Wireshark-users: Re: [Wireshark-users] Yum install centos 5.2

From: Jeffrey Walton <noloader@xxxxxxxxx>
Date: Wed, 14 Oct 2009 07:02:10 -0400
Hi Mike,

On Tue, Oct 13, 2009 at 9:00 AM, Mike Brandonisio
<mbrando@xxxxxxxxxxxxxx> wrote:
> Hi Guy,
>
> I'm getting closer. In using tshark to record all the SMTP traffic I was
> able to grep 'helo' and 'ehlo'. I got a hit on 'helo' where my server was
> saying it was a well known ISP. It is not. I then was able to cross
> reference the destination IP with the netstat log that showed that is was in
> fact php script. Now to find out which one. I have the PID but of course the
> script is not currently running.
>
> Ant thoughts on how to track down the script?

Two thoughts come to mind. First is an AV scan, and second is
inspection of the cron jobs.

CentOS is usually pretty solid. It makes very few guest appearances
over at BugTraq. Out of curiousity, are you running a down level
version?

Jeff