Security Incidents mailing list archives
Re: what's listening on udp 161?
From: Conor McGrath <conormc () uchicago edu>
Date: Wed, 13 Feb 2002 17:10:56 -0600
Quarantine once said:
> Hi all. WinMap is reporting 161/udp open on several of my Win2K servers.
> The problem is that SNMP isn't installed on these machines, and I don't
> know of anything else that would be accepting traffic on that port.
> Here's the result of a netstat -a -n -p udp on one of the machines:
>
> Active Connections
>
>   Proto  Local Address
>   UDP    0.0.0.0:135
>   UDP    0.0.0.0:445
>   UDP    0.0.0.0:1034
>   UDP    0.0.0.0:1251
>   UDP    0.0.0.0:1434
>   UDP    0.0.0.0:2344
>   UDP    0.0.0.0:3456
>   UDP    0.0.0.0:6050
>   UDP    xxx.xxx.xxx.xxx:137
>   UDP    xxx.xxx.xxx.xxx:138
>   UDP    xxx.xxx.xxx.xxx:500
>   UDP    xxx.xxx.xxx.xxx:41524
>
> I've confirmed that on a machine with the SNMP service installed and
> started, the same netstat command shows UDP 0.0.0.0:161. Can anybody
> explain this to me?
From the nmap man page:

    UDP scans: This method is used to determine which UDP (User
    Datagram Protocol, RFC 768) ports are open on a host. The
    technique is to send 0 byte udp packets to each port on the
    target machine. If we receive an ICMP port unreachable message,
    then the port is closed. Otherwise we assume it is open.

Therefore, if your hosts are not allowing ICMP in and/or out, you will
get a false positive. Try scanning the machine(s) for all UDP ports
(-p1- is the argument for that on the Unix nmap) and I'll bet you get a
report showing them all open.

-Conor

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
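
The cross-check this exchange implies, as an added example that is not part of the original posts: parse the posted netstat output for bound UDP ports and compare it with what a scanner reported open. The scan results, the 0.9 threshold, the verdict strings and the function names are assumptions constructed for illustration.

```python
import re

# netstat -a -n -p udp output as posted in the thread (addresses masked by the poster).
NETSTAT = """\
Active Connections
  Proto  Local Address
  UDP    0.0.0.0:135
  UDP    0.0.0.0:445
  UDP    0.0.0.0:1034
  UDP    0.0.0.0:1251
  UDP    0.0.0.0:1434
  UDP    0.0.0.0:2344
  UDP    0.0.0.0:3456
  UDP    0.0.0.0:6050
  UDP    xxx.xxx.xxx.xxx:137
  UDP    xxx.xxx.xxx.xxx:138
  UDP    xxx.xxx.xxx.xxx:500
  UDP    xxx.xxx.xxx.xxx:41524
"""

def bound_udp_ports(netstat_text):
    """Return the set of UDP ports that have a local socket bound."""
    ports = set()
    for line in netstat_text.splitlines():
        # The port is whatever follows the last ':' of the local address column.
        m = re.match(r"\s*UDP\s+\S+:(\d+)(?:\s|$)", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def triage(scan_open, scanned, netstat_text, blanket_ratio=0.9):
    """Label each port a UDP scanner called open, using the host's own socket table."""
    bound = bound_udp_ports(netstat_text)
    # If nearly every probed port is "open", no ICMP port unreachables came back:
    # the scanner is reporting silence, not listeners (threshold is an assumption).
    blanket = len(scan_open) / len(scanned) >= blanket_ratio
    verdicts = {}
    for port in sorted(scan_open):
        if port in bound:
            verdicts[port] = "listener confirmed"
        elif blanket:
            verdicts[port] = "likely false positive"
        else:
            verdicts[port] = "unexplained"
    return blanket, verdicts

if __name__ == "__main__":
    probed = range(1, 201)  # constructed scan: ports 1-200, every one reported open
    blanket, verdicts = triage(set(probed), probed, NETSTAT)
    print("blanket open result:", blanket)
    for port in (135, 137, 161):
        print(port, verdicts[port])
```
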