LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   How to check if my machine has done a host/port sweep? (https://www.linuxquestions.org/questions/linux-security-4/how-to-check-if-my-machine-has-done-a-host-port-sweep-173438/)

blur 04-22-2004 03:41 PM

How to check if my machine has done a host/port sweep?
 
Hello

I have a Linux box (SuSE 8.2) working as a server to a local network, with several services running (DHCP, NIS, NFS, Postfix, etc.)
I've received an e-mail from an institutional organism alerting me that one of my machines has been compromised/infected and is scanning their networks, or one of the users is scanning their networks. I have the exact time that this happened.
How can I see what happened? Which are the log files that should contain this information? What should I be looking for inside the logs?

Thanks very much in advance

Cheers

unSpawn 04-22-2004 05:16 PM

I've received an e-mail from an institutional organism alerting me that one of my machines has been compromised/infected and is scanning their networks, or one of the users is scanning their networks. I have the exact time that this happened.
Be warned some reports can be fully or partially automated, bad guesses or whatever else. Sure you gotta take this seriously, but don't overreact unless specific information is given. Posting log excerpts or whatever "evidence" they sent would be cool.


How can I see what happened?
If you have or configured it: outbound firewall rules. Else you gotta catch the culprit by monitoring the wire with tcpdump or Snort. Remember if you use a libpcap sniffer like tcpdump Snort can read that back later on.


Which are the log files that should contain this information?
Unfortunately that depends on what you got. Sure, if you haven't got firewall outbound logging you could correlate login times to find users on the system, but if it was an automated scan or alike this doesn't mean a thing.
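The outbound logging unSpawn refers to, and a way to mine its output for a sweep, as an added example that is not part of the thread. The interface names (eth0 outside, eth1 LAN), the LAN range 192.168.0.0/24, the log prefix and the sample log lines are all assumptions constructed for illustration; the iptables and tcpdump invocations are shown inside functions and are meant to be run by hand, as root, on the gateway.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: the SuSE box is the
# masquerading gateway, eth0 faces the Internet, eth1 the LAN
# (192.168.0.0/24), and kernel LOG lines end up in /var/log/messages.

# 1. Outbound logging: record the first packet of every new connection
#    forwarded from the LAN to the outside (run as root on the gateway).
install_outbound_logging() {
    iptables -N OUT_LOG
    iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 \
        -m state --state NEW -j OUT_LOG
    # Rate-limit the LOG target so a scan cannot flood syslog itself.
    iptables -A OUT_LOG -m limit --limit 60/min --limit-burst 300 \
        -j LOG --log-prefix "FWD-NEW: " --log-level info
    iptables -A OUT_LOG -j RETURN
}

# 2. Capture for later analysis: tcpdump writes libpcap, Snort reads it back.
capture_outbound() {
    tcpdump -i eth0 -n -s 0 -w /var/log/outbound.pcap 'src net 192.168.0.0/24'
    # later: snort -r /var/log/outbound.pcap -c /etc/snort/snort.conf -l /var/log/snort
}

# 3. Constructed sample of the lines the rules above produce:
#    192.168.0.17 walks SSH across a remote /24 (a host sweep), 192.168.0.5 is
#    ordinary DNS and web traffic. The ICMP line has no DPT= field.
SAMPLE_LOG='Apr 22 14:03:01 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=10.20.30.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:03:01 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=10.20.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:03:01 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.5 DST=192.0.2.53 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=32768 DPT=53 LEN=48
Apr 22 14:03:02 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=10.20.30.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:03:02 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=10.20.30.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:03:02 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.5 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:03:03 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=10.20.30.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=40005 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:03:03 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=10.20.30.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=8 DF PROTO=TCP SPT=40006 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:03:03 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.5 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=33002 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:03:04 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=10.20.30.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10 DF PROTO=TCP SPT=40007 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:03:04 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=10.20.30.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# 4. Sweep detection: per LAN source, count distinct destination hosts,
#    distinct host:port pairs and total new connections; report sources that
#    touched at least <threshold> distinct hosts.
# usage: sweep_report <logfile> [threshold]   (threshold defaults to 10)
sweep_report() {
    file=$1
    thr=${2:-10}
    awk -v threshold="$thr" '
    /FWD-NEW:/ {
        src = dst = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src == "" || dst == "") next
        total[src]++
        if (!((src "|" dst) in seen_host)) { seen_host[src "|" dst] = 1; hosts[src]++ }
        # ICMP and other port-less protocols count as a host, not a host:port pair.
        if (dpt != "" && !((src "|" dst "|" dpt) in seen_pair)) {
            seen_pair[src "|" dst "|" dpt] = 1; pairs[src]++
        }
    }
    END {
        for (s in hosts)
            if (hosts[s] >= threshold)
                printf "%s contacted %d distinct hosts, %d distinct host:port pairs, %d new connections\n",
                       s, hosts[s], pairs[s], total[s]
    }' "$file"
}

# Stand-alone run over the constructed sample with a low threshold.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    sweep_report "$tmp" 5
    rm -f "$tmp"
}

demo
```

On a real gateway run `sweep_report /var/log/messages 20`, or narrow it to the minute the complaint names first, e.g. `grep 'Apr 22 14:0' /var/log/messages > /tmp/window.log; sweep_report /tmp/window.log 20`. The LOG lines only exist for traffic seen after the rules are in place, so this answers "who is doing it now", not what happened before logging was turned on; for that, only what tcpdump or Snort already captured can help.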

blur 04-23-2004 06:16 AM

Thanks for your help.

Quote:

Originally posted by unSpawn

If you have or configured it: outbound firewall rules.
Sorry, but what do you mean by this? I have a simple firewall that all it does is IP masquerade and routing using iptables. You mean I should somehow log everything that goes through the firewall?

Quote:

Else you gotta catch the culprit by monitoring the wire with tcpdump or Snort. Remember if you use a libpcap sniffer like tcpdump Snort can read that back later on.
I don't have any running on my system. This can be very helpful for the future, but not for what happened in the past, correct?

Cheers
