Wireshark-users: Re: [Wireshark-users] Yum install centos 5.2

From: Mike Brandonisio <mbrando@xxxxxxxxxxxxxx>
Date: Wed, 14 Oct 2009 08:57:18 -0500
Hi,

Cronjobs appear clean. AV scan and rootkit check came back clean. I ended up blocking TCP_OUT in the firewall and removing a site that appeared to have a compromised PHP script. Not sure which one. I tarred the entire folder and removed the loose files. Things seem normal for today.

I'm not sure what you mean by "down level version". This is what I see for a version:

CENTOS 5.2 x86_64 virtuozzo
2.6.18-028stab064.7 #1 SMP Wed Aug 26 13:11:07 MSD 2009 x86_64 x86_64 x86_64 GNU/Linux

What made me think the account I removed was involved was that its dedicated IP was connecting to all kinds of Asian hosts, 50-60 at a shot. It had no business there.
Sincerely,
Mike
-- 
Mike Brandonisio          *    Web Hosting / Development
Tech One Illustration     *    Internet Marketing
tel (630) 759-9283 x1001  *    e-Commerce
mbrando@xxxxxxxxxxxxxx    *    www.jikometrix.net

    JIKOmetrix - Reliable web hosting


Jeffrey Walton wrote:
Hi Mike,

On Tue, Oct 13, 2009 at 9:00 AM, Mike Brandonisio
<mbrando@xxxxxxxxxxxxxx> wrote:
  
Hi Guy,

I'm getting closer. In using tshark to record all the SMTP traffic I was
able to grep 'helo' and 'ehlo'. I got a hit on 'helo' where my server was
saying it was a well known ISP. It is not. I then was able to cross
reference the destination IP with the netstat log that showed that it was in
fact a PHP script. Now to find out which one. I have the PID but of course the
script is not currently running.

Any thoughts on how to track down the script?
    
Two thoughts come to mind. First is an AV scan, and second is
inspection of the cron jobs.

CentOS is usually pretty solid. It makes very few guest appearances
over at BugTraq. Out of curiosity, are you running a down level
version?

Jeff
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
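The capture-and-correlate step Mike describes above (record SMTP with tshark, pick out the HELO/EHLO greetings, then cross-reference the destination address with a netstat listing to recover the PID), written out as an added example; this is not code from the thread, from Wireshark or from the poster's server. It assumes tshark was run with `-T fields` on the SMTP dissector fields named in the docstring, that `netstat -tnp` output was captured at the same moment, and that the server's legitimate greeting name is the placeholder `web1.jikometrix.invalid`; every sample line is constructed.

```python
"""Correlate outbound SMTP HELO/EHLO greetings seen by tshark with the
sockets listed by `netstat -tnp`, to find which local process sent them.

Added example, not from the thread.  Assumed capture command (tshark field
names smtp.req.command / smtp.req.parameter are Wireshark's SMTP fields):
  tshark -i eth0 -f 'tcp port 25' -T fields -E separator=/t \\
     -e ip.src -e ip.dst -e tcp.srcport -e smtp.req.command -e smtp.req.parameter
The tell from the thread: our server greeting a remote MTA with a hostname
that is not ours.  All sample data below is constructed.
"""
import re
from collections import namedtuple

Greeting = namedtuple("Greeting", "src dst sport command hostname")
Socket = namedtuple("Socket", "local_ip local_port remote_ip remote_port pid program")

# Constructed tshark -T fields output: one line per SMTP request packet.
TSHARK_LINES = """\
203.0.113.10\t198.51.100.25\t41234\tEHLO\tmail.isp.example
203.0.113.10\t198.51.100.25\t41234\tMAIL\tFROM:<user@example.com>
203.0.113.10\t192.0.2.77\t41300\tHELO\tweb1.jikometrix.invalid
203.0.113.10\t198.51.100.9\t41355\tHELO\tmail.isp.example
"""

# Constructed `netstat -tnp` output taken while the capture was running.
NETSTAT_LINES = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:41234      198.51.100.25:25        ESTABLISHED 4242/php
tcp        0      0 203.0.113.10:41300      192.0.2.77:25           ESTABLISHED 1100/sendmail
tcp        0      0 203.0.113.10:41355      198.51.100.9:25         SYN_SENT    4242/php
"""

OUR_HOSTNAME = "web1.jikometrix.invalid"  # assumed: the name this server should use


def parse_tshark(text):
    """Keep only HELO/EHLO requests from tab-separated tshark field output."""
    greetings = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        src, dst, sport, cmd, param = parts
        if cmd.upper() in ("HELO", "EHLO"):
            greetings.append(Greeting(src, dst, int(sport), cmd.upper(), param.strip()))
    return greetings


# tcp <recvq> <sendq> <local ip>:<port> <remote ip>:<port> <state> <pid>/<program>
NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+\S+\s+(\d+)/(\S+)")


def parse_netstat(text):
    """Parse TCP rows of `netstat -tnp`; header and non-matching rows are skipped."""
    socks = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            lip, lport, rip, rport, pid, prog = m.groups()
            socks.append(Socket(lip, int(lport), rip, int(rport), int(pid), prog))
    return socks


def suspicious_greetings(greetings, our_hostname):
    """A greeting that claims a hostname we do not own is the indicator from the thread."""
    return [g for g in greetings if g.hostname.lower() != our_hostname.lower()]


def correlate(greetings, sockets):
    """Map each greeting to the socket (and so PID/program) with the same
    local ip, local port and remote ip.  None when netstat missed it."""
    by_tuple = {(s.local_ip, s.local_port, s.remote_ip): s for s in sockets}
    results = []
    for g in greetings:
        s = by_tuple.get((g.src, g.sport, g.dst))
        results.append((g, s.pid if s else None, s.program if s else None))
    return results


def find_spoofing_processes(tshark_text=TSHARK_LINES, netstat_text=NETSTAT_LINES,
                            our_hostname=OUR_HOSTNAME):
    """Return sorted unique PIDs whose sockets sent a greeting with a foreign hostname."""
    bad = suspicious_greetings(parse_tshark(tshark_text), our_hostname)
    hits = correlate(bad, parse_netstat(netstat_text))
    return sorted({pid for _, pid, _ in hits if pid is not None})


if __name__ == "__main__":
    bad = suspicious_greetings(parse_tshark(TSHARK_LINES), OUR_HOSTNAME)
    for g, pid, prog in correlate(bad, parse_netstat(NETSTAT_LINES)):
        print(f"{g.src}:{g.sport} -> {g.dst}:25  {g.command} {g.hostname}  pid={pid} prog={prog}")
```

On the constructed data this points at PID 4242 (`php`) for both foreign-name greetings while the legitimate `sendmail` connection is left alone. The join key is the local port, not just the destination address, because a busy host can have several processes talking to the same remote MTA; and since the PID of a short-lived PHP worker disappears once the script exits, the netstat snapshot has to be taken while the capture is running, which is exactly the problem Mike ran into.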
