From owner-freebsd-security Wed Apr 30 07:18:30 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA28279 for security-outgoing; Wed, 30 Apr 1997 07:18:30 -0700 (PDT)
Received: from hydrogen.nike.efn.org (resnet.uoregon.edu [128.223.170.28]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA28273 for ; Wed, 30 Apr 1997 07:18:27 -0700 (PDT)
Received: (from jmg@localhost) by hydrogen.nike.efn.org (8.8.4/8.8.4) id HAA28777; Wed, 30 Apr 1997 07:17:01 -0700 (PDT)
Message-ID: <19970430071701.18377@hydrogen.nike.efn.org>
Date: Wed, 30 Apr 1997 07:17:01 -0700
From: John-Mark Gurney
To: mark thompson
Cc: security@freefall.FreeBSD.ORG
Subject: Re: What's on Port 1024?
References: <19970430131517.11350.qmail@tgsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.69
In-Reply-To: <19970430131517.11350.qmail@tgsoft.com>; from mark thompson on Wed, Apr 30, 1997 at 01:15:17PM -0000
Reply-To: John-Mark Gurney
Organization: Cu Networking
X-Operating-System: FreeBSD 2.2-960801-SNAP i386
X-PGP-Fingerprint: B7 EC EF F8 AE ED A7 31 96 7A 22 B3 D8 56 36 F4
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

try to use my Reply-To instead of From...

mark thompson scribbled this message on Apr 30:
> From: John-Mark Gurney
> Date: Fri, 25 Apr 1997 00:55:33 -0700
>
> joed@ksu.edu scribbled this message on Apr 24:
> > I'm currently in the process of trying to lock down a FreeBSD workstation
> > as a firewall, and noticed that my FreeBSD machine is listening to port
> > 1024. I'm fairly stumped as to what this might be. According to the
> > port number database (http://www.sockets.com/services.htm) 1024 is
> > reserved.
>
> try: lsof | grep 1024
> on my machine it returns a line like:
> xdm 214 root 5u inet 0xf17bbc00 0t0 TCP *:1024
>
> so it looks like the process is xdm....
>
> Interesting. On my machine (2.2.1) I have the following bits:
>
> bash$ sudo lsof | grep UDP
> [skip...]
> inetd 139 root 18u inet 0xf1a77b00 0t0 UDP *:1024
> inetd 139 root 19u inet 0xf1a77a80 0t0 UDP *:blackjack
> [skip...]
>
> blackjack is 1025. Since neither of these is in inetd.conf, I wonder
> whazzup?

hmm. run rpcinfo and see if they are bound to anything... they would
probably be responsible for it... of course mine starts at 1040 though...

now for a couple puzzlers... Apache 1.2b3, bash 1.14.7(1)...

httpd 4431 nobody 7u inet 0xf17dfd80 0t0 UDP *:2027
bash 28573 jmg 4u inet 0xf1ad0e80 0t0 UDP *:3745

I've verified that these ports are listening (via netstat) so it isn't
lsof misreading kernel structs...

--
John-Mark
Cu Networking
Modem/FAX: +1 541 683 6954
Live in Peace, destroy Micro$oft, support free software, run FreeBSD
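The thread's method is to take the NAME column of lsof output and ask which process owns each socket bound to an unfamiliar port. The POSIX sh script below, an added example that is not part of the original thread and not FreeBSD's or lsof's own code, automates that check: it parses lsof-style lines in the nine-column format quoted above, names the owner of a given port, and lists every listening socket whose port (by name or number) is absent from a services table. The lsof lines and the services table are constructed sample data embedded in the script so it runs offline; on a live system you would pipe `lsof -i` output in and read `/etc/services` instead. The function names `port_owner` and `unexplained_ports` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): cross-check lsof-style
# socket listings against a services table to name the process behind each
# unfamiliar listening port.

# Constructed sample lines modelled on the nine-column format quoted in the
# thread (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME); not real output.
LSOF_SAMPLE='xdm       214  root    5u  inet 0xf17bbc00  0t0  TCP *:1024
inetd     139  root   18u  inet 0xf1a77b00  0t0  UDP *:1024
inetd     139  root   19u  inet 0xf1a77a80  0t0  UDP *:blackjack
httpd    4431  nobody  7u  inet 0xf17dfd80  0t0  UDP *:2027
sendmail  101  root    4u  inet 0xf17bba00  0t0  TCP *:smtp'

# Constructed stand-in for /etc/services ("name port/proto" per line), so the
# script is deterministic and needs no system files.
SERVICES_SAMPLE='smtp 25/tcp
blackjack 1025/tcp
blackjack 1025/udp'

# port_owner PROTO PORT: print "command pid user" for every socket bound to
# PORT (service name or number, as lsof printed it) on PROTO (TCP or UDP),
# reading lsof-style lines on stdin.
port_owner() {
    awk -v proto="$1" -v port="$2" '
        $8 == proto && $9 == ("*:" port) { print $1, $2, $3 }'
}

# unexplained_ports LSOF_TEXT SERVICES_TEXT: print "proto port command pid"
# for each socket whose port is neither a known service name nor a known
# service number for that protocol; these are the sockets an admin still
# has to account for (xdm, inetd's RPC bindings, and so on in the thread).
unexplained_ports() {
    lsof_data="$1"
    services="$2"
    printf '%s\n' "$lsof_data" | awk -v svc="$services" '
        BEGIN {
            # Index the services table by both "name/PROTO" and "number/PROTO"
            # so lsof output is matched whether or not it resolved the port.
            n = split(svc, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")      # f[1] = name, f[2] = port/proto
                split(f[2], pp, "/")         # pp[1] = port, pp[2] = proto
                known[f[1] "/" toupper(pp[2])] = 1
                known[pp[1] "/" toupper(pp[2])] = 1
            }
        }
        {
            split($9, a, ":")                # a[1] = bind address, a[2] = port
            if (!((a[2] "/" $8) in known)) print $8, a[2], $1, $2
        }'
}

# Stand-alone run: who owns UDP 1024, then everything not in the table.
printf '%s\n' "$LSOF_SAMPLE" | port_owner UDP 1024
unexplained_ports "$LSOF_SAMPLE" "$SERVICES_SAMPLE"
```

The report from `unexplained_ports` is the list to chase: the thread's `rpcinfo` suggestion (`rpcinfo -p` lists registered RPC programs with the ports they are bound to) accounts for inetd's entries, and the PID column identifies the process behind any that remain, which is exactly the cross-check with netstat that the thread ends on.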