RE: [squid-users] Is my squid server beening hacked??

From: Thomas Salmen <thomas@dont-contact.us>
Date: Fri, 20 Jul 2001 20:50:38 +1200

You will likely be seeing this in the news tomorrow. It's the Red Code worm.
It infects IIS web servers and uses them as a base to launch attacks on
other web servers. Current estimates suggest that as many as 200,000
webservers worldwide have been infected. Other fun things it does: crash
Cisco DSL routers, DoS www.whitehouse.org, deface websites.

In four hours, our proxies (transparently caching our network) received
several million requests for this url - it was preventing legitimate traffic
from getting through, killing browsing for most of our customers. We ended
up firewalling off the source IPs until they could patch their web servers -
luckily there were only eight or ten of them.

Funny thing is, it doesn't affect Apache...

Regards,

Thomas Salmen
System Administrator

Radionet Ltd.
1/72 Paul Matthews Road
Albany, Auckland, New Zealand
Ph: +64 9 414 0300 ext 718

-----Original Message-----
From: Lee Norvall [mailto:lnorvall@uk.lavron.net]
Sent: Friday, 20 July 2001 8:25 p.m.
To: squid-users@squid-cache.org
Subject: [squid-users] Is my squid server beening hacked??

Hi

Last night I found that our squid server was being used a lot more than
normal. I found the following in the access log with lots
of different IP addresses and wondered if this was the problem??

995592219.826 17 216.219.45.195 NONE/411 1607 GET
http://www.worm.com/default.ida? - NONE/- -

Lee Norvall
Lavron Technologies (UK) Ltd
http://www.lavron.net
T. +44 (0)8708 73 13 13
F. +44 (0)8708 73 13 14
Received on Fri Jul 20 2001 - 02:46:06 MDT
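
An added example, not part of the original messages: one way to pull the source addresses sending `default.ida` requests out of a Squid native-format access.log, so they can be counted and handed to whoever maintains the firewall rules. The first sample line is the entry quoted in the thread; the other lines, the function names and the `threshold` parameter are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format. Line 1 is the
# entry quoted in the thread; the rest use documentation address ranges.
SAMPLE_LOG = """\
995592219.826 17 216.219.45.195 NONE/411 1607 GET http://www.worm.com/default.ida? - NONE/- -
995592220.101 15 192.0.2.10 NONE/411 1607 GET http://www.worm.com/default.ida? - NONE/- -
995592220.480 16 192.0.2.10 NONE/411 1607 GET http://www.worm.com/default.ida? - NONE/- -
995592221.002 240 198.51.100.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
995592221.377 14 192.0.2.10 NONE/411 1607 GET http://www.worm.com/default.ida? - NONE/- -
this line is truncated
"""


def parse_line(line):
    """Return (client_ip, method, url) or None if the line is malformed.

    Native format: time elapsed client code/status bytes method URL
    ident hierarchy/peer content-type (ten whitespace-separated fields).
    """
    fields = line.split()
    if len(fields) < 10:
        return None
    return fields[2], fields[5], fields[6]


def is_ida_probe(url):
    """True when the request path is default.ida, whatever the host or query."""
    return urlsplit(url).path.lower().endswith("/default.ida")


def probe_sources(log_text, threshold=1):
    """Count default.ida requests per client; return [(ip, count)], busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip truncated or corrupt entries instead of failing
        client, _method, url = parsed
        if is_ida_probe(url):
            counts[client] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in probe_sources(SAMPLE_LOG):
        print(f"{ip}\t{n}")
```
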
