Trying to find Cause of CBL blocking
My server's ip has been added to the SpamHaus CBL blacklist. I thought I found the infected client site that is the cause and cleaned it, but I keep getting relisted so I am missing something.
SpamHaus have given me excellent information to find the cause, but for the life of me I cannot find any record of the connection related to the info they gave me - despite grepping the heck out of my entire server, which I have full access to.
They have also provided a link to tool

This was detected by a TCP connection from "xxx.xxx.xxx.xxx" on port "59095" going to IP address "192.42.xxx.xx" (the

This detection corresponds to a connection at Fri Apr 20 20:49:04 2018 UTC (this timestamp is believed accurate to within one second).

Detection Information Summary
Destination IP: 192.42.xxx.xx
Destination port: 80
Source IP: xxx.xxx.xxx.xxx
Source port: 59095
C&C name/domain: example.com
Protocol: TCP
Time: Fri Apr 20 20:49:04 2018 UTC
Here is a real quick and dirty way.

# create a directory where you are putting shtracer (example: /root/abuseat.org)
mkdir /root/abuseat.org
# change to that directory
cd /root/abuseat.org
# download the script
wget-

Switch back to the first SSH session and you should see a log of activity related to 192.42.118.110

- ctrl-c to exit the shtracer.pl script

Assuming the shtracer session did reveal some information about the test access to the CBL site, you can continue below.

# Now edit shtracer.pl and set the sinkhole address to the one CBL told you was the triggered sinkhole address
my $sinkhole = '192.42.xxx.xxx';

Run perl shtracer.pl and wait for it to show activity. When you see activity in the shtracer.pl session, it is going to help you identify what processes on your machine are attempting to communicate with the sinkhole.

NOTE: Whatever is communicating with the sinkhole IP address and causing you to get blacklisted at CBL may not be a process that is running 24/7. You may run shtracer.pl and not see anything the whole time you are monitoring. You might have to set up a cron job to run it and pipe it to a log file, or use screen to fire off shtracer and log back in later to reference.

Quick and dirty you could do something like this (after making sure the sinkhole address is set):

perl /root/abuseat.org/shtracer.pl > /root/abuseat.org/tracer.log &

If you do that, you'll execute an shtracer process and fork it into the background. If it detects activity it will write what it logs to /root/abuseat.org/tracer.log for later viewing. shtracer will continue to run until you kill it or reboot. You can kill the script by finding the pid using something like ps to find the pid and kill it.

# ps auwx|grep shtra
root      8073  6.4  0.1 127332  3468 pts/0    S    08:08   0:02 perl ./shtracer.pl
# kill -9 8073

At any rate, that's quick and dirty. If your server is communicating with the sinkhole often / at the time you run shtracer, you should immediately start seeing information when running shtracer. But the offending scripts on your system may only be communicating with the sinkhole periodically, which is why you will probably end up having to force shtracer into the background and make it log to a logfile for later viewing.
A gazillion people on these forums could have given a better writeup on how to do this, and many would most likely have given some different instructions than I did. If you don't like my Q&D, wait for somebody else to post. M
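As an added example (this is not the shtracer.pl script from the answer above, whose source is not on this page), the following POSIX shell watcher does the same job the answer describes: it polls `ss -tnp` for TCP sockets whose peer is the sinkhole address and logs the state, local port, pid and program name, plus the owning user looked up from the pid, so the cPanel account running the offending script can be identified. The default sinkhole address is the CBL test address quoted above; the log path, the polling interval, the `sinkwatch.sh` filename and the `ss`/`ps` invocations are assumptions of this example, not anything CBL or the thread specified.

```shell
#!/bin/sh
# Added example, not the thread's shtracer.pl: poll `ss -tnp` for TCP sockets
# whose peer is the CBL sinkhole and log which local process owns them.
# Assumptions: the sinkhole IP (CBL's test address from the thread is the
# default), the log path and the polling interval are ours, not CBL's.

SINKHOLE="${SINKHOLE:-192.42.118.110}"               # sinkhole address (assumed)
LOGFILE="${LOGFILE:-/root/abuseat.org/tracer.log}"   # log path (assumed)

# extract_sinkhole_hits SINKHOLE_IP  < output-of-`ss -tnp`
# Prints one line per socket whose peer address is SINKHOLE_IP:
#   <state> <local-addr:port> <pid> <program>      ("-" when unknown)
# Handles plain IPv4 peers and IPv4-mapped IPv6 peers ([::ffff:a.b.c.d]).
# pid/program come from the users:(("prog",pid=N,fd=M)) column, which ss
# only fills in when run as root.
extract_sinkhole_hits() {
    awk -v sink="$1" '
        NR == 1 { next }                         # skip the ss header line
        {
            addr = $5                            # "Peer Address:Port"
            sub(/:[0-9]+$/, "", addr)            # drop :port
            sub(/^\[::ffff:/, "", addr)          # unwrap IPv4-mapped IPv6
            sub(/\]$/, "", addr)
            if (addr != sink) next
            pid = "-"; prog = "-"
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                u = substr($0, RSTART, RLENGTH)  # users:(("prog",pid=N
                sub(/users:\(\("/, "", u)        # prog",pid=N
                split(u, parts, "\"")            # parts[1]=prog parts[2]=,pid=N
                prog = parts[1]
                sub(/^,pid=/, "", parts[2])
                pid = parts[2]
            }
            print $1, $4, pid, prog
        }'
}

# watch_sinkhole SINKHOLE_IP LOGFILE [INTERVAL]
# Polls every INTERVAL seconds (default 1) and appends a UTC-timestamped line
# per hit, with the owning user resolved from the pid. Run it in the background
# or under screen, as the thread suggests, because the offending script may
# only phone home occasionally and ss only shows sockets open at poll time.
watch_sinkhole() {
    sink="$1"; log="$2"; interval="${3:-1}"
    command -v ss >/dev/null 2>&1 || { echo "ss utility not found in PATH" >&2; return 1; }
    while :; do
        ss -tnp 2>/dev/null | extract_sinkhole_hits "$sink" |
        while read -r state laddr pid prog; do
            owner="-"
            if [ "$pid" != "-" ]; then
                owner=$(ps -o user= -p "$pid" 2>/dev/null || echo '-')
            fi
            printf '%s %s local=%s pid=%s prog=%s user=%s\n' \
                "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$state" "$laddr" \
                "$pid" "$prog" "$owner" >> "$log"
        done
        sleep "$interval"
    done
}

# Usage:  nohup sh sinkwatch.sh --watch &      then:  tail -f "$LOGFILE"
case "${1:-}" in
    --watch) watch_sinkhole "$SINKHOLE" "$LOGFILE" ;;
esac
```

Two caveats match the thread's own notes: `ss -p` only reports pids for other users' sockets when run as root, and a connection that opens and closes between two polls is never seen, so keep the interval short and leave the watcher running (or in cron) long enough to cover whatever schedule the malicious script is on. Once a pid shows up, `ps -o user=,cmd= -p PID` and `ls -l /proc/PID/cwd` point at the account and the directory the script runs from.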
Hello, @Cybersalt Please let us know if the suggestions noted here were of assistance in helping you set up the shtracer script, and thank you to everyone for your responses. You can also run something similar to what we do internally: while not officially supported, we do have the following, CpanelInc/tech-SSE, which is a powerful tool for identifying spam senders and may be helpful as well. Thank you,
Hello there. I am having the exact same problem. Installed shtracer.pl but it's giving me "No ss utility at .bin/ss" error. What path should I be changing it to?
No idea. Might not even be installed on your machine. You could always type which ss and see if it shows that it is installed / what path it is using. m
Thank you for the tip! It's working now. Thank you very much.