Re: [squid-users] Confused

From: Simon White <simon@dont-contact.us>
Date: Wed, 27 Mar 2002 18:15:58 +0000

28-Mar-02 at 02:03, stuart (stuart@catjes.com.au) wrote :
> Hello,
> I am trying to understand some weird behaviour from my squid box,
>
> It is on redhat 7.2, 2.4stable3-1.7.2, with iptables
> It is also set up to do acceleration and redirection, and not as a
> cache, listening on port 80.
>
> Suddenly it started receiving a lot of http traffic from an
> unprivileged port, to port 80, and started sending from port 80 back.
> The access.log shows a lot of traffic to mx machines at aol.com on port
> 25. (TCP_DENIED 403) is also there. The host is a cw.net
> (cable&wireless in houston)
>
> Does anyone know what this is?

I don't want to panic you, but this might be someone trying to hijack your
proxy.

They have been denied, if the deny is there too... but people may keep
trying different methods, etc.

That it is trying to go to AOL suggests a spammer; spammers love AOL because
it's a domain with a gazillion usernames.

More forensic searching in the logs is needed to bring up something
conclusive.

-- 
[Simon White. vim/mutt. simon@mtds.com. GIMPS:57.26% see www.mersenne.org]
In a time of universal lies, telling the truth is a revolutionary act.
  -- George Orwell
[Arbitrary quotes signature rotation, a simple bash script by Simon White]
Received on Wed Mar 27 2002 - 11:16:03 MST
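The "forensic searching in the logs" suggested above can be scripted. What follows is an added example, not code from either poster or from the Squid project: it reads Squid's native access.log format (ten whitespace-separated fields, the request URL in the seventh) and reports, per client address, every request whose destination port is a mail port, whether Squid answered TCP_DENIED/403 or actually relayed it. The log lines, the client addresses (RFC 5737 documentation ranges) and the choice of ports 25, 465 and 587 are all constructed for the example.

```python
"""Flag proxy-relay attempts in a Squid native-format access.log.

Added example, not part of the original thread.  Assumptions: Squid's
native access.log layout (time elapsed client action/code bytes method
url ident hierarchy/peer type), and that any request aimed at a mail
port (25, 465, 587) through the proxy is a relay attempt worth listing,
denied or not.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

MAIL_PORTS = {25, 465, 587}

# Constructed sample log lines (not real traffic).  One client probes the
# proxy with CONNECT and POST toward mail ports; another is ordinary web
# browsing that must not be flagged.
SAMPLE_LOG = """\
1017244800.123     45 203.0.113.7 TCP_DENIED/403 1352 CONNECT mailin-01.mx.aol.com:25 - NONE/- text/html
1017244801.456     12 203.0.113.7 TCP_DENIED/403 1352 CONNECT mailin-02.mx.aol.com:25 - NONE/- text/html
1017244802.789    301 203.0.113.7 TCP_MISS/200 4410 POST http://mailin-03.mx.aol.com:25/ - DIRECT/198.51.100.25 -
1017244803.000     88 192.0.2.10 TCP_MISS/200 8123 GET http://www.example.com/index.html - DIRECT/198.51.100.80 text/html
1017244804.250     20 192.0.2.10 TCP_HIT/200 512 GET http://www.example.com/logo.gif - NONE/- image/gif
1017244805.500     15 203.0.113.7 TCP_DENIED/403 1352 CONNECT smtp.example.net:587 - NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def dest_port(method, url):
    """Destination port implied by a request line.

    CONNECT targets are bare host:port; other methods carry a full URL,
    where a missing port means the scheme default (80 http, 443 https).
    Returns None when the port cannot be determined.
    """
    if method == "CONNECT":
        _host, sep, port = url.rpartition(":")
        return int(port) if sep and port.isdigit() else None
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def parse_line(line):
    """Parse one native-format line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["port"] = dest_port(rec["method"], rec["url"])
    return rec


def find_relay_attempts(log_text):
    """Group mail-port requests by client: {client: [(denied, url), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] not in MAIL_PORTS:
            continue
        denied = rec["action"].startswith("TCP_DENIED") or rec["status"] == 403
        hits[rec["client"]].append((denied, rec["url"]))
    return dict(hits)


def summarize(log_text):
    """Per-client counts: mail-port requests seen, and how many got through."""
    return {
        client: {"attempts": len(v), "allowed": sum(1 for d, _ in v if not d)}
        for client, v in find_relay_attempts(log_text).items()
    }


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        verdict = "RELAYED" if s["allowed"] else "all denied"
        print(f"{client}: {s['attempts']} mail-port requests, "
              f"{s['allowed']} allowed ({verdict})")
```

Run it against the real file with `summarize(open("/var/log/squid/access.log").read())`. The thing to look for is not the TCP_DENIED lines (those are the Safe_ports / SSL_ports ACLs of a stock squid.conf doing their job) but any client whose `allowed` count is non-zero: a 200 to a `:25` URL means the box did relay for the spammer, and that client's other requests deserve a closer look.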

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:08 MST