1

Topic: Python process listening on UDP

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
====

NEW: --WARN-- [lin002i] The process `python' is listening on socket 47178 (UDP) on every interface.

I'm getting this warning from the Tiger auditing report. It wasn't producing this warning before today. I don't see this listed in open ports when I run nmap. I can see 2 running python processes currently, one by user iredapd and one by root. Should I be worried that the machine is hacked? I do not see anything related on the page that lists open ports used by iRedMail.


2

Re: Python process listening on UDP

baobab wrote:

Should I be worried that the machine is hacked?

YES.

iRedAPD should listen on port 7777 (TCP) by default, and is run by the root user at start, then drops privileges to the 'iredapd' user. I'm not sure why it listens on port 47178 and the UDP protocol; there might be something wrong, or maybe it's hacked.

Which iRedAPD version are you running? Please check it with command "ls -l /opt/"

3

Re: Python process listening on UDP

I'm running iRedAPD-1.9.1.

Today I got this:

--WARN-- [cron001w] cron entry for root does not use full pathname (python):
--WARN-- [cron001w] cron entry for root does not use full pathname (python):
--WARN-- [cron001w] cron entry for root does not use full pathname (python):

I've been trying to locate the entries but so far haven't found any (or possibly do not recognize them). I'm thinking this would be the easiest route to find out if it is an innocuous process.

4

Re: Python process listening on UDP

I found these 3 in /var/spool/cron/crontabs/root. I'm guessing none of them would be listening to a random UDP port?

# iRedAPD: Clean up expired tracking records hourly.
1   *   *   *   *   python /opt/iredapd/tools/cleanup_db.py >/dev/null

# iRedAPD: Convert SPF DNS record of specified domain names to IP
#          addresses/networks every 30 minutes.
*/30   *   *   *   *   python /opt/iredapd/tools/spf_to_greylist_whitelists.py >/dev/null
# iRedMail: Cleanup Amavisd database
1   2   *   *   *   python /opt/www/iredadmin/tools/cleanup_amavisd_db.py >/dev/null

5 (edited by baobab 2016-11-21 17:43:56)

Re: Python process listening on UDP

Maybe fail2ban server is the process listening on UDP? (though wouldn't explain why it shows up in logs just now)

6

Re: Python process listening on UDP

baobab wrote:

--WARN-- [cron001w] cron entry for root does not use full pathname (python):

Please run 'crontab -e' command, replace 'python' by its full path: /usr/bin/python (warning: use the correct path on your server).

baobab wrote:

Maybe fail2ban server is the process listening on UDP? (though wouldn't explain why it shows up in logs just now)

Fail2ban doesn't listen on any network port.

7

Re: Python process listening on UDP

For some reason only Tiger auditing reports claim that such a UDP port is open. Netstat or nmap don't show it as an open port. I found this as an open process, I wonder if it could be the culprit:

python /usr/sbin/denyhosts --daemon --purge --config=/etc/denyhosts.conf

8

Re: Python process listening on UDP

I didn't use 'denyhosts', so you'll have to do some research yourself. Sorry.

9 (edited by baobab 2016-11-23 04:02:23)

Re: Python process listening on UDP

Looks like the python process with the UDP port was something in denyhosts. I couldn't find any documentation on it, nor did I see the open port with anything except Tiger auditing report, but after uninstalling denyhosts I stopped getting the notification. Thanks for your help with narrowing it down.
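The two checks this thread circles around are (a) which process actually owns the UDP socket Tiger reported and which user it runs as, which is what post 2's description of iRedAPD starting as root and dropping to 'iredapd' calls for, and (b) why an audit run can see a socket that a later netstat or nmap does not (post 7). The script below is an added example written for this page; it is not code from the forum, from iRedMail, from Tiger or from DenyHosts. It assumes a Linux host with iproute2 `ss` and /proc, and that the number in Tiger's lin002i message is a UDP port. The three `ss` lines in SAMPLE_SS are constructed for illustration; `pids_on_wildcard_port` and `describe_pid` are names chosen here, and the PROCROOT parameter exists only so the /proc lookup can be exercised against a fake tree.

```shell
#!/bin/sh
# Added example, not code from the forum thread, iRedMail, Tiger or DenyHosts.
# Assumptions: Linux with iproute2 `ss` and a /proc filesystem; the number in
# Tiger's lin002i message is a UDP port bound on a wildcard address.

# Constructed sample of `ss -H -l -u -n -p` output (UDP sockets, no header,
# numeric addresses, owning process shown). Not captured from a real host.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:47178 0.0.0.0:* users:(("python",pid=1234,fd=5))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=611,fd=6))
UNCONN 0 0 [::]:5353 [::]:* users:(("avahi-daemon",pid=700,fd=12),("avahi-daemon",pid=701,fd=13))'

# pids_on_wildcard_port PORT   (reads `ss -H -l -u -n -p` output on stdin)
# Prints one pid per line for every UDP socket bound to PORT on a wildcard
# address (0.0.0.0, * or [::]), which is what Tiger calls "every interface".
# Sockets bound to a specific address such as 127.0.0.1 are ignored.
pids_on_wildcard_port() {
    awk -v port="$1" '
        BEGIN { pat = "^(0\\.0\\.0\\.0|\\*|\\[::\\]):" port "$" }
        $4 ~ pat {
            line = $0
            # one ss line can carry several pids sharing the same socket
            while (match(line, /pid=[0-9]+/)) {
                print substr(line, RSTART + 4, RLENGTH - 4)
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# describe_pid PID [PROCROOT]
# Prints "pid user exe cmdline" from /proc, so you can see whether the socket
# owner is the privileged parent (root) or the unprivileged worker (iredapd)
# and which script the interpreter is actually running. PROCROOT defaults to
# /proc; it is a parameter only so the function can be run against a fake tree.
describe_pid() {
    pid=$1
    proc=${2:-/proc}
    [ -d "$proc/$pid" ] || { echo "$pid (gone)"; return 1; }
    uid=$(awk '/^Uid:/ { print $2 }' "$proc/$pid/status")
    user=$(id -nu "$uid" 2>/dev/null || echo "$uid")
    exe=$(readlink "$proc/$pid/exe" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "$proc/$pid/cmdline" | sed 's/ *$//')
    printf '%s %s %s %s\n' "$pid" "$user" "$exe" "$cmd"
}

# check_udp_port PORT : the live version, run on the audited host.
# Run it as root: `ss -p` only shows processes you own otherwise, and the
# socket has to be caught while it exists, which is the whole point.
check_udp_port() {
    ss -H -l -u -n -p 2>/dev/null | pids_on_wildcard_port "$1" | while read -r p; do
        describe_pid "$p"
    done
}

# Usage on the real host:
#   check_udp_port 47178
```

The second question has a plain explanation that the script cannot show on its own: `ss -l -u` lists every unconnected UDP socket, and a process that merely sends a query (the C resolver binds an ephemeral UDP port on 0.0.0.0 while it waits for a DNS reply, for example) holds such a socket only for the duration of that exchange. An audit that happens to run at that moment reports it as "listening on every interface"; a netstat or nmap a few seconds later sees nothing. That is why the owner has to be caught with the process still running, and why the `user` column matters: an iRedAPD worker socket should belong to 'iredapd', and a root-owned socket deserves a look at its cmdline before concluding anything.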