[squid-users] dialer downloads bypassing squid acls

From: Luis Miguel <luism@dont-contact.us>
Date: Fri, 16 Jul 2004 18:52:45 +0200

Hi all, I am using squid to secure access to the web. Using ACLs I stopped certain
people from downloading dangerous files. The problem is that I can't block certain
malicious downloads: these downloads never show the filename in a GET or POST command,
the filename is sent by the server in a MIME header, so squid or squidguard ACLs
can't catch it. This technique is used massively by web trojans/dialers and AFAIK
squid doesn't have a way to stop it and nobody seems to care ..

An example:
http://www.0texkax7c6hzuidk.com/?login=&brokerid=&extlogin=&url=&mediaid=00300214&product=1&iso_country=ES&aol=0 , click on "modem/isdn".

When something requests this URL, the server sends the following MIME header (I grabbed it using log_mime_hdrs = on in squid):

1089995989.529 2701 192.168.0.167 TCP_MISS/200 36267 GET http://fr4-scripts.downloadv3.com/DialerEXE/downloadEXE.php? - DIRECT/62.39.85.20 octet-stream [Host: fr4-scripts.downloadv3.com\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.6) Gecko/20040207 Mozilla/4.0/compatible; MSIE 5.5; Windows NT 4.0; DEV4012; SP4012\r\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\r\nAccept-Language: es-es,es;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nReferer: http://fr4-scripts.downloadv3.com/Common/show_module.php?login=&brokerid=&extlogin=&url=&mediaid=00300214&product=1&iso_country=ES&aol=0&base=F06&quova_country=1.60&original_host=www.0texkax7c6hzuidk.com&browser=MSIE5.5&os=WINNT4&hitsin=0&cache_mode=3&PHPSESSID=d4def75f0ba56b54957f585a3355e937&customid=3260&id_site=81&sp=0&errorcode=14&billing_id=9&asked_billing_id=&custom_param==&=\r\n] [HTTP/1.1 200 OK\r\nDate: Fri, 16 Jul 2004 16:39:47 GMT\r\nServer: Apache/2.0.49 (Fedora)\r\nX-Powered-By: PHP/4.3.6\r\nContent-Disposition: filename=Instant-Access.exe\r\nContent-Length: 149740\r\nConnection: close\r\nContent-Type: octet-stream\r\n\r]

The browser takes the filename from the MIME header field "filename" (filename=Instant-Access.exe). AFAIK the only squid ACL that parses the MIME header sent by the server is rep_mime_type, which is only valid for blocking based on the "Content-Type" field.

We need a way to filter based on the whole replied MIME header or on selected MIME fields (filename) to catch these downloads.

Please tell me if I am wrong about something and if you know a way to filter these downloads correctly.

Best regards.
Received on Fri Jul 16 2004 - 10:52:48 MDT
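An added example, not code from the poster or from Squid: it parses the reply header block exactly as Squid writes it with log_mime_hdrs on (the bracketed part of the log line above, with CRLF escaped as the literal text \r\n), extracts the server-supplied Content-Disposition filename that the message says rep_mime_type cannot see, and decides whether the download should be blocked. The denylist of extensions is an assumption; the sample header is the one from the log line above.

```python
import re
from typing import Dict, Optional, Tuple

# Assumed denylist: extensions the poster already blocks by URL, now matched
# against the filename the server hands the browser instead.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Reply headers copied from the log line in the post (Squid's log_mime_hdrs format).
SAMPLE_REPLY = (r"[HTTP/1.1 200 OK\r\nDate: Fri, 16 Jul 2004 16:39:47 GMT\r\n"
                r"Server: Apache/2.0.49 (Fedora)\r\nX-Powered-By: PHP/4.3.6\r\n"
                r"Content-Disposition: filename=Instant-Access.exe\r\n"
                r"Content-Length: 149740\r\nConnection: close\r\n"
                r"Content-Type: octet-stream\r\n\r]")


def parse_squid_reply_headers(raw: str) -> Dict[str, str]:
    """Turn the bracketed reply block of a log_mime_hdrs line into a dict of
    lower-cased header names. Squid escapes CRLF as the four characters \\r\\n."""
    body = raw.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    headers: Dict[str, str] = {}
    for line in re.split(r"\\r\\n|\\r|\\n", body):
        if ":" not in line or line.startswith("HTTP/"):
            continue  # skip the status line and the empty trailer
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def disposition_filename(headers: Dict[str, str]) -> Optional[str]:
    """Return the filename a browser would use from Content-Disposition, or None.
    Handles quoted and bare values; strips any path component a server smuggles in."""
    cd = headers.get("content-disposition")
    if not cd:
        return None
    m = re.search(r'filename\s*=\s*("([^"]*)"|([^;]+))', cd, re.IGNORECASE)
    if not m:
        return None
    name = (m.group(2) if m.group(2) is not None else m.group(3)).strip()
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def should_block(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Block when the server-supplied filename carries a denylisted extension."""
    name = disposition_filename(headers)
    if name:
        parts = name.lower().rsplit(".", 1)
        if len(parts) == 2 and "." + parts[1] in BLOCKED_EXTENSIONS:
            return True, "Content-Disposition filename %s" % name
    return False, ""
```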
