WHM 11.25.0 - X 3.9
CENTOS 5.4 i686 standard
We have been notified by a respected national IT provider that our server had run prolonged port scans against one of their servers during a 7 day period, targeting ports in the 20000-30000 range.
I can find plenty of information on what port scans are and how to protect a server against them; however, I can find very little on how to track down software or holes that may be being used to perform them.
I have installed CSF and rkhunter. I have changed my SSH port too.
Rkhunter scan returned zip.
lfd has been sending repeated emails warning of suspicious files in /tmp. All of these files are cached PHP files (with a .php extension) for one particular website. One concerning thing about this is that we have a dozen or so other sites using the same CMS, and their cache files are not being flagged at this stage.
The lfd alert looks like this:
Reason: Script, file extension
Action: No action taken
I get 10 alerts for different files in that directory and then a final alert that says "Too many hits ... Directory watching disabled". I figure one reason I'm not getting alerts for other sites is that watching is getting disabled. So I added this particular site directory to csf.pignore as a test. I haven't seen any alerts come in at all for a while.
My question really is: Is there a direct method for tracking down whatever could be doing port scans from the server? There is absolutely nothing we have or do on that server that should be contacting this target server, especially on those ports.
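One direct way to attribute outbound scanning to a process is to correlate socket state with PIDs (netstat -antp or ss -ntp on CentOS) and aggregate by destination host and port range. The following is an added example, not code from the original post or from CSF/lfd; it parses netstat -antp style output and reports which PID/program owns the most connections to a given target in a port range. The target address 198.51.100.7, the local address 203.0.113.5 and the process names in the sample are constructed data, not real observations.

```shell
#!/bin/sh
# Added example (not part of the original post): attribute outbound
# connections in a port range to local processes from netstat -antp output.

# Constructed sample of `netstat -antp` output. Columns are:
# Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1201/sshd
tcp        0      0 203.0.113.5:2222        192.0.2.10:51234        ESTABLISHED 1201/sshd
tcp        0      1 203.0.113.5:45011       198.51.100.7:20001      SYN_SENT    4823/httpd
tcp        0      1 203.0.113.5:45012       198.51.100.7:20002      SYN_SENT    4823/httpd
tcp        0      1 203.0.113.5:45013       198.51.100.7:20003      SYN_SENT    4823/httpd
tcp        0      1 203.0.113.5:45014       198.51.100.7:20004      SYN_SENT    4823/httpd
tcp        0      0 203.0.113.5:45020       198.51.100.7:80         ESTABLISHED 4825/httpd
tcp        0      0 203.0.113.5:33001       203.0.113.9:3306        ESTABLISHED 4823/httpd
tcp        0      1 203.0.113.5:45030       198.51.100.7:25000      SYN_SENT    5110/perl'

# scan_suspects TARGET LOW HIGH  (reads netstat output on stdin)
# Prints "count PID/Program" lines, busiest first, for TCP sockets whose
# foreign address is TARGET with a port between LOW and HIGH inclusive.
scan_suspects() {
    target=$1 low=$2 high=$3
    awk -v t="$target" -v lo="$low" -v hi="$high" '
        NR > 1 && $1 ~ /^tcp/ {
            n = split($5, f, ":")          # foreign address is host:port
            host = f[1]; port = f[n] + 0
            if (host == t && port >= lo && port <= hi) count[$NF]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -rn
}

# top_suspect TARGET LOW HIGH  (reads netstat output on stdin)
# Prints only the PID/Program with the most matching connections.
top_suspect() {
    scan_suspects "$@" | head -n 1 | awk '{print $2}'
}

# Demonstration on the constructed sample. On the live box the input would be
# real output instead:  netstat -antp | scan_suspects 198.51.100.7 20000 30000
printf '%s\n' "$SAMPLE_NETSTAT" | scan_suspects 198.51.100.7 20000 30000
```

Once a PID stands out, /proc gives the rest of the attribution without trusting the process name: ls -l /proc/PID/exe and /proc/PID/cwd, and cat /proc/PID/cmdline, show the real binary, working directory (often the /tmp or cache directory lfd is complaining about) and arguments. Two caveats: a single netstat snapshot only shows sockets open at that instant, so for a scan spread over days the command has to be sampled repeatedly (a cron job or loop appending timestamped output); and this only catches scanners that use ordinary connect() sockets, which is what a PHP or perl script would use. A scanner built on raw sockets creates no TCP socket state, so it will not appear here at all; for that case, capture the outbound SYNs with tcpdump and look for processes holding raw sockets with lsof.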