You already mentioned them earlier in your access log -- 219.106.192.133,
218.222.245.221 -- Asia-Pacific Network IPs. Look at the first item in your
access log lines which is the user's IP address.

If you want to block from the source, the following should work if you have
internal IP addresses 90.0.0.1-254:

    acl our_networks src 90.0.0.0/255.255.255.0
    acl all src 0.0.0.0/0
    http_access allow our_networks
    http_access deny all

I advise you shut down squid until you can get it working the way it is
supposed to work so that they would not steal your system resources.

Tesla

>From: Devon Harding - GTHLA <DHarding@gilatla.com>
>To: 'Henrik Nordstrom' <hno@squid-cache.org>
>CC: "'squid-users@squid-cache.org'" <squid-users@squid-cache.org>
>Subject: RE: [squid-users] Outgoing http request?
>Date: Wed, 29 Jan 2003 12:51:38 -0500
>
>The question is, how can I tell where the requests are originating from? I
>want to stop the source.
>
>-Devon
>
>-----Original Message-----
>From: Devon Harding - GTHLA
>Sent: Wednesday, January 29, 2003 12:26 PM
>To: 'Henrik Nordstrom'
>Cc: 'squid-users@squid-cache.org'
>Subject: RE: [squid-users] Outgoing http request?
>
>Fixed it!
>http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.11
>
>-Devon
>
>-----Original Message-----
>From: Henrik Nordstrom [mailto:hno@squid-cache.org]
>Sent: Wednesday, January 29, 2003 12:20 PM
>To: Devon Harding - GTHLA
>Cc: 'squid-users@squid-cache.org'; 'redhat-list@redhat.com'
>Subject: RE: [squid-users] Outgoing http request?
>
>To me it looks like you are running an open proxy and have many random
>users over the Internet using your proxy..
>
>Check your http_access rules. Firewalling the Squid port is also a good
>idea to avoid having uninvited users using the service..
>
>Regards
>Henrik
>
>
>
>On Wed 2003-01-29 at 15.36, Devon Harding - GTHLA wrote:
> > Well looking at my access.log, I noticed that squid is accessing websites
> > that no users have requested. I have not allowed any users to access the
> > cache. These requests are coming from squid itself. I think it's some kind
> > of worm or virus that has affected squid.
> >
> > 61.21.247.37 - - [29/Jan/2003:11:36:22 -0500] "GET
> > http://home.hanmir.com/%7Eueookjtsou/report/report0635.gif HTTP/1.0" 504
> > 1069 TCP_MISS:NONE
> > 219.106.192.133 - - [29/Jan/2003:11:36:26 -0500] "GET
> > http://home.hanmir.com/~mrtu82bv3/ss2_0744.jpg HTTP/1.0" 504 1045
> > TCP_MISS:NONE
> > 67.85.244.205 - - [29/Jan/2003:11:36:38 -0500] "POST
> > http://www.sparkfind.com/cgi-bin/search/smartsearch.cgi HTTP/1.0" 504 1063
> > TCP_MISS:NONE
> > 219.98.86.182 - - [29/Jan/2003:11:36:42 -0500] "GET
> > http://www.directpornstar.com/dmay/n1/WWL01_1051.gif HTTP/1.0" 504 1057
> > TCP_MISS:NONE
> > 219.181.160.56 - - [29/Jan/2003:11:36:46 -0500] "GET
> > http://home.hanmir.com/%7Eyabwweo487/egg0412.jpg HTTP/1.0" 504 1049
> > TCP_MISS:NONE
> > 200.198.194.146 - - [29/Jan/2003:11:36:52 -0500] "GET
> > http://www.topmoxie.com/external/builds/common/equivalent_domains.htm
> > HTTP/1.0" 504 1096 TCP_MISS:NONE
> > 218.222.245.221 - - [29/Jan/2003:11:37:10 -0500] "GET
> > http://210.138.105.147/0616/anime66/anime6601-23.zip HTTP/1.1" 504 1057
> > TCP_MISS:NONE
> > 165.76.120.115 - - [29/Jan/2003:11:37:40 -0500] "GET
> > http://home.hanmir.com/~roninman/bijin0289.jpg HTTP/1.0" 504 1045
> > TCP_MISS:NONE
> >
> > -Devon
> >
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > Sent: Tuesday, January 28, 2003 9:23 PM
> > To: Devon Harding - GTHLA
> > Cc: 'squid-users@squid-cache.org'; 'redhat-list@redhat.com'
> > Subject: Re: [squid-users] Outgoing http request?
> >
> > ???
> >
> > Squid is not a web server. Squid is a proxy. If you have users using the
> > Squid proxy then each request sent by these users to the proxy will
> > result in a HTTP request sent by Squid.
> >
> > Regards
> > Henrik
> >
> > Devon Harding - GTHLA wrote:
> > >
> > > I noticed in my log, I have out going http request from my squid web
> > > servers.
> > >
> > > No one is on this machine, how are these requests being initiated? Is
> > > this a hack attempt?
> > >
> > > System is rhl7.3
> > >
> > > _____________________
> > > Devon Harding
> > > System Administrator
> > > Gilat Latin America
> > > 954-858-1600
> > > dharding@gilatla.com <mailto:dharding@gilathla.com>
> > >
> > > This e-mail is intended for the above named addressee(s), and may contain
> > > information which is confidential or privileged. If you are not the
> > > intended recipient, please inform us immediately: you should not copy or
> > > use this e-mail for any purpose nor disclose its contents to any person.
> > >
>--
>Henrik Nordstrom <hno@squid-cache.org>
>MARA Systems AB, Sweden
Received on Wed Jan 29 2003 - 11:24:04 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:58 MST
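
Added example (not part of the original thread): a small audit of an httpd-style Squid access.log that takes the first field of each line as the client address, as the reply suggests, and counts requests from clients outside the our_networks range used in the ACL above. The first three sample lines are taken from the quoted log excerpt; the last two are constructed, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Same range as "acl our_networks src 90.0.0.0/255.255.255.0" in the reply.
OUR_NETWORKS = [ipaddress.ip_network("90.0.0.0/255.255.255.0")]

# client ident user [time] "METHOD URL PROTO" status bytes RESULT:HIERARCHY
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<result>\S+)$'
)

SAMPLE_LOG = """\
61.21.247.37 - - [29/Jan/2003:11:36:22 -0500] "GET http://home.hanmir.com/%7Eueookjtsou/report/report0635.gif HTTP/1.0" 504 1069 TCP_MISS:NONE
219.106.192.133 - - [29/Jan/2003:11:36:26 -0500] "GET http://home.hanmir.com/~mrtu82bv3/ss2_0744.jpg HTTP/1.0" 504 1045 TCP_MISS:NONE
218.222.245.221 - - [29/Jan/2003:11:37:10 -0500] "GET http://210.138.105.147/0616/anime66/anime6601-23.zip HTTP/1.1" 504 1057 TCP_MISS:NONE
90.0.0.17 - - [29/Jan/2003:11:38:02 -0500] "GET http://www.example.com/ HTTP/1.0" 200 512 TCP_MISS:DIRECT
truncated line without the expected fields
"""  # last two lines are constructed for this example


def is_allowed(client):
    """True if the client address falls inside one of OUR_NETWORKS."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        # A hostname (or junk) in the client field is treated as outside.
        return False
    return any(addr in net for net in OUR_NETWORKS)


def audit(log_text):
    """Return (inside, outside, unparsed): per-client request counts for
    allowed and non-allowed clients, plus line numbers that did not parse."""
    inside, outside, unparsed = Counter(), Counter(), []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(lineno)
            continue
        bucket = inside if is_allowed(m["client"]) else outside
        bucket[m["client"]] += 1
    return inside, outside, unparsed


if __name__ == "__main__":
    inside, outside, unparsed = audit(SAMPLE_LOG)
    for client, hits in outside.most_common():
        print(f"outside our_networks: {client} ({hits} requests)")
    print(f"allowed clients: {dict(inside)}; unparsed lines: {unparsed}")
```

Any entry in the outside counter after the ACL change is in place means http_access is still admitting clients it should not.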