Security Incidents
mailing list archives
Re: what's listening on udp 161?
From: Conor McGrath <conormc () uchicago edu>
Date: Wed, 13 Feb 2002 17:10:56 -0600

Quarantine once said:

> Hi all. WinMap is reporting 161/udp open on several of my Win2K servers.
> The problem is that SNMP isn't installed on these machines, and I don't know
> of anything else that would be accepting traffic on that port. Here's the
> result of a netstat -a -n -p udp on one of the machines:
>
> Active Connections
>
>   Proto  Local Address
>   UDP    0.0.0.0:135
>   UDP    0.0.0.0:445
>   UDP    0.0.0.0:1034
>   UDP    0.0.0.0:1251
>   UDP    0.0.0.0:1434
>   UDP    0.0.0.0:2344
>   UDP    0.0.0.0:3456
>   UDP    0.0.0.0:6050
>   UDP    xxx.xxx.xxx.xxx:137
>   UDP    xxx.xxx.xxx.xxx:138
>   UDP    xxx.xxx.xxx.xxx:500
>   UDP    xxx.xxx.xxx.xxx:41524
>
> I've confirmed that on a machine with the SNMP service installed and
> started, the same netstat command shows UDP 0.0.0.0:161. Can anybody
> explain this to me?

From the nmap man page:

    UDP scans: This method is used to determine which UDP
    (User Datagram Protocol, RFC 768) ports are open on a
    host. The technique is to send 0 byte udp packets to
    each port on the target machine. If we receive an ICMP
    port unreachable message, then the port is closed.
    Otherwise we assume it is open.

Therefore, if your hosts are not allowing ICMP in and/or out, you will
get a false positive. Try scanning the machine(s) for all UDP ports
( -p1- is the argument for that on the Unix nmap) and I'll bet you
get a report showing them all open.

-Conor
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
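
The false-positive condition described in the reply, as an added example that is not part of the original thread: it applies the man page rule to a set of probe results and cross-checks them against the host's own `netstat -a -n -p udp` listing. The function names, the sample addresses and port lists, and the three-port threshold are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the netstat -a -n -p udp listing quoted above.
NETSTAT_UDP = """\
Active Connections
  Proto  Local Address
  UDP    0.0.0.0:135
  UDP    0.0.0.0:445
  UDP    0.0.0.0:1434
  UDP    192.0.2.10:137
  UDP    192.0.2.10:500
"""

def bound_udp_ports(netstat_text):
    """Return the set of UDP ports the host itself reports as bound."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*UDP\s+\S+:(\d+)\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def classify(probed, unreachable_seen, bound):
    """Man page rule first (ICMP port unreachable means closed, anything
    else is assumed open), then a cross-check against the bound ports."""
    result = {}
    for port in sorted(probed):
        if port in unreachable_seen:
            result[port] = "closed"
        elif port in bound:
            result[port] = "open (confirmed by netstat)"
        else:
            result[port] = "reported open, not bound: likely false positive"
    return result

def icmp_filtered(probed, unreachable_seen, bound, min_unbound=3):
    """Unbound ports should answer with ICMP port unreachable. If several
    were probed and none did, ICMP is probably being dropped on the path.
    min_unbound is an arbitrary threshold chosen for this example."""
    unbound = set(probed) - set(bound)
    return len(unbound) >= min_unbound and not (unbound & set(unreachable_seen))
```
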