Re: Lot of UDP ports opened
> Hi there,
Hello Jaques,
> There are box1 and box2 on the same LAN
>
> A daily cron does machine nmap each other.
>
> Some times, box1 finds a lot of opened UDP ports opened on box2.
>
> Both machines are debian stable doing security updates.
>
> Both rkhunter and chkrootkit are running on it and finds nothing.
>
> Box2 nmapping herself shows a normal situation.
>
> A reboot turns box2 to normal behavior.
>
> Any idea ?
>
> Thanks, Jacques
>
I'm not sure if this list is the right one to discuss this type of
problem. ( maybe it's best suited for the debian-user list? Could someone
direct me to the right policy on this ?? ).
However, have you tried sniffing the traffic to see what it is/could be?
If you are unsure what a port is used for, you can search isc.sans.org for
rather up-to-date port information (registered services, worms/trojans...)
that are using that port.
Or alternatively use the search ports function on www.snort.org, or google.
You could install lsof (ls open files) and use it to find which
process(es) are keeping the ports open.
Do a netstat -a[n] and look what is connected/connecting to those ports.
I don't have a debian box at hand right now, but try to see if the UDP
ports get closed after updating is completed. Although it seems unlikely
this process would need to open UDP ports on your machine at all.
Good luck,
Roger
--
Under capitalism, man exploits man.
Under communism, it's just the opposite.
J.K.Galbraith
Reply to: