Hacked?


mannyg
01-27-2004, 12:34 PM
Over the weekend we received a message from our ISP. They were giving us a verbal warning regarding one of our machines on our subnet. It turns out that our Linux RH 9.0 machine we just built for webmail was port scanning; I guess over the weekend our ISP received several complaints about us.

The machine is currently unplugged from the network. Do you think someone hacked it, and if so, what are some possible solutions? What I want to do is download some security programs that can check for any vulnerabilities in our system and also check for viruses. Does anyone know of any good ones that I can use to check my system?

Thanks for all your help

ph34r
01-27-2004, 12:40 PM
I'd do a fresh install. Then look at something like tripwire or other IDS solutions, especially ones that can detect modified files (like tripwire can).

TotalNewb
01-27-2004, 12:54 PM
Ello.
Have you checked for root kits ?
If not then try Chkrootkit (http://www.chkrootkit.org/) .
Then a vulnerability scanner could be
Nessus (http://www.nessus.org/) .
And if you don't have a firewall (which you probably have)
you can use Firestarter (http://firestarter.sourceforge.net/).
And with Bastille (http://www.bastille-linux.org/)
make the system more secure.. clip from site:

The Bastille Hardening System attempts to "harden" or
"tighten" Unix operating systems.
It currently supports the Red Hat, Debian, Mandrake, SuSE and TurboLinux Linux distributions
along with HP-UX and Mac OS X.

And also I would scan my own system for open ports
with Nmap (http://www.insecure.org/nmap/)
or another program of the same kind.
Remember also to change every password.

mannyg
01-27-2004, 01:17 PM
Cool.

Thank you all very much.


Here is an example from the log that was sent to our ISP; it turns out it was 3com's network our computer was scanning/probing.


log record count per hour
22: 99
log record count for source ip
x.x.x.x x.x.x.x: 99
log record count for destination ip
log record count for destination nets
x.x.x.x: 99
log record by service. counts greater than 10
Port 23: 99
number of different services: 1
sample log records with start and end times (all times displayed with 24 hour clock)
CST(GMT-6) Jan 20 22:06:07 x.x.x.x:42738 -> x.x.x.6:23 SYN ******S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43509 -> x.x.x.251:23 SYN*****S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43515 -> x.x.x.238:23 SYN *****S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43522 -> x.x.x.131:23 SYN *****S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43529 -> x.x.x.7:23 SYN ******S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43536 -> x.x.x.5:23 SYN ******S*

Loki3
01-27-2004, 02:04 PM
It's an interesting log. I thought most scanners ran in order, like this: 45670, 45671, 45672...

Hmmm, maybe I'm missing something.

JohnT
02-04-2004, 02:35 PM
They probably listed just the shots from the one address. No telling what is in between.
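The ISP excerpt quoted by mannyg and the source-port question raised by Loki3 and JohnT can both be checked mechanically. The following is an added example, not code from the thread or from any tool named in it: a small Python parser for the ISP's log line format (the format is assumed from the six quoted records, and the year 2004 is assumed from the post dates), a horizontal-scan detector that flags one source hitting many destination hosts on the same port with SYN-only packets inside a short window, and a helper that lists the gaps between successive source ports so a reader can see whether the samples are consecutive or sparse. The sample records are the masked lines from the thread, embedded inline as constructed test input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six records quoted in the thread, with addresses
# already masked (x.x.x.x) by the ISP report.
SAMPLE_LOG = """\
CST(GMT-6) Jan 20 22:06:07 x.x.x.x:42738 -> x.x.x.6:23 SYN ******S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43509 -> x.x.x.251:23 SYN*****S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43515 -> x.x.x.238:23 SYN *****S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43522 -> x.x.x.131:23 SYN *****S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43529 -> x.x.x.7:23 SYN ******S*
CST(GMT-6) Jan 20 22:06:09 x.x.x.x:43536 -> x.x.x.5:23 SYN ******S*
"""

# Assumed line layout: <tz> <Mon> <day> <HH:MM:SS> <src>:<sport> -> <dst>:<dport> <flags>
LINE_RE = re.compile(
    r"^(?P<tz>\S+)\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<flags>.*)$"
)


def parse_line(line, year=2004):
    """Parse one record; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                           "%b %d %H:%M:%S %Y")
    # The flag mask is the ******S* part; the literal word "SYN" may or may
    # not be separated from it by a space in the quoted lines.
    mask = m["flags"].replace("SYN", "", 1).strip()
    return {
        "ts": ts, "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "syn_only": "S" in mask and set(mask) <= {"S", "*"},
    }


def parse_log(text, year=2004):
    """Parse all records in log order, skipping unparseable lines."""
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def detect_horizontal_scans(records, min_targets=5, window_seconds=60):
    """Return {(src, dport): info} for sources whose SYN-only packets reach at
    least min_targets distinct destination hosts within window_seconds."""
    by_key = defaultdict(list)
    for r in records:
        if r["syn_only"]:
            by_key[(r["src"], r["dport"])].append(r)
    alerts = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):  # sliding time window over the records
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            targets = {r["dst"] for r in recs[start:end + 1]}
            if len(targets) >= min_targets and (best is None or len(targets) > best["targets"]):
                best = {"targets": len(targets),
                        "first": recs[start]["ts"], "last": recs[end]["ts"]}
        if best:
            alerts[key] = best
    return alerts


def source_port_deltas(records, src):
    """Differences between successive source ports of one source, in log order.
    Consecutive values would give all 1s; larger gaps suggest omitted records."""
    sports = [r["sport"] for r in records if r["src"] == src]
    return [b - a for a, b in zip(sports, sports[1:])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, info in detect_horizontal_scans(recs).items():
        print(f"scan alert: {key[0]} -> {info['targets']} hosts on port {key[1]} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
    print("source port deltas:", source_port_deltas(recs, "x.x.x.x"))
```

Run on the quoted excerpt, the detector flags the single source hitting six hosts on port 23 within two seconds, and the port deltas come out as 771, 6, 7, 7, 7 rather than 1, 1, 1: the samples are increasing but not consecutive, which is the pattern JohnT's remark would predict if the ISP printed only a subset of the records. The thresholds are assumptions to tune against your own traffic; on a real host the same logic would be run over the firewall or netfilter log rather than an ISP excerpt.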