#1
Hi!
It seems like my computer has a http-proxy function and it has been forwarding spam mail:

> Received: from x.x.x.202 by by11fd.bay11.hotmail.msn.com with
> HTTP; Sat, 10 Jan 2004 18:06:58 GMT

I tried to find any proxy service:

    # cat /etc/services | grep proxy
    socks 1080/tcp # socks proxy server
    socks 1080/udp # socks proxy server
    trnsprntproxy 3346/tcp # Trnsprnt Proxy
    trnsprntproxy 3346/udp # Trnsprnt Proxy
    squid 3128/tcp # squid web proxy
    tircproxy 7666/tcp # Tircproxy
    tproxy 8081/tcp # Transparent Proxy
    tproxy 8081/udp # Transparent Proxy

How can I find out which processes are listening to these ports, and which commands or sw has started those daemons?

Here is the only proxy process I manage to find:

    # ps axu | grep proxy
    postfix 4989 0.0 0.0 4308 276 ? S 22:42 0:00 proxymap -t unix -u
    root 6524 0.0 0.1 1824 616 pts/3 R 23:34 0:00 grep proxy

If I find out which programs are running these services, I could investigate to see if I can configure the daemons differently, and I could investigate to see if the software might have been installed by intruders.
#2
On 2004-01-13, Amund <sjaavaag.nospam@bigfoot.com> wrote:
> How can I find out which processes are listening to these ports, and which
> commands or sw has started those daemons?

Netstat is a friend. For example, a "netstat -epa --protocol inet" would give you this information. However, investigate the command yourself since it has many more nice options.

Cheers,
Björn Sjöberg

--
The trouble with having an open mind, of course, is that people will insist on coming along and trying to put things in it.
-- (Terry Pratchett, Diggers)
#3
In article <%q_Mb.1243$Ed.23599@news4.e.nsc.no>, Amund wrote:
> It seems like my computer has a http-proxy function and it has been
> forwarding spam mail:
>
>> Received: from x.x.x.202 by by11fd.bay11.hotmail.msn.com with
>> HTTP; Sat, 10 Jan 2004 18:06:58 GMT

The x.x.x.202 I suppose is your IP, as in the NNTP-Posting-Host header? This is excerpted from an actual spam someone got and complained to you about? Are you sure it's not a forged header? If so, pull this thing off the network until you know how you're being used as a spam launcher. It could get you in serious trouble.

> I tried to find any proxy service:
>
> # cat /etc/services | grep proxy

UUOC. "grep proxy /etc/services" does it. A couple of days ago I posted here a brief description of what /etc/services is for. Please review that.

> How can I find out which processes are listening to these ports, and which
> commands or sw has started those daemons?

You are looking in the wrong place. The service name I'd think most likely culpable is "http", and the process name would be "httpd". Anyway, why do you think these services are running? Try man pages for nmap(8) and netstat(8).

> If I find out which programs are running these services, I could
> investigate to see if I can configure the daemons differently, and I could
> investigate to see if the software might have been installed by intruders.

That should be the plan, yes.

--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
#4
Bjorn Sjoberg wrote:
> On 2004-01-13, Amund <sjaavaag.nospam@bigfoot.com> wrote:
>> How can I find out which processes are listening to these ports, and
>> which commands or sw has started those daemons?
>
> Netstat is a friend. For example, a "netstat -epa --protocol inet" would
> give you this information. However, investigate the command yourself
> since it has many more nice options.
>
>
> Cheers,
> Björn Sjöberg
>

Thank you for the help. I think I had a proxy server on port 80. When the package apache2-mod_proxy is installed, there is a proxy on port 80, and if I remove this package, there is no proxy on this port. Is there any easy way to check if I might have any proxy running on other ports?

Amund
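
For the question about listeners on other ports, an added example (not code from any post in this thread): it parses the kernel's `/proc/net/tcp` table for IPv4 sockets in LISTEN state, keeps those bound to a non-loopback address, and matches each socket inode to the owning process through `/proc/<pid>/fd`. The sample table is constructed, and the address decoding assumes a little-endian (x86) host.

```python
import glob, os, re, socket, struct
# Constructed sample in /proc/net/tcp layout (trailing columns omitted).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1305
   2: 0A00000A:0016 0200000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1410
   3: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1502
"""

def listeners(table_text):
    """Return (ip, port, uid, inode) for every socket in LISTEN state (st == 0A)."""
    rows = []
    for line in table_text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        addr_hex, port_hex = f[1].split(":")
        # Assumption: little-endian host (x86), so the address bytes are reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        rows.append((ip, int(port_hex, 16), int(f[7]), int(f[9])))
    return rows

def exposed(rows):
    """Keep listeners bound to something other than loopback (reachable remotely)."""
    return [r for r in rows if not r[0].startswith("127.")]

def inode_owners(proc="/proc"):
    """Map socket inode -> (pid, command line) via the /proc/<pid>/fd symlinks."""
    owners = {}
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
            if m:
                pid = fd.split(os.sep)[-3]
                with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                    cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
                owners[int(m.group(1))] = (int(pid), cmd)
        except OSError:
            continue          # process exited, or not root and fd is unreadable
    return owners

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")   # fall back to the sample off Linux
    text = open("/proc/net/tcp").read() if live else SAMPLE
    owners = inode_owners() if live else {}
    for ip, port, uid, inode in exposed(listeners(text)):
        print(f"{ip}:{port} uid={uid} inode={inode} owner={owners.get(inode, 'unknown')}")
```

Run it as root so sockets owned by other users can be matched to a process. IPv6 listeners are in `/proc/net/tcp6`, which this IPv4-only example does not read.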