We're seeing this on most of our clients' machines (and we've implemented
regexes to block Code Red v1 and v2), however, the requests you're
seeing are from the second generation Code Red (called Code Red II--not
the same as v1 and v2). Code Red II, according to a post I read a
couple of days ago (maybe here) sends malformed requests which are never
serviced by Squid.
As far as I know, the NONE/411 tells you that Squid is not servicing
that request and so is stopping further propagation of Code Red II. I'm
no longer seeing any of the v1/v2 versions of Code Red show up in the
logs of our clients, and I think it has been replaced by Code Red II in
most machines.
I think you're probably hitting some other snag that is causing your
proxy to hang. I don't think Code Red can do it unless you have many
hosts on your network that are infected.
Alexander Chelidze wrote:
> HI,
>
> I have squid2.4.stable1, installed on linux6.2.
> A few days ago I noticed that from time to time squid hung; it did not open
> connections to 8080.
>
> I examined logs, and using netstat detected lot of connects to 8080.
> It was one user's IIS virus - 'Code Red', which sent requests to other
> www-s (I use transparency for http). So it hung my proxy.
>
> The requests were of type:
>
> 997098888.366 145 INFECTED_MACHINE_IP NONE/411 1559 GET http://111.54.151.163/default.ida? - NONE/- -
> 997103647.734 129 INFECTED_MACHINE_IP NONE/411 1592 GET http://www.worm.com/default.ida? - NONE/- -
>
> destination of most of them was www.worm.com , but also there were ip addresses
> from 192 and 111 classes.
>
> I decided to use the next access list:
> acl CodeRed urlpath_regex \/default\.ida\?
> http_access deny CodeRed
>
> So it works when I send a request which contains "/default.ida?" text,
> and entries in log were:
> 997251176.495 3 MY_IP TCP_DENIED/403 1040 GET http://Some-domain/default.ida? - NONE/- -
> of this type.
>
> but today
> I discovered non-blocked entries (with code NONE/411) in my access.log.
> 997213182.091 57 INFECTED_MACHINE_IP NONE/411 1559 GET http://217.106.234.17/default.ida? - NONE/- -
>
> what can be the reason of this?
--
Joe Cooper <joe@swelltech.com>
Affordable Web Caching Proxy Appliances
http://www.swelltech.com
Received on Wed Aug 08 2001 - 01:51:00 MDT
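To make the distinction in the reply above concrete, here is an added example (not from this thread or the Squid project) that parses access.log lines in the format shown and tallies, per client, how the default.ida probes ended up: TCP_DENIED/403 entries were caught by the urlpath_regex ACL, while NONE/411 entries are requests Squid never serviced, so http_access never logged a deny for them. The log layout is assumed to be Squid's native format as it appears in the thread, and the sample lines are constructed from the thread's entries plus one ordinary request.

```python
import re
from collections import Counter

# Squid native access.log layout, as in the thread's entries (assumed 2.4-era default):
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$'
)

# The same pattern the thread's urlpath_regex ACL uses, applied to the URL path only.
CODERED_PATH = re.compile(r'/default\.ida\?')

# Constructed sample: the thread's own entries (placeholder client names kept) plus one normal hit.
SAMPLE_LOG = [
    "997098888.366 145 INFECTED_MACHINE_IP NONE/411 1559 GET http://111.54.151.163/default.ida? - NONE/- -",
    "997103647.734 129 INFECTED_MACHINE_IP NONE/411 1592 GET http://www.worm.com/default.ida? - NONE/- -",
    "997251176.495 3 MY_IP TCP_DENIED/403 1040 GET http://Some-domain/default.ida? - NONE/- -",
    "997213182.091 57 INFECTED_MACHINE_IP NONE/411 1559 GET http://217.106.234.17/default.ida? - NONE/- -",
    "997213190.001 210 OTHER_CLIENT TCP_MISS/200 4821 GET http://example.org/index.html - DIRECT/example.org text/html",
]

def parse_line(line):
    """Split one access.log line into named fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def url_path(url):
    """Path-and-query part of a URL, which is what urlpath_regex is matched against."""
    rest = url.split('://', 1)[-1]
    idx = rest.find('/')
    return rest[idx:] if idx >= 0 else '/'

def classify(lines):
    """Per client, count default.ida probes by Squid result code (NONE/411, TCP_DENIED/403, ...)."""
    result = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not CODERED_PATH.search(url_path(rec['url'])):
            continue
        key = rec['code'] + '/' + rec['status']
        result.setdefault(rec['client'], Counter())[key] += 1
    return result

def unserviced_probe_sources(lines):
    """Clients with NONE/411 probes: Squid never serviced these, so the ACL alone cannot explain them."""
    return sorted(c for c, counts in classify(lines).items() if counts['NONE/411'] > 0)
```

Run it over a real access.log and the NONE/411 sources are the internal hosts worth checking for infection, independently of whether the ACL is in place.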