Got a call from our security team. They noticed one of my AIX servers had sent a single TCP packet to each port from 32768 through 65536, sequentially.
Since the connections do not persist and happen so fast, is there any way to track the packets with PID to a specific destination as they're being sent?
I don't know much about AIX... On Linux, you could probably do it with iptables...
Or, there's stuff like "atop" that you can run to periodically collect various system activity (including network activity) for later lookups to retroactively determine culprits at certain times of day... But, lacking that, all I can really think of is a script that repeatedly calls "lsof", looking for anything opening up network sockets, and logging them for later lookups... It may be using just regular TCP sockets and doing a simple connect(), or it may be a fancier port-scanner à la "nmap", which uses a raw socket or similar to forge TCP SYNs, so that your own network stack doesn't even know about them at all... So, you'd need to look for both TCP and raw (or if AIX has an equivalent to Linux packet sockets, look for those too)... Or, maybe you could use tcpdump with an appropriate BPF filter to sniff for only the outbound packets you are looking for, and whenever it produces output, THEN do an "lsof" looking for sockets... Or, just dump all of "ps", and see if anything looks out of place... (Of course, if this is the result of your machine being rooted and this is some kind of worm trying to spread, you may never actually see the offending process, because it's hidden by a rootkit or something...)
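The "poll lsof and log it" approach from the reply above, written out as an added example (not code from the original thread). It assumes lsof is installed and the script runs as root; the log format, the "20 distinct high ports" threshold and the sample log in the usage below are all my own choices. The `run` mode appends one line per TCP connection seen by each poll; `report` reads that log back and prints any PID that has touched an unusual number of distinct destination ports in 32768-65535, along with the lowest and highest port it hit (a sequential sweep shows up as a count that matches the span).

```shell
#!/bin/sh
# socklog.sh - poll lsof for TCP sockets, log them with PID, then look for a
# process that has touched many distinct destination ports in 32768-65535.
# Added example; assumes lsof is available and the poller runs as root.

INTERVAL=${INTERVAL:-1}            # seconds between lsof polls (assumed)
LOG=${LOG:-/tmp/socklog.txt}       # where poll_sockets appends (assumed)
THRESH=${THRESH:-20}               # distinct high ports per PID to flag (assumed)

# One poll. "lsof -n -P -i" prints COMMAND PID USER FD TYPE ... NAME, where
# NAME for a TCP connection looks like 10.0.0.5:40123->10.0.0.9:32768.
# We keep: timestamp, PID, command, and the local->remote field.
poll_sockets() {
    ts=$(date '+%Y-%m-%dT%H:%M:%S')
    lsof -n -P -i 2>/dev/null | awk -v ts="$ts" '
        NR > 1 { for (i = 1; i <= NF; i++) if ($i ~ /->/) print ts, $2, $1, $i }'
}

# Reads log lines "ts pid cmd local->remote" on stdin and prints
# "pid cmd distinct_high_ports lowest_port highest_port" for every PID whose
# distinct destination ports in 32768-65535 reach THRESH. Splitting the
# remote side on ":" and taking the last piece also handles [::1]:32768.
flag_scanners() {
    awk -v thresh="$THRESH" '
    {
        pid = $2; cmd = $3; conn = $4
        if (split(conn, side, "->") != 2) next
        m = split(side[2], rp, ":"); port = rp[m] + 0
        if (port < 32768 || port > 65535) next
        key = pid SUBSEP port
        if (key in seen) next
        seen[key] = 1; cnt[pid]++; name[pid] = cmd
        if (!(pid in lo) || port < lo[pid]) lo[pid] = port
        if (!(pid in hi) || port > hi[pid]) hi[pid] = port
    }
    END {
        for (p in cnt) if (cnt[p] >= thresh) print p, name[p], cnt[p], lo[p], hi[p]
    }'
}

case "${1:-}" in
    run)    while :; do poll_sockets >> "$LOG"; sleep "$INTERVAL"; done ;;
    report) flag_scanners < "$LOG" ;;
esac
```

Run `sh socklog.sh run &` for a while, then `sh socklog.sh report`. Two caveats match the reply above: a one-second poll can miss a connect() that completes and closes between polls (drop INTERVAL, or trigger the poll from tcpdump output instead), and a scanner sending forged SYNs from a raw socket never shows up as a TCP connection in lsof at all, so a clean report is not proof of innocence. If lsof is not installed on the AIX box, the native equivalent is `netstat -Aan` to get the socket's PCB address and `rmsock <addr> tcpcb` to name the process holding it.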
Thanks for the reply. Yes, the first thought that came to mind was something malicious, but it may just be bad behavior of one of the apps.
I did find 'netactview' on SourceForge. I may delve into that and strip out all the GUI "stuff." IBM provides a Linux toolkit for AIX, but you could spend years chasing down RPM dependencies for some of that stuff (Gnome, ORBit, etc).
I've also been considering using the internal audit subsystem, but don't know if that will result in a PID/cmd.
Just at a guess, I'd say it might be looking for RPC servers... Don't they traditionally sit on high ports like that? It's certainly not your standard SSH worm or anything, anyway, if all it's scanning is ports 32K to 64K...