Wireshark mailing list archives

Re: Yum install centos 5.2


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 14 Oct 2009 07:02:10 -0400

Hi Mike,

On Tue, Oct 13, 2009 at 9:00 AM, Mike Brandonisio
<mbrando () jikometrix net> wrote:
> Hi Guy,
>
> I'm getting closer. In using tshark to record all the SMTP traffic I was
> able to grep 'helo' and 'ehlo'. I got a hit on 'helo' where my server was
> saying it was a well known ISP. It is not. I then was able to cross
> reference the destination IP with the netstat log that showed that it was in
> fact a php script. Now to find out which one. I have the PID but of course the
> script is not currently running.
>
> Any thoughts on how to track down the script?

Two thoughts come to mind. First is an AV scan, and second is
inspection of the cron jobs.

CentOS is usually pretty solid. It makes very few guest appearances
over at BugTraq. Out of curiosity, are you running a down-level
version?

Jeff
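The workflow Mike describes above (capture SMTP with tshark, flag HELO/EHLO commands that announce a name the server does not own, then tie the connection back to a PID via netstat) as an added Python example; it is not code from this thread. The tshark invocation, field names, host names and both log samples are constructed assumptions.

```python
import re

# Names this host may legitimately announce in HELO/EHLO (assumed for the example).
OWN_HOSTNAMES = {"mail.example.net"}

# Constructed tshark field output, tab-separated, as produced by (assumed invocation)
#   tshark -Y smtp.req -T fields -e ip.src -e ip.dst -e tcp.srcport -e smtp.req.command -e smtp.req.parameter
TSHARK_SAMPLE = """\
192.0.2.10\t203.0.113.25\t45123\tEHLO\tmail.example.net
192.0.2.10\t198.51.100.7\t45200\tHELO\tmail.bigisp.example
192.0.2.10\t198.51.100.7\t45200\tMAIL\tFROM:<bob@bigisp.example>
"""

# Constructed `netstat -antp` output captured on the same host at the same time.
NETSTAT_SAMPLE = """\
tcp        0      0 192.0.2.10:45123     203.0.113.25:25     ESTABLISHED 1200/sendmail
tcp        0      0 192.0.2.10:45200     198.51.100.7:25     ESTABLISHED 4321/php
"""

NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):\d+\s+\S+\s+(\d+)/(\S+)")

def find_spoofed_helo(tshark_text, own_hostnames=OWN_HOSTNAMES):
    """Return (dst_ip, src_port, claimed_name) for HELO/EHLO announcing a foreign name."""
    hits = []
    for line in tshark_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 5:
            continue  # malformed or non-SMTP line
        _src, dst, sport, cmd, param = parts[:5]
        if cmd.upper() in ("HELO", "EHLO") and param.lower() not in own_hostnames:
            hits.append((dst, int(sport), param))
    return hits

def index_netstat(netstat_text):
    """Map (remote_ip, local_port) -> (pid, program) from `netstat -antp` lines."""
    table = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            lport, rip, pid, prog = m.groups()
            table[(rip, int(lport))] = (int(pid), prog)
    return table

def correlate(tshark_text, netstat_text, own_hostnames=OWN_HOSTNAMES):
    """Attach the owning PID/program to each spoofed HELO/EHLO; None if the socket is gone."""
    table = index_netstat(netstat_text)
    return [(dst, sport, claimed) + table.get((dst, sport), (None, None))
            for dst, sport, claimed in find_spoofed_helo(tshark_text, own_hostnames)]
```

Because the script exits once the mail is sent, netstat only links the socket to a PID while it is open, which is why the correlation returns None for a connection that has already closed.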
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

