port open:
Proto Recv-Q Send-Q Local Address    Foreign Address  State        User  Inode  PID/Program name
udp    15960      0 0.0.0.0:68       0.0.0.0:*                     0     11123  11124/dhcpcd
udp        0      0 127.0.0.1:32846  127.0.0.1:68     ESTABLISHED  0     25296  16204/nmap
According to which, rpc services are off and nmap is holding port 32846
open, not 54147.
The following services are running on this machine:
X
X Font server
famd
portmap
vixie-cron
syslog-ng
samba
The reason I'm slightly worried by this is that according to my router's
logs this machine has been randomly(?) pinging hosts on the Internet.
SUID is unset on /bin/ping and the machine has only one user (me).
Needless to say I have no idea what's going on, and have unplugged the
machine from the network. Any further insights you might be able to
provide would be greatly appreciated. This is very much a learning
experience for me, but mostly I hate mysteries.
Ciaran.
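
Added example (not part of the original post): a Python cross-check of the netstat step above that reads a /proc/net/udp style table directly and resolves a port's socket inode to the PIDs holding it. The table text is a constructed sample built from the ports and inodes shown in the post; the function names and the proc_root parameter are assumptions of this example.

```python
import glob
import os
import socket
import struct

# Constructed sample in /proc/net/udp layout, using the ports/inodes from the post.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: 00000000:0044 00000000:0000 07 00000000:00003E58 00:00000000 00000000     0        0 11123
   2: 0100007F:804E 0100007F:0044 01 00000000:00000000 00:00000000 00000000     0        0 25296
"""

def parse_udp_table(text):
    """Return (ip, port, inode) for each socket row in /proc/net/udp text."""
    rows = []
    for line in text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the IPv4 address as a host-order 32-bit word
        # (little-endian assumed here, as on x86); the port is plain hex.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        rows.append((ip, int(hex_port, 16), int(fields[9])))
    return rows

def owners_of_inode(inode, proc_root="/proc"):
    """Return sorted PIDs with an fd on socket:[inode]; run as root to see every process."""
    target = f"socket:[{inode}]"
    pids = set()
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split(os.sep)[-3]))
        except OSError:                           # process exited or access denied
            continue
    return sorted(pids)

def explain_port(port, table_text, proc_root="/proc"):
    """Map a local UDP port to its owning PIDs, or report why none was found."""
    matches = [r for r in parse_udp_table(table_text) if r[1] == port]
    if not matches:
        return "not in the socket table (no local socket bound to this port)"
    ip, _, inode = matches[0]
    pids = owners_of_inode(inode, proc_root)
    if pids:
        return f"{ip}:{port} inode {inode} held by PID(s) {pids}"
    return f"{ip}:{port} inode {inode} has no owning process visible"
```

On a live Linux host, pass the contents of /proc/net/udp as table_text; a port that a scanner reports open but that is absent from this table is not bound by any local socket at the moment the table is read.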