Cliff wrote:
>
> Squid 2.4STABLE6 on RH7.3
>
> What exploit is happening?
>
> IP addresses attacking me:
> 209.189.55.195 to 205. (10 consecutive addresses)
>
> They are hitting port 3128.
> They are causing my RH Box to send
> A LOT of traffic to all kinds of places
> with names that include mx...hotmail...yahoo mail...etc.
>
> I assume some spammer is exploiting port 3128
> to cause me to relay spam for them? I killed
> sendmail but the spamming continued.
>
> I can kill squid, which stops me from being
> a spam conduit. I prefer not to kill squid.
>
> So I put in a firewall rule to deny everything
> from 209.189.55.x when going to my external
> port 3128.
>
> This seems to have blocked it however I am still
> currently under attack from the miscreant.
>
> The attack was going on for 4 hours before I stopped it.
> I suppose that for 4 hours the spammer pumped lots
> of spam through my box???
>
> It is still going on, though thank goodness I put
> in the firewall rule and stopped it.
>
> Any links to exploits and information is much appreciated.
> I wonder how long this spammer is gonna keep on trying
> to pump spam through my port 3128?
>
Doesn't matter, as you are stating: make sure that SQUID can
only be accessed by your Intranet users.
Can be accomplished with the correct acl statements in squid.conf
and/or firewalling setup at the Internet perimeter.
M.
> Thx gurus.
-- 'Time is a consequence of Matter thus General Relativity is a direct consequence of QM (M.E. Mar 2002)

Received on Mon Dec 23 2002 - 01:19:30 MST