Re: [squid-users] problem with urlpath_regex

From: hari_bhr <hari_bhr@dont-contact.us>
Date: Wed, 8 Aug 2001 15:02:35 +0530

hi all,

I have the same problem.

I have done the ACL, but I still see unwanted traffic to my network going to an unknown site with
default.ida.

How do I control that: only accept our block and deny all the rest,
and don't allow the site with default.ida?

Can someone help?
thanks
----- Original Message -----
From: Joe Cooper <joe@swelltech.com>
To: Alexander Chelidze <chelidze@geo.net.ge>
Cc: <squid-users@squid-cache.org>
Sent: Wednesday, August 08, 2001 1:27 PM
Subject: Re: [squid-users] problem with urlpath_regex

> We're seeing this on most of our clients' machines (and we've implemented
> regexes to block Code Red v1 and v2); however, the requests you're
> seeing are from the second generation Code Red (called Code Red II--not
> the same as v1 and v2). Code Red II, according to a post I read a
> couple of days ago (maybe here), sends malformed requests which are never
> serviced by Squid.
>
> As far as I know, the NONE/411 tells you that Squid is not servicing
> that request and so is stopping further propagation of Code Red II. I'm
> no longer seeing any of the v1/v2 versions of Code Red show up in the
> logs of our clients, and I think it has been replaced by Code Red II on
> most machines.
>
> I think you're probably hitting some other snag that is causing your
> proxy to hang. I don't think Code Red can do it unless you have many
> hosts on your network that are infected.
>
> Alexander Chelidze wrote:
> > HI,
> >
> > I have squid2.4.stable1, installed on linux6.2.
> > A few days ago I noticed that from time to time Squid hung; it did not open
> > connections to 8080.
> >
> > I examined the logs, and using netstat detected lots of connects to 8080.
> > It was one user's IIS virus, 'Code Red', which sent requests to other
> > WWW servers (I use transparency for http), so it hung my proxy.
> >
> > The requests were of type:
> >
> > 997098888.366 145 INFECTED_MACHINE_IP NONE/411 1559 GET http://111.54.151.163/default.ida? - NONE/- -
> > 997103647.734 129 INFECTED_MACHINE_IP NONE/411 1592 GET http://www.worm.com/default.ida? - NONE/- -
> >
> > The destination of most of them was www.worm.com, but there were also IP addresses
> > from the 192 and 111 classes.
> >
> > I decided to use the following access list:
> > acl CodeRed urlpath_regex \/default\.ida\?
> > http_access deny CodeRed
> >
> > So it works when I send a request which contains the "/default.ida?" text,
> > and the entries in the log were of this type:
> > 997251176.495 3 MY_IP TCP_DENIED/403 1040 GET http://Some-domain/default.ida? - NONE/- -
> >
> > But today
> > I discovered non-blocked entries (with code NONE/411) in my access.log:
> > 997213182.091 57 INFECTED_MACHINE_IP NONE/411 1559 GET http://217.106.234.17/default.ida? - NONE/- -
> >
> > what can be the reason of this?
> --
> Joe Cooper <joe@swelltech.com>
> Affordable Web Caching Proxy Appliances
> http://www.swelltech.com
>


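An added example, not part of this thread or of Squid itself: a small Python script that applies the same `\/default\.ida\?` pattern the thread's `urlpath_regex` ACL uses to Squid native-format access.log lines, the way Squid does (against the path and query only, not the host), and tallies per internal client how each matching request was handled: `TCP_DENIED/403` for the ACL deny, `NONE/411` for the requests the thread says Squid never serviced. The sample log lines are constructed for this example, modelled on the ones quoted above; the client addresses (10.0.0.x) and the hosts some-domain.example and default.ida.example are made up.

```python
import re
from collections import Counter, defaultdict

# The pattern from the thread's ACL:  acl CodeRed urlpath_regex \/default\.ida\?
# Squid evaluates urlpath_regex against the part of the URL after scheme://host[:port],
# so the host name itself is never tested by it (url_regex would test the whole URL).
CODE_RED_URLPATH = re.compile(r"\/default\.ida\?")

# Constructed sample of Squid native access.log lines, modelled on the ones quoted in
# the thread. Client addresses (10.0.0.x) and the hosts some-domain.example and
# default.ida.example are made up for this example. Field order is:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
997098888.366    145 10.0.0.17 NONE/411 1559 GET http://111.54.151.163/default.ida? - NONE/- -
997103647.734    129 10.0.0.17 NONE/411 1592 GET http://www.worm.com/default.ida? - NONE/- -
997213182.091     57 10.0.0.23 NONE/411 1559 GET http://217.106.234.17/default.ida? - NONE/- -
997251176.495      3 10.0.0.5 TCP_DENIED/403 1040 GET http://some-domain.example/default.ida? - NONE/- -
997251190.120    211 10.0.0.5 TCP_MISS/200 4871 GET http://www.squid-cache.org/ - DIRECT/192.0.2.8 text/html
997251201.004     88 10.0.0.9 TCP_MISS/200 913 GET http://default.ida.example/index.html - DIRECT/192.0.2.10 text/html
"""


def url_path(url):
    """Return what Squid's urlpath_regex sees: everything after scheme://host[:port]."""
    scheme_end = url.find("://")
    rest = url[scheme_end + 3:] if scheme_end != -1 else url
    slash = rest.find("/")
    return rest[slash:] if slash != -1 else "/"


def matches_acl(url):
    """True if the thread's CodeRed urlpath_regex ACL would match this URL."""
    return CODE_RED_URLPATH.search(url_path(url)) is not None


def parse_native_line(line):
    """Parse one Squid native-format access.log line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result_code, _, http_status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "code": result_code,       # e.g. TCP_DENIED, TCP_MISS, NONE
        "status": http_status,     # e.g. 403, 411, 200
        "method": fields[5],
        "url": fields[6],
    }


def code_red_report(log_text):
    """Per-client counts of Code Red probes, keyed by how Squid handled each one.

    TCP_DENIED/403 is the http_access deny from the thread's ACL. NONE/<status>
    (NONE/411 in the thread) means Squid rejected the request itself without
    serving it, so it never appears as an ACL denial even though the path matches.
    """
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_native_line(line)
        if entry is None or not matches_acl(entry["url"]):
            continue
        if entry["code"] == "TCP_DENIED":
            outcome = "denied_by_acl"
        elif entry["code"] == "NONE":
            outcome = "rejected_none"
        else:
            outcome = "served"     # a match that got through: the ACL is not in effect
        report[entry["client"]][outcome] += 1
    return {client: dict(counts) for client, counts in report.items()}


def infected_clients(log_text):
    """Sorted list of internal clients that emitted at least one Code Red probe."""
    return sorted(code_red_report(log_text))


if __name__ == "__main__":
    for client, counts in sorted(code_red_report(SAMPLE_ACCESS_LOG).items()):
        print(client, counts)
```

Two things the run shows that the thread only hints at. First, the last sample line is not counted, because `urlpath_regex` never sees the host part, so a host that happens to contain `default.ida` does not match (that would need `url_regex`). Second, the `NONE/411` entries are reported separately from the `TCP_DENIED/403` ones: both identify an infected internal client, but only the second means the `http_access deny CodeRed` line did the blocking. For the "only accept our block and deny the rest" question, keep in mind that Squid evaluates `http_access` lines in order and stops at the first match, so the `deny CodeRed` rule has to come before any `http_access allow` for the local network or it will never be reached.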

Received on Wed Aug 08 2001 - 03:01:26 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:30 MST