hello, i realized that PSAD is reporting a continuous streak of scan attempts, only they are not scans coming from the outside but scans originating from my lan IP (192.168.16.2) and directed to the outside, if i got that right, which makes me seriously think of being compromised.
one recurring ip address points to metasploit.com, which is pretty weird. can this be a false alert due to some legitimate program ? im confused.

below, one sample alert:


=-=-=-=-=-=-=-=-=-=-=-= Tue Jan 11 16:21:56 2011 =-=-=-=-=-=-=-=-=-=-=-=


Danger level: [2] (out of 5)

Scanned UDP ports: [28409: 1 packets, Nmap: -sU]
iptables chain: OUTPUT (prefix "DROPPED"), 1 packets

Source: 192.168.16.2
DNS: [No reverse dns info available]
OS guess: Linux:2.6:8:Linux 2.6.8 and newer (?)

Destination: 72.204.199.142
DNS: ip72-204-199-142.ph.ph.cox.net

Overall scan start: Tue Jan 11 16:07:13 2011
Total email alerts: 7
Complete UDP range: [28409]
Syslog hostname: [my-machine]

Global stats: chain: interface: TCP: UDP: ICMP:
OUTPUT eth0 0 1 0

[+] Whois Information:
Whois data not available!

Protocol is UDP (stateless) and port is ephemeral and w/o IANA assignment, so packet inspection (snort or wireshark) might help fish for clues.

a lot of scans are about port 111 being scanned over the whole subnet mask. psad monitoring portmap, maybe ? looks weird, from the point of view of my poor knowledge.

While I appreciate the response it talks about issues while posting cold hard data could be so much more interesting...