Last week I got an email from the abuse department of my ISP. Their automated message said that there was a service with an exploitable vulnerability running on "one of my devices". Apparently it was SSDP - the Simple Service Discovery Protocol, which can be used to facilitate a DDoS attack.
Their system found that this SSDP service was available on UDP port 32788.
This could be one of the users of my shell server violating the terms of service, or it could be unrelated to the shell server altogether. I tried to log into my modem, and found that the administrative web page would not load. Even though the Internet connection was up, this part of my modem was down. So I power cycled the modem.
When it came up and I was able to log in, I did not see any UDP ports being forwarded in the configuration of the modem. Further, I scanned my IP address from another location and did not find any service running on port 32788. I also checked the shell server and it did not have that port open either.
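A port scan shows whether anything answers on UDP 32788, but it does not say whether the thing answering is an SSDP responder or how much it would amplify a spoofed request. The following is an added example, not part of the original post: it builds a standard UPnP M-SEARCH probe, parses any SSDP (HTTPU) reply, and reports the byte amplification ratio, which is the figure an abuse desk cares about. The IP addresses, the sample reply and the `probe`/`assess` function names are constructed for illustration; the only network traffic it sends is one datagram to the address you pass in, intended for checking your own.

```python
"""Check whether a host:port answers as an SSDP responder and how much it amplifies.

Added example for checking one's own external address; the addresses below are
documentation ranges (RFC 5737) and the sample reply is constructed, not captured.
"""
import socket
import sys
from typing import Dict, List, Optional

SSDP_PORT = 1900  # the standard SSDP port; the ISP report named 32788 instead


def build_msearch(host: str, port: int) -> bytes:
    # Standard UPnP M-SEARCH request. "ST: ssdp:all" asks the responder to list
    # every service it advertises, which is what makes the reply much larger
    # than the request and is why SSDP is usable as an amplification vector.
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {host}:{port}\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 1\r\n"
        "ST: ssdp:all\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(data: bytes) -> Optional[Dict[str, str]]:
    """Return the header map of an SSDP '200 OK' reply, or None if the datagram is not one."""
    text = data.decode("latin-1")  # HTTPU headers are ASCII; latin-1 never raises
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def amplification_factor(request: bytes, replies: List[bytes]) -> float:
    """Bytes received divided by bytes sent; >1 means the service amplifies traffic."""
    if not request:
        return 0.0
    return sum(len(r) for r in replies) / len(request)


def assess(request: bytes, replies: List[bytes]) -> Dict[str, object]:
    """Summarise a probe: did an SSDP responder answer, what did it advertise, how much did it amplify."""
    parsed = [h for h in (parse_ssdp_response(r) for r in replies) if h is not None]
    return {
        "responder": bool(parsed),
        "services": sorted({h.get("ST", "") for h in parsed}),
        "amplification": round(amplification_factor(request, replies), 1),
    }


def probe(host: str, port: int = SSDP_PORT, timeout: float = 2.0) -> List[bytes]:
    """Send one M-SEARCH to host:port and collect every datagram returned before the timeout."""
    request = build_msearch(host, port)
    replies: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


# Constructed sample reply, shaped like a typical UPnP root-device answer.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.x UPnP/1.1 example/1.0\r\n"
    b"EXT:\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # Usage: python ssdp_check.py <your-external-ip> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 32788
    print(assess(build_msearch(target, target_port), probe(target, target_port)))
```

Run it from a host outside your own network, as the author did with the port scan, so the probe crosses the modem rather than reaching devices on the LAN. An empty `services` list with `responder: False` is the result you want; anything else means a UPnP stack is reachable from the Internet and the `amplification` figure tells you how attractive it is as a reflector.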
So I see three possibilities: the ISP's threat detection system was inaccurate, the shell server has been compromised from the inside, or somehow the modem was compromised, either from the inside or remotely. I think that it was the modem, given that the administrative web interface was unresponsive.
The warning says that if this continues, they will terminate my Internet service. I will continue to check for anything suspicious going on, but if I am unable to stop this from happening I will have to shut down the shell server.