RE: [squid-users] another illegal character in hostname

From: Palmer J.D.F. <J.D.F.Palmer@dont-contact.us>
Date: Thu, 29 Mar 2001 12:55:33 +0100

Hi,

I have been experiencing the same problem, i.e. getting messages in syslog
like this:
urlParse: Illegal character in hostname' proxy.xyz.net:8080proxy.xyz.net'

I am currently testing various 'Warez' clients such as bearshare, imesh,
gnutella, etc. in order to find which ports/IPs are being used so that they can
be banned at our router.

By chance I noticed that these Illegal character messages were appearing in
my syslog on a test cache that I am configuring. I am the only user going
through this cache. They also appear in our main caches.

I have investigated this with the help of a mail posted by Samuel Atlan
on 3/11/2001 (message attached), and it appears that in our case the problem is
being caused by the imesh warez client (www.imesh.com). It copies a file
called cd_load.exe into winnt\system32; it is an advertising banner client.

 <<[SQU] urlParse errors (CyDoor)>>

****************************************
Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Swansea
SA2 8PP
Tel 01792 513260
****************************************

 -----Original Message-----
From: John Croft [mailto:john.croft@jcu.edu.au]
Sent: 26 March 2001 01:05
To: squid-users@squid-cache.org
Subject: [squid-users] another illegal character in hostname

> Subject: Correct example of "illegal character in hostname"
> Date: Sat, 24 Mar 2001 04:57:16 -0800 (PST)
> From: ssdd sdsds <w1mirza74@yahoo.com>
> To: squid-users@squid-cache.org
>
> Oh yes. Thanks for pointing that out. But the actual continuous
> errors are of the machine name itself, i.e.:
>
> urlParse: Illegal character in
> hostname'proxy.xyz.net:8080proxy.xyz.net'
>
> (where proxy.xyz.net is the FQDN machine name, with
> a proper DNS entry)
>
> Is there any other reason for the "illegal hostname error"
> other than a wrongly spelled site name?
> bye

I have two client machines exhibiting this problem also.

I get one line in the cache.log, viz:
2001/03/26 09:56:22| urlParse: Illegal character
 in hostname 'proxy.jcu.edu.au:8080proxy.jcu.edu.au'

I get three lines in access.log, viz:
985564555.145 7 x.x.x.94 NONE/400 1204 GET
 http://proxy.jcu.edu.au:8080proxy.jcu.edu.au:8080 - NONE/- -
985564555.172 5 x.x.x.94 NONE/400 1204 GET
 http://proxy.jcu.edu.au:8080proxy.jcu.edu.au:8080 - NONE/- -
985564555.199 0 x.x.x.94 NONE/400 1270 GET
/scripts/cms/CmsInit.ASP?ID=4018293&D2=??OAKW@?????????
 &AW=168&LV=2040&CU=84427977 - NONE/- -

With this extra information, does anyone know which application
on the clients (both windows boxes) may be at fault ....

-- 
JohnC

attached mail follows:


Hello,

It seems to me that several proxy administrators have had problems with the
urlParse error and the "strange" access.log lines like:

984326992.663 2 xxx.xxx.xxx.xxx NONE/400 1315 GET
http://cache.ese-metz.fr:3128cache.ese-metz.fr:3128 - NONE/- -

Those lines repeat every 15 seconds or so. I think I've found one source
that is causing this and that fills up my logs: the Cydoor ads banner software
add-on.

I recently posted that Babylon software (from www.babylon.com) was creating
those lines in my access.log, so I looked into this issue a little bit
further.

Using a "clean computer" running only Babylon translator, I did a tcpdump on
the packets and I found that:

My computer tries to contact 212.29.215.2 on port 80 directly
(a connection that is blocked by my firewall) about three times, then it makes
a connection to the cache and does three bad queries:
984329080.652 2 xxx.xxx.xxx.xxx NONE/400 1315 GET
http://cache.ese-metz.fr:3128cache.ese-metz.fr:3128 - NONE/- -
984329080.665 2 xxx.xxx.xxx.xxx NONE/400 1315 GET
http://cache.ese-metz.fr:3128cache.ese-metz.fr:3128 - NONE/- -
984329080.678 1 xxx.xxx.xxx.xxx NONE/400 1397 GET
/scripts/cms/CmsInit.ASP?ID=1&D2=I`?BCsCH????????&AW=167&LV=2045&CU=11056548
 - NONE/- -

This results in two additional lines in /var/log/messages like these:
Mar 11 17:45:10 cache squid[675]: urlParse: Illegal character in hostname
'cache.ese-metz.fr:3128cache.ese-metz.fr'
Mar 11 17:45:10 cache squid[675]: urlParse: Illegal character in hostname
'cache.ese-metz.fr:3128cache.ese-metz.fr'

Then my computer redoes those direct connections...

Here is the interesting part: a query on the IP 212.29.215.2
(http://www.ripe.net/cgi-bin/whois?query=212.29.215.2) gave me the address
of an ISP in Israel.
Then I looked at the technical forums on the Babylon website to see if anybody had
reported problems with proxies. I came across a post
(http://forums.babylon.com/tech/Forum9/HTML/001045.html) which stated that it
was not possible anymore to circumvent the Cydoor Ads banner. I then went
to www.cydoor.com and found out that they had offices in Tel Aviv. So I used
tcpmon and found out that the port corresponding to the packet dump
generating Squid's error was opened by "cd_load.exe", which is a stub
program used by CyDoor. Also, I installed several programs from CyDoor
websites and they generated the same errors on my Squid proxy with the same
symptoms.

CyDoor software tries to connect in an odd way and handles web caches badly,
causing it to trigger frequent errors.

Hope this helps some of you get rid of those messages.

---
Samuel Atlan.
Received on Thu Mar 29 2001 - 04:55:54 MST
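
Added example, not part of the original thread: a small Python filter that finds which client addresses in a Squid native-format access.log produce the pattern described in the messages above (400 responses for a URL in which the proxy's own host:port is written twice, followed by a `/scripts/cms/CmsInit.ASP` request). The sample lines are constructed from the ones quoted in the thread, with documentation addresses and a placeholder proxy name `proxy.example.net`; the function names are this example's own.

```python
import re
from collections import defaultdict

# Squid native access.log: time elapsed client code/status bytes method URL ...
LINE = re.compile(r"^\d+\.\d+\s+\d+\s+(\S+)\s+\S+/(\d{3})\s+\d+\s+\S+\s+(\S+)")
# Proxy host:port repeated with no separator, e.g. http://h:8080h:8080
DOUBLED = re.compile(r"^http://([^/:]+):(\d+)\1(?::\2)?/?$", re.I)
# Origin-form path that follows the two malformed requests in the thread
CMSINIT = re.compile(r"^/scripts/cms/CmsInit\.ASP\?", re.I)

def flag_clients(lines):
    """Count both signatures per client address, 400 responses only."""
    hits = defaultdict(lambda: {"doubled": 0, "cmsinit": 0})
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) != "400":
            continue
        client, url = m.group(1), m.group(3)
        if DOUBLED.match(url):
            hits[client]["doubled"] += 1
        elif CMSINIT.match(url):
            hits[client]["cmsinit"] += 1
    return dict(hits)

def suspects(hits):
    """Clients showing the full pattern: doubled-host requests plus CmsInit."""
    return sorted(c for c, n in hits.items() if n["doubled"] and n["cmsinit"])

# Constructed sample modelled on the log lines in the thread; addresses are
# documentation ranges and proxy.example.net is a placeholder proxy name.
SAMPLE = [
    "985564555.145 7 192.0.2.94 NONE/400 1204 GET "
    "http://proxy.example.net:8080proxy.example.net:8080 - NONE/- -",
    "985564555.172 5 192.0.2.94 NONE/400 1204 GET "
    "http://proxy.example.net:8080proxy.example.net:8080 - NONE/- -",
    "985564555.199 0 192.0.2.94 NONE/400 1270 GET "
    "/scripts/cms/CmsInit.ASP?ID=1&AW=168&LV=2040&CU=1 - NONE/- -",
    "985564560.001 120 192.0.2.10 TCP_MISS/200 5120 GET "
    "http://www.example.com/ - DIRECT/198.51.100.7 text/html",
    "985564570.300 1 192.0.2.10 NONE/400 1180 GET "
    "http://bad_host.example/ - NONE/- -",  # unrelated 400, must not be flagged
]

if __name__ == "__main__":
    hits = flag_clients(SAMPLE)
    for client in suspects(hits):
        print(client, hits[client])
```

The addresses it reports are the machines to check for the `cd_load.exe` stub named in the thread.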
