Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1  tom_from_van, 08-24-2005, 09:32 AM
is this evidence of a trojan?

While experimenting with running localhost scans with Nmap, I scanned my udp ports and discovered a high-numbered one to be open. But I had no legit procs running that could be using it. I re-ran Nmap and discovered that there was still a high-numbered udp port open, but now it was on a different port! In fact, as you can see by the output below, every time Nmap scanned my localhost udp ports, this process changed ports. Netstat showed NOTHING, and being new to Linux the only way I know to associate a process with a port is by using netstat.
Here is a file I created by making a cron job that ran "Nmap -sU -p 0-65535 localhost" every minute and appended the output to a file. As you can see, not only does the port change constantly, but the machine gradually slows down until it takes longer than 1 minute to run the scan, and then shortly after that it jammed up (locked).
--------------------------------------------------

Nmap finished: 1 IP address (1 host up) scanned in 54.470 seconds
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
45817/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 57.894 seconds

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:15 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
57110/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 42.152 seconds

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:16 PDT

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:16 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
43031/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 55.069 seconds
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
44341/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 56.071 seconds

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:17 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
62552/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 41.406 seconds

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:18 PDT

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:18 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
62151/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 53.940 seconds
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
44769/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 59.416 seconds

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:19 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
47126/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 41.475 seconds

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:20 PDT

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:20 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
59124/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 56.989 seconds
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
52110/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 59.847 seconds

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:21 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
51384/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 41.373 seconds

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:22 PDT

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:22 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
39850/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 58.382 seconds

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:25 PDT

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:26 PDT

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-23 20:26 PDT
 
#2  primo, 08-24-2005, 07:03 PM
You don't need to scan yourself to see your open/closed ports.
Run "netstat -tupln" to see them all, and the PID of each daemon.
Use fuser(1) too
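The netstat cross-check primo describes, scripted as an added example (not code from the thread): it parses nmap's port table and `netstat -tupln` output, both constructed samples here, and reports every port nmap calls open that no local socket accounts for. The `scanner_source_port` parameter is my own addition for the case where the scan was run with a fixed source port.

```python
import re

# Constructed sample in nmap 3.81's table format (not the thread's real scan output).
NMAP_OUTPUT = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-24 19:23 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65533 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
53/udp    open  domain
60116/udp open  unknown
"""

# Constructed sample of `netstat -tupln` run as root (not from the thread).
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           940/named
udp6       0      0 :::123                  :::*                                655/ntpd
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def nmap_open_ports(text):
    """Map (proto, port) -> state for every port nmap lists as open or open|filtered."""
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3).startswith("open"):
            found[(m.group(2), int(m.group(1)))] = m.group(3)
    return found


def listening_sockets(text):
    """Map (proto, port) -> (local address, 'PID/Program') from `netstat -tupln` output.
    UDP rows have no State column, so the owner is taken from the last field, not by index."""
    socks = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0][:3] not in ("tcp", "udp"):
            continue                                  # skips the two header lines
        addr, port = f[3].rsplit(":", 1)              # rsplit keeps IPv6 forms like ':::123' intact
        socks[(f[0][:3], int(port))] = (addr, f[-1])  # f[-1] is '-' when netstat ran without root
    return socks


def reconcile(nmap_text, netstat_text, scanner_source_port=None):
    """Split nmap's open ports into those an owning socket explains and those nothing explains.
    scanner_source_port: the port the scan was pinned to with --source_port, if any (my addition)."""
    accounted, unaccounted = {}, []
    socks = listening_sockets(netstat_text)
    for key in nmap_open_ports(nmap_text):
        if key in socks:
            accounted[key] = socks[key]
        elif key == ("udp", scanner_source_port):
            accounted[key] = ("127.0.0.1", "scanner's own source port")
        else:
            unaccounted.append(key)
    return accounted, unaccounted


if __name__ == "__main__":
    ok, unknown = reconcile(NMAP_OUTPUT, NETSTAT_OUTPUT)
    for (proto, port), (addr, owner) in ok.items():
        print(f"{port}/{proto} bound on {addr} by {owner}")
    for proto, port in unknown:
        print(f"{port}/{proto} open per nmap but no socket owns it: "
              f"check it with fuser, or rescan with a fixed source port")
```

Run `netstat -tupln` as root; otherwise the PID/Program column shows `-` for sockets owned by other users and the script can only tell you the owner is hidden. For a single port, `fuser -v 45817/udp` does the same owner lookup, and `ss -ulpn` is the current replacement for the netstat invocation.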
 
#3  tom_from_van (Original Poster), 08-24-2005, 07:55 PM
I agree --- but what about when Nmap says that there IS a high udp port open, and your "netstat -tupln" command says that there aren't any such udp ports open (as is the case)? What then? Who do I believe, and is there another way to determine port usage than these two commands?
 
#4  TruckStuff, 08-24-2005, 08:14 PM
UDP and high numbered ports can be open if, for example, you are receiving a response to a DNS query. I wouldn't worry too much about it.
 
#5  tom_from_van (Original Poster), 08-24-2005, 09:28 PM
sounded good, but doesn't check out, unfortunately.

" ... response to DNS query ... " --- hmmm, I'll betcha that's exactly what it is, given that traffic on this interface is like:

19:16:49.952951 IP me.34360 > pd1nsc1.st.vc.shawcable.net.domain: 37749+ PTR? 188.69.86.24.in-addr.arpa. (43)
19:16:49.959624 IP pd1nsc1.st.vc.shawcable.net.domain > me.34360: 37749 NXDomain* 0/0/0 (43)
19:16:49.960101 IP me.34360 > pd1nsc1.st.vc.shawcable.net.domain: 43547+ PTR? 186.86.86.24.in-addr.arpa. (43)
19:16:49.968363 IP pd1nsc1.st.vc.shawcable.net.domain > me.34360: 43547 1/0/0 (91)

Darn, I tried it. I ran tcpdump to see what ports were being used for DNS:

19:23:15.320394 IP me.34365 > pd1nsc1.st.vc.shawcable.net.domain: 63287+ PTR? 70.89.86.24.in-addr.arpa. (42)
19:23:15.343004 IP pd1nsc1.st.vc.shawcable.net.domain > me.34365: 63287 1/0/0 PTR[|domain]

and as you can see, the port is 34365. For the same interval, the output from Nmap is:

[root@S0106000b6a7905f1 ~]# nmap -v -sU -p 0-65535 127.0.0.1
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-24 19:23 PDT
Initiating UDP Scan against localhost.localdomain (127.0.0.1) [65536 ports] at 19:23
Discovered open port 60116/udp on 127.0.0.1
The UDP Scan took 16.19s to scan 65536 total ports.
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
60116/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 16.917 seconds
Raw packets sent: 65570 (1.84MB) | Rcvd: 131080 (5.51MB)

60,116. It sounded good, but doesn't check out, unfortunately.

 
#6  primo, 08-24-2005, 09:44 PM
What you're seeing is the source port being used by nmap.

Code:
# nmap -sU  --source_port 65533 -p 65530- localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-24 22:53 VET
Interesting ports on localhost (127.0.0.1):
PORT      STATE  SERVICE
65530/udp closed unknown
65531/udp closed unknown
65532/udp closed unknown
65533/udp open   unknown
65534/udp closed unknown
65535/udp closed unknown

Nmap finished: 1 IP address (1 host up) scanned in 0.126 seconds
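primo's `--source_port` test, reproduced with ordinary UDP sockets instead of nmap. This is an added example, not code from the thread, and it does not use nmap's raw-packet engine; it shows the same symptom with the cause in plain view: a probe sent from port S to port S on localhost is delivered to the scanner's own socket, so nothing generates an ICMP port unreachable and S is classified open, while a truly closed port produces ICMP port unreachable (surfaced as ECONNREFUSED on a connected UDP socket, which is Linux behaviour and an assumption of this demo) and a real listener answers. The port numbers are whatever the kernel hands out; the one-shot responder and the three-way classification are mine.

```python
import socket
import threading

HOST = "127.0.0.1"


def free_udp_port(exclude=()):
    """Ask the kernel for a currently unused UDP port (demo helper, not an nmap feature)."""
    while True:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((HOST, 0))
            port = s.getsockname()[1]
        if port not in exclude:
            return port


def udp_probe(target_port, source_port, timeout=1.0):
    """One UDP probe from a fixed source port, classified the way a UDP scanner does:
    ICMP port unreachable -> closed, a datagram back -> open, silence -> open|filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((HOST, source_port))
        s.connect((HOST, target_port))  # connected, so the kernel reports ICMP unreachable as ECONNREFUSED
        s.settimeout(timeout)
        try:
            s.send(b"\x00")
            s.recv(512)      # for target_port == source_port this receives our own probe
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def udp_scan(ports, source_port):
    """Scan a list of ports, always sending from source_port (like nmap --source_port)."""
    return {p: udp_probe(p, source_port) for p in ports}


def start_udp_responder(port):
    """A genuine UDP service for contrast: answers the first datagram, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, port))

    def serve():
        try:
            data, peer = srv.recvfrom(512)
            srv.sendto(data, peer)
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()


def demo():
    """Scan three ports: the scanner's own source port, a real listener, and a closed port."""
    src = free_udp_port()
    real = free_udp_port(exclude={src})
    closed = free_udp_port(exclude={src, real})
    start_udp_responder(real)
    return src, real, closed, udp_scan([src, real, closed], source_port=src)


if __name__ == "__main__":
    src, real, closed, results = demo()
    print("scanner source port:", src)
    for port, state in results.items():
        tag = {src: "scanner's own port", real: "real listener", closed: "nothing bound"}[port]
        print(f"{port}/udp {state:14s} ({tag})")
```

Current nmap spells the option `--source-port` (short form `-g`); the diagnostic is the same as primo's: pin the source port, rescan, and see whether the "open" port follows it. A port that stays open when the source port moves is the one worth a `netstat -tupln` or `fuser -v PORT/udp` lookup.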
 
#7  tom_from_van (Original Poster), 08-25-2005, 08:28 PM
Yes --- checks out, it's nmap's src port. thanks primo
 
  

