Today someone phoned me that he was receiving port scans and lots of requests from the IPs of my server.
I indeed see a high memory usage of HTTPD requests in the logs. However, how can I trace this back to an infected website?
I used the Apache domain logs but can't find anything unusual.
If somebody reports unusual traffic from your machine, you probably do want to confirm it is compromised before going down the road of dealing with a compromise (summary: rebuild). If the suspected attack is related to portscanning and other botnet like traffic, mirror traffic to another host that is running a protocol sniffer and look for anything not normal, which is basically anything that is not HTTP traffic. If you see signs of compromise there, then you know to follow the nuke it from orbit plan.
wiresharkso it gets the traffic generated by the suspect (or the equivalent), and check that the traffic really is originated by it and it is not some other machine maskerading as yours in order to throw investigators off track. – vonbrand Feb 22 '13 at 02:55