Re: [squid-users] "Squid Address" itself in, requests? from Duane Wessels on 2001-09-17 (squid-users)

From: Duane Wessels <wessels@dont-contact.us>
Date: Mon, 17 Sep 2001 17:32:05 -0600 (MDT)

On Mon, 17 Sep 2001, Brian wrote:

>
> I had posted this a little while back, but didn't get much response
> probably because of all the tragedy that occured around that same time,
> so I am posting again. To clarify, I know the "default.ida" is the code
> red worm, I am not concerned about that right now, what I am concerned
> with is why requests from many different sources come into the caches,
> with the cache servers ip addresses themselves in the requests.
>
>
> I have just turned up a squid farm here after having
> it down for almost a year. Upgraded to squid-2.3.STABLE4-10,
> on Redhat 7.1. I am seeing requests in the access.log
> that have the IP address of the cache itself in them.
>
> This cache's IP address is 208.206.76.60, you can see
> its own IP is in the request.
>
> Here are some examples:
>
> 1000407076.046 5 207.254.211.16 NONE/411 1365 POST
> http://208.206.76.60/servlet/dlwLogin.DLLoginServlet? - NONE/- -
> 1000407083.134 2 207.254.211.16 NONE/411 1368 POST
> http://208.206.76.60/servlet/dlwLogin.DLLoginServlet? - NONE/- -
> 1000410073.068 6 207.254.208.18 NONE/411 1897 POST
> http://208.206.76.60/7/2047/1243/msnbc/videoweb.msnbc.com/msnbc/video/modem/n_bush_tear_010913.asf
> - NONE/- -
> 1000410075.893 3 207.254.202.170 NONE/411 1573 GET
> http://208.206.76.60/default.ida? - NONE/- -
> 1000410075.901 3 207.254.202.170 NONE/411 1573 GET
> http://208.206.76.60/default.ida? - NONE/- -
> 1000410075.908 98 207.254.204.38 TCP_MISS/503 1092 POST
> http://208.206.76.60/scripts/nri/panelserver.dll/logdata -
> DIRECT/208.206.76.60 -
>
>
> Does anyone know what would cause this? The users say
> they cannot get to those sites. One of them, runs some custom
> software, that is obviously using port 80, (the first log entry
> above, the DLL file), and says it won't "login" to his database.

which sites are "those sites?"

Are you using interception on this box (ipchains, ipfw, etc).
It would probably be helpful for us to know more about
your configuration, including 'httpd_accel' lines.
The httpd_accel configuration options may have changed
from your earlier version, so maybe take a closer look
at those directives in the new squid.conf.
Received on Mon Sep 17 2001 - 17:32:05 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:14 MST