[SQU] Security issue

From: Awie <awie@dont-contact.us>
Date: Sun, 21 Jan 2001 12:41:44 +0800

Folks,

Following up my problem of security, I need your comments and suggestions.

We were suspected by our IX that one of our user attack other network and causing their e-commerce site totally went down. Our IP (aaa.bbb.ccc.ddd) was detected running CMD.EXE (DOW "DOS On Windows" of NT). Our IP that being suspected was running Linux RH 6.2 and Squid for PROXY purpose.

As you see below, that another IP run file JELEK.EXE (in our language, JELEK means BAD).

2:14 and 4:37 GMT
10:32 and 12:59 GMT

02:08:20 aaa.bbb.ccc.ddd GET /msadc/../../../../../../winnt/system32/cmd.exe 200
07:19:45 24.142.102.150 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
10:23:28 24.142.102.150 GET /scripts/../../winnt/system32/cmd.exe 200
10:40:43 24.142.102.150 GET /scripts/../../inetpub/Jelek.exe 200
10:40:51 aaa.bbb.ccc.ddd GET /scripts/../../winnt/system32/cmd.exe 200
10:40:56 24.142.102.150 GET /scripts/../../inetpub/Jelek.exe 502
10:53:24 202.57.0.180 GET /scripts/test.bat"+"+&+dir+c:/+/..\..\..\..\winnt/system32/route.exe 500
11:14:39 24.142.102.150 GET /scripts/../../inetpub/Jelek.exe 502
11:40:40 202.154.58.94 GET /scripts/..\../winnt/system32/cmd.exe 200
12:41:56 aaa.bbb.ccc.ddd GET /scripts/../../winnt/system32/cmd.exe 502
12:56:02 aaa.bbb.ccc.ddd GET /scripts/../../winnt/system32/cmd.exe 502
12:59:56 aaa.bbb.ccc.ddd GET /scripts/../../winnt/system32/cmd.exe 502

So far, I run the Squid with DEFAULT configuration of its squid.conf. Now, I just realized that using default configuration is very dangerous. Now, I changed my cachemgr_passwd with other password. I assume that by changing it, it will get a better security of Squid, even it is from outside attack.

I don't know why and who run CMD.EXE from our PROXY. I am really confuse and surprise because I am 100% sure that RH 6.2 and Squid don't have file CMD.EXE.

Would someone tell me why CMD.EXE run in our PROXY? How to secure our PROXY? Is my action (change password) correct?

Your answer, comment, and suggestion are very appreciated.

Best Regards,
 
Awie

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Sat Jan 20 2001 - 21:45:19 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:30 MST