Re: Mysterious udp packets
From: Dpk (email@example.com)
- In reply to: Don Felgar: "Mysterious udp packets"
Date: Fri, 17 Aug 2001 09:17:06 -0400
From: Dpk <firstname.lastname@example.org>
To: Don Felgar <email@example.com>
Subject: Re: Mysterious udp packets
Message-ID: <20010817091706.F5582@egr.msu.edu>
On Thu, Aug 16, 2001 at 07:06:37PM -0700, Don Felgar wrote:
> Last night I ran iptraf and happened to notice that approximately
> once per second some process sends 28 bytes to port 37 (timeserver)
> to a particular unfamiliar machine via UDP. The sending process
> uses local port 1024, then 1025, then 1024 again and so forth.
> There is no mention of the remote machine or the IP of the remote
> machine anywhere under /etc/.
> None of these commands:
>     fuser 1024/udp 1025/udp
>     lsof -i udp:1024
> sees this activity, even during hundreds of iterations, I don't
> know why. Could it be that sending 28 bytes is so atomic that the
> operation never interleaves with the commands listed above? I'd
> really rather not take this machine down, and it's hard to imagine
> that this is a crack, but I'm running out of ideas.
> I've tried shutting down most of these processes, but the udp
> Probably this is something stupid, but I'm at the end of my rope.
Comment these lines in /etc/inetd.conf and execute "pkill -HUP inetd":
#time stream tcp nowait root internal
#time dgram udp wait root internal
The time port (37) is an internal service of inetd and can be used to
remotely retrieve the time from your system (man rdate), which is a
convenient way to synchronize time between systems when NTP accuracy is
not needed. I am not aware of any major damage caused by this service,
but definitely disable it if you don't need it.
Hope this helps.
College of Engineering
Michigan State University
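
Added example (not part of the original message): one way to check which inetd built-in services are still enabled before and after the edit described in the reply above. The function names and the sample file are constructed for illustration; the script works on a temporary copy, not on /etc/inetd.conf.

```shell
#!/bin/sh
# Audit an inetd.conf for enabled built-in ("internal") services.
# All names here are hypothetical helpers; the sample config is constructed.

# Print "service/proto" for every uncommented entry whose server program
# (field 6) is "internal", i.e. handled by inetd itself.
inetd_internal_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 && $6 == "internal" { print $1 "/" $3 }' "$1"
}

# Write the config to stdout with every uncommented entry for service $2
# commented out; all other lines pass through unchanged.
inetd_comment_out() {
    awk -v svc="$2" '!/^[ \t]*#/ && $1 == svc { print "#" $0; next } { print }' "$1"
}

# Create a constructed sample config and print its path.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd  in.ftpd
time    stream  tcp  nowait  root  internal
time    dgram   udp  wait    root  internal
#echo   stream  tcp  nowait  root  internal
daytime dgram   udp  wait    root  internal
EOF
    printf '%s\n' "$f"
}

conf=$(make_sample)
echo "enabled internal services before:"
inetd_internal_enabled "$conf"

# Disable both "time" entries in a copy, then audit the copy.
inetd_comment_out "$conf" time > "$conf.new"
echo "enabled internal services after:"
inetd_internal_enabled "$conf.new"

rm -f "$conf" "$conf.new"
```

On a real system the edited file only takes effect once inetd rereads it, which is what the "pkill -HUP inetd" in the reply does.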