Suspicious shadow listen port

Torbjorn.Wictorin at its.uu.se
Wed Apr 11 06:44:00 EST 2001



# netstat -an  | grep LISTEN

tcp4       0      0  *.32785                *.*                    LISTEN
tcp4       0      0  130.238.4.133.22       *.*                    LISTEN

What in ?@# is 32785 ??

# lsof
...
sshd 11152    root 5u  IPv4 0x7003ded8 0t0    TCP *:32785 (LISTEN)
sshd 11152    root 6u  IPv4 0x7004ded8 0t0    TCP xxx.yyy.zzz.hhh:22 (LISTEN)
...

#cat /etc/sshd_config

Port 22
Protocol 2,1
ListenAddress xxx.yyy.zzz.hhh
ListenAddress xxx.yyy.zzz.XXX
....

OOPS, forgot to remove an old ListenAddress for a removed interface...
Did that and HUP-ed sshd

# lsof

...
sshd 11152 root 6u  IPv4 0x7004ded8 0t0 TCP xxx.yyy.zzz.hhh:22 (LISTEN)
...


That is, a Listen config line for a non-existing address gives a
shadow port on ((-1 & 0x7fff) - 22).

Rather spooky...


cheers,
Torbjörn Wictorin, Uppsala univ.
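
A check for the situation described in this message, as an added example that is not part of the original post or of OpenSSH: it compares the ports declared in an sshd_config with sshd's listening sockets in lsof output and reports any socket on an undeclared port. The function names and sample data are constructed for illustration, with addresses taken from the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Constructed sample data modelled on the output quoted in the post
# (addresses replaced with the 192.0.2.0/24 documentation range).
SAMPLE_CONFIG='Port 22
Protocol 2,1
ListenAddress 192.0.2.10
ListenAddress 192.0.2.99'
SAMPLE_LSOF='sshd 11152 root 5u IPv4 0x7003ded8 0t0 TCP *:32785 (LISTEN)
sshd 11152 root 6u IPv4 0x7004ded8 0t0 TCP 192.0.2.10:22 (LISTEN)
httpd 2001 root 4u IPv4 0x70050000 0t0 TCP *:80 (LISTEN)'

# Print every port sshd is configured to listen on, one per line.
# Keywords are case-insensitive; commented-out lines never match.
configured_ports() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "port" { print $2; have_port = 1 }
        tolower($1) == "listenaddress" &&
          ($2 ~ /^\[.*\]:[0-9]+$/ || $2 ~ /^[^:]+:[0-9]+$/) {
            port = $2; sub(/.*:/, "", port); print port
        }
        END { if (!have_port) print 22 }   # sshd default when no Port line
    '
}

# Print "PID ADDRESS:PORT" for each sshd LISTEN socket on an undeclared port.
# $1 = sshd_config text, $2 = lsof text with numeric ports.
unexpected_listeners() {
    ports=$(configured_ports "$1" | sort -u | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v ports="$ports" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 == "sshd" && $NF == "(LISTEN)" {
            addr = $(NF - 1)
            port = addr; sub(/.*:/, "", port)
            if (!(port in ok)) print $2, addr
        }
    '
}

# Run against the constructed sample; prints: 11152 *:32785
unexpected_listeners "$SAMPLE_CONFIG" "$SAMPLE_LSOF"
```

On a live host, pass `"$(cat /etc/sshd_config)"` and the output of `lsof -nP -iTCP -sTCP:LISTEN`; `-P` keeps ports numeric so the comparison works.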





More information about the openssh-unix-dev mailing list