Detect port scans performed by own computer

A definitely easy way to monitor your system is to run a command like netstat for a day or so and see what's going outbound. For example, something like this would show all outgoing (polled) connections:

netstat -nputwc | tee ~/network.log

From there, you can check network.log in your home folder to see if there are any weird/anomalous connections. It would be best to run this on a day when you're not going to use the internet too much, so you get only background and non-active connections. Netstat also gives you the capability to see which process is making the connections, which might be worthwhile for finding and destroying any scanner that is running.

Furthermore, you can get a more detailed/verbose log using tcpdump, which gives you more advanced output and more information. See man tcpdump for more information. However, look particularly at the src expression to only get outgoing connections. Also be sure to use the -w option to write to a file for easy searching. You can read a bit more about tcpdump here if you want. At the very least, this will tell you if your computer is actually scanning things.

From either of these, you can either get the process (through netstat) or important things like when and where things are going. You can in fact run both at the same time to look for any triggers or similar that cause scans. You can even use tcpdump to find when scans happen, and then cross-reference that with netstat to find what process is doing things.

If you notice that these scans happen at regular times, you should look for cronjobs or similar, which can be removed (relatively) easily.

Otherwise, you can use the general security tips, such as running rkhunter, clamav, and so on. You could also always just reinstall your system from a known-good backup to just end it now.


And just for a bit of background on botnets, mostly to bore you.

Typically, a botnet sits idle on your system until triggered by some order. This can either be your system receiving a message from a remote server, or your machine polling a server for its new "orders." Either way, you can use these same tools to find these botnet commands, and where they're going to.

Once you can capture your machine being part of a botnet (if it is), you can find what and where the botnet software is, and remove it using any methods you want.

It may also be important to note that your computer may not be the infected device on the network. A router upstream, a WAP, a webcam, or any other sort of IoT thing (printers, even!) can also be members of a botnet. If they're behind the same connection/IP as your machine (especially at home or similar), you might be falsely blaming your computer instead of your smart toaster or whatever.
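The two steps the answer describes (log netstat with timestamps, then look for a process hammering many ports on one host) as one script. This is an added example, not code from the answer above: the log format, the sample log lines and the threshold of 20 distinct ports are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the answer above. Samples netstat with a timestamp
# on every line (plain "netstat -c" writes none, which makes cross-referencing
# with tcpdump hard) and then scores the log for port-scan-like behaviour:
# one process opening connections to many distinct ports on one remote host.
# The field layout and the default threshold of 20 ports are assumptions.

# Collector: append "<utc timestamp> <netstat line>" to a log every 5 seconds.
# Run as root so the PID/Program column is populated for every socket.
collect_connections() {
    out="${1:-$HOME/network.log}"
    while true; do
        netstat -nputw 2>/dev/null | awk -v ts="$(date -u +%FT%TZ)" 'NR > 2 { print ts, $0 }'
        sleep 5
    done >> "$out"
}

# Detector: print "pid/program remote_host distinct_ports" for each process
# that reached more than $2 distinct ports on a single remote host.
flag_scanners() {
    log="$1"; threshold="${2:-20}"
    awk -v thr="$threshold" '
        # Fields: ts proto recv-q send-q local foreign [state] pid/program.
        # UDP lines have no state column, so take the program from the last field.
        {
            foreign = $6; prog = $NF
            n = split(foreign, f, ":")
            if (n < 2) next
            port = f[n]
            if (port == "*") next                  # unconnected socket, no peer
            host = substr(foreign, 1, length(foreign) - length(port) - 1)
            key = prog SUBSEP host
            if (!((key, port) in seen)) { seen[key, port] = 1; ports[key]++ }
        }
        END {
            for (k in ports)
                if (ports[k] > thr) { split(k, p, SUBSEP); print p[1], p[2], ports[k] }
        }' "$log"
}

# Constructed sample log in the format collect_connections writes (not a real
# capture): a browser, a DNS lookup, and a process probing five ports on one host.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-05-01T10:00:00Z tcp 0 0 192.168.1.10:51234 198.51.100.20:443 ESTABLISHED 2211/firefox
2024-05-01T10:00:00Z udp 0 0 192.168.1.10:53210 192.168.1.1:53 1122/systemd-resolve
2024-05-01T10:00:05Z tcp 0 0 192.168.1.10:51234 198.51.100.20:443 ESTABLISHED 2211/firefox
2024-05-01T10:00:05Z tcp 0 0 192.168.1.10:40001 203.0.113.5:22 SYN_SENT 4242/nmap
2024-05-01T10:00:05Z tcp 0 0 192.168.1.10:40002 203.0.113.5:80 SYN_SENT 4242/nmap
2024-05-01T10:00:10Z tcp 0 0 192.168.1.10:40003 203.0.113.5:443 SYN_SENT 4242/nmap
2024-05-01T10:00:10Z tcp 0 0 192.168.1.10:40004 203.0.113.5:3306 SYN_SENT 4242/nmap
2024-05-01T10:00:10Z tcp 0 0 192.168.1.10:40005 203.0.113.5:8080 SYN_SENT 4242/nmap
2024-05-01T10:00:15Z tcp 0 0 192.168.1.10:40006 203.0.113.6:22 SYN_SENT 4242/nmap
EOF
    printf '%s\n' "$f"
}

# Usage: ./scanlog.sh collect [logfile]   (leave running, as root)
#        ./scanlog.sh report  [logfile] [threshold]
case "${1:-}" in
    collect) collect_connections "$2" ;;
    report)  flag_scanners "${2:-$HOME/network.log}" "$3" ;;
esac
```

Because every line carries a UTC timestamp, a burst reported by flag_scanners can be matched against the tcpdump capture taken at the same time, and a burst that recurs at the same minute each day points at the cron job the answer mentions. The threshold is deliberately coarse: a browser talks to one or two ports per host, while a scanner walks dozens.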


Possible things you can do:

  • Change your passwords: in case of a human attacker using your device(s) as a mask, it's obvious that your authentication was somehow compromised. This includes your computer, but also the router, modem, and smart devices on your home network. Most users only put a password on wifi, but no password on their router admin account, which is bad. As Kaz pointed out, smart devices are also easy targets. While you're checking the router, also check whether someone has enabled port forwarding on the router to know exactly what device is being accessed.

  • Check for nmap. Nmap is one of the most common tools used for scanning networks. It can be used for good and it's a good tool for system administrators, but it can also be used by the bad guys. Do apt-cache policy nmap to see if somebody installed it onto your machine.

  • Analyze your network connections and traffic. Tools such as netstat will tell you what programs are using which network ports. Of particular interest is the sudo netstat -tulpan command. Another tool already mentioned is Wireshark. You might need to take time to learn how to use it. I'd recommend that you run all these tests with all browsers and applications that depend on the network turned off.

  • Consider deleting plugins for browsers: Chrome extensions and Firefox addons are amazing, but they're not innocent little kittens. You could be running a browser, and those extensions do all the malicious activity in background. Consider deleting them all, or simply removing ~/.mozilla and ~/.config/google-chrome/

  • If nothing else works, nuke it from orbit: in other words, back up your data and reinstall your Ubuntu. Once a system is compromised, it's hard to trust it. A quite common technique is to replace a legitimate program with a fake one. With thousands of binary files on a computer, it can be hard to tell what is causing the mess if you're not a computer forensics specialist or security researcher. Make an Ubuntu live USB (preferably on a different, trusted computer) and reinstall your system. Consider getting rid of your router as well and getting a new one. Installing malware in routers isn't as uncommon as you think. If you don't want to do that, consider installing open source software on the router, such as DD-WRT or Open-WRT, if those support your router manufacturer and version.

  • Consider asking a professional for help: this one might cost you the most, but if you want to get to the bottom of this and find out what is actually going on, consider hiring someone who investigates computer network security for a living. The potential plus is that they can tell you who has compromised your network, how they did it, and how they are using it for malicious juju.


You should install wireshark for packet inspection. In the meantime you could block the IPs or, better yet, the whole range (in case they own it all), but it is likely they'll just use another route.

For a single IP:

sudo ufw deny from 123.24.163.24 to any

For a range:

sudo ufw deny from 123.24.163.0/24 to any

or append a rule to iptables if you prefer this way.

sudo iptables -A INPUT -s 123.24.163.0/24 -j DROP

There is a chance that someone is operating from your computer, hence the scanning. In that case, who knows what else has already been done on your computer. It might require a total cleanout.
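The answer above blocks one address or one /24 by hand. The script below is an added example, not part of that answer: it takes the remote addresses pulled out of the netstat or tcpdump logs and prints the matching iptables commands, collapsing a /24 into a single network rule once enough of its addresses show up (the count of 3 is an assumption). Because the question is about scans leaving the machine, it emits an OUTPUT rule alongside the INPUT rule the answer shows. It only prints; nothing is applied unless you pipe the output into a root shell.

```shell
#!/bin/sh
# Added example, not from the answer above: build iptables DROP rules from a
# list of remote IPv4 addresses (one per line on stdin). Addresses are
# deduplicated first; once $1 (default 3) distinct addresses fall in the same
# /24 the whole /24 is blocked instead of each address. Output is printed, not
# applied; review it and then run it as root if it looks right.
block_rules() {
    min="${1:-3}"
    sort -u | awk -v min="$min" '
        # Accept only dotted-quad addresses; anything else in the list is ignored.
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            count[net]++
            members[net] = members[net] " " $0
        }
        END {
            for (net in count) {
                if (count[net] >= min) {
                    emit(net)
                } else {
                    n = split(members[net], m, " ")
                    for (i = 1; i <= n; i++) if (m[i] != "") emit(m[i])
                }
            }
        }
        # One rule for inbound traffic from the target, one for outbound to it,
        # so a scanner running locally is cut off as well as a remote peer.
        function emit(target) {
            print "iptables -A INPUT -s " target " -j DROP"
            print "iptables -A OUTPUT -d " target " -j DROP"
        }'
}

# Usage: cut -d" " -f7 ~/network.log | sed "s/:[0-9]*$//" | ./block.sh 3
#        (then, after reading the output)  ... | ./block.sh 3 | sudo sh
[ -t 0 ] || block_rules "$1"
```

The same addresses can be fed to ufw instead by swapping the two print lines for "ufw deny from <target> to any" and "ufw deny out to <target>". Rules appended with -A land after any existing ACCEPT rules, so check the chain with iptables -L -n --line-numbers after applying; if an earlier rule already accepts the traffic, use -I to insert at the top instead.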