[squid-users] swuid / worm weirdness from Brad Groshok on 2003-09-12 (squid-users)

From: Brad Groshok <bg-squid@dont-contact.us>
Date: Fri, 12 Sep 2003 22:27:24 -0400 (EDT)

This topic has kind of been touched on here in the last few days.

Running squid2.5stable3 on Redhat9
Transparent mode from a cisco 7206VXR WCCP1

I was just tailing access.log
and noticed a particular ip address accessing what appeared to be random
IP addresses. (customer using that ip address prolly hit with one of the
latest worms)

So I figgured I'd cut access from that customer till we can contact them
and get their system cleaned up.

Changed their password so they could not get logged back in.
Then disconnected their DSL connection to our network.

So at this point we don't have anybody using this particular address.

Still tailing squid access.log
Its still showing that IP address making requests to random ip addresses.
10 min later!!!

15 min later still a couple requests here and there, Not as frequent, but
they are still showing up in access.log.
And guaranteed nobody is connected to that port/ip address.
(Sample access.log below)

Is it possible that these worms are causing our squid boxes to get this
far behind in processing request. Taking over 10 min to get caught up once
the offending source is disconnected?

Sample access.log:

1063418773.024 240213 x.x.x.x TCP_MISS/504 1353 GET
http://219.30.176.25/ - NONE/- text/html
1063418773.024 240305 x.x.x.x TCP_MISS/504 1351 GET
http://210.90.151.3/ - NONE/- text/html
1063418774.524 240173 x.x.x.x TCP_MISS/504 1353 GET
http://220.71.37.187/ - NONE/- text/html
1063418774.524 240240 x.x.x.x TCP_MISS/504 1355 GET
http://128.90.223.113/ - NONE/- text/html
1063418774.524 241519 x.x.x.x TCP_MISS/504 1353 GET
http://211.37.25.196/ - NONE/- text/html
1063418775.128 240807 x.x.x.x TCP_MISS/504 1355 GET
http://211.114.62.254/ - NONE/- text/html
1063418776.770 240180 x.x.x.x TCP_MISS/504 1355 GET
http://196.46.173.122/ - NONE/- text/html
1063418776.770 244050 x.x.x.x TCP_MISS/504 1355 GET
http://202.123.179.21/ - NONE/- text/html
1063418777.010 245607 x.x.x.x TCP_MISS/504 1353 GET
http://61.214.68.198/ - NONE/- text/html
1063418777.010 246002 x.x.x.x TCP_MISS/504 1355 GET
http://219.101.249.35/ - NONE/- text/html
1063418778.101 240098 x.x.x.x TCP_MISS/504 1355 GET
http://211.50.237.107/ - NONE/- text/html
1063418778.101 240096 x.x.x.x TCP_MISS/504 1353 GET
http://211.28.206.68/ - NONE/- text/html
1063418781.003 239995 x.x.x.x TCP_MISS/504 1355 GET
http://211.204.118.87/ - NONE/- text/html
1063418781.003 239995 x.x.x.x TCP_MISS/504 1355 GET
http://134.128.67.113/ - NONE/- text/html
Received on Fri Sep 12 2003 - 20:27:29 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:43 MST