My server is performing port scans?

[muppsy007]

Hi there,

cPanel 11.25.0-S43473
WHM 11.25.0 - X 3.9
CENTOS 5.4 i686 standard

We have been notified by a respected national IT provider that our server had run prolonged port scans one of their servers during a 7 day period. Targeting ports in the 20000-30000 range.

I can find plenty of information on what port scans are and how to protect a server against them, however I can find very little on how to track down sofware or holes that may be being used to perform them.

I have installed CSF and rkhunter. I have changed my SSH port too.

Rkhunter scan returned zip.

lfd has been sending repeated emails warning of suspicious files in /tmp. All of these files are cached php (with .php extension) for one particular website. One concerning thing about this, is we have a dozen or so other sites using the same CMS, and their cache files are not being flagged at this stage.

The lfd alert looks like this:
File: /tmp/silverstripe-cache-home-monline-public_html/manifestClassParse-_home_monline_public_html_sapphire_api_RestfulServer.php
Reason: Script, file extension
Owner: nobody:nobody
Action: No action taken

I get 10 alerts for different files in that directory and then a final alert that says "Too many hits ... Directory watching disabled". I figure a reason why I'm not getting alerts for other sites is because it's getting disabled. So I add this particular site directory to csf.pignore as a test. I haven't seen any alerts come in at all for a while.

My question really is: Is there a direct method for tracking down whatever could be doing port scans from the server? There is absolutely nothing we have or do on that server that should be contacting this target server, especially on those ports.

Cheers
Aaron

[Spiral]

We have been notified by a respected national IT provider that our server had run prolonged port scans one of their servers during a 7 day period. Targeting ports in the 20000-30000 range.

Doesn't really mean much in itself ...

It is incredibly easy to spoof a port scan ....

much more so than you might realize ....

If a provider contacts the IP owners of every port scan detected based on their server and traffic log files alone then there is nothing that could be said other than they are complete "morons" since this is something really cannot be determined for certain without packet analysis.

It is indeed possible that your server is actually doing port scans or launching ddos attacks but it is doubtful as it is also equally possible that the report is completely false and the provider may not even know it!

Here is a real good tip off for you ---

Are you getting large numbers of reports regarding your server's IP being used abusively from many different and unique sources or just from a single source? That is a much better indicator to what is going on and that question should probably make you think.

If you are getting large numbers of reports FROM DIFFERENT SOURCES then you may have a problem and I most certainly can help you track that down and remedy the problem.

However, if you are only getting reports from a small handful of sources or less then there is a much higher probability that the report is bogus and those reporting that abuse are either knowingly making false reports or don't realize that their records can be manipulated!