Re: Mysterious udp packets

From: Dpk (dpk@egr.msu.edu)
Date: 08/17/01


Date: Fri, 17 Aug 2001 09:17:06 -0400
From: Dpk <dpk@egr.msu.edu>
To: Don Felgar <dfelgar@rainierinternet.com>
Subject: Re: Mysterious udp packets
Message-ID: <20010817091706.F5582@egr.msu.edu>

On Thu, Aug 16, 2001 at 07:06:37PM -0700, Don Felgar wrote:

   Hello all,
   
   Last night I ran iptraf and happened to notice that approximately
   once per second some process sends 28 bytes to port 37 (timeserver)
   to a particular unfamiliar machine via UDP. The sending process
   uses local port 1024, then 1025, then 1024 again and so forth.
   
   There is no mention of the remote machine or the IP of the remote
   machine anywhere under /etc/.
   
   None of these commands:
    fuser 1024/udp 1025/udp
    netstat -u
    lsof -i udp:1024
   
   sees this activity, even during hundreds of iterations, I don't
   know why. Could it be that sending 28 bytes is so atomic that the
   operation never interleaves with the commands listed above? I'd
   really rather not take this machine down, and it's hard to imagine
   that this is a crack, but I'm running out of ideas.
   
   [snip]
   
   I've tried shutting down most of these processes, but the udp
   packets continue.
   
   Probably this is something stupid, but I'm at the end of my rope.
   
Comment these lines in /etc/inetd.conf and execute "pkill -HUP inetd":

#time stream tcp nowait root internal
#time dgram udp wait root internal

The time port (37) is an internal service of inetd and can be used to
remotely retrieve the time from your system (man rdate), which is a
convenient way to synchronize time between systems when NTP accuracy is
not needed. I am not aware of any major damage caused by this service,
but definitely disable it if you don't need it.

Hope this helps.

Dennis Kelly
Network Administrator
College of Engineering
Michigan State University
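
Added example, not part of the original message: a shell sketch that lists which inetd built-in ("internal") services are still enabled in an inetd.conf and prints a copy with one service commented out, as the reply suggests doing by hand. The function names and the sample file are hypothetical and constructed for illustration; the code assumes the classic inetd.conf column layout (service, socket type, protocol, wait flag, user, server program, arguments).

```shell
#!/bin/sh
# Added example: audit an inetd.conf for enabled built-in ("internal") services.
# Assumed columns: service  socket-type  protocol  wait-flag  user  server  [args]

# Print "service/protocol" for every uncommented line whose server is "internal".
inetd_internal_enabled() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }        # skip comments, blank and short lines
        $6 == "internal"     { print $1 "/" $3 }
    ' "$1"
}

# Write a copy of FILE to stdout with every enabled line for SERVICE commented out.
# The original file is never modified; review the output before installing it,
# then signal inetd to reread its configuration (the reply uses "pkill -HUP inetd").
inetd_comment_out() {
    awk -v svc="$2" '
        !/^[ \t]*#/ && NF >= 6 && $1 == svc { print "#" $0; next }
        { print }
    ' "$1"
}

# Constructed sample configuration, not taken from any real host.
inetd_sample() {
    cat <<'EOF'
# constructed sample inetd.conf
echo     stream  tcp  nowait  root  internal
#daytime stream  tcp  nowait  root  internal
time     stream  tcp  nowait  root  internal
time     dgram   udp  wait    root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
EOF
}

# Stand-alone use: pass the path of the file to audit, e.g. /etc/inetd.conf.
[ $# -eq 0 ] || inetd_internal_enabled "$1"
```

On the constructed sample, `inetd_internal_enabled` reports echo/tcp, time/tcp and time/udp; after `inetd_comment_out FILE time` only echo/tcp remains enabled.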