  #1  
Old 15th October 2010, 16:22
guinone guinone is offline
Junior Member
 
Join Date: Oct 2010
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post
Spamhaus (CBL) listed due to Tproxy daemon

Hi all,

I am facing a big problem. I searched for the solution in thousands of forums but have not found the answer yet. :-(

For a few weeks now, following a brand new installation of a Debian/ISPConfig 3 "perfect server" (http://www.howtoforge.com/perfect-se...nny-ispconfig3), I have had a strange daemon called Tproxy attached to my apache2 server, using the same PID. I have never seen that until now!

After correcting my DNS settings and asking for delisting, I keep being listed again after a couple of hours: http://cbl.abuseat.org/lookup.cgi

I suppose it is because my server is configured as a proxy because of this Tproxy daemon.

Can anyone please tell me how to uninstall this Tproxy?

Thanks a lot in advance.
  #2  
Old 16th October 2010, 11:42
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,749 Times in 2,579 Posts

Never heard of something like that. What's the output of
Code:
ps aux
?

Did you run rkhunter and/or chkrootkit to check if there's malware installed?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!
  #3  
Old 17th October 2010, 20:11
guinone guinone is offline
Junior Member
 
Join Date: Oct 2010
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post

Hello Falko,

Rkhunter is OK, only a few warnings...

Here is a portion of the output of netstat -tap, where we can see that apache2 is listening on the port TPROXY with PID 8844:

Code:
tcp6 0 0 [::]:http-alt [::]:* LISTEN 8844/apache2
tcp6 0 0 [::]:www [::]:* LISTEN 8844/apache2
tcp6 0 0 [::]:tproxy [::]:* LISTEN 8844/apache2
tcp6 0 0 [::]:https [::]:* LISTEN 8844/apache2

tcp6 0 0 [::]:ftp [::]:* LISTEN 24571/pure-ftpd (SE
tcp6 0 0 localhost:domain [::]:* LISTEN 3269/mydns
tcp6 0 0 [::]:ssh [::]:* LISTEN 2307/sshd
tcp6 0 0 localhost:ipp [::]:* LISTEN 3254/cupsd
tcp6 0 0 [::]:imaps [::]:* LISTEN 3196/couriertcpd
tcp6 0 0 [::]:pop3s [::]:* LISTEN 3214/couriertcpd
tcp6 0 0 [::]:pop3 [::]:* LISTEN 3202/couriertcpd
tcp6 0 0 [::]:imap2 [::]:* LISTEN 3184/couriertcpd
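The listing above is easier to read once the names in the local-address column are turned back into numbers. netstat -tap (without -n) prints the name that /etc/services assigns to a port, and on Debian that file maps TCP port 8081 to the name "tproxy" (8080 is "http-alt", 80 is "www"), so the "tproxy" line is apache2's listener on 8081, the port ISPConfig 3 uses for its apps vhost, not a separate daemon. The following script is an added example, not code from the thread, ISPConfig or Debian: it parses netstat output against a constructed excerpt of /etc/services, resolves every listener to a port number, and records whether the bind is on every address ([::] and 0.0.0.0 are wildcards; a listener on [::] also accepts IPv4 connections when net.ipv6.bindv6only is 0) or only on loopback. The netstat sample is constructed to match the lines posted above.

```python
"""Added example (not from the thread): read `netstat -tap` LISTEN lines and
report, per listener, the numeric port, the program and whether the bind is
wildcard, loopback or a specific address.  netstat -tap prints the *name*
/etc/services gives a port, so "tproxy" is simply the name of TCP port 8081.
"""
import re

# Constructed excerpt of Debian's /etc/services; only the entries needed here.
SERVICES_EXCERPT = """\
ftp             21/tcp
ssh             22/tcp
domain          53/tcp
www             80/tcp          http
pop3            110/tcp         pop-3
imap2           143/tcp         imap
https           443/tcp
ipp             631/tcp
imaps           993/tcp
pop3s           995/tcp
http-alt        8080/tcp        webcache        # WWW caching service
tproxy          8081/tcp                        # Transparent Proxy
"""

def parse_services(text):
    """Map every TCP service name and alias in the file to its port number."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        if proto == "tcp":
            for name in [fields[0]] + fields[2:]:
                table[name] = int(port)
    return table

# Constructed sample modelled on the netstat -tap output posted in this thread.
NETSTAT_SAMPLE = """\
tcp6       0      0 [::]:http-alt           [::]:*                  LISTEN      8844/apache2
tcp6       0      0 [::]:www                [::]:*                  LISTEN      8844/apache2
tcp6       0      0 [::]:tproxy             [::]:*                  LISTEN      8844/apache2
tcp6       0      0 [::]:https              [::]:*                  LISTEN      8844/apache2
tcp6       0      0 localhost:domain        [::]:*                  LISTEN      3269/mydns
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      2307/sshd
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN      3254/cupsd
"""

# proto, recv-q, send-q, local addr:port, foreign addr, LISTEN, pid/program
LISTEN_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\S+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)"
)

def bind_scope(addr):
    """Classify the local address as netstat prints it."""
    if addr in ("[::]", "0.0.0.0", "*"):
        return "wildcard"   # every address; [::] also takes IPv4 when bindv6only=0
    if addr in ("localhost", "ip6-localhost", "[::1]", "127.0.0.1"):
        return "loopback"
    return "specific"

def classify_listeners(netstat_text, services):
    """Return one dict per LISTEN line with the port resolved to a number."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        _proto, addr, svc, pid, prog = m.groups()
        port = int(svc) if svc.isdigit() else services.get(svc)
        listeners.append({
            "port": port, "service": svc, "scope": bind_scope(addr),
            "pid": int(pid), "program": prog,
        })
    return listeners

def ports_by_program(listeners, program):
    """Numeric ports a program has open on all addresses, ascending."""
    return sorted(l["port"] for l in listeners
                  if l["program"] == program and l["scope"] == "wildcard")

if __name__ == "__main__":
    table = parse_services(SERVICES_EXCERPT)
    found = classify_listeners(NETSTAT_SAMPLE, table)
    for l in found:
        print(f"{l['port']:>5} {l['service']:<9} {l['scope']:<8} {l['pid']}/{l['program']}")
    print("apache2 wildcard ports:", ports_by_program(found, "apache2"))
```

On the real machine the same information comes from `netstat -tapn` or `ss -tlnp`, which print numbers instead of names; the parser above is only needed when all you have is the resolved output.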
  #4  
Old 18th October 2010, 08:39
matty matty is offline
Member
 
Join Date: Apr 2010
Location: Australia
Posts: 85
Thanks: 2
Thanked 12 Times in 11 Posts

Tproxy would refer to transparent proxy. I have the same services running on my server (on different ports), but I don't get listed in CBL. I'm fairly certain what you're seeing is just your IPv6-capable services bound to ports on your system. I think whatever is getting you listed in CBL will be found elsewhere on your system. Most likely your system has some web scripts that are being abused, or an open mail relay. Monitor your mail and Apache logs and see if you can observe some irregular traffic.
  #5  
Old 18th October 2010, 16:06
guinone guinone is offline
Junior Member
 
Join Date: Oct 2010
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post

Hi Matty,

I tested my SMTP (Postfix) mail system with this tool: http://mxtoolbox.com/
Apparently everything is fine, including my reverse DNS and my HELO name (reverse DNS matches SMTP banner). It also confirms that my server is NOT an open mail relay.

I checked my Apache logs and my mail logs (mail.err, mail.info, mail.log). Everything seemed normal.

As on any other system, my web scripts might have been abused, so last week I checked for irregular traffic with tcpdump listening on port 25: I saw very little traffic, and apparently nothing wrong.

Please also note that my server is behind a router, but it is the only machine using this fixed IP. No wireless access is authorised.

As I have seen that when one is listed on CBL it is often because of some proxy or transparent proxy installed on the mail server, I am wondering whether the problem is coming from this Tproxy apache2 daemon.

And the only way I have found is to shut it down before asking for a new CBL delisting.

Does anyone know how to shut down Tproxy?

The only way to stop it for the moment is to stop my apache2 server, which is not very convenient! ;-)

Thanks in advance for your help.
  #6  
Old 19th October 2010, 09:28
matty matty is offline
Member
 
Join Date: Apr 2010
Location: Australia
Posts: 85
Thanks: 2
Thanked 12 Times in 11 Posts

I still think you're on the wrong track with worrying about the tproxy. It's bound to the IPv6 address on your system, and unless you have specifically configured a public IPv6 address, your ISP supports IPv6, and you opened that port in your firewall, it will be using the equivalent of localhost/127.0.0.1 (which is ::1 in IPv6 land). In a nutshell, it's uncontactable from the outside world for all intents and purposes.

Really, have a read through the FAQ on CBL. The chances are you have a machine using that router that is compromised.
  #7  
Old 19th October 2010, 18:25
guinone guinone is offline
Junior Member
 
Join Date: Oct 2010
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post

OK, maybe I was focusing too much on this poor Tproxy thing...

I checked my DNS config again, and realized I had not defined my PTR record.

Now I am going to wait a while to see how CBL reacts to this modification...
  #8  
Old 30th October 2010, 11:52
guinone guinone is offline
Junior Member
 
Join Date: Oct 2010
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post
CBL listed again

I modified the header of the messages sent by my PHP mail function because it was showing www-data as the sender.

Unfortunately, I have been listed again twice since my last message.

I have been through the whole CBL FAQ again and again (http://cbl.abuseat.org/faq.html) but cannot find the solution.

I really feel desperate. I have been a Unix administrator (on Sun systems and now on Linux Debian) for 10 years now, but I have never faced a problem like this before.

If anyone can help, I would be really thankful!

William
  #9  
Old 31st October 2010, 13:21
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,749 Times in 2,579 Posts

Do they tell you why you get listed?
  #10  
Old 1st November 2010, 19:53
guinone guinone is offline
Junior Member
 
Join Date: Oct 2010
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post

Yes, here is the beginning of the message:

IP Address 212.x.x.... is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2010-10-31 16:00 GMT (+/- 30 minutes), approximately 1 day, 1 hour, 30 minutes ago.

It has been relisted following a previous removal at 2010-10-29 19:21 GMT (2 days, 22 hours, 28 minutes ago)

How to resolve future problems and prevent relisting

--------------------------------------------------------------------------------

Is this IP address a NAT gateway/firewall/router? In other words, is this IP address shared with other computers? See NAT for further information about NATs and how to secure them.

If this IP address is shared with other computers, only the administrator of this IP address can prevent this happening again by following the instructions in NAT to secure the NAT against future infections. In this way, no matter how badly infected the network behind the NAT is, the network can't spam the Internet. The administrator can also refer to Advanced BOT detection for hints and tips on how to find the infected computer behind a NAT.

.... .... ...
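The CBL text quoted above says the listing is triggered by spam-bot or proxy traffic observed coming from the IP, and for a shared (NAT) address it asks the gateway administrator to find the machine behind the NAT that is opening SMTP connections to the outside. The script below is an added example and is not code from CBL, ISPConfig or the thread. It assumes a Linux gateway whose FORWARD chain logs new outbound TCP/25 connections with the iptables LOG target (the rule is shown in the docstring; interface names, the "OUT-SMTP:" prefix and the mail server address 192.168.1.10 are assumptions), and it parses a constructed kern.log excerpt to count, per internal source, how many distinct external SMTP destinations it contacted. A legitimate client talks to one smarthost; a spam bot fans out to many MX hosts, which is the pattern the suspects() function reports.

```python
"""Added example (not from the thread or from CBL): find which host behind a
NAT is opening outbound SMTP (TCP/25) connections, which is what CBL's NAT
advice asks the gateway administrator to do.

The log lines below are constructed in the format of the iptables LOG target.
On a real Linux gateway they would come from a rule such as (interface names
and log prefix are assumptions):

    iptables -I FORWARD -i eth1 -o eth0 -p tcp --dport 25 \
             -m state --state NEW -j LOG --log-prefix "OUT-SMTP: "

and be read from /var/log/kern.log.  Once the offender is known, the usual
remedy is to let only the mail server out on port 25:

    iptables -I FORWARD -i eth1 ! -s 192.168.1.10 -p tcp --dport 25 -j REJECT
"""
import re
from collections import Counter, defaultdict

# Assumption: the only LAN host that should talk SMTP to the Internet directly.
MAIL_SERVER = "192.168.1.10"

# Constructed kern.log excerpt.  192.168.1.37 behaves like a bot (five MX hosts
# in two seconds), 192.168.1.22 like a mail client using a submission port.
SAMPLE_LOG = """\
Oct 31 15:58:01 gw kernel: OUT-SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.25 LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=41234 DPT=25 WINDOW=5840 SYN
Oct 31 15:58:02 gw kernel: OUT-SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.5 LEN=48 TTL=127 ID=2 DF PROTO=TCP SPT=1045 DPT=25 WINDOW=65535 SYN
Oct 31 15:58:02 gw kernel: OUT-SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.77 LEN=48 TTL=127 ID=3 DF PROTO=TCP SPT=1046 DPT=25 WINDOW=65535 SYN
Oct 31 15:58:03 gw kernel: OUT-SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 LEN=48 TTL=127 ID=4 DF PROTO=TCP SPT=1047 DPT=25 WINDOW=65535 SYN
Oct 31 15:58:03 gw kernel: OUT-SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=192.0.2.200 LEN=48 TTL=127 ID=5 DF PROTO=TCP SPT=1048 DPT=25 WINDOW=65535 SYN
Oct 31 15:58:04 gw kernel: OUT-SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=192.0.2.41 LEN=48 TTL=127 ID=6 DF PROTO=TCP SPT=1049 DPT=25 WINDOW=65535 SYN
Oct 31 15:58:09 gw kernel: OUT-SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=63 ID=7 DF PROTO=TCP SPT=41235 DPT=25 WINDOW=5840 SYN
Oct 31 15:58:11 gw kernel: OUT-SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.25 LEN=48 TTL=127 ID=8 DF PROTO=TCP SPT=1101 DPT=25 WINDOW=65535 SYN
Oct 31 15:58:12 gw kernel: OUT-SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.25 LEN=48 TTL=127 ID=9 DF PROTO=TCP SPT=1102 DPT=587 WINDOW=65535 SYN
"""

# Match only TCP packets whose destination port is exactly 25.
LOG_RE = re.compile(r"\bSRC=(\S+) DST=(\S+) .*?\bPROTO=TCP\b.*?\bDPT=25\b")

def smtp_sources(log_text):
    """Per LAN source, count outbound TCP/25 connection attempts per destination."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            per_src[m.group(1)][m.group(2)] += 1
    return per_src

def suspects(per_src, mail_server=MAIL_SERVER, min_destinations=3):
    """LAN hosts other than the mail server that opened SMTP sessions to at
    least min_destinations distinct hosts.  Returns (src, attempts, distinct)."""
    return sorted(
        (src, sum(dests.values()), len(dests))
        for src, dests in per_src.items()
        if src != mail_server and len(dests) >= min_destinations
    )

if __name__ == "__main__":
    per_src = smtp_sources(SAMPLE_LOG)
    for src, dests in sorted(per_src.items()):
        print(f"{src:<15} {sum(dests.values()):>3} attempts to {len(dests)} destinations")
    print("suspects:", suspects(per_src))
```

Raising min_destinations is how you tune out a LAN with several legitimate outbound mail paths; the mail server itself is excluded by address, not by volume, because on a busy hosting box it is supposed to fan out to many MX hosts.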