The listening port in the >6000 range, is for X11 forwarding. In the
sshd_config file, you'll probably see something like "X11Forwarding
on". If you don't need it, then turn it off by setting it to "off"
and restart (kill -HUP) the sshd process. - Steve
On Wed, 14 Mar 2001 12:24:33 -0800 (PST), you wrote:
>is it possible that SSH is configured to do port forwarding for X or
>something like that?
>
>David Lang
>
>On Wed, 14 Mar 2001, Carric Dooley wrote:
>
>> Date: Wed, 14 Mar 2001 15:02:25 -0500 (EST)
>> From: Carric Dooley <[EMAIL PROTECTED]>
>> To: Jose Nazario <[EMAIL PROTECTED]>
>> Cc: Satish Ramaswamy <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>> Subject: Re: sshd
>>
>> No.. I have seen the exact same thing. I just happened to do a netstat
>> while connected to a new RH7 (wolverine beta runnin OpenSSH), and
>> immediately felt my stomach drop down around my socks. I started digging
>> around is lsof, and finally killed the process and <pop>, I was
>> disconnected. I then telnetted from an authorized machine, did a netstat
>> and lsof -i and the 6010 port was gone. When I reconnected via SSH, it
>> came right back. I just knew my brand new server had been hacked and I
>> was so pissed (as well as feeling stupid), and I was EVER so relieved to
>> find it was just SSH.
>>
>>
>> Carric Dooley
>> Senior Consultant
>> COM2:Interactive Media
>>
>> "But this one goes to eleven."
>> -- Nigel Tufnel
>>
>>
>> On Wed, 14 Mar 2001, Jose Nazario wrote:
>>
>> > On Wed, 14 Mar 2001, Satish Ramaswamy wrote:
>> >
>> > > I was talking abt sshd listening on the server rather that the client
>> > > viz inbound trafics.
>> >
>> > it shouldn't. none of my MANY boxes, using ssh.com and openssh sshd's,
>> > EVER do this, and this is on a SMACKLOAD of OS's, including IRIX, Solaris,
>> > OpenBSD, Linux (2.0, 2.2, 2.4, PPC, etc).
>> >
>> > maybe you have a rootkit installed? sshd's have been trojaned in the past
>> > few years, allowing for special access for the kiddies. this may be what
>> > you're looking at.
>> >
>> > ____________________________
>> > jose nazario [EMAIL PROTECTED]
>> > PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
>> > PGP key ID 0xFD37F4E5 (pgp.mit.edu)
>> >
>> > -
>> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
>> > "unsubscribe firewalls" in the body of the message.]
>> >
>>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
