28-Mar-02 at 02:03, stuart (stuart@catjes.com.au) wrote :
> Hello,
> I am trying to understand some weird behaviour from my squid box,
>
> It is on redhat 7.2, 2.4stable3-1.7.2, with iptables
> It is also set up to do acceleration and redirection, and not as a
> cache, listening on port 80.
>
> Suddenly it started receiving a lot of http traffic from an
> unprivileged port, to port 80, and started sending from port 80 back.
> The access.log shows a lot of traffic to mx machines at aol.com on port
> 25. (TCP_DENIED 403) is also there. The host is a cw.net
> (cable&wireless in houston)
>
> Does anyone know what this is?
I don't want to panic you, but this might be someone trying to hijack your
proxy.
They have been denied, if the deny is there too... but people may keep
trying different methods, etc.
That it is trying to go to AOL suggests a spammer, who loves AOL because
it's a domain with a gazillion usernames.
More forensic searching in the logs is needed to bring up something
conclusive.
--
[Simon White. vim/mutt. simon@mtds.com. GIMPS:57.26% see www.mersenne.org]
In a time of universal lies, telling the truth is a revolutionary act. -- George Orwell
[Arbitrary quotes signature rotation, a simple bash script by Simon White]

Received on Wed Mar 27 2002 - 11:16:03 MST
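The reply above calls for more forensic searching in the logs. As an added example (not part of the original thread or of Squid itself), the script below scans access.log lines in Squid's native format (timestamp elapsed client code/status bytes method URL ident hierarchy type) for requests aimed at mail ports and tallies them per client IP, denied versus allowed; the log lines, IP addresses and the 25/587 port set are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid native access.log format (not taken from the post).
# Fields: timestamp elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1017277440.123 45 203.0.113.5 TCP_DENIED/403 1430 CONNECT mx1.aol.com:25 - NONE/- text/html
1017277441.456 12 203.0.113.5 TCP_DENIED/403 1430 CONNECT mx2.aol.com:25 - NONE/- text/html
1017277442.789 8 203.0.113.5 TCP_DENIED/403 1430 GET http://mx3.aol.com:25/ - NONE/- text/html
1017277443.001 230 198.51.100.7 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1017277444.222 301 203.0.113.5 TCP_MISS/200 0 CONNECT smtp.example.net:25 - DIRECT/192.0.2.25 -
"""

# timestamp, elapsed, client, result code, HTTP status, bytes, method, URL
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")

# Mail relay/submission ports a web accelerator should never be asked to reach (assumed set).
RELAY_PORTS = {25, 587}


def dest_port(method, url):
    """Destination port of a request, or None if it cannot be determined.

    CONNECT carries host:port; other methods carry a URL whose explicit port,
    or the scheme's default, decides.  (IPv6 literals in CONNECT are not handled.)
    """
    if method == "CONNECT":
        host, sep, port = url.rpartition(":")
        return int(port) if sep and port.isdigit() else None
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def find_relay_attempts(log_text):
    """Group mail-port requests by client IP, counting 'denied' vs 'allowed'.

    A request counts as denied when Squid logged TCP_DENIED or a 403 status;
    an 'allowed' hit is the one to investigate, since it means the proxy relayed.
    """
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, code, status, method, url = m.group(3), m.group(4), m.group(5), m.group(7), m.group(8)
        if dest_port(method, url) in RELAY_PORTS:
            key = "denied" if code == "TCP_DENIED" or status == "403" else "allowed"
            report[client][key] += 1
    return {client: dict(counts) for client, counts in report.items()}


if __name__ == "__main__":
    for client, counts in find_relay_attempts(SAMPLE_LOG).items():
        print(client, counts)
```

Feed it the real access.log instead of SAMPLE_LOG; any client with an "allowed" count means the accelerator actually relayed to a mail port and the ACLs need tightening.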
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:08 MST