Greetings,

I am running AIX 4.3.3...i just tried nmap'ing this rs/6000 box from another machine and the
following ports appear to be open:

PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
22/tcp open ssh
25/tcp open smtp
37/tcp open time
199/tcp open smux
587/tcp open submission
683/tcp open unknown
684/tcp open unknown
2049/tcp open nfs
2401/tcp open cvspserver
6112/tcp open dtspc
32777/tcp open sometimes-rpc17


Now I know that ssh (22) and nfs (2049) should be running...but what the heck are the rest of
these? Any thoughts, using aix commands, on how to decipher them?? I know that i should not
be running any kind of cvs server...

I ran rkhunter (v: 1.1.2) and nothing indicated a rooted hit of any kind...all the typical commands
looked fine (ps, w, ls, etc...)


I also wanted to look at the routing table: netstat -rn

# netstat -rn
Routing tables
Destination Gateway Flags Refs Use If PMTU Exp Groups

Route Tree for Protocol Family 2 (Internet):
default 1XX.XXX.XX.X UGc 0 0 en1 - -
--- some lines deleted... ----
82.53.90.249 1XX.XXX.XX.X UGHW 1 17 en1 - -
127/8 127.0.0.1 U 3 114956 lo0 - -

note: 1XX.XXX.XX.X = my normal gateway IP address.

The IP ADDRESS: 82.53.90.249 seems odd...i did a whois -v on it and it came up in ITALY...
and I am NOT in Italy. Does this mean that the machine is 'routed' through this italian ip
address???

any help is greatly appreciated...


zepp

The entry you're looking at is a host entry (the H flag in UGHW), so all that routing entry is doing is telling the system that for traffic to 82.53.90.249, use your normal gateway as the gateway for the connection (the second field of the routing table is the gateway to use). Why you have a routing entry for some random host in Italy, I really couldn't tell you. You can always delete the entry from the routing table and keep an eye on it to see if it re-appears. But by itself, it isn't doing anything malicious that your system wouldn't normal do.

Moved: This thread is more suitable in the AIX Forum and has been moved accordingly to help your thread/question get the exposure it deserves.

thanks for help capt...

Any thoughts on the open ports? Anything I should look for?? I always have a more
difficult time parsing ports and determining the current "actionables" on aix boxes,
then in linux...

thanks to one and all that can help...

zepp

Take a look at /etc/inetd.conf and comment out all the un-needed services (time,daytime,echo,chargen,etc are common services in *nix that you can usually shutoff). I'm not an AIX-guy, so I'm not that familiar with it or it's NFS implementation. You might have some luck identifying the unknowns using lsof -i or netstat -pa and track them down by their PID number. This might give you a little more AIX-centric help than I can offer:

http://www.blacksheepnetworks.com/se...-services.html

Capt once again provides THIS user with a wealth of useful information.

I have closed many of the open ports and look forward to a better night sleep (this
time with just one eye open... )

If anyone else can provide further references/help with the aix security I am very
eager to learn...this os has constantly been a source of thorns in the side regarding
its security...largely due to inexperience. Thanks

zep

Glad I could help you out

Out of curiousity, how does is compare to other unixes that you've used (BSD, Solaris, IRIX, etc)?

(Un)fortunately i haven't had alot of experience with other Unixes...I've used IRIX
a bit, but haven't spent alot of time with it.

One other question:

after commenting out several lines in the /etc/inetd.conf file...i typed: refresh -s
inetd

and i got the error:

# 0513-056 Timeout waiting for command response. If you specified a foreign host, see the /etc/inittab file on the foreign host to verify that the SRC daemon
(srcmstr) was started with the -r flag to accept remote requests.

I've never seen this error before...I tried uncommenting the lines i commented
in /etc/inetd.conf and no luck...it remains there.

Any thoughts AIX'ers????