10-12-2005, 08:04 PM
Re: AIX 5.2 local portscanner?
In the Usenet newsgroup alt.computer.security, in article
<firstname.lastname@example.org>, Tony Brown wrote:
>My network guys tell me that one of our local machines is sending out
>port scans to a particular host.
Reference point: Do they know *** they are talking about? What ports
source and destination?
>The "attacking" machine is AIX 5.2. I have been tcpdumping for 2 days
>and have not seen anything significant. I installed lsof and nothing
>is showing up.
What is running on the AIX box? Remember that lsof (and similar
tools) only look at a snapshot of what's going on at the moment you
hit the enter key - if the malware is (for example) sleeping at that
moment, you may not see it. 'ps' may be altered, but also try 'top'.
>For clarity I installed this and am monitoring on the "attacking"
>machine. Still the port scans exist.
Get a hub and another computer. Connect the hub between the AIX box
and the network, and attach the other computer running any kind of
packet sniffer it can to the hub. Do you see anything?
>Does anyone know of a tool that will definitively tell me what process
>is causing this?
If the box is r00ted, there really isn't that much you can run in
multi-user mode. You simply can't trust anything on the system, and
that includes the kernel and libraries, and everything else. For what
it's worth, I don't think there has been anything on Bugtraq in the
You might have better luck in 'comp.security.unix' (though it has been
relatively quiet), or 'comp.unix.aix'.
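As an added example (not part of the post or this thread): a small Python script that reads the text output of a sniffer such as `tcpdump -n` run on the second machine attached to the hub, as suggested above, and flags any source that sends SYNs to many distinct ports on one host within a short window. The input lines are constructed here to mimic tcpdump's TCP summary format, and the window and port-count thresholds are assumptions.

```python
"""Flag port-scan-like SYN bursts in tcpdump text output (added example)."""
import re
from collections import defaultdict

# Matches the summary line tcpdump -n prints for TCP, e.g.
# "12:00:01.000001 IP 10.0.0.5.40001 > 192.168.1.20.22: Flags [S], seq 1, win 64240, length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def ts_seconds(ts):
    """Convert HH:MM:SS to seconds since midnight (sub-second part is ignored)."""
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def find_scanners(lines, window=10, min_ports=20):
    """Return {(src, dst): n_ports} for every source/destination pair where the
    source sent pure SYNs to at least `min_ports` distinct ports within `window` s."""
    events = defaultdict(list)  # (src, dst) -> [(seconds, dport), ...]
    for line in lines:
        m = LINE_RE.match(line)
        # In tcpdump's flag notation "." means ACK, so "[S]" is a plain connection
        # attempt while "[S.]" is the reply; only the former counts as probing.
        if not m or "S" not in m["flags"] or "." in m["flags"]:
            continue
        events[(m["src"], m["dst"])].append((ts_seconds(m["ts"]), int(m["dport"])))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        j = 0  # left edge of the sliding time window
        for i in range(len(evs)):
            while evs[i][0] - evs[j][0] > window:
                j += 1
            ports = {p for _, p in evs[j:i + 1]}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


# Constructed sample: 25 SYNs from 10.0.0.5 sweeping ports 1-25 on one host within
# ten seconds, plus one ordinary SSH handshake from 10.0.0.7 that must not be flagged.
SAMPLE = [
    f"12:00:0{i % 10}.{i:06d} IP 10.0.0.5.{40000 + i} > 192.168.1.20.{i + 1}: "
    f"Flags [S], seq 0, win 1024, length 0"
    for i in range(25)
] + [
    "12:00:03.000100 IP 10.0.0.7.51000 > 192.168.1.20.22: Flags [S], seq 1, win 64240, length 0",
    "12:00:03.000200 IP 192.168.1.20.22 > 10.0.0.7.51000: Flags [S.], seq 2, ack 2, win 65160, length 0",
]
```

Feed it real capture text with `tcpdump -n -l tcp | python3 -c '...'` or by reading a saved text dump; the source address it reports is the one to match against the AIX box's interfaces.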