
My Web Server is running Ubuntu 12.04.2 LTS with all security updates installed. It is used as a Web Proxy server that handles incoming requests on HTTP/80 and HTTPS/443, but also retrieves web content from other servers using HTTP/HTTPS connections. The server also uses HTML5 WebSocket connections to send real-time updates to client users.

I have received notifications from three separate home users that my server allegedly performed a port scan on their IP addresses. Unfortunately, I only know the date and time of the alleged port scan, but no destination IP or port. Also, I am unsure whether these are false alarms or whether my server has actually been compromised.

So far I have conducted a preliminary analysis using "netstat -anltp" to check if there is any suspicious traffic. When checking, everything seems fine, as there are only HTTP connections. In addition, I have executed "ps aux" to list all running processes, but I have to admit I'm a bit lost at this point.

What further steps can be performed to detect suspicious traffic? What log files should be checked? What logging should be enabled to detect future suspicious outgoing traffic? What third-party tools can detect further outgoing port scans?

Chris2M
  • You have to do the detection on a separate computer. If your server has been pwned, your logs on that server are not reliable. – Deer Hunter Jun 25 '13 at 11:00
  • You write them back and ask for log entries, IP addresses, and any other _actual useful_ information they can provide. – Michael Hampton Jun 25 '13 at 15:36

1 Answer


The tool that can detect outgoing port scans is tcpdump. Run "tcpdump -i eth0 -w dump" and then, with a lot of calm, read the dump details matching the packets sent on those dates.

Ask your users for their IPs also, if static.

Look at /var/log/auth.log and "last -100" to see if someone abused your system, check for suspicious cron jobs, and look into the /root directory to see if something strange has appeared. In these cases a tool that hashes the system files (like tripwire) would be important.

fsoppelsa
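As an added example (not part of fsoppelsa's answer): once the capture has been read back as text with "tcpdump -nn -r dump", the script below parses those lines and flags any destination host that received bare SYNs from the server on many distinct ports within a short window, which is the pattern behind a neighbour's port-scan alert. The server address, the sample lines and the thresholds are constructed placeholders, not values from the question.

```python
import re
from collections import defaultdict

# One text line of "tcpdump -nn -r dump" for a TCP packet, as used in SAMPLE_LINES below.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (seconds_since_midnight, src, dst, dport, flags), or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    ts = int(h) * 3600 + int(mi) * 60 + float(s)
    return ts, m.group("src"), m.group("dst"), int(m.group("dport")), m.group("flags")

def find_outbound_scans(lines, server_ip, min_ports=10, window=60.0):
    """Hosts that got bare SYNs (flags "S") from server_ip on >= min_ports distinct ports
    within `window` seconds; returns {dst: (window_start_ts, sorted ports probed)}."""
    probes = defaultdict(list)  # dst -> [(ts, dport)] for outbound SYNs only
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        if src == server_ip and flags == "S":
            probes[dst].append((ts, dport))
    hits = {}
    for dst, events in probes.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                hits[dst] = (events[start][0], sorted({p for _, p in events}))
                break
    return hits

# Constructed sample capture: 12 SYNs from the proxy to consecutive ports on one home user,
# plus one legitimate proxy fetch (a single SYN to port 80 of a web server).
SERVER_IP = "203.0.113.10"  # placeholder address for the proxy server
SAMPLE_LINES = [
    f"11:00:{i:02d}.000000 IP {SERVER_IP}.4{i:04d} > 198.51.100.7.{20 + i}: Flags [S], seq 1, win 64240, length 0"
    for i in range(12)
] + [
    f"11:00:05.500000 IP {SERVER_IP}.50001 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0",
]
```

Running find_outbound_scans(SAMPLE_LINES, SERVER_IP) reports only 198.51.100.7 with ports 20 to 31; the single port-80 fetch stays below the threshold, as a proxy's normal outbound traffic should.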