Suspicious shadow listen port
Torbjorn.Wictorin at its.uu.se
Wed Apr 11 06:44:00 EST 2001
# netstat -an | grep LISTEN
tcp4 0 0 *.32785 *.* LISTEN
tcp4 0 0 130.238.4.133.22 *.* LISTEN
What in ?@# is 32785 ??
# lsof
...
sshd 11152 root 5u IPv4 0x7003ded8 0t0 TCP *:32785 (LISTEN)
sshd 11152 root 6u IPv4 0x7004ded8 0t0 TCP xxx.yyy.zzz.hhh:22 (LISTEN)
...
#cat /etc/sshd_config
Port 22
Protocol 2,1
ListenAddress xxx.yyy.zzz.hhh
ListenAddress xxx.yyy.zzz.XXX
....
OOPS, forgot to remove an old ListenAddress for a removed interface...
Did that and HUP-ed sshd
# lsof
...
sshd 11152 root 6u IPv4 0x7004ded8 0t0 TCP xxx.yyy.zzz.hhh:22 (LISTEN)
...
That is, a Listen config line for a non-existing address gives a
shadow port on ((-1 & 0x7fff) - 22).
Rather spooky...
cheers,
Torbjörn Wictorin, Uppsala univ.
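
The check this report suggests, as an added example that is not part of the original message or of OpenSSH: compare the LISTEN sockets sshd holds (from lsof) with the Port/ListenAddress lines in sshd_config, and report listeners the configuration does not account for as well as configured endpoints that never got bound. The sample inputs are constructed from the output quoted above, the function names are hypothetical, and only the IPv4 "host" and "host:port" forms of ListenAddress are handled.

```python
import re

# Constructed sample inputs, modelled on the output quoted in the post.
SSHD_CONFIG = """Port 22
Protocol 2,1
ListenAddress xxx.yyy.zzz.hhh
ListenAddress xxx.yyy.zzz.XXX
"""
LSOF_OUTPUT = """sshd 11152 root 5u IPv4 0x7003ded8 0t0 TCP *:32785 (LISTEN)
sshd 11152 root 6u IPv4 0x7004ded8 0t0 TCP xxx.yyy.zzz.hhh:22 (LISTEN)
"""
LISTEN_RE = re.compile(r"^(\S+)\s+(\d+)\s.*\sTCP\s+(\S+):(\d+)\s+\(LISTEN\)")

def configured_endpoints(config_text):
    """(address, port) pairs that sshd_config asks sshd to listen on."""
    ports, addrs = [], []
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == "port":
            ports.append(int(fields[1]))
        elif len(fields) >= 2 and fields[0].lower() == "listenaddress":
            addrs.append(fields[1])
    ports = ports or [22]   # sshd default port
    addrs = addrs or ["*"]  # no ListenAddress: all local addresses
    wanted = set()
    for addr in addrs:
        host, sep, port = addr.rpartition(":")
        if sep:             # "host:port" form carries its own port
            wanted.add((host, int(port)))
        else:               # bare host: listens on every configured Port
            wanted.update((addr, p) for p in ports)
    return wanted

def listening_sockets(lsof_text, command="sshd"):
    """(pid, address, port) for each TCP LISTEN socket held by `command`."""
    found = []
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1) == command:
            found.append((int(m.group(2)), m.group(3), int(m.group(4))))
    return found

def audit(config_text, lsof_text):
    """Return (listeners not in the config, configured endpoints not bound)."""
    wanted = configured_endpoints(config_text)
    socks = listening_sockets(lsof_text)
    bound = {(addr, port) for _, addr, port in socks}
    unexpected = [s for s in socks if (s[1], s[2]) not in wanted]
    return unexpected, sorted(wanted - bound)

if __name__ == "__main__":
    print(audit(SSHD_CONFIG, LSOF_OUTPUT))
```

On the sample data the audit reports the wildcard listener on 32785 as unexpected and the stale ListenAddress as unbound, which points at the configuration line to remove.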