I recently wrote a script that runs croned and port scans all of our servers daily. It saves the output and diffs it compared to the previous days and emails me as new ports open up.
I think this will be a good way to detect new services and potential malware infection, but what about machines that are already infected?
To fix that I wrote in a function that parses the output for known malware ports. The only problem is that I cant find a definitive list of known malware ports. Does anyone know of such a resource?