0
Auditing one of my systems, I found a process without name listening on localhost, port 52698.
# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 972/sshd
tcp 0 0 127.0.0.1:52698 0.0.0.0:* LISTEN 13940/0
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 1043/nrpe
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1128/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 616/rpcbind
tcp6 0 0 :::22 :::* LISTEN 972/sshd
tcp6 0 0 ::1:52698 :::* LISTEN 13940/0
tcp6 0 0 :::443 :::* LISTEN 2354/apache2
tcp6 0 0 :::111 :::* LISTEN 616/rpcbind
tcp6 0 0 :::80 :::* LISTEN 2354/apache2
Trying to get information about the process in /proc, I got this:
/proc/13940# ls -l exe
lrwxrwxrwx 1 root root 0 May 16 06:25 exe -> /usr/sbin/sshd
/proc/13940# cat cmdline
sshd: ubuntu@pts/0
Looks like the sshd process opened this for some reason. Is this normal? Why sshd is opening this listening port?