The Community Forums

Trying to find Cause of CBL blocking

Discussion in 'E-mail Discussion' started by Cybersalt, Apr 20, 2018.

  1. Cybersalt

    Cybersalt Registered

    Joined:
    Jul 3, 2015
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    My server's IP has been added to the SpamHaus CBL blacklist. I thought I found the infected client site that is the cause and cleaned it, but I keep getting relisted, so I am missing something.

    SpamHaus have given me excellent information to find the cause, but for the life of me I cannot find any record of the connection related to the info they gave me, despite grepping the heck out of my entire server, which I have full access to.

    They have also provided a link to the tool https://www.abuseat.org/shtracer.pl to use to monitor for the next activity that will get me back on the list, but I am climbing the learning curve to get that Perl script to run on my SSH command line.

    So while I continue to struggle away, I thought I'd ask for help/advice here and in the process create a thread others in my situation may benefit from. I've not found anything current online that is helping me, so either I'm missing something big time or this is a new issue.

    An abbreviation of what I have been told:

    > This IP address is infected with or NATing for an infection of "Eitest".

    > This was detected by a TCP connection from "xxx.xxx.xxx.xxx" on port "59095" going to IP address "192.42.xxx.xx" (the sinkhole) on port "80".

    > This detection corresponds to a connection at Fri Apr 20 20:49:04 2018 UTC (this timestamp is believed accurate to within one second).

    Detection Information Summary
    Destination IP 192.42.xxx.xx
    Destination port 80
    Source IP xxx.xxx.xxx.xxx
    Source port 59095
    C&C name/domain example.com
    Protocol TCP
    Time Fri Apr 20 20:49:04 2018 UTC
     
    #1 Cybersalt, Apr 20, 2018
    Last edited by a moderator: Apr 20, 2018
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,030
    Likes Received:
    47
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
  3. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,346
    Likes Received:
    59
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Chances are good that if he doesn't run the shtracer script, he isn't going to have any log of any kind that will reference the 192.42.xxx.xxx sinkhole address. That's the purpose of shtracer. And it sounds like he is somewhat confused about how to use shtracer.

    Mike
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,346
    Likes Received:
    59
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Here is a real quick and dirty way.

    # create a directory where you are putting shtracer (example: /root/abuseat.org)
    mkdir /root/abuseat.org

    # change to that directory
    cd /root/abuseat.org

    # download the script
    wget https://www.abuseat.org/shtracer.pl

    # edit the paths to lsof / ps / ss in the shtracer.pl script
    # for CentOS 6 / CloudLinux 6 / probably any redhat based platform
    # Locations of various utilities we use.
    my $ss = '/usr/sbin/ss';
    my $lsof = '/usr/sbin/lsof';
    my $grep = '/bin/grep';

    # test the script to make sure it is working
    # using the CBL website IP address by default

    • In one SSH session, switch to the directory where shtracer.pl is and run perl shtracer.pl
    • In another SSH session run wget http://192.42.118.110
    • Switch back to the first SSH session and you should see a log of activity related to 192.42.118.110
    • ctrl-c to exit the shtracer.pl script
    Assuming the shtracer session did reveal some information about the test access to the CBL site, you can continue below.
    # Now edit shtracer.pl and set the sinkhole address to the one CBL told you was the triggered sinkhole address
    my $sinkhole = '192.42.xxx.xxx';

    Run perl shtracer.pl and wait for it to show activity. When you see activity in the shtracer.pl session, it is going to help you identify what processes on your machine are attempting to communicate with the sinkhole.

    NOTE: Whatever is communicating with the sinkhole IP address and causing you to get blacklisted at CBL may not be a process that is running 24/7. You may run shtracer.pl and not see anything the whole time you are monitoring. You might have to set up a cron job to run it and pipe it to a log file, or use screen to fire off shtracer and log back in later to reference.

    Quick and dirty you could do something like this (after making sure the sinkhole address is set):

    perl /root/abuseat.org/shtracer.pl > /root/abuseat.org/tracer.log &

    If you do that, you'll execute an shtracer process and fork it into the background. If it detects activity it will write what it logs to /root/abuseat.org/tracer.log for later viewing. shtracer will continue to run until you kill it or reboot. You can kill the script by finding the pid using something like ps and then killing it.

    # ps auwx|grep shtra
    root 8073 6.4 0.1 127332 3468 pts/0 S 08:08 0:02 perl ./shtracer.pl
    # kill -9 8073

    At any rate, that's quick and dirty. If your server is communicating with the sinkhole often / at the time you run shtracer, you should immediately start seeing information when running shtracer. But the offending scripts on your system may only be communicating with the sinkhole periodically, which is why you will probably end up having to force shtracer into the background and make it log to a logfile for later viewing.

    A gazillion people on these forums could have given a better writeup on how to do this, and many would most likely have given some different instructions than I did. If you don't like my Q&D, wait for somebody else to post.

    M
     
    cPanelLauren likes this.
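    The same idea as the background-and-log approach above, written out as an added example that is not abuseat.org's shtracer.pl and not code from anyone in this thread: a small POSIX shell watcher that polls `ss -ntp` for connections to the sinkhole address and appends the owning pid and process name to a log, so that a connection that only happens periodically is still recorded. It assumes the CBL test address 192.42.118.110 named in the post, the log path /root/abuseat.org/tracer.log from the post, and a constructed `ss -ntp` sample to demonstrate the parser offline.

```shell
#!/bin/sh
# Added example (not abuseat.org's shtracer.pl): poll `ss -ntp` for TCP
# connections to a sinkhole address and record the owning pid/process, so a
# short-lived connection is captured even when nobody is watching a terminal.
# Assumptions: 192.42.118.110 is the CBL test address named in the thread;
# the log path mirrors the one used in the post.
SINKHOLE="${SINKHOLE:-192.42.118.110}"
LOGFILE="${LOGFILE:-/root/abuseat.org/tracer.log}"

# Read `ss -ntp` output on stdin; print "<local> -> <peer> pid=<pid> proc=<name>"
# for each connection whose peer address equals $1 (port stripped, IPv4 form).
match_sinkhole() {
    awk -v sink="$1" '
        {
            peer = $5; sub(/:[0-9]+$/, "", peer)
            if (peer != sink) next
            pid = "?"; proc = "?"
            # Process column looks like: users:(("perl",pid=8073,fd=3))
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                u = substr($0, RSTART + 9, RLENGTH - 9)   # perl",pid=8073
                proc = u; sub(/".*/, "", proc)
                pid = u;  sub(/.*pid=/, "", pid)
            }
            print $4 " -> " $5 " pid=" pid " proc=" proc
        }'
}

# Sample once per second and append timestamped hits to the log. Call this
# from a script started under nohup or screen, as the post suggests, and kill
# it when you are done.
watch_sinkhole() {
    while :; do
        ss -ntp 2>/dev/null | match_sinkhole "$SINKHOLE" |
        while IFS= read -r hit; do
            printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$hit"
        done >> "$LOGFILE"
        sleep 1
    done
}

# Constructed `ss -ntp` output used to demonstrate the parser offline.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:59095 192.42.118.110:80 users:(("perl",pid=8073,fd=3))
ESTAB 0 0 10.0.0.5:44310 203.0.113.9:443 users:(("httpd",pid=2201,fd=14))'

# Offline demo: only the line whose peer is the sinkhole is reported.
printf '%s\n' "$SAMPLE_SS" | match_sinkhole "$SINKHOLE"
```

Only connections that exist at the moment of a poll are seen, so keep the interval short; anything that shows up in the log is the process to investigate, just as with the shtracer output described above.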
  5. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,517
    Likes Received:
    251
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello, @Cybersalt

    Please let us know if the suggestions noted here were of assistance in helping you set up the shtracer script, thank you to everyone for your responses.

    You can also run something similar to what we do internally. While not officially supported, we do have the following, CpanelInc/tech-SSE, which is a powerful tool for identifying spam senders and may be helpful as well.

    Thank you,
     
  6. planetc

    planetc Registered

    Joined:
    Apr 24, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Hello there. I am having the exact same problem. Installed shtracer.pl but it's giving me "No ss utility at .bin/ss" error. What path should I be changing it to?
     
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,346
    Likes Received:
    59
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    No idea. Might not even be installed on your machine. You could always type which ss and see if it shows that it is installed / what path it is using.

    m
     
  8. planetc

    planetc Registered

    Joined:
    Apr 24, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Thank you for the tip! It's working now. Thank you very much.
     