RE: [squid-users] default.ida worm

We were hit by a similar thing a few weeks ago... probably a stupid game
that tries to connect to the developer's site. It found out the proxy
address, but could not authenticate, so retried... some hundred times per
second. Since it was spreading all over our organization, I decided to
invent an automated solution for blocking them. First, I redirected the url
to a local cgi on the proxy. We already use squidGuard, so it was only an
extra line in the config file:
s@.*://216\.46\.233\.11/.*@http://proxy:8001/cgi-bin/killya.cgi@i
(The actual request was 'POST http://216.46.233.11/1.0.0/SetSessionGUID.asp'
or 'POST http://216.46.233.11/1.0.0/Hello.asp'). The cgi extracts the
client's ip address:

#!/bin/sh
echo Content-type: text/plain
echo
echo byebye
VICTIM=`echo $HTTP_X_FORWARDED_FOR|sed 's/.*, //'`
sudo /usr/local/bin/killya $VICTIM

... and calls another script through sudo:

#!/bin/sh
VICTIM=$1
export VICTIM
if ipchains -L -n |\
    grep ^DENY |\
    awk '{print $4}'|\
    grep $VICTIM
then
  exit 0
fi
ipchains -I input -s $VICTIM -j DENY
cat << EOF | sendmail -t -oem
From: ipdenied@proxy
To: whoever.I.want.to.notify
Subject: ip denied

$VICTIM
EOF
(sleep 900;ipchains -D input -s $VICTIM -j DENY) &

That's it. 15 minutes is enough for 'education' :)

> -----Original Message-----
> From: Thomas Salmen [SMTP:thomas@radionet.co.nz]
> Sent: Friday, July 20, 2001 3:02 AM
> To: 'David Robb'
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] default.ida worm
>
> Another one hit by the Code Red storm, huh...
>
> Putting them in an acl didn't seem to make a huge difference for us either
> -
> our Squids were still needing to process the connections, and getting so
> many of them that legitimate traffic was slowing right down. We ended up
> using ipchains to deny all requests from affected customers. But we only
> had
> 8 or so - you guys might have a few more...
>
> ...1.4 million GETs since 4oclock this morning...sigh...
>
> Regards,
>
> Thomas Salmen
> System Administrator
>
> Radionet Ltd.
> 1/72 Paul Matthews Road
> Albany, Auckland, New Zealand
> Ph: +64 9 414 0300 ext 718
>
>
> -----Original Message-----
> From: David Robb [mailto:david.robb@staff.ihug.co.nz]
> Sent: Friday, 20 July 2001 10:50 a.m.
> To: David Robb
> Cc: Robert Collins; squid-users@squid-cache.org
> Subject: Re: [squid-users] default.ida worm
>
>
> On Fri, 20 Jul 2001, David Robb wrote:
>
> > I'm transparently proxying all of our customers using a cluster of 6
> squid
> > boxes.
>
> Ah. Further investigation reveals they're not getting out anyway...
>
> HTTP/1.0 411 Length Required
> Server: Squid/2.4.STABLE1
> Mime-Version: 1.0
> Date: Thu, 19 Jul 2001 22:46:37 GMT
> Content-Type: text/html
> Content-Length: 1692
> Expires: Thu, 19 Jul 2001 22:46:37 GMT
> X-Squid-Error: ERR_INVALID_REQ 0
> X-Cache: MISS from proxy.akl.ihug.co.nz
> X-Cache-Lookup: NONE from proxy.akl.ihug.co.nz:3128
> Connection: close
>
> <HTML><HEAD>
> <TITLE>ERROR: The requested URL could not be retrieved</TITLE>
> </HEAD><BODY>
> <H1>ERROR</H1>
> <H2>The requested URL could not be retrieved</H2>
> <HR>
> <P>
> While trying to process the request:
> <PRE>
> GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NN
> NNNNNNNN
> N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
> u9
> 090%
> u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
> Content-Type: text/xml
> Host: www.worm.com
> Accept: */*
> Content-Length: 3569
>
> </PRE>
> <P>
> The following error was encountered:
> <UL>
> <LI>
> <STRONG>
> Invalid Request
> </STRONG>
> </UL>
>
>
> David Robb
> ---
> Senior Network Engineer DDI +64-9-359-2710
> ihug (AS7657) NOC +64-9-359-2708
>
> "The Earth is a single point of failure"
Received on Mon Jul 23 2001 - 07:31:32 MDT