Re: [squid-users] Nimda Virus problem

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Thu, 20 Sep 2001 13:38:31 +0200 (MESZ)

On Thu, 20 Sep 2001, Tomas Andershem wrote:

> acl w1 url_regex eml
> acl e1 url_regex -i eml
> acl q1 urlpath_regex eml
> acl a1 urlpath_regex -i eml
> acl r1 urlpath_regex -i \.eml$
> acl t1 url_regex -i \.eml$
[...]

> The real problem I have is that it passes through the readme.eml.
> The access.log file gives me this message, which makes it look like it is being
> blocked, but it reaches my client just fine.
>
> xxx.xxx.xxx.xxx - - [20/Sep/2001:11:43:33 +0200] "GET
> http://brooker1.internet42.com/readme.eml HTTP/1.1" 403 1052 TCP_DENIED:NONE
>
> The regexp filters work just fine if I have "eml" in the browser's URL path,
> ex. http://www.anywhere.com/eml

This is by no means an authoritative answer, just some thoughts:

I would suspect that your regex commands above are redundant. -i
should already include the non-'-i' case, urlpath should include
url (or the other way around? check the manual, please). eml alone should
include \.eml$.

This isn't a real issue, but superfluous filter commands reduce
efficiency and increase the chance of configuration errors.

That said, after the TCP_DENIED you found, are there any
success messages? Maybe the virus tries downloads with other names
after the failure which are not caught by the regex. I'd assume one can
replace the eml by %hexcode%hexcode%hexcode, for example.. or something.

Also, maybe IE only checks brooker1.internet42.com/readme.eml to see if it
is more recent than a locally cached version and, failing to see that, just
consults its local cache (from experience I know IE loves its local
cache. It even caches cgi stuff and what else.. you have to manually clean
the cache all the time (ok, ok.. often ...)).

Maybe you should check that. I'd assume that either a local copy or one
with a completely different name is downloaded.

Michael.

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
Received on Thu Sep 20 2001 - 05:38:50 MDT

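Added example, not part of the thread or of Squid itself: a small shell emulation of what the six posted ACLs compare against, so the redundancy Michael suspects and the percent-encoding bypass he speculates about can be checked on concrete URLs. It assumes what Squid's documentation states for these ACL types: url_regex is matched against the whole request URL, urlpath_regex only against the path after the host, -i makes the match case-insensitive, and the pattern is a POSIX extended regex matched against the raw URL text with no percent-decoding. The URLs in the demo are constructed test data (brooker1.internet42.com is the host from the quoted access.log line; the others are made up); url_path, acl_match and which_acls are names chosen here, not Squid directives.

```shell
#!/bin/sh
# Added example (not from the thread): emulate Squid url_regex / urlpath_regex
# ACL matching with grep -E over the raw URL text, to see which of the six
# posted ACLs fire for a given request.
#
# Assumptions, labelled: url_regex sees the whole URL, urlpath_regex only the
# path component, -i means case-insensitive, and no percent-decoding happens
# before the regex is applied. All URLs used below are constructed test data.

# url_path URL -> prints the path component ("/" if the URL has none)
url_path() {
    rest=${1#*://}
    case $rest in
        */*) printf '/%s\n' "${rest#*/}" ;;
        *)   printf '/\n' ;;
    esac
}

# acl_match SCOPE CASE PATTERN URL
#   SCOPE: url  (url_regex)      or path (urlpath_regex)
#   CASE:  cs   (case-sensitive) or ci   (the -i flag)
# Returns 0 when the emulated ACL would match the request, 1 otherwise.
acl_match() {
    scope=$1 case_=$2 pattern=$3 url=$4
    if [ "$scope" = path ]; then
        subject=$(url_path "$url")
    else
        subject=$url
    fi
    flag=
    [ "$case_" = ci ] && flag=-i
    printf '%s\n' "$subject" | grep -qE $flag -- "$pattern"
}

# which_acls URL -> prints the names of the posted ACLs (w1..t1) that match
which_acls() {
    url=$1; hits=
    acl_match url  cs 'eml'    "$url" && hits="$hits w1"   # acl w1 url_regex eml
    acl_match url  ci 'eml'    "$url" && hits="$hits e1"   # acl e1 url_regex -i eml
    acl_match path cs 'eml'    "$url" && hits="$hits q1"   # acl q1 urlpath_regex eml
    acl_match path ci 'eml'    "$url" && hits="$hits a1"   # acl a1 urlpath_regex -i eml
    acl_match path ci '\.eml$' "$url" && hits="$hits r1"   # acl r1 urlpath_regex -i \.eml$
    acl_match url  ci '\.eml$' "$url" && hits="$hits t1"   # acl t1 url_regex -i \.eml$
    printf '%s\n' "${hits# }"
}

# Run with "demo" as the first argument to print a table for a few URLs.
if [ "${1:-}" = demo ]; then
    for u in \
        'http://brooker1.internet42.com/readme.eml' \
        'http://brooker1.internet42.com/README.EML' \
        'http://www.anywhere.com/eml' \
        'http://eml.example.com/index.html' \
        'http://brooker1.internet42.com/readme.%65ml'
    do
        printf '%-48s -> %s\n' "$u" "$(which_acls "$u")"
    done
fi
```

Two things the table shows that the thread only guesses at: every request that trips r1 or t1 also trips e1, so e1 (url_regex -i eml) alone denies everything the other five deny, while also denying any host whose name happens to contain "eml"; and a request for readme.%65ml, where the "e" is percent-encoded, matches none of the six, which is exactly the kind of renamed or encoded retry Michael suggests looking for in access.log after the TCP_DENIED line.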