[squid-users] squid cache poisoning

From: vikram mohite <vvm2k@dont-contact.us>
Date: Thu, 18 Dec 2003 16:20:23 +0530

Hi,

We are running two squid proxies, one with RedHat 8.0 and the other RedHat
9.0, with default kernels.

Interscan viruswall ver. 3.8 is also running on both the proxies and is
acting as parent proxy for the squid proxies.

The squid version and config parameters are as given below.

# /usr/local/squid/sbin/squid -v
Squid Cache: Version 2.5.STABLE3
configure options: --enable-async-io --enable-carp

The hardware configs of both the proxies are exactly the same (HP DL 580,
16GB RAM, 4 x 72 GB HDD). There are three cache directories of 60 GB disk
space each (three partitions /cache1, /cache2 and /cache3 with reiserfs
FS) on each proxy, i.e. a total of 180GB cache.

For the last few days we have been facing a very strange problem, as described below.

Whenever a user tries to access a few sites, e.g. www.google.com,
www.rediff.com, www.indiatimes.com, www.yahoo.com and many more, all
s/he gets is the coolsavings.com web page.

We suspected some adware might have got installed on the local client machine,
so we cleared all local cache, cookies etc. and tried again, but the problem
continued. We then tried through lynx and links from linux desktops and the
problem persisted there also.

We then stopped squid, cleared the cache and restarted again. It worked for a
few minutes but then the whole thing started again, with users only able to see
coolsavings.com pages.

We then stopped squid entirely and diverted all user traffic through
viruswall acting as a proxy, and it worked fine. We then recompiled squid
with the null storeio option and started squid without caching enabled, and it
worked fine.

But since we could not work without cache and could not use viruswall as
proxy, we had to find another solution. We then blocked coolsavings.com on the
proxy with IPTABLES rules and it resolved the problem.

To understand the problem we removed the IPTABLES rules, cleared the cache again
and put ethereal on a client machine. When the problem reoccurred we captured
the entire TCP stream. We again cleared the cache and opened the captured
page, which immediately reproduced the problem. The problem was also
reproduced on all other client machines accessing the proxy.

Strangely, I have not been able to reproduce the problem on any other squid
proxy running the same version of squid (diff hardware config but same
squid.conf).

Now I have put the firewall rules back and everything is working fine, but
I'm unable to find the cause of the problem.

Kindly help

Regards
Vikram
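The diagnosis above boils down to one observation: the copy Squid served from its cache differed from what the origin site returned when caching was bypassed. The following added script is not part of the thread and not Squid's own tooling; it automates that client-side comparison. It fetches each URL through the proxy twice, once normally (eligible for a cache HIT) and once with `Cache-Control: no-cache` / `Pragma: no-cache` so Squid must go back to the origin, then flags URLs whose two answers disagree. The proxy address, the URL list and the `fetcher` hook are assumptions made for this example.

```python
"""Client-side consistency check between a Squid cache HIT and a forced origin refetch.

Added example (not from the squid-users thread). Assumptions: PROXY points at a
Squid instance, the URLs are plain HTTP, and Squid honours request no-cache
headers (its default behaviour) by refetching from the origin.
"""
import hashlib
import re
import urllib.request

PROXY = "http://127.0.0.1:3128"  # assumption: local Squid listening on 3128


def fetch_via_proxy(url, fresh, proxy=PROXY, timeout=10):
    """Fetch url through the proxy.

    fresh=False lets Squid answer from cache if it has the object.
    fresh=True sends no-cache headers so Squid must refetch from the origin.
    """
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    opener = urllib.request.build_opener(handler)
    headers = {"User-Agent": "cache-consistency-check/1.0"}
    if fresh:
        headers["Cache-Control"] = "no-cache"
        headers["Pragma"] = "no-cache"
    req = urllib.request.Request(url, headers=headers)
    with opener.open(req, timeout=timeout) as resp:
        return resp.read()


def fingerprint(body):
    """Summarise a response body: SHA-256 of the bytes plus the HTML <title>, if any."""
    match = re.search(rb"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    title = match.group(1).strip().decode("utf-8", "replace") if match else ""
    return {"sha256": hashlib.sha256(body).hexdigest(), "title": title}


def check_urls(urls, fetcher=fetch_via_proxy):
    """Return one finding per URL.

    'suspect' is True when the copy Squid serves normally disagrees with a forced
    origin refetch. Titles are compared when both responses have one, because
    dynamic pages change between fetches and a raw hash would be noisy; the hash
    is the fallback for bodies without a title.
    """
    findings = []
    for url in urls:
        cached = fingerprint(fetcher(url, fresh=False))
        origin = fingerprint(fetcher(url, fresh=True))
        if cached["title"] and origin["title"]:
            suspect = cached["title"] != origin["title"]
        else:
            suspect = cached["sha256"] != origin["sha256"]
        findings.append({
            "url": url,
            "cached_title": cached["title"],
            "origin_title": origin["title"],
            "suspect": suspect,
        })
    return findings


if __name__ == "__main__":
    # Assumed URL list; substitute the sites that show the wrong page.
    for f in check_urls(["http://www.google.com/", "http://www.yahoo.com/"]):
        flag = "SUSPECT" if f["suspect"] else "ok"
        print(f'{flag:8} {f["url"]}  cached="{f["cached_title"]}"  origin="{f["origin_title"]}"')
```

A SUSPECT result only says the cached object and the origin disagree; the next step is to pull the object itself (for example with `squidclient` against the same URL) and look at the stored headers, since a cache-poisoning attempt usually leaves its trace in the response headers the cache accepted rather than in the body alone.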

Received on Thu Dec 18 2003 - 03:50:25 MST

This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:16 MST