medium · experimental · Linux · OCI · Network · T1071.001

Linux Agent Opening Listener Port

Detects AI agent processes binding to network ports as a listener, which may indicate the agent has established an unauthorized service endpoint for receiving commands or relaying inter-agent communication.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · inter-agent · listener · backdoor · linux · oci · owasp-asi07

Problem Statement

An AI agent opening a network listener creates an unauthorized service endpoint that could accept commands from an attacker. This is a classic C2 callback mechanism and indicates the agent has been compromised and is functioning as a backdoor on the OCI instance.

Sample Logs

{"timestamp":"2025-01-10T15:20:00Z","computer_name":"oci-worker-30","user":"agent_svc","image":"/usr/bin/python3","source_ip":"0.0.0.0","source_port":4444,"initiated":false}

Required Fields

image
source_ip
source_port
user
computer_name

False Positives

  • Agent API servers that intentionally listen for incoming requests as part of a service architecture
  • Jupyter notebooks and development servers that bind to ports for interactive use

Tuning Guidance

Maintain an allowlist of approved listener ports per agent service. Alert on any listener port not in the allowlist, especially ephemeral high ports.
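
The allowlist check described above, as an added example (not part of the original rule or of any OCI tooling). The allowlist contents, the `notebook_svc` account, the reading of `initiated: false` as the listener side, and the 32768 ephemeral boundary are assumptions; all events except the first are constructed in the shape of the sample log.

```python
import ipaddress
import json

# Hypothetical allowlist: agent service account -> approved listener ports.
APPROVED_LISTENERS = {
    "agent_svc": {8080},
    "notebook_svc": {8888},
}
EPHEMERAL_START = 32768  # assumed: Linux default ip_local_port_range lower bound

# First event is the page's sample log; the rest are constructed for this example.
SAMPLE_EVENTS = """\
{"timestamp":"2025-01-10T15:20:00Z","computer_name":"oci-worker-30","user":"agent_svc","image":"/usr/bin/python3","source_ip":"0.0.0.0","source_port":4444,"initiated":false}
{"timestamp":"2025-01-10T15:21:00Z","computer_name":"oci-worker-30","user":"agent_svc","image":"/usr/bin/python3","source_ip":"0.0.0.0","source_port":8080,"initiated":false}
{"timestamp":"2025-01-10T15:22:00Z","computer_name":"oci-worker-31","user":"notebook_svc","image":"/usr/bin/python3","source_ip":"127.0.0.1","source_port":45123,"initiated":false}
{"timestamp":"2025-01-10T15:23:00Z","computer_name":"oci-worker-31","user":"agent_svc","image":"/usr/bin/curl","source_ip":"10.0.0.5","source_port":51000,"initiated":true}
"""
REQUIRED = ("image", "source_ip", "source_port", "user", "computer_name")

def evaluate(event):
    """Return an alert dict for an unapproved agent listener, else None."""
    if any(field not in event for field in REQUIRED):
        return None  # record lacks a required field
    if event.get("initiated", False):
        return None  # assumed: initiated=true is an outbound connection, not a listener
    approved = APPROVED_LISTENERS.get(event["user"])
    if approved is None:
        return None  # not a tracked agent service account
    port = int(event["source_port"])
    if port in approved:
        return None  # approved listener port for this service
    loopback = ipaddress.ip_address(event["source_ip"]).is_loopback
    return {
        "computer_name": event["computer_name"], "user": event["user"],
        "image": event["image"], "port": port,
        "ephemeral": port >= EPHEMERAL_START,   # raise priority per tuning guidance
        "reachable_off_host": not loopback,     # 0.0.0.0 binds all interfaces
    }

def detect(lines):
    """Evaluate newline-delimited JSON events and return the alerts."""
    events = (json.loads(l) for l in lines.splitlines() if l.strip())
    return [alert for alert in map(evaluate, events) if alert]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The loopback flag helps separate the development-server false positive (bound to 127.0.0.1) from a listener reachable from other hosts.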