{"id":258,"date":"2007-06-29T03:12:00","date_gmt":"2007-06-29T03:12:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=258"},"modified":"2020-07-03T03:13:17","modified_gmt":"2020-07-03T03:13:17","slug":"hidden-ports-on-linux","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2007\/06\/hidden-ports-on-linux\/","title":{"rendered":"Hidden ports on Linux"},"content":{"rendered":"\n

If you ever had trouble with hidden ports on Linux (2.4 and 2.6), I may have figured out one of the possible causes today (and no, it is not a rootkit). To keep the story short: if you bind<\/em> any TCP port, but do not listen<\/em> on it, netstat will not show it at all (the same does not happen with UDP ports).<\/p>\n\n\n\n

Here is the idea. If you get this simple C program<\/a>, it will attempt to bind every TCP port from 1025 to 1050, but it will not listen on them. After it is done, if you do a netstat (or fuser or lsof) nothing will be shown. However, if you try to use the port, you will get an error saying that it is already in use.<\/p>\n\n\n\n

To reproduce, download the bind_ports.c<\/a> program, compile and execute it:<\/p>\n\n\n\n

dcid@copacabana:~$ wget http:\/\/www.ossec.net\/files\/other\/bind_ports.c<\/strong>
..
14:56:32 (309.92 KB\/s) \u2013 `bind_ports.c\u2019 saved [1371\/1371]<\/p>

dcid@copacabana:~$ gcc -o bind_ports bind_ports.c<\/strong>
dcid@copacabana:~$ .\/bind_ports &<\/strong>
[1] 11332<\/p>

Ports from 1025 to 1050 were bind..<\/p><\/blockquote>\n\n\n\n

After that, run netstat (or lsof or fuser) to see if the port is listed (it will not be):<\/p>\n\n\n\n

dcid@copacabana:~$ netstat -tan<\/strong>
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
\u2026<\/p><\/blockquote>\n\n\n\n

However, if you try to use the port, you will receive the \u201calready in use\u201d error (if using nc, it takes up to 10 seconds to fail).<\/p>\n\n\n\n

dcid@copacabana:~$ nc -l -p 1025<\/strong>
Can\u2019t grab 0.0.0.0:1025 with bind
dcid@copacabana:~$ nc -l -p 1026<\/strong>
Can\u2019t grab 0.0.0.0:1026 with bind
dcid@copacabana:~$ nc -p 1026 127.0.0.1 80<\/strong>
Can\u2019t grab 0.0.0.0:1026 with bind<\/p><\/blockquote>\n\n\n\n

Anyone has ideas why this happens? If I try the same thing on OpenBSD, netstat lists all the ports correctly.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you ever had trouble with hidden ports on Linux (2.4 and 2.6), I may have figured out one of the possible causes today (and no, it is not a rootkit). To keep the story short: if you bind any TCP port, but do not listen on it, netstat will not show it at all (the same does not […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/258"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=258"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/258\/revisions"}],"predecessor-version":[{"id":259,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/258\/revisions\/259"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}