Re: Mysterious udp packets

From: Dpk (dpk@egr.msu.edu)
Date: 08/17/01


Date: Fri, 17 Aug 2001 09:17:06 -0400
From: Dpk <dpk@egr.msu.edu>
To: Don Felgar <dfelgar@rainierinternet.com>
Subject: Re: Mysterious udp packets
Message-ID: <20010817091706.F5582@egr.msu.edu>

On Thu, Aug 16, 2001 at 07:06:37PM -0700, Don Felgar wrote:

   Hello all,
   
   Last night I ran iptraf and happened to notice that approximately
   once per second some process sends 28 bytes to port 37 (timeserver)
   to a particular unfamiliar machine via UDP. The sending process
   uses local port 1024, then 1025, then 1024 again and so forth.
   
   There is no mention of the remote machine or the IP of the remote
   machine anywhere under /etc/.
   
   None of these commands:
    fuser 1024/udp 1025/udp
    netstat -u
    lsof -i udp:1024
   
   sees this activity, even during hundreds of iterations, I don't
   know why. Could it be that sending 28 bytes is so atomic that the
   operation never interleaves with the commands listed above? I'd
   really rather not take this machine down, and it's hard to imagine
   that this is a crack, but I'm running out of ideas.
   
   [snip]
   
   I've tried shutting down most of these processes, but the udp
   packets continue.
   
   Probably this is something stupid, but I'm at the end of my rope.
   
Comment these lines in /etc/inetd.conf and execute "pkill -HUP inetd":

#time stream tcp nowait root internal
#time dgram udp wait root internal

The time port (37) is an internal service of inetd and can be used to
remotely retrieve the time from your system (man rdate), which is a
convenient way to synchronize time between systems when NTP accuracy is
not needed. I am not aware of any major damage caused by this service,
but definitely disable it if you don't need it.

Hope this helps.

Dennis Kelly
Network Administrator
College of Engineering
Michigan State University
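
An added example, not part of the original message: a check that the inetd.conf change described in the reply took effect. It goes slightly beyond the reply by listing every active entry that inetd serves itself (program field "internal"), not only time. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for active built-in ("internal") services
# and produce a copy with one service commented out.
# inetd.conf fields: service socket-type protocol wait-flag user program [args]

# list_internal FILE: print "service/proto" for each uncommented entry whose
# server program is inetd's own "internal" handler.
list_internal() {
    awk 'NF >= 6 && $1 !~ /^#/ && $6 == "internal" { print $1 "/" $3 }' "$1"
}

# disable_service FILE SERVICE: write FILE to stdout with every active entry
# for SERVICE prefixed by "#". Already-commented lines pass through unchanged.
disable_service() {
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1"
}

# Constructed sample configuration (not taken from any real host).
make_sample() {
    cat <<'EOF'
# constructed sample inetd.conf
echo    stream tcp nowait root internal
time    stream tcp nowait root internal
time    dgram  udp wait   root internal
#daytime stream tcp nowait root internal
ftp     stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
EOF
}

audit_demo() {
    tmp=$(mktemp -d) || return 1
    make_sample > "$tmp/inetd.conf"
    echo "active internal services before:"
    list_internal "$tmp/inetd.conf"
    disable_service "$tmp/inetd.conf" time > "$tmp/inetd.conf.new"
    echo "active internal services after:"
    list_internal "$tmp/inetd.conf.new"
    rm -rf "$tmp"
}

audit_demo
```

On a real system the edited file only takes effect once inetd rereads it, which is what the "pkill -HUP inetd" in the reply does.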


