How to detect if port scanning software is running on our machine?

From: Dave Baker (dpbaker@streamyx.com)
Date: 04/23/03


From: Dave Baker <dpbaker@streamyx.com>
Date: Wed, 23 Apr 2003 14:11:18 +0800

We run an FTP server. One of our clients says that our server is port
scanning their machine - the log files they sent us appear to back this up:

>'TCP_Port_Scan' event detected by 'network_sensor_1'
>Details:
> Source IP Address: 1xx.1xx.1xx.1xx
> Source Port: N/A
> Source MAC Address: N/A
> Destination IP Address: 1xx.1xx.xx.2xx
> Destination Port: N/A
> Destination MAC Address: N/A
> Time: 2003-04-22 18:22:28 UTC
> Protocol: TCP(6)
> ICMP Type: N/A
> ICMP Code: N/A
> Priority: medium
> Actions: DISPLAY=Default:0,EMAIL=Operator:0,LOGDB=LogWithoutRaw:0,RSKILL=Default:0
> Event Specific Information:
> :port: 2775|2840|2878|3032|3160|3235|3357|3644
> :victim-ip-addr: 1xx.1xx.xx.2xx
> :intruder-ip-addr: 1xx.1xx.1xx.1xx

I have looked at all the software we are running, and the processes running,
and can't see anything abnormal. I've done a virus check with no problems
found.

How would I find out what software on our machine is doing this port
scanning?

Dave
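
One way to approach the question in the post, as an added example that is not part of the original message: take the destination IP and port list from the sensor alert and match them against a connection listing captured on the reported source host, so that each flagged connection is tied to the process that owns it. The alert and the listing below are constructed samples using documentation IP addresses; the listing assumes Linux `netstat -tnp` column order, and the process names and PIDs are hypothetical.

```python
import re
from collections import defaultdict

# Constructed alert in the layout quoted in the post (documentation IPs).
ALERT = """\
> Time: 2003-04-22 18:22:28 UTC
> :port: 2775|2840|2878|3032
> :victim-ip-addr: 192.0.2.77
> :intruder-ip-addr: 198.51.100.10
"""

# Constructed `netstat -tnp`-style snapshot from the reported source host.
NETSTAT = """\
tcp 0 0 198.51.100.10:20    192.0.2.77:2775   TIME_WAIT   -
tcp 0 0 198.51.100.10:20    192.0.2.77:2840   ESTABLISHED 1412/ftpd
tcp 0 0 198.51.100.10:21    192.0.2.77:2701   ESTABLISHED 1412/ftpd
tcp 0 0 198.51.100.10:22    203.0.113.5:51022 ESTABLISHED 2290/sshd
tcp 0 1 198.51.100.10:40112 192.0.2.77:3032   SYN_SENT    3377/unknown
"""

def parse_alert(text):
    """Pull the destination IP and flagged port set out of the alert text."""
    def field(key):
        return re.search(rf":{re.escape(key)}:\s*(\S+)", text).group(1)
    return {"victim": field("victim-ip-addr"),
            "ports": {int(p) for p in field("port").split("|")}}

def parse_netstat(text):
    """Yield one dict per TCP line: local port, remote endpoint, state, PID/program."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or not cols[0].startswith("tcp"):
            continue
        lport = int(cols[3].rsplit(":", 1)[1])
        rip, rport = cols[4].rsplit(":", 1)
        yield {"lport": lport, "rip": rip, "rport": int(rport),
               "state": cols[5], "owner": cols[6]}

def correlate(alert, conns):
    """Group connections to the flagged ports by owner; list ports never seen."""
    hits, seen = defaultdict(list), set()
    for c in conns:
        if c["rip"] == alert["victim"] and c["rport"] in alert["ports"]:
            hits[c["owner"]].append((c["lport"], c["rport"], c["state"]))
            seen.add(c["rport"])
    return dict(hits), sorted(alert["ports"] - seen)

if __name__ == "__main__":
    owners, unmatched = correlate(parse_alert(ALERT), parse_netstat(NETSTAT))
    for owner, conns in owners.items():   # "-" means no owning process was reported
        print(owner, conns)
    print("flagged ports with no connection in this snapshot:", unmatched)
```

A snapshot only shows connections that exist at the moment it is taken, so ports reported as unmatched need the same comparison against logs covering the alert's timestamp.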