# Torbutton and freenode.net



## z0ran (Jun 22, 2009)

I was trying torbutton and vidalia and got banned from freenode.net. Now I don't have it any more but I'm still banned. I was trying to contact somebody from freenode, but the only one I can contact is kline@freenode.net, which asked me for information from http://myip.dk/. After I provided it, there was no response whatsoever and I'm still banned. Does anyone have any idea what I should do to get back on the channels, please?
Thanks in advance!


----------



## DutchDaemon (Jun 22, 2009)

IIRC, 'kline' is the account associated with the IP blocking system (BOPM). Usually, an IP gets blocked immediately when it appears in one of the open proxy blacklist databases. I don't know which are the prevailing OPM blacklists nowadays (used to be Blitzed, but they're gone). I guess you could try querying your IP at http://www.spamhaus.org/XBL/ to see whether it has any security problems associated with it.


----------



## z0ran (Jun 22, 2009)

So, I'm not on XBL or SBL, but I'm listed on the Policy Block List (PBL). Now, they say I'm not a spammer and that I can remove my IP, but only if I have a mail server and a static public IP, not if I use ADSL and so on, which I do.
They don't say anything about torbutton, which is the reason why I was banned on freenode.net. How to get out of this, I have no idea. God damn torbutton, I'll remember that thing for sure. This is not good at all.


----------



## DutchDaemon (Jun 22, 2009)

Forget PBL, every residential/dynamic IP address is in it, and PBL is only used by mail servers, not by IRC, Freenode, or any other non-smtp network.


----------
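
Added example, not part of any post in this thread: the SBL/XBL/PBL distinction discussed above, as a lookup against the combined Spamhaus zone `zen.spamhaus.org` that separates a PBL-only result from the listings that point at a host problem. The `resolver` parameter, the `actionable` field and the sample address (from the documentation range) are assumptions made for this example.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"  # Spamhaus zone combining SBL, XBL and PBL


def dnsbl_name(ip, zone=ZEN_ZONE):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(code):
    """Map one ZEN answer (an A record in 127.0.0.0/8) to a list name."""
    if code.startswith("127.255.255."):
        return "ERROR"  # query refused, e.g. sent through a public resolver
    if not code.startswith("127.0.0."):
        return "UNKNOWN"
    last = int(code.rsplit(".", 1)[1])
    if last in (2, 3, 9):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "UNKNOWN"


def system_resolver(name):
    """Live lookup; a name that does not resolve means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check(ip, resolver=system_resolver):
    lists = sorted({classify(code) for code in resolver(dnsbl_name(ip))})
    # PBL marks address ranges that should not deliver mail directly, so it
    # says nothing about proxies; SBL/XBL are the listings worth chasing.
    return {"lists": lists, "actionable": any(l in ("SBL", "XBL") for l in lists)}


if __name__ == "__main__":
    # Constructed answers for a documentation address; no network needed.
    canned = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.10"]}
    print(check("192.0.2.10", resolver=lambda n: canned.get(n, [])))
```

An `ERROR` result means the zone refused the query, so it must not be read as "clean".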



## DutchDaemon (Jun 22, 2009)

I did a quick check on your IP, but it doesn't appear to be listed anywhere. However, almost every IRC network runs a quick check on your IP address when connecting, and if the scanner finds anything strange (like an open proxy), it will ban you immediately. Is there any chance you may be running something that may act as an open proxy, like a poorly configured Squid, Apache, or any other proxy-capable stuff?


----------



## z0ran (Jun 22, 2009)

I have Apache configured, but I have had it for a long time. I had installed Privoxy, which I deinstalled after torbutton. It is also saying that I should install identd, and I don't know how to install it. The problem started with torbutton, because I don't know much about configuring proxies and stuff.
I somehow got through on irc.nac.net, and there on #freenode I explained the problem, and they said that I should send all the information to kline@freenode.net, which I did, and that there is nothing I can do before they clear me from the list.


----------



## SirDice (Jun 22, 2009)

You don't need ident and it is advised not to run it. IRC servers do still check for it but on most IRC networks it's not needed.


----------



## z0ran (Jun 22, 2009)

I was reading about ident and I'm not going to change anything in my inetd.conf. I just hope they will let me connect again.


----------



## DutchDaemon (Jun 22, 2009)

Run `sockstat -l4` on your machine and see if you're running anything you don't recognise (or don't want anymore).


----------



## z0ran (Jun 22, 2009)

DutchDaemon, this is all I have, and I don't see that anything is so wrong:

```
beastie  opera      1407  23 tcp4   *:18768               *:*
www      httpd      1294  3  tcp46  *:80                  *:*
www      httpd      1294  4  tcp4   *:*                   *:*
www      httpd      1294  5  tcp46  *:443                 *:*
www      httpd      1294  6  tcp4   *:*                   *:*
www      httpd      1293  3  tcp46  *:80                  *:*
www      httpd      1293  4  tcp4   *:*                   *:*
www      httpd      1293  5  tcp46  *:443                 *:*
www      httpd      1293  6  tcp4   *:*                   *:*
www      httpd      1292  3  tcp46  *:80                  *:*
www      httpd      1292  4  tcp4   *:*                   *:*
www      httpd      1292  5  tcp46  *:443                 *:*
www      httpd      1292  6  tcp4   *:*                   *:*
www      httpd      1291  3  tcp46  *:80                  *:*
www      httpd      1291  4  tcp4   *:*                   *:*
www      httpd      1291  5  tcp46  *:443                 *:*
www      httpd      1291  6  tcp4   *:*                   *:*
www      httpd      1290  3  tcp46  *:80                  *:*
www      httpd      1290  4  tcp4   *:*                   *:*
www      httpd      1290  5  tcp46  *:443                 *:*
www      httpd      1290  6  tcp4   *:*                   *:*
root     sendmail   1222  3  tcp4   127.0.0.1:25          *:*
root     httpd      1209  3  tcp46  *:80                  *:*
root     httpd      1209  4  tcp4   *:*                   *:*
root     httpd      1209  5  tcp46  *:443                 *:*
root     httpd      1209  6  tcp4   *:*                   *:*
mysql    mysqld     1186  10 tcp4   *:3306                *:*
root     sshd       1125  4  tcp4   *:22                  *:*
root     snmptrapd  1105  10 udp4   *:162                 *:*
root     smbd       1096  19 tcp4   *:445                 *:*
root     smbd       1096  20 tcp4   *:139                 *:*
root     nmbd       1092  6  udp4   *:137                 *:*
root     nmbd       1092  7  udp4   *:138                 *:*
root     nmbd       1092  8  udp4   192.168.1.100:137     *:*
root     nmbd       1092  9  udp4   192.168.1.100:138     *:*
root     ntpd       1057  20 udp4   *:123                 *:*
root     ntpd       1057  22 udp4   192.168.1.100:123     *:*
root     ntpd       1057  25 udp4   127.0.0.1:123         *:*
root     syslogd    946   7  udp4   *:514                 *:*
```


----------



## DutchDaemon (Jun 22, 2009)

I'm slightly worried by the `*:*` values of httpd in the 'LOCAL ADDRESS' column. I only run IPv4 myself, not a combination of v4/v6, but I've never seen such wildcard entries for httpd.


----------



## z0ran (Jun 22, 2009)

I don't know, everything was working great before I installed torbutton, Privoxy and vidalia. I deinstalled all 3 of them and the only thing is that I cannot connect to freenode.net.
This is the message I get when I try to connect to freenode.net:


```
[verio]  *** Processing connection to irc.wh.verio.net
[verio]  *** Looking up your hostname...
[verio]  *** Checking Ident
[verio]  *** Found your hostname
[verio]  *** No Ident response
[verio]  You need to install identd to use this server
[verio]  *** Processing connection to irc.wh.verio.net
[verio]  *** Looking up your hostname...
[verio]  *** Checking Ident
[verio]  *** Found your hostname
[verio]  *** No Ident response
[verio]  You need to install identd to use this server
[choopa]  *** Processing connection to irc.choopa.net
[choopa]  *** Looking up your hostname...
[choopa]  *** Checking Ident
[choopa]  *** No Ident response
[choopa]  *** Found your hostname
[choopa]  *** Processing connection to irc.choopa.net
[choopa]  *** Looking up your hostname...
[choopa]  *** Checking Ident
[choopa]  *** Found your hostname
[choopa]  *** No Ident response
[easynews]  *** Processing connection to irc.easynews.com
[easynews]  *** Looking up your hostname...
[easynews]  *** Checking Ident
[easynews]  *** Found your hostname
[easynews]  *** No Ident response
[easynews]  *** Banned Temporary K-line 1440 min. - TOR Server detected - see
            http://www.sectoor.de/tor.php for more information (2009/6/21
            10.27)
[easynews]  *** Processing connection to irc.easynews.com
[easynews]  *** Looking up your hostname...
[easynews]  *** Checking Ident
[easynews]  *** Found your hostname
[easynews]  *** No Ident response
[easynews]  *** Banned Temporary K-line 1440 min. - TOR Server detected - see
            http://www.sectoor.de/tor.php for more information (2009/6/21
            10.27)
                                                                    [OperView]
-:- *beep**beep**beep**beep**beep*X: Auto Response is set to - z0ran
-:- Connecting to port 6667 of server irc.foxlink.net [refnum 0]
-:- Connection closed from irc.foxlink.net: Unknown error: 0
-:- Connecting to port 6667 of server irc.weblook2k.com [refnum 1]
-:- Connecting to port 6667 of server irc.weblook2k.com [refnum 1]
-:- Connecting to port 6667 of server irc.wh.verio.net [refnum 2]
-:- beastie  Nickname is already in use.
-:- Closing Link: 127.0.0.1 (Install identd)
-:- Connection closed from irc.wh.verio.net: Unknown error: 0
-:- Connecting to port 6667 of server irc.wh.verio.net [refnum 2]
-:- Closing Link: 127.0.0.1 (Install identd)
-:- Connection closed from irc.wh.verio.net: Unknown error: 0
-:- Connecting to port 6667 of server irc.choopa.net [refnum 3]
-:- beastie  Nickname is already in use.
-:- Closing Link: 77-105-55-173.adsl-1.sezampro.yu (*** Banned )
-:- Connection closed from irc.choopa.net: Unknown error: 0
-:- Connecting to port 6667 of server irc.choopa.net [refnum 3]
-:- Closing Link: 77-105-55-173.adsl-1.sezampro.yu (*** Banned )
-:- Connection closed from irc.choopa.net: Unknown error: 0
-:- Connecting to port 6667 of server irc.easynews.com [refnum 4]
-:- beastie  Nickname is already in use.
-:- Closing Link: 127.0.0.1 (*** Banned )
-:- Connection closed from irc.easynews.com: Unknown error: 0
-:- Connecting to port 6667 of server irc.easynews.com [refnum 4]
-:- Closing Link: 127.0.0.1 (*** Banned )
-:- Connection closed from irc.easynews.com: Unknown error: 0
-:- Connecting to port 6667 of server irc.limelight.us [refnum 5]
-:- Connecting to port 6667 of server irc.limelight.us [refnum 5]
```

The only reason I can see is "TOR server detected", it doesn't complain about anything else. And yes, "Banned Temporary K-line 1440 min. - TOR Server detected - see", that is so many minutes.


----------



## DutchDaemon (Jun 22, 2009)

Try shutting down your Apache and then run `sockstat -l4` again. If there are still www/httpd processes running after you closed Apache down, 'something' is mimicking Apache and still running on your system. If all httpd processes disappear, try connecting to IRC without restarting Apache. At least you'll know if that improves things. BTW, the K-Line error message states that your IP will be listed for 24 hours (1440 minutes) regardless, so reconnecting earlier than this time tomorrow may not give you access whether you close Apache or not.

The identd stuff .. well, it's up to you. I don't have it installed, and I can connect to EFnet through irc.prison.net without any problem.


----------



## z0ran (Jun 22, 2009)

I shut down Apache and no www/httpd was running, all httpd is gone and I still cannot connect to freenode.net. Also, I'm not going to install the identd stuff. I was reading that if I want identd to start I have to enable all the "auth" lines in my inetd.conf, but then my security can be jeopardized. So no, and after all, I can wait for 24 hours, no problem.
Thanks a lot, DutchDaemon, for your time and advice, I appreciate it!


----------



## DutchDaemon (Jun 22, 2009)

Did you need to make any changes to your httpd.conf for Tor, or did you build Apache with any proxy support? I'm still intrigued by that weird sockstat output. If you don't need any proxy support and you do have it enabled in Apache, I suggest you rebuild Apache with the proxy settings disabled in make config:

```
[...]
[ ] PROXY                 Enable mod_proxy
[ ] PROXY_CONNECT         Enable mod_proxy_connect
[X] PATCH_PROXY_CONNECT   Patch proxy_connect SSL support
[ ] PROXY_FTP             Enable mod_proxy_ftp
[ ] PROXY_HTTP            Enable mod_proxy_http
[ ] PROXY_AJP             Enable mod_proxy_ajp
[ ] PROXY_BALANCER        Enable mod_proxy_balancer
[...]
```


----------



## z0ran (Jun 22, 2009)

I didn't touch my httpd.conf or any other conf when I installed Tor, and when I built apache22 I left the settings at their defaults, so my MySQL, Apache22, PHP and mediawiki are good so far, I mean, I never had any problem. Now I'm also concerned about my weird sockstat output. Can you show me, for example, what normal sockstat output for www/httpd looks like, or something?
The only thing I did with tor and vidalia is install them, and I didn't keep them for long, only 2 days, that is all I did.
You really make me think about my Apache now. I'll definitely go through the book about Apache and sockstat output.


----------



## SirDice (Jun 22, 2009)

If you don't bind apache to a specific address it will bind to `*:80` (and/or `*:443` if you have SSL enabled), the part that's 'weird' about it is httpd being bound to `*:*`


----------



## DutchDaemon (Jun 22, 2009)

Right.

This is normal (for an IPv4 setup);


```
www      httpd      15611 3  tcp4   *:80                  *:*
www      httpd      15611 4  tcp4   *:443                 *:*
www      httpd      81862 3  tcp4   *:80                  *:*
www      httpd      81862 4  tcp4   *:443                 *:*
www      httpd      81215 3  tcp4   *:80                  *:*
www      httpd      81215 4  tcp4   *:443                 *:*
www      httpd      79659 3  tcp4   *:80                  *:*
www      httpd      79659 4  tcp4   *:443                 *:*
www      httpd      1331  3  tcp4   *:80                  *:*
www      httpd      1331  4  tcp4   *:443                 *:*
www      httpd      62269 3  tcp4   *:80                  *:*
www      httpd      62269 4  tcp4   *:443                 *:*
www      httpd      8727  3  tcp4   *:80                  *:*
www      httpd      8727  4  tcp4   *:443                 *:*
www      httpd      71064 3  tcp4   *:80                  *:*
www      httpd      71064 4  tcp4   *:443                 *:*
www      httpd      85687 3  tcp4   *:80                  *:*
www      httpd      85687 4  tcp4   *:443                 *:*
www      httpd      25621 3  tcp4   *:80                  *:*
www      httpd      25621 4  tcp4   *:443                 *:*
root     httpd      98789 3  tcp4   *:80                  *:*
root     httpd      98789 4  tcp4   *:443                 *:*
```


----------
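
Added example, not part of any post in this thread: the `sockstat -l4` review discussed in the posts above, as a script that groups listeners per command into those reachable from other hosts, those bound to loopback only, and rows whose local address is `*:*`. The sample rows are copied from the output posted earlier; the function names and report fields are assumptions made for this example.

```python
from collections import defaultdict

# Rows copied from the `sockstat -l4` output posted earlier in the thread.
SAMPLE = """\
www      httpd      1294  3  tcp46  *:80                  *:*
www      httpd      1294  4  tcp4   *:*                   *:*
www      httpd      1294  5  tcp46  *:443                 *:*
www      httpd      1294  6  tcp4   *:*                   *:*
root     sendmail   1222  3  tcp4   127.0.0.1:25          *:*
mysql    mysqld     1186  10 tcp4   *:3306                *:*
root     sshd       1125  4  tcp4   *:22                  *:*
root     nmbd       1092  8  udp4   192.168.1.100:137     *:*
"""


def parse_sockstat(text):
    """Yield (command, proto, address, port) for each socket row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "USER":
            continue  # header, blank or wrapped line
        _user, command, _pid, _fd, proto, local, _foreign = fields
        address, _, port = local.rpartition(":")
        yield command, proto, address, port


def audit(text):
    """Group listeners per command by how far they are reachable."""
    report = defaultdict(lambda: {"exposed": set(), "loopback": set(), "no_port": 0})
    for command, proto, address, port in parse_sockstat(text):
        entry = report[command]
        if port == "*":
            entry["no_port"] += 1  # local address '*:*', the rows queried above
        elif address.startswith("127."):
            entry["loopback"].add(f"{proto}/{port}")
        else:
            entry["exposed"].add(f"{proto}/{port}")  # wildcard or LAN address
    return dict(report)


if __name__ == "__main__":
    for command, entry in sorted(audit(SAMPLE).items()):
        print(command, sorted(entry["exposed"]), sorted(entry["loopback"]),
              "rows without a port:", entry["no_port"])
```

On a live system, feed it the real listing with `audit(subprocess.check_output(["sockstat", "-l4"], text=True))`.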



## DutchDaemon (Jun 22, 2009)

If someone could check what it looks like in a IPv6 or a mixed IPv4/IPv6 setup, that would be nice. Maybe the `*:*` output is some side-effect of mixed setups, but I doubt it. Still, if someone else sees this type of output, it may be ok.


----------



## z0ran (Jun 23, 2009)

btw, when I built apache22 I also built it with SSL support, but I don't think that this is a problem. And yes, you were right about one thing, DutchDaemon: I received mail from freenode. Guess what, they think that I still have god damn tor:


```
Hi,

Our utility bot still believes you're listed as a tor exit node.  It's
not unusual for the listing to take a few days to disappear, but are you
sure you fully stopped tor?

Thanks,
```


----------



## z0ran (Jun 24, 2009)

They let me through on freenode.net. Before I received mail from them that my host is no longer marked as a tor node, I found these lines in my /var/log/rkhunter.log:


```
:07:12] Warning: Users have been added to the passwd file:
[18:07:12]          privoxy:*:201:201:privoxy pseudo-user:/nonexistent:/sbin/nologin
```

I commented it out and not so long after I received mail that I can connect to freenode. I don't think that this line was the reason for them to lift the ban, but I'm not going to mess with tor, privoxy and those kinds of things anymore, that's for sure.


----------



## Carpetsmoker (Jun 24, 2009)

I don't think so ... I think you just had to wait some time before your unblock request got processed


----------

