Spamhauss (CBL) listed due to Tproxy daemon

[guinone]

Hi all,

I am facing a big problem. I Searched the solution in thousnads of forums but did not find the answer yet. :-(

Since a few weeks now, following a brand new installation of a debian/Ispconfig3 "the perfect server" (http://www.howtoforge.com/perfect-se...nny-ispconfig3), i have a strange Daemon called Tproxy attached to my apache2 server, using the same PID. Never seen that until now !

After having correcting my DNS settings, and asking my delisting, i keep on being listed again here after a couple of hours: http://cbl.abuseat.org/lookup.cgi

I suppose it is because my server is configured as a proxy because of this Tproxy daemon.

Can anyone please tell me how to uninstall this Tproxy ????

Thanks a lot in adance.

[falko]

Never heard of something like that. What's the output of

Code:

ps aux

?

Did you run rkhunter and/or chkrootkit to check if there's malware installed?

[guinone]

Hello Falko,

Rkhunter is ok, only a few warnings...

Here is a portion of the command netstat -tap, where we can see that apache2 is listening on the port TPROXY with the PID 8844:


tcp6 0 0 [::]:http-alt [::]:* LISTEN 8844/apache2
tcp6 0 0 [::]:www [::]:* LISTEN 8844/apache2
tcp6 0 0 [::]:tproxy [::]:* LISTEN 8844/apache2
tcp6 0 0 [::]:https [::]:* LISTEN 8844/apache2


tcp6 0 0 [::]:ftp [::]:* LISTEN 24571/pure-ftpd (SE
tcp6 0 0 localhost:domain [::]:* LISTEN 3269/mydns
tcp6 0 0 [::]:ssh [::]:* LISTEN 2307/sshd
tcp6 0 0 localhost:ipp [::]:* LISTEN 3254/cupsd
tcp6 0 0 [::]:imaps [::]:* LISTEN 3196/couriertcpd
tcp6 0 0 [::]op3s [::]:* LISTEN 3214/couriertcpd
tcp6 0 0 [::]op3 [::]:* LISTEN 3202/couriertcpd
tcp6 0 0 [::]:imap2 [::]:* LISTEN 3184/couriertcpd

[matty]

Tproxy would refer to transparent proxy. I have the same services running on my server (on different ports), but I don't get listed in CBL. I'm fairly certain what you're seeing is just your IPv6 capable services bound to ports on your system. I think whatever is getting you listed in CBL will be found elsewhere on your system. Most likely your system has some web scripts that are being abused, or an open mail relay. Monitor your mail and apache logs and see if you can observe some irregular traffic.

[guinone]

Hi Matty,

I tested my smtp (postfix) mail system with this tool: http://mxtoolbox.com/
Apparently everything is fine, including my reverse DNS and my HELO name (Reverse DNS matches SMTP Banner). It also confirms that my server is NOT an open mail relay.

I checked my apache logs and my mail logs (mail.err, mail.info, mail.log). Everything seemed normal.

As on any other system, my web scripts might have been abused, so I checked last week for some irregular traffic with the probe TCPDUMP listening on port 25: I saw very little traffic, and apparently nothing wrong.

Please also note that my server is behind a router, but is the only one to use on this Fixed IP. No wireless access authorised.

As i have seen that when we are listed on CBL, it is often because of some Proxy or transparent proxy being installed on the mail server, that is why i am wondering if the problem is coming from this Tproxy apache 2 daemon.

And the only way i found out is to shut it down before asking a new CBL delisting.

Does anyone know how to shut down Tproxy ?

The only way to stop it for the moment is to stop my apache2 server, which is not very convenient !!! ;-)

Thanks in advance for your help.

[matty]

I still think you're on the wrong track with worrying about the tproxy. It's bound to the IPv6 address on your system, and unless you have specifically configured a public IPv6 address, your ISP supports IPv6, and you opened that port in your firwall, it will be using the equivalent of localhost/127.0.0.1 (which is ::1 in IPv6 land). In a nutshell, it's uncontactable from the outside world for all intents and purposes.

Really, have a read through the FAQ on CBL. The chances are you have a machine using that router that is compromised.

[guinone]

Ok maybe i was focussing too much on this poor Tproxy thing ...

I checked my DNS config again, and realized i did not defined my PTR record.

Now i am going to wait for a while to see how CBL reacts following this modification ...

[guinone]

I modified the header of the messages sent by my PHP email function beacause it was indicating www-data as sender message.

Unfortunatly, i have been listed again twice since my last message.

I am been thrue all the CBL fact list again and again -(http://cbl.abuseat.org/faq.html) but cannot find the solution.

I really feel desperate. I am a unix administrator (on SUN systems and nox on Linux debian) since 10 years now but i have never faced a problem like this before.

If anyone can help, i would be really thanksfull !!!

William

[falko]

Do they tell you why you get listed?

[guinone]

Yes, here is the (beginning) of the message:

IP Address 212.x.x.... is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2010-10-31 16:00 GMT (+/- 30 minutes), approximately 1 days, 1 hours, 30 minutes ago.

It has been relisted following a previous removal at 2010-10-29 19:21 GMT (2 days, 22 hours, 28 minutes ago)

How to resolve future problems and prevent relisting

--------------------------------------------------------------------------------

Is this IP address is a NAT gateway/firewall/router? In other words, is this IP address shared with other computers? See NAT for further information about NATs and how to secure them.

If this IP address is shared with other computers, only the administrator of this IP address can prevent this happening again by following the instructions in NAT to secure the NAT against future infections. In this way, no matter how badly infected the network behind the NAT is, the network can't spam the Internet. The administrator can also refer to Advanced BOT detection for hints and tips on how to find the infected computer behind a NAT.

.... .... ...