RE: [squid-users] default.ida worm

From: Thomas Salmen <thomas@dont-contact.us>
Date: Fri, 20 Jul 2001 13:02:11 +1200

Another one hit by the Code Red storm, huh...

Putting them in an acl didn't seem to make a huge difference for us either -
our Squids were still needing to process the connections, and getting so
many of them that legitimate traffic was slowing right down. We ended up
using ipchains to deny all requests from affected customers. But we only had
8 or so - you guys might have a few more...

...1.4 million GETs since 4 o'clock this morning...sigh...

Regards,

Thomas Salmen
System Administrator

Radionet Ltd.
1/72 Paul Matthews Road
Albany, Auckland, New Zealand
Ph: +64 9 414 0300 ext 718

-----Original Message-----
From: David Robb [mailto:david.robb@staff.ihug.co.nz]
Sent: Friday, 20 July 2001 10:50 a.m.
To: David Robb
Cc: Robert Collins; squid-users@squid-cache.org
Subject: Re: [squid-users] default.ida worm

On Fri, 20 Jul 2001, David Robb wrote:

> I'm transparently proxying all of our customers using a cluster of 6 squid
> boxes.

Ah. Further investigation reveals they're not getting out anyway...

HTTP/1.0 411 Length Required
Server: Squid/2.4.STABLE1
Mime-Version: 1.0
Date: Thu, 19 Jul 2001 22:46:37 GMT
Content-Type: text/html
Content-Length: 1692
Expires: Thu, 19 Jul 2001 22:46:37 GMT
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxy.akl.ihug.co.nz
X-Cache-Lookup: NONE from proxy.akl.ihug.co.nz:3128
Connection: close

<HTML><HEAD>
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR>
<P>
While trying to process the request:
<PRE>
GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNN
N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
090%
u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-Type: text/xml
Host: www.worm.com
 Accept: */*
Content-Length: 3569

</PRE>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Invalid Request
</STRONG>
</UL>

David Robb

---
Senior Network Engineer		DDI +64-9-359-2710
ihug (AS7657)			NOC +64-9-359-2708
"The Earth is a single point of failure"
Received on Thu Jul 19 2001 - 18:57:25 MDT
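
Added example (not part of either message above, and not Squid project code): a Python sketch of the step described in the reply, picking out the clients that send the default.ida request and denying them at the packet filter so Squid no longer has to handle their connections. The log lines are constructed in the shape of Squid's native access.log with documentation-range addresses; it is an assumption that the request URL shows up in the log's URL field and that the local ruleset filters TCP port 80 on the ipchains input chain.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, shaped like Squid's native access.log:
# time elapsed client code/status bytes method URL ident hierarchy type
# None of these lines come from the thread.
SAMPLE_LOG = """\
995590931.101      3 192.0.2.10 NONE/411 1692 GET /default.ida?NNNNNNNN%u9090%u6858=a - NONE/- -
995590931.250     84 192.0.2.77 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/198.51.100.5 text/html
995590931.400      2 192.0.2.10 NONE/411 1692 GET /default.ida?NNNNNNNN%u9090%u6858=a - NONE/- -
995590932.007      2 192.0.2.23 NONE/411 1692 GET http://198.51.100.9/DEFAULT.IDA?NNNN%u9090=a - NONE/- -
995590932.300     40 192.0.2.77 TCP_HIT/200 812 GET http://www.example.com/default.idaho.gif - NONE/- image/gif
995590932.900 truncated
"""

# The path component must be exactly default.ida and carry a query string.
WORM_URL = re.compile(r"(?:^|/)default\.ida\?", re.IGNORECASE)

def worm_clients(log_text, threshold=1):
    """Return {client_ip: hits} for clients with at least `threshold` matching GETs."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed entry
        client, method, url = fields[2], fields[5], fields[6]
        try:
            ipaddress.IPv4Address(client)  # never pass unvalidated log text to a shell
        except ValueError:
            continue
        if method == "GET" and WORM_URL.search(url):
            hits[client] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def ipchains_rules(clients, port=80):
    """Build one DENY rule per client, in numeric address order."""
    # Inserted at position 1 so the rule is evaluated before any later
    # rule that hands port-80 traffic to the proxy (assumed ruleset layout).
    ordered = sorted(clients, key=ipaddress.ip_address)
    return [f"ipchains -I input 1 -p tcp -s {ip} -d 0/0 {port} -j DENY" for ip in ordered]

if __name__ == "__main__":
    for rule in ipchains_rules(worm_clients(SAMPLE_LOG)):
        print(rule)
```

Raising `threshold` keeps a single stray request from blocking a customer; the rules are printed for review rather than executed.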

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:17 MST