Spamhauss (CBL) listed due to Tproxy daemon

Hi all,

I am facing a big problem. I Searched the solution in thousnads of forums but did not find the answer yet. :-(

Since a few weeks now, following a brand new installation of a debian/Ispconfig3 "the perfect server" (http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3), i have a strange Daemon called Tproxy attached to my apache2 server, using the same PID. Never seen that until now !

After having correcting my DNS settings, and asking my delisting, i keep on being listed again here after a couple of hours: http://cbl.abuseat.org/lookup.cgi

I suppose it is because my server is configured as a proxy because of this Tproxy daemon.

Can anyone please tell me how to uninstall this Tproxy ????

Thanks a lot in adance.

 

Never heard of something like that. What's the output of

Code:

ps aux

?

Did you run rkhunter and/or chkrootkit to check if there's malware installed?

 

Hello Falko,

Rkhunter is ok, only a few warnings...

Here is a portion of the command netstat -tap, where we can see that apache2 is listening on the port TPROXY with the PID 8844:


tcp6 0 0 [::]:http-alt [::]:* LISTEN 8844/apache2
tcp6 0 0 [::]:www [::]:* LISTEN 8844/apache2
tcp6 0 0 [::]:tproxy [::]:* LISTEN 8844/apache2
tcp6 0 0 [::]:https [::]:* LISTEN 8844/apache2


tcp6 0 0 [::]:ftp [::]:* LISTEN 24571/pure-ftpd (SE
tcp6 0 0 localhost:domain [::]:* LISTEN 3269/mydns
tcp6 0 0 [::]:ssh [::]:* LISTEN 2307/sshd
tcp6 0 0 localhost:ipp [::]:* LISTEN 3254/cupsd
tcp6 0 0 [::]:imaps [::]:* LISTEN 3196/couriertcpd
tcp6 0 0 [::]op3s [::]:* LISTEN 3214/couriertcpd
tcp6 0 0 [::]op3 [::]:* LISTEN 3202/couriertcpd
tcp6 0 0 [::]:imap2 [::]:* LISTEN 3184/couriertcpd

 

Tproxy would refer to transparent proxy. I have the same services running on my server (on different ports), but I don't get listed in CBL. I'm fairly certain what you're seeing is just your IPv6 capable services bound to ports on your system. I think whatever is getting you listed in CBL will be found elsewhere on your system. Most likely your system has some web scripts that are being abused, or an open mail relay. Monitor your mail and apache logs and see if you can observe some irregular traffic.

 

Hi Matty,

I tested my smtp (postfix) mail system with this tool: http://mxtoolbox.com/
Apparently everything is fine, including my reverse DNS and my HELO name (Reverse DNS matches SMTP Banner). It also confirms that my server is NOT an open mail relay.

I checked my apache logs and my mail logs (mail.err, mail.info, mail.log). Everything seemed normal.

As on any other system, my web scripts might have been abused, so I checked last week for some irregular traffic with the probe TCPDUMP listening on port 25: I saw very little traffic, and apparently nothing wrong.

Please also note that my server is behind a router, but is the only one to use on this Fixed IP. No wireless access authorised.

As i have seen that when we are listed on CBL, it is often because of some Proxy or transparent proxy being installed on the mail server, that is why i am wondering if the problem is coming from this Tproxy apache 2 daemon.

And the only way i found out is to shut it down before asking a new CBL delisting.

Does anyone know how to shut down Tproxy ?

The only way to stop it for the moment is to stop my apache2 server, which is not very convenient !!! ;-)

Thanks in advance for your help.

 

I still think you're on the wrong track with worrying about the tproxy. It's bound to the IPv6 address on your system, and unless you have specifically configured a public IPv6 address, your ISP supports IPv6, and you opened that port in your firwall, it will be using the equivalent of localhost/127.0.0.1 (which is ::1 in IPv6 land). In a nutshell, it's uncontactable from the outside world for all intents and purposes.

Really, have a read through the FAQ on CBL. The chances are you have a machine using that router that is compromised.

 

Ok maybe i was focussing too much on this poor Tproxy thing ...

I checked my DNS config again, and realized i did not defined my PTR record.

Now i am going to wait for a while to see how CBL reacts following this modification ...

 

CBL listed again

I modified the header of the messages sent by my PHP email function beacause it was indicating www-data as sender message.

Unfortunatly, i have been listed again twice since my last message.

I am been thrue all the CBL fact list again and again -(http://cbl.abuseat.org/faq.html) but cannot find the solution.

I really feel desperate. I am a unix administrator (on SUN systems and nox on Linux debian) since 10 years now but i have never faced a problem like this before.

If anyone can help, i would be really thanksfull !!!

William

 

Do they tell you why you get listed?

 

Yes, here is the (beginning) of the message:

IP Address 212.x.x.... is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2010-10-31 16:00 GMT (+/- 30 minutes), approximately 1 days, 1 hours, 30 minutes ago.

It has been relisted following a previous removal at 2010-10-29 19:21 GMT (2 days, 22 hours, 28 minutes ago)

How to resolve future problems and prevent relisting

--------------------------------------------------------------------------------

Is this IP address is a NAT gateway/firewall/router? In other words, is this IP address shared with other computers? See NAT for further information about NATs and how to secure them.

If this IP address is shared with other computers, only the administrator of this IP address can prevent this happening again by following the instructions in NAT to secure the NAT against future infections. In this way, no matter how badly infected the network behind the NAT is, the network can't spam the Internet. The administrator can also refer to Advanced BOT detection for hints and tips on how to find the infected computer behind a NAT.

.... .... ...

 

Do you maybe have web applications that got hacked and are abused by spammers?

This article might help: http://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam

 

Thank you Falko, that's a very good idea !

So i tried to install this wrapper script but it does not work (neither the php version nor the shell script version).

It only works (it logs the mail) when i run the script in command line:

/usr/local/bin/phpsendmail

So now i am trying to understand why my php.ini does not seem to validate the use of the phpsendmail script:

[mail function]
; For Win32 only.
; SMTP = localhost
; smtp_port = 25

; For Win32 only.
;sendmail_from = [email protected]

; For Unix only. You may supply arguments as well (default: "sendmail -t -i").

sendmail_path = /usr/local/bin/phpsendmail

 

Is /usr/local/bin/phpsendmail executable?

 

Yes, /usr/local/bin/phpsendmail is executable: ls -la /usr/local/bin/phpsendmail
-rwxr-xr-x 1 root staff 970 2010-11-12 15:19 /usr/local/bin/phpsendmail

But a little bit lazy ! The only time it works is when i send mails using the webmail of ISPconfig (squirel mail).

It seems that the php mail function of my websites just don't go thru /usr/local/bin/phpsendmail !!!

I am using Postfix so i configured the /usr/local/bin/phpsendmail header like that:

#!/usr/bin/php5
<?php
$sendmail_bin='/usr/sbin/postfix';
$logfile='/var/log/php_mail_log';

Moreover, in the mail.err log file, i get the following message:
postfix[27147]: fatal: the postfix command is reserved for the superuser

 

IT's EVEN LESS than that !!!
The script only works when i create a new mail account, using the ISPconfig interface. At that moment, a welcome mail is sent to the new mailbox, and this activates the wrapper /usr/local/bin/phpsendmail:

Here is the content of my log file ('/var/log/php_mail_log') now:

11-12-10 :: 03:40:55 PM -- /usr/local/ispconfig/interface/web/mail To: [email protected] From: ISPConfig3 <[email protected]>
11-12-10 :: 04:50:48 PM -- /usr/local/ispconfig/interface/web/mail To: [email protected] From: ISPConfig3 <[email protected]>

 

Did you modify the correct php.ini? That depends on which PHP mode you use for your web sites.

 

Hello Falko,

I modified all my php.ini but it could not work. :-(

So i have decided to install Modsecurity with the following rules, found on the website below:

http://www.damonkohler.com/2008/12/email-injection.html

SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"

Now i am waiting to see if i am listed again or not... (i cross my fingers !) ;-)

 

Hi there,

Ok so i have suspended almost all the mail() php scripts on my server (i kept only one witch sent around 10 mails per day) and have not been listed for 10 days. Moreover, Nothing special in the Modsec logs regarding email injection attempt.

So i decided to send my (big) weekly mailing (about 80.000 emails), opt-in only.

2 hours later, i was listed again !!!

So now i think that this new CBL listing must come from either:

- A wrong php mail() header, knowing that i had to update my php version (from 4.x to 5.2) when my server crashed in september.

- Too many mails sent at once (i sent the 80.000 in one shot with a home made PHP script), but i was doing that before and it seemed to work.

- The fact that my server moved to another IP since the crash in september, and that maybe it does not seems normal that a brand new IP is suddenly sending so many mails ??

I think my main.cf, master.cf and DNS config are ok.

If anybody has a clue, it would be very welcome !!!

Thanks in advance.

Guinone

 

Is your PTR record ok?

 

yes Falko, my PTR is checked and OK.

But i realize did not put the right rules in my modsecurity_crs_10_config.conf !

HERE IS THE RIGHT RULE, and it works !!! (i tested it by injecting the following sequence in the field of one of my forms: [email protected]%0ACc:[email protected]%)


This is the rule to be put in the modsecurity_crs_10_config.conf

# Email Injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "[\n\r]\s*(?:to|bcc|cc)\s*:.*?\@" \
"t:none,t:lowercase,t:urlDecode,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack. Matched signature <%{TX.0}>',,id:'950019',severity:'2'"

Now let's wait again to see if any spammer comes around ...