Strange listening port

0

Auditing one of my systems, I found a process without a name listening on localhost, port 52698.

# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      972/sshd        
tcp        0      0 127.0.0.1:52698         0.0.0.0:*               LISTEN      13940/0         
tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN      1043/nrpe       
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1128/mysqld     
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      616/rpcbind     
tcp6       0      0 :::22                   :::*                    LISTEN      972/sshd        
tcp6       0      0 ::1:52698               :::*                    LISTEN      13940/0         
tcp6       0      0 :::443                  :::*                    LISTEN      2354/apache2    
tcp6       0      0 :::111                  :::*                    LISTEN      616/rpcbind     
tcp6       0      0 :::80                   :::*                    LISTEN      2354/apache2 

Trying to get information about the process in /proc, I got this:

/proc/13940# ls -l exe
lrwxrwxrwx 1 root root 0 May 16 06:25 exe -> /usr/sbin/sshd

/proc/13940# cat cmdline 
sshd: ubuntu@pts/0

Looks like the sshd process opened this for some reason. Is this normal? Why is sshd opening this listening port?

Victor Henriquez

Posted 2016-05-16T11:05:33.653

Reputation: 143

Answers

2

It may be remote port forwarding. Somebody used -R flag while ssh-ing into your system. See man ssh:

-R [bind_address:]port:host:hostport
Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.

Note: it works with TCP ports, not UDP.

I think the user who created the tunnel is also the owner of /proc/13940. That's a clue if you need to investigate it further.

Kamil Maciorowski

Posted 2016-05-16T11:05:33.653

Reputation: 38 429

0

In this specific case, I think it is X11 forwarding. You must have enabled it either using the -X or -Y flags, or the corresponding options in .ssh/config. Just try to disable it and log in again, and I am mostly sure it will be gone.

flix

Posted 2016-05-16T11:05:33.653

Reputation: 25
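A check for the situation the two answers describe, added here as an example and not part of either answer or of OpenSSH: it parses netstat -lntp output in the layout shown in the question, joins each LISTEN socket to what /proc says about its PID (cmdline and directory owner, the clue Kamil's answer points at), and separates ordinary daemons from per-session "sshd: user@pts/N" processes. A per-session listener inside OpenSSH's default X11 range (X11DisplayOffset 10, so display :10 is port 6010) is reported as X11 forwarding, and any other per-session listener as a remote forward (ssh -R). The netstat sample, the SAMPLE_PROC table and the 1000-display cap are constructed for the example; live_proc reads the real /proc when the script is fed live netstat output.

```python
"""Classify listening TCP sockets that belong to per-session sshd processes.

Added example; the netstat text and SAMPLE_PROC below are constructed stand-ins
for the question's output and for /proc/<pid>/cmdline plus the /proc/<pid> owner.
"""
import os
import pwd
import re
import sys
from dataclasses import dataclass

# Constructed sample in the same layout as the question's `netstat -lntp` output.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      972/sshd
tcp        0      0 127.0.0.1:52698         0.0.0.0:*               LISTEN      13940/0
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      13940/0
tcp6       0      0 ::1:52698               :::*                    LISTEN      13940/0
tcp6       0      0 :::80                   :::*                    LISTEN      2354/apache2
"""

# Constructed stand-in for /proc: pid -> cmdline and owner of /proc/<pid>.
SAMPLE_PROC = {
    972: {"cmdline": "/usr/sbin/sshd -D", "owner": "root"},
    13940: {"cmdline": "sshd: ubuntu@pts/0", "owner": "ubuntu"},
    2354: {"cmdline": "/usr/sbin/apache2 -k start", "owner": "root"},
}

# sshd retitles each session process as "sshd: <user>@<tty>".
SESSION_RE = re.compile(r"^sshd: (?P<user>[^@\s]+)@(?P<tty>\S+)$")
# X11 forwarding: port 6000 + display; OpenSSH starts at X11DisplayOffset 10.
# The 1000-display cap is an assumption made for this example.
X11_PORT_MIN, X11_PORT_MAX = 6010, 6010 + 1000


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    name: str


def parse_netstat(text):
    """Parse `netstat -lntp` output into Listener records (LISTEN rows only)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")      # handles "::1:52698" and ":::80"
        pid_s, _, name = f[6].partition("/")      # "-" when netstat lacks permission
        pid = int(pid_s) if pid_s.isdigit() else 0
        out.append(Listener(f[0], addr, int(port), pid, name))
    return out


def classify(listener, proc):
    """Return (kind, user) describing who owns the listener and what it likely is."""
    info = proc.get(listener.pid)
    if info is None:
        return ("unknown", None)
    m = SESSION_RE.match(info["cmdline"])
    if not m:
        return ("daemon", info["owner"])          # a normal service, not a session
    user = m["user"]
    if X11_PORT_MIN <= listener.port <= X11_PORT_MAX:
        return ("x11-forward", user)             # ssh -X / -Y
    return ("remote-forward", user)               # ssh -R or a RemoteForward entry


def audit(netstat_text, proc):
    """Map (proto, addr, port) of every LISTEN socket to its verdict."""
    return {(l.proto, l.addr, l.port): classify(l, proc) for l in parse_netstat(netstat_text)}


def live_proc(pid):
    """Read cmdline and directory owner from the real /proc (root for other users' pids)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        cmdline = fh.read().replace(b"\0", b" ").strip().decode(errors="replace")
    owner = pwd.getpwuid(os.stat(f"/proc/{pid}").st_uid).pw_name
    return {"cmdline": cmdline, "owner": owner}


if __name__ == "__main__":
    if sys.stdin.isatty():                        # no piped input: use the sample
        text, proc = SAMPLE_NETSTAT, SAMPLE_PROC
    else:                                         # usage: netstat -lntp | python3 audit.py
        text, proc = sys.stdin.read(), {}
        for l in parse_netstat(text):
            try:
                proc[l.pid] = live_proc(l.pid)
            except OSError:
                pass                              # pid gone or not readable
    for key, (kind, user) in sorted(audit(text, proc).items()):
        if kind in ("remote-forward", "x11-forward"):
            print(f"{key[0]} {key[1]}:{key[2]} session-owner={user} -> {kind}")
```

On the question's output, 52698 is far outside the X11 range and is opened by a session process owned by ubuntu, so the script reports it as a remote forward; the user shown in the cmdline is the account to ask about the tunnel.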