Trying to find Cause of CBL blocking

[Cybersalt]

My server's ip has been added to the SpamHaus CBL blacklist. I thought I found the infected client site that is the cause and cleaned it, but I keep getting relisted so I am missing something.

SpamHaus have given me excellent information to find the cause, but for the life of me I cannot find any record of the connection related to the info they gave me - despite grepping the heck out of my entire server, which I have full access to.

They have also provided a link to tool https://www.abuseat.org/shtracer.pl to use to monitor for the next activity that will get me back on the list, but I am climbing the learning curve to get that perl script to run on my ssh command line.

So while I continue to struggle away I thought I'd ask for help/advice here and in the process create a thread others in my situation may benefit from. I've not found anything current online that is helping me, so either I'm missing something bigtime or this is a new issue.

An abbreviation of what I have been told:

> This IP address is infected with or NATing for an infection of "Eitest".

>This was detected by a TCP connection from "xxx.xxx.xxx.xxx" on port "59095" going to IP address "192.42.xxx.xx" (the sinkhole) on port "80".

> This detection corresponds to a connection at Fri Apr 20 20:49:04 2018 UTC (this timestamp is believed accurate to within one second).

Detection Information Summary
Destination IP 192.42.xxx.xx
Destination port 80
Source IP xxx.xxx.xxx.xxx
Source port 59095
C&C name/domain example.com
Protocol TCP
Time Fri Apr 20 20:49:04 2018 UTC

 

[keat63]

Have a look in in the log/messages log, search for 192.42.xxx.xx
You should be able to determine the UID of the account causing the problem.


Take a look at this thread.
Find domain connection blocked by firewall - ConfigServer Community Forum

 

[mtindor]

Have a look in in the log/messages log, search for 192.42.xxx.xx
You should be able to determine the UID of the account causing the problem.


Take a look at this thread.
Find domain connection blocked by firewall - ConfigServer Community Forum

Chances are good that if he doesn't run the shtracer script, he isn't going to have any log of any kind that will reference the 192.42.xxx.xxx sinkhole address. That's the purpose of shtracer. And it sounds like he is somewhat confused about how to use shtracer.

Mike

 

[mtindor]

My server's ip has been added to the SpamHaus CBL blacklist. I thought I found the infected client site that is the cause and cleaned it, but I keep getting relisted so I am missing something.

SpamHaus have given me excellent information to find the cause, but for the life of me I cannot find any record of the connection related to the info they gave me - despite grepping the heck out of my entire server, which I have full access to.

They have also provided a link to tool https://www.abuseat.org/shtracer.pl to use to monitor for the next activity that will get me back on the list, but I am climbing the learning curve to get that perl script to run on my ssh command line.

So while I continue to struggle away I thought I'd ask for help/advice here and in the process create a thread others in my situation may benefit from. I've not found anything current online that is helping me, so either I'm missing something bigtime or this is a new issue.

An abbreviation of what I have been told:

> This IP address is infected with or NATing for an infection of "Eitest".

>This was detected by a TCP connection from "xxx.xxx.xxx.xxx" on port "59095" going to IP address "192.42.xxx.xx" (the sinkhole) on port "80".

> This detection corresponds to a connection at Fri Apr 20 20:49:04 2018 UTC (this timestamp is believed accurate to within one second).

Detection Information Summary
Destination IP 192.42.xxx.xx
Destination port 80
Source IP xxx.xxx.xxx.xxx
Source port 59095
C&C name/domain example.com
Protocol TCP
Time Fri Apr 20 20:49:04 2018 UTC

Here is a real quick and dirty way.

# create a directory where you are putting shtracer (example: /root/abuseat.org
mkdir /root/abuseat.org

# change to that directory
cd /root/abuseat.org

# download the script
wget https://www.abuseat.org/shtracer.pl

# edit the paths to lsof / ps / ss in the shtracer.pl script
# for CentOS 6 / CloudLinux 6 / probably any redhat based platform
# Locations of various utilities we use.
my $ss = '/usr/sbin/ss';
my $lsof = '/usr/sbin/lsof';
my $grep = '/bin/grep';

# test the script to make sure it is working
# using the CBL website IP address by default

• In one SSH session, switch to the directory where shtracer.pl is and run perl shtracer.pl
• In another SSH session run wget http://192.42.118.110
• Switch back to the first SSH session and you should see a log of activity related to 192.42.118.110
• ctrl-c to exit the shtracer.pl script

Assuming the shtracer session did reveal some information about the test access to the CBL site, you can continue below.
# Now edit shtracer.pl and set the sinkhole address to the one CBL told you was the triggered sinkhole address
my $sinkhole = '192.42.xxx.xxx';

Run perl shtracer.pl and wait for it to show activity. When you see activity in the shtracer.pl session, it is going to help you identify what processes on your machine are attempting to communicate with the sinkhole.

NOTE: Whatever is communicating with the sinkhole IP address and causing you to get blacklisted at CBL may not be a process that is running 24/7. You may run shtracer.pl and not see anything the whole time you are monitoring. You might have to set up a cron job to run it and pipe it to a log file, or use screen to fire off shtracer and log back in later to reference.

Quick and dirty you could do something like this (after making sure the sinkhole address is set):

perl /root/abuseat.org/shtracer.pl > /root/abuseat.org/tracer.log &

If you do that, you'll execute an shtracer process and fork it into the background . If it detects activity it will write what it logs to /root/abuseat.org/tracer.org for later viewing. shtracer will continue to run until you kill it or reboot. You can kill the script by finding the pid using something like ps to find the pid and kill it.

# ps auwx|grep shtra
root 8073 6.4 0.1 127332 3468 pts/0 S 08:08 0:02 perl ./shtracer.pl
# kill -9 8073

At any rate, that's quick and dirty. If your server is communicating with the sinkhole often / at the time you run shtracer, you should immediately start seeing information when running shtracer. But the offending scripts on your system may only be communicating with the sinkhole periodically, which is why you will probably end up having to force shtracer into the background and make it log to a logfile for later viewing.

A gazillion people on these forums could have given a better writeup on how to do this, and many would most likely have given some different instructions than I did. If you don't like my Q&D, wait for somebody else to post.

M

 

[cPanelLauren]

Hello, @Cybersalt

Please let us know if the suggestions noted here were of assistance in helping you set up the shtracer script, thank you to everyone for your responses.

You can also run something similar to that which we do internally, while not officially supported we do have the following CpanelInc/tech-SSE which is a powerful tool for identifying spam senders and may be helpful as well.

Thank you,

 

[planetc]

Hello there. I am having the exact same problem. Installed shtracer.pl but it's giving me "No ss utility at .bin/ss" error. What path should I be changing it to?

 

[mtindor]

Hello there. I am having the exact same problem. Installed shtracer.pl but it's giving me "No ss utility at .bin/ss" error. What path should I be changing it to?

No idea. Might not even be installed on your machine. You could always type which ss and see if it shows that it is installed / what path it is using.

m

 

[planetc]

No idea. Might not even be installed on your machine. You could always type which ss and see if it shows that it is installed / what path it is using.

m

Thank you for the tip! It's working now. Thank you very much.