Security Incidents mailing list archives

Strange response for Linux => 2.2.15


From: Eduardo Romero <edo () LINUX CL>
Date: Fri, 23 Mar 2001 16:33:09 -0400

Hi guys:

        I recently installed nPulse ( http://www.horsburgh.com ), which uses
nmap to simulate a backdoor test. nmap sends the following syntax to check UDP
bouncing:

/usr/bin/nmap -oM - -sU -p 1,52,53,2140,3150,10067,10167,31337 linux-machine

( things such as BackOrifice, Doom, SubSeven, etc. ). But some Linux kernels'
responses are different:

(suppose domain only runs on UDP)

On a 2.2.13 box:

Interesting ports on paine.xx.yy (111.222.333.1):
(The 7 ports scanned but not shown below are in state: closed)
Port       State       Service
53/udp     open        domain

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds


But when you run it against a 2.2.15 machine or higher:

Starting nmap V. 2.50 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on zz.yy (111.222.333.2):
Port       State       Service
1/udp      open        tcpmux
52/udp     open        xns-time
53/udp     open        domain
2140/udp   open        unknown
3150/udp   open        unknown
10067/udp  open        unknown
10167/udp  open        unknown
31337/udp  open        BackOrifice

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second


Now, it seems to be a problem with nmap's calls to open a UDP socket, or with
Linux responding OK for ports that are in fact really closed (yes... really :) ).

It's a kernel bug (Solaris & MS_world don't show this problem), but
sometimes I think it's a problem with RedHat distributions (Mandrake and SuSE
don't respond like this).

Thanks in advance

Edo.
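
How a UDP scan arrives at "open" or "closed", as an added example that is not part of the original post: a port is only provably closed when an ICMP port-unreachable error comes back (a connected socket sees it as ECONNREFUSED), and silence is read as open. The names `probe_udp` and `scan`, the control-port check and port 40404 are assumptions introduced for illustration.

```python
import socket

def probe_udp(host, port, timeout=1.0, payload=b"\x00"):
    """Send one datagram and classify the port from what comes back.

    'closed'        : ICMP port unreachable was received (ECONNREFUSED)
    'open'          : the service answered with a datagram
    'open|filtered' : silence, which proves nothing about a listener
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # connected socket, so ICMP errors are delivered
        s.send(payload)
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()

def scan(host, ports, control_port, timeout=1.0):
    """Probe the ports plus a control port known to have no listener.

    If the control port does not come back 'closed', ICMP errors are not
    reaching the scanner, so every silent port is unverified, not open.
    """
    results = {p: probe_udp(host, p, timeout) for p in ports}
    icmp_visible = probe_udp(host, control_port, timeout) == "closed"
    return results, icmp_visible

if __name__ == "__main__":
    # Port list from the post; the loopback target and control port 40404
    # are assumptions for this demo.
    ports = [1, 52, 53, 2140, 3150, 10067, 10167, 31337]
    results, icmp_visible = scan("127.0.0.1", ports, control_port=40404)
    for port, state in sorted(results.items()):
        print(f"{port}/udp {state}")
    if not icmp_visible:
        print("control port gave no ICMP error: silent ports are unverified")
```

When the control port is not reported closed, confirm listeners on the host itself (for example with `netstat -anu`) before treating any silent port as a backdoor.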

