Hi,
I have squid 2.4.stable1 installed on linux 6.2.
A few days ago I noticed that from time to time squid hung; it did not open connections to 8080.
I examined the logs, and using netstat detected a lot of connects to 8080.
It was one user's IIS virus, 'Code Red', which sent requests to other
www servers (I use transparency for http), so it hung my proxy.
The requests were of this type:
997098888.366 145 INFECTED_MACHINE_IP NONE/411 1559 GET http://111.54.151.163/default.ida? - NONE/- -
997103647.734 129 INFECTED_MACHINE_IP NONE/411 1592 GET http://www.worm.com/default.ida? - NONE/- -
The destination of most of them was www.worm.com, but there were also IP addresses
from the 192 and 111 classes.
I decided to use the following access list:
acl CodeRed urlpath_regex \/default\.ida\?
http_access deny CodeRed
So it works when I send a request which contains the "/default.ida?" text,
and the entries in the log were of this type:
997251176.495 3 MY_IP TCP_DENIED/403 1040 GET http://Some-domain/default.ida? - NONE/- -
But today
I discovered non-blocked entries (with code NONE/411) in my access.log:
997213182.091 57 INFECTED_MACHINE_IP NONE/411 1559 GET http://217.106.234.17/default.ida? - NONE/- -
What can be the reason for this?
Received on Wed Aug 08 2001 - 01:39:55 MDT
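As an added example (not part of the original post), the following script parses Squid native access.log lines like the ones quoted above, applies the same `/default\.ida\?` path test the poster's acl uses, and reports per client how many Code Red probes were logged as TCP_DENIED/403 (acl fired) versus anything else such as NONE/411 (not denied by the acl). The client addresses and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the post; 10.0.0.x clients are placeholders.
SAMPLE_LOG = """\
997098888.366 145 10.0.0.5 NONE/411 1559 GET http://111.54.151.163/default.ida? - NONE/- -
997103647.734 129 10.0.0.5 NONE/411 1592 GET http://www.worm.com/default.ida? - NONE/- -
997251176.495 3 10.0.0.7 TCP_DENIED/403 1040 GET http://Some-domain/default.ida? - NONE/- -
997251180.001 210 10.0.0.7 TCP_MISS/200 4821 GET http://example.org/index.html - DIRECT/192.0.2.10 text/html
997213182.091 57 10.0.0.5 NONE/411 1559 GET http://217.106.234.17/default.ida? - NONE/- -
"""

# Squid native format: time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Same pattern as the poster's acl; urlpath_regex only sees the path part of the URL.
CODERED_PATH_RE = re.compile(r"/default\.ida\?")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def url_path(url):
    # Drop scheme and host so the regex is applied to what urlpath_regex matches.
    rest = url.split("://", 1)[-1]
    idx = rest.find("/")
    return rest[idx:] if idx >= 0 else "/"

def classify(rec):
    if not CODERED_PATH_RE.search(url_path(rec["url"])):
        return "other"
    if rec["code"] == "TCP_DENIED" and rec["status"] == 403:
        return "blocked"    # http_access deny CodeRed fired
    return "unblocked"      # e.g. NONE/411: Squid replied 411 itself, no acl deny logged

def summarize(log_text):
    """Per-client counts of Code Red probes, split by whether the acl caught them."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec["client"]][classify(rec)] += 1
    return {client: dict(c) for client, c in counts.items()}
```

A client with a non-zero "unblocked" count is an infected host whose probes are reaching the proxy without being stopped by the acl, which is exactly the NONE/411 case the post asks about.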