AIX 5.2 local portscanner?

My network guys tell me that one of our local machines is sending out
port scans to a particular host.  The "attacking" machine is AIX 5.2.
I have been tcpdumping for 2 days and have not seen anything
significant.  I installed lsof and nothing is showing up.  For clarity
I installed this and am monitoring on the "attacking" machine.  Still
the port scans exist.  

Does anyone know of a tool that will definitively tell me what process
is causing this?


Re: AIX 5.2 local portscanner?

It sounds like that machine has been rooted so you might want to try a root
kit. /

There is another one called rootkit hunter for BSD which is said to run on
AIX as well.

I haven't tried any of them so I can't comment on their efficiency.

Re: AIX 5.2 local portscanner?

In the Usenet newsgroup, in article

Reference point:  Do they know WTF they are talking about?  What ports
source and destination?

What is running on the AIX box?   Remember that lsof (and similar
tools) only look at a snapshot of what's going on at the moment you
hit the enter key - If the malware is (for example) sleeping at that
moment, you may not see it.  'ps' may be altered, but also try 'top'
and 'pstree'.

Get a hub and another computer. Connect the hub between the AIX box
and the network, and attach the other computer, running any kind of
packet sniffer it can, to the hub.  Do you see anything?

If the box is r00ted, there really isn't that much you can run in
multi-user mode. You simply can't trust anything on the system, and
that includes the kernel and libraries, and everything else.  For what
it's worth, I don't think there has been anything on Bugtraq in the
past month.

You might have better luck in '' (though it has been
relatively quiet), or 'comp.unix.aix'.

        Old guy
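The reply above asks the two questions a defender needs answered first: which source and destination ports, and what the sniffer on the hub actually sees. The script below is an added example and is not from the thread or from any tool mentioned in it. It takes the text that `tcpdump -nn` prints for IPv4/TCP packets (the line shape is assumed from that format), keeps only bare SYNs, and flags a source/destination pair when a sliding time window contains SYNs to many distinct destination ports, which is the signature the network team is describing. The sample lines, hosts, ports, and the threshold and window values are constructed for the example.

```python
"""Flag port-scan-like SYN bursts in saved tcpdump -nn text output (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line shape of "tcpdump -nn" for TCP over IPv4, e.g.
# 12:00:01.000000 IP 10.0.0.5.40000 > 10.0.0.9.21: Flags [S], seq 0, win 1024, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_syn(line):
    """Return (timestamp, src, dst, dport) for a bare-SYN line, else None.

    SYN-ACKs ("[S.]"), data and ACK segments, and non-IP lines (ARP etc.)
    are ignored: a scanner's probes are the bare SYNs it sends out.
    """
    m = LINE_RE.match(line)
    if m is None or m["flags"] != "S":
        return None
    ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")  # time-of-day only, fine within one capture
    return ts, m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, port_threshold=10, window_seconds=5.0):
    """Group bare SYNs by (src, dst) and flag a pair when any window of
    window_seconds contains SYNs to at least port_threshold distinct ports.
    Returns one finding per flagged pair, enough to know whom to look at."""
    events = {}
    for line in lines:
        parsed = parse_syn(line)
        if parsed:
            ts, src, dst, dport = parsed
            events.setdefault((src, dst), []).append((ts, dport))

    window = timedelta(seconds=window_seconds)
    findings = []
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()  # dport -> number of SYNs inside the current window
        start = 0
        for ts, dport in evs:
            in_window[dport] += 1
            # Slide the left edge forward until every event is within the window.
            while evs[start][0] < ts - window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= port_threshold:
                findings.append({
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(in_window),
                    "ports": sorted(in_window),
                    "from": evs[start][0].time().isoformat(),
                    "to": ts.time().isoformat(),
                })
                break  # one finding per pair is enough for triage
    return findings


# Constructed capture: one normal SSH handshake from 10.0.0.7, an ARP line,
# then 10.0.0.5 probing twelve ports on 10.0.0.9 within about half a second.
SAMPLE_CAPTURE = """\
12:00:00.100000 IP 10.0.0.7.51000 > 10.0.0.9.22: Flags [S], seq 1, win 65535, length 0
12:00:00.100500 IP 10.0.0.9.22 > 10.0.0.7.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.101000 IP 10.0.0.7.51000 > 10.0.0.9.22: Flags [.], ack 1, win 65535, length 0
12:00:01.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
12:00:01.000000 IP 10.0.0.5.40000 > 10.0.0.9.21: Flags [S], seq 0, win 1024, length 0
12:00:01.050000 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 0, win 1024, length 0
12:00:01.100000 IP 10.0.0.5.40002 > 10.0.0.9.23: Flags [S], seq 0, win 1024, length 0
12:00:01.150000 IP 10.0.0.5.40003 > 10.0.0.9.25: Flags [S], seq 0, win 1024, length 0
12:00:01.200000 IP 10.0.0.5.40004 > 10.0.0.9.80: Flags [S], seq 0, win 1024, length 0
12:00:01.250000 IP 10.0.0.5.40005 > 10.0.0.9.110: Flags [S], seq 0, win 1024, length 0
12:00:01.300000 IP 10.0.0.5.40006 > 10.0.0.9.135: Flags [S], seq 0, win 1024, length 0
12:00:01.350000 IP 10.0.0.5.40007 > 10.0.0.9.139: Flags [S], seq 0, win 1024, length 0
12:00:01.400000 IP 10.0.0.5.40008 > 10.0.0.9.443: Flags [S], seq 0, win 1024, length 0
12:00:01.450000 IP 10.0.0.5.40009 > 10.0.0.9.445: Flags [S], seq 0, win 1024, length 0
12:00:01.500000 IP 10.0.0.5.40010 > 10.0.0.9.3389: Flags [S], seq 0, win 1024, length 0
12:00:01.550000 IP 10.0.0.5.40011 > 10.0.0.9.8080: Flags [S], seq 0, win 1024, length 0
"""

if __name__ == "__main__":
    # Real use: tcpdump -nn -i <hub-facing interface> tcp > capture.txt; then feed capture.txt here.
    for f in find_scanners(SAMPLE_CAPTURE.splitlines()):
        print(f"{f['src']} -> {f['dst']}: {f['distinct_ports']} ports "
              f"{f['ports']} between {f['from']} and {f['to']}")
```

Run against the capture taken from the sniffer on the hub rather than from the suspect box itself, since anything the suspect box reports about its own traffic is only as trustworthy as its kernel and libraries. The window and port threshold are deliberately loose; tighten them once the normal traffic of the environment is known, and note that the heuristic only sees SYN-based probes, not slower or connectionless scans.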
