Who sends data to one IP?

pppplus (Verified User, joined Dec 19, 2008, 526 messages)
Checking logs this morning, I see a lot of lines like this:

Code:
kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=94.23.246.189 DST=208.83.137.117 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33114 DF PROTO=TCP SPT=50842 DPT=2703 WINDOW=14600 RES=0x00 SYN URGP=0

These IPs appear a lot of times: 208.83.137.117 and 208.83.137.118

So it seems that a website sends data to these IPs, which are known to spam forums.

How do I find which file/website does this?

Thanks for your help
 
Hello,

What are you using? CSF? DirectAdmin iptables? Or manually configured iptables?

Anyway, you might want to add

Code:
 --log-uid

to your iptables LOG lines, so you can see the user ID that sends such requests.
 
Hi again, you are in every post!!

I use CSF.
Where do I add this line?
 
See

Code:
iptables-save

in order to learn what your LOGDROPOUT lines look like; you'll need it when you re-add them.


Code:
iptables -L LOGDROPOUT --line-numbers

Find your line with *TCP_OUT Blocked* and see its number.

In my example it is 1.

Code:
[root@server csf]# iptables -L LOGDROPOUT --line-numbers
Chain LOGDROPOUT (1 references)
num  target     prot opt source               destination
1    LOG        tcp  --  anywhere             anywhere            limit: avg 30/min burst 5 LOG level warning prefix `Firewall: *TCP_OUT Blocked* '
2    LOG        udp  --  anywhere             anywhere            limit: avg 30/min burst 5 LOG level warning prefix `Firewall: *UDP_OUT Blocked* '
3    LOG        icmp --  anywhere             anywhere            limit: avg 30/min burst 5 LOG level warning prefix `Firewall: *ICMP_OUT Blocked* '
4    DROP       all  --  anywhere             anywhere

Then delete the last and the first rules:

Code:
iptables -D LOGDROPOUT 4
iptables -D LOGDROPOUT 1

and re-add them as

Code:
iptables -A LOGDROPOUT -p tcp -m limit --limit 30/min -j LOG --log-uid --log-prefix "Firewall: *TCP_OUT Blocked* "
iptables -A LOGDROPOUT -j DROP

e.g.

Code:
[root@server csf]# iptables -L LOGDROPOUT --line-numbers
Chain LOGDROPOUT (1 references)
num  target     prot opt source               destination
1    LOG        udp  --  anywhere             anywhere            limit: avg 30/min burst 5 LOG level warning prefix `Firewall: *UDP_OUT Blocked* '
2    LOG        icmp --  anywhere             anywhere            limit: avg 30/min burst 5 LOG level warning prefix `Firewall: *ICMP_OUT Blocked* '
3    LOG        tcp  --  anywhere             anywhere            limit: avg 30/min burst 5 LOG level warning uid prefix `Firewall: *TCP_OUT Blocked* '
4    DROP       all  --  anywhere             anywhere


Note: if you restart csf, you'll lose your modification.
 
Thanks zEitEr

Peter: it was a compliment to zEitEr. When I read your message, it seems you believe that I am not happy that zEitEr answered me. But my English is not very good, so maybe I misunderstood.
It's always a pleasure when someone answers my questions! And zEitEr is very nice, and replies very quickly in a lot of my posts.

OK, I just did what you wrote to me, zEitEr, and now I have the uid of the user... And as I supposed, it's user Admin. I suppose this because I have a lot of NULL requests with the main domain in /server-status.

So now, how do I find which file, or which request, can provoke these lines?
Yesterday, I banned the 2 IPs, and it stopped, but today, same problem with a new IP.
Requests are made about every 3 min.

Thanks for your help.
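Once the LOG rule carries --log-uid, as in zEitEr's LOGDROPOUT procedure above, every "*TCP_OUT Blocked*" line gains UID= and GID= fields, and the remaining question in this post (which user, and which destination, keeps triggering the block) becomes a counting exercise over the log. The following script is an added example, not code from the thread or from CSF: it parses lines in the format quoted in the first post, maps the UID to a user name, and counts blocked outbound connections per (user, DST, DPT). The sample lines are constructed for the example; the SRC/DST addresses are the ones from the original post, the other packet fields and the UID values are made up, and the passwd mapping used for offline runs is an assumption. On a real server you would pipe the firewall log through it and let it resolve UIDs against the local passwd database.

```python
"""Summarise '*TCP_OUT Blocked*' firewall log lines by sending user and destination."""
import pwd
import re
import sys
from collections import Counter

# Prefix written by the csf LOGDROPOUT rules; only *_OUT Blocked lines are of interest.
PREFIX_RE = re.compile(r"Firewall: \*([A-Z]+_OUT Blocked)\*")
# netfilter LOG writes KEY=VALUE pairs; IN= is legitimately empty for outbound traffic.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample log lines (not real server output). SRC/DST are the addresses
# quoted in the original post; UID/GID are the fields that --log-uid adds.
SAMPLE_LINES = [
    "kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=94.23.246.189 DST=208.83.137.117 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33114 DF PROTO=TCP SPT=50842 DPT=2703 WINDOW=14600 RES=0x00 SYN URGP=0 UID=48 GID=48",
    "kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=94.23.246.189 DST=208.83.137.118 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33201 DF PROTO=TCP SPT=50901 DPT=2703 WINDOW=14600 RES=0x00 SYN URGP=0 UID=48 GID=48",
    "kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=94.23.246.189 DST=208.83.137.117 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33377 DF PROTO=TCP SPT=51044 DPT=2703 WINDOW=14600 RES=0x00 SYN URGP=0 UID=48 GID=48",
    # UDP line: skipped by summarise(), which only looks at TCP_OUT.
    "kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=94.23.246.189 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=123 LEN=56 UID=0 GID=0",
    # Line logged before --log-uid was added: no UID field at all.
    "kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=94.23.246.189 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40001 DF PROTO=TCP SPT=52000 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0",
]


def parse_line(line):
    """Return a dict of KEY=VALUE fields for one *_OUT Blocked line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group(1)}
    for key, value in FIELD_RE.findall(line[m.end():]):
        fields[key] = value
    return fields


def uid_name(uid, passwd=None):
    """Map a numeric UID to a user name.

    passwd: optional {uid: name} dict so the code runs offline (assumed mapping);
    when None, the local passwd database is consulted.
    """
    if passwd is not None:
        return passwd.get(uid, f"uid:{uid}")
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return f"uid:{uid}"


def summarise(lines, passwd=None):
    """Count blocked outbound TCP connections per (user, DST, DPT)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None or f["PREFIX"] != "TCP_OUT Blocked":
            continue
        if "UID" in f:
            user = uid_name(int(f["UID"]), passwd)
        else:
            user = "unknown (no --log-uid)"
        counts[(user, f.get("DST"), f.get("DPT"))] += 1
    return counts


def top_talkers(counts, n=10):
    """Return the n busiest (user, DST, DPT) triples, most hits first."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    # Read the firewall log from stdin; fall back to the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for (user, dst, dpt), hits in top_talkers(summarise(source)):
        print(f"{hits:6d}  {user:<16} -> {dst}:{dpt}")
```

With the sample data the top entry is the web server user (UID 48 in the assumed mapping) repeatedly connecting to 208.83.137.117:2703, which is exactly the pairing the first post asks about; the destination port is often the quickest hint about which daemon is responsible once the user is known. Running it on a real log: `grep 'TCP_OUT Blocked' /var/log/messages | python3 outblocks.py`.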
 
After a new search, I found that my 3 strange IPs come from cloudmark.com.

But why ?
I do not use their services.
 
Another good but a little bit more complex solution you might want to try is to forward all outgoing traffic from your server to remote port 80 via a transparent proxy (Squid, for example, or anything else); in this case you'll always know who requests what, and can control it.

Note: as I don't know how the law might treat this at your location, or the location of your servers (is it allowed to inspect the traffic of your customers?), you'd better check your TOS, etc., and consult a lawyer.
 
Razor

Hi, 5 years later I had the same question. The answer is that you are very likely running SpamAssassin and spamd, which is contacting discovery.razor.cloudmark.com

Code:
ping discovery.razor.cloudmark.com
PING discovery.razor.cloudmark.com (208.83.137.117) 56(84) bytes of data.
64 bytes from d301.cloudmark.com (208.83.137.117): icmp_seq=1 ttl=50 time=115 ms
64 bytes from d301.cloudmark.com (208.83.137.117): icmp_seq=2 ttl=50 time=117 ms

more info here:

https://wiki.apache.org/spamassassin/UsingRazor

J
 