While experimenting with running localhost scans with Nmap, I scanned my udp ports and discovered a high-numbered one to be open. But I had no legit procs running that could be using it. I re-ran Nmap and disscovered that there was till a high numbered udp port open, but now it was on a different port! In fact, as you can see by the output below, every time Nmap scanned my localhost udp ports, this process changes ports. Netstat showed NOTHING, and being new to linux the only way I know to associate a process with a port is by using netstat.
Here is a file I created by making a cron job that ran "Nmap -sU -p 0-65535 localhost" every minute and appended the output to a file. As you can see, not only does the port change constantly, but the machine gradually slows down untill it takes longer than 1 minute to run the scan and then shortkly after that it jammed up(locked).
--------------------------------------------------
Nmap finished: 1 IP address (1 host up) scanned in 54.470 seconds
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
45817/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 57.894 seconds
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:15 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
57110/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 42.152 seconds
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:16 PDT
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:16 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
43031/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 55.069 seconds
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
44341/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 56.071 seconds
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:17 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
62552/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 41.406 seconds
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:18 PDT
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:18 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
62151/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 53.940 seconds
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
44769/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 59.416 seconds
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:19 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
47126/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 41.475 seconds
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:20 PDT
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:20 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
59124/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 56.989 seconds
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
52110/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 59.847 seconds
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:21 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
51384/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 41.373 seconds
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:22 PDT
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:22 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
39850/udp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 58.382 seconds
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:25 PDT
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:26 PDT
Starting nmap 3.81 (
http://www.insecure.org/nmap/ ) at 2005-08-23 20:26 PDT