Wireshark mailing list archives
Re: Yum install centos 5.2
From: Mike Brandonisio <mbrando () jikometrix net>
Date: Wed, 14 Oct 2009 08:57:18 -0500
Hi,

Cronjobs appear clean. AV scan and rootkit check came back clean. I ended up blocking TCP_OUT in the firewall and removing a site that appeared to have a compromised PHP script. Not sure which one. I tarred the entire folder and removed the loose files. Things seem normal for today.
I'm not sure what you mean by "down level version". This is what I see for a version:
CENTOS 5.2 x86_64 virtuozzo2.6.18-028stab064.7 #1 SMP Wed Aug 26 13:11:07 MSD 2009 x86_64 x86_64 x86_64 GNU/Linux
What made me think the account I removed was involved was that its dedicated IP was connecting to all kinds of Asian hosts, 50-60 at a shot. It had no business there.
Sincerely,
Mike

--
Mike Brandonisio * Web Hosting / Development
Tech One Illustration * Internet Marketing
tel (630) 759-9283 x1001 * e-Commerce
mbrando () jikometrix net * www.jikometrix.net
JIKOmetrix - Reliable web hosting

Jeffrey Walton wrote:
> Hi Mike,
>
> On Tue, Oct 13, 2009 at 9:00 AM, Mike Brandonisio <mbrando () jikometrix net> wrote:
>> Hi Guy,
>> I'm getting closer. In using tshark to record all the SMTP traffic I was able to grep 'helo' and 'ehlo'. I got a hit on 'helo' where my server was saying it was a well known ISP. It is not. I then was able to cross reference the destination IP with the netstat log, which showed that it was in fact a PHP script. Now to find out which one. I have the PID but of course the script is not currently running. Any thoughts on how to track down the script?
>
> Two thoughts come to mind. First is an AV scan, and second is inspection of the cron jobs. CentOS is usually pretty solid. It makes very few guest appearances over at BugTraq. Out of curiosity, are you running a down level version?
>
> Jeff
Attachment: mbrando.vcf
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
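The procedure Mike describes in the quoted message (capture SMTP with tshark, pull out the HELO/EHLO names, cross-reference the destination IP against netstat to get the PID) can be scripted so it runs continuously instead of by hand. The script below is an added example for this archive page, not something posted in the thread. It assumes the box's real hostname is `mail.example.test`, and the tshark and netstat output embedded in it is constructed stand-in data (made-up IPs, hostnames and PIDs) so the script runs offline; on a live system you would replace the two variables with the real commands shown in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): correlate forged SMTP HELO/EHLO names
# seen on the wire with the local process that opened the connection.
#
# Live capture (as root on the sending host) that produces the CSV format
# parsed below; smtp.req.command / smtp.req.parameter are Wireshark's SMTP
# dissector fields:
#   tshark -i eth0 -f 'tcp port 25' -T fields -E separator=, \
#       -e ip.src -e ip.dst -e smtp.req.command -e smtp.req.parameter
# Live connection table (root needed to see other users' PIDs):
#   netstat -ntp      # or: ss -ntp

SERVER_HOST="mail.example.test"   # assumption: this host's real HELO name

# CONSTRUCTED stand-in for the tshark output above (src,dst,command,parameter).
TSHARK_OUT='203.0.113.10,198.51.100.25,EHLO,mail.example.test
203.0.113.10,192.0.2.77,HELO,smtp.bigisp.example
203.0.113.10,192.0.2.78,HELO,smtp.bigisp.example
203.0.113.10,198.51.100.30,EHLO,mail.example.test'

# CONSTRUCTED stand-in for "netstat -ntp" on the same host.
NETSTAT_OUT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:45120      198.51.100.25:25        ESTABLISHED 1201/sendmail
tcp        0      0 203.0.113.10:45133      192.0.2.77:25           ESTABLISHED 4417/php
tcp        0      0 203.0.113.10:45134      192.0.2.78:25           SYN_SENT    4417/php'

# Print "dst_ip claimed_name" for every HELO/EHLO whose claimed name is not
# ours. Legitimate MTA traffic from this box announces SERVER_HOST; a script
# announcing some ISP's hostname is the forged banner from the thread.
forged_helos() {
    printf '%s\n' "$TSHARK_OUT" | awk -F',' -v me="$SERVER_HOST" '
        ($3 == "HELO" || $3 == "EHLO") && $4 != me { print $2, $4 }'
}

# For one destination IP, print the PID/program owning a connection to it.
# Field 5 is "Foreign Address"; the trailing ":" stops 192.0.2.7 matching
# 192.0.2.77.
pid_for_dst() {
    printf '%s\n' "$NETSTAT_OUT" | awk -v dst="$1" '
        index($5, dst ":") == 1 { print $7 }'
}

# Join the two views: unique PID/program pairs behind forged HELOs.
suspect_pids() {
    forged_helos | while read -r dst name; do
        pid_for_dst "$dst"
    done | sort -u
}

suspect_pids
```

The weak point Mike hit is that netstat only shows the PID while the script is running, so in practice you loop the `netstat -ntp` collection every second or two alongside the tshark capture and act on the first match: `ls -l /proc/PID/cwd` gives the directory the PHP process was started in and `cat /proc/PID/cmdline` (or `lsof -p PID`) shows the script path, which is usually enough to find the dropped file without auditing every site on the box.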
Current thread:
- Re: Yum install centos 5.2, (continued)
- Re: Yum install centos 5.2 Guy Harris (Oct 11)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 11)
- Re: Yum install centos 5.2 Guy Harris (Oct 11)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 11)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 11)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 12)
- Re: Yum install centos 5.2 Guy Harris (Oct 12)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 12)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 14)
- Re: Yum install centos 5.2 Jeffrey Walton (Oct 14)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 14)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 11)
- Re: Yum install centos 5.2 Guy Harris (Oct 11)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 11)
- Re: Yum install centos 5.2 Mike Brandonisio (Oct 11)