RE: [squid-users] Web site got hack through squid

Hi Tom,
People should correct me if I am wrong, however a proxy server such as
squid doesn't know the difference between a legitimate web request, and
a malicious one. Both can, and in most cases are required to be
compliant with various networking RFC's. A malformed GET request, for
instance, done with just the right payload (no need to tweak it to work
with squid), and aimed at a sufficiently vulnerable windows box/service
is all it takes. Reverse-shell spawning payload would give the attacker
unlimited to your machine at that point. Since all a proxy server does
is forward web transactions, that service is nearly as vulnerable as if
the box was sitting naked on the Internet. So without knowing more
details, this comes down to a question of how well patched is your web
service?

Hope that helps,
Mark

> -----Original Message-----
> From: Tom Le [mailto:tomle@telus.net]
> Sent: Saturday, September 04, 2004 9:49 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Web site got hack through squid
>
>
> Hi,
>
> I have a website that sits behind squid 2.5 and it got hack
> into today.
> Someone from this ip address,
> 200.148.134.206, has put few files into my website through
> squid. The
> content of the index.html is
>
> "Simiens Crew 2004 Ownz U"
>
> Here is the log from squid
>
> 1094326387.752 899375 200.148.134.206 TCP_MISS/000 0 PUT
> http://<hostname>/index.html - DIRECT/<my website ip adress> -
>
>
> Can any of you give me some insight into this problem, and
> how to tight
> my squid server down?
>
> Thanks
>
>
>
> --
> ----------------------------
> Tom Le
> Phone : (604) 612-6617
> Email : tomle@telus.net
> ----------------------------
>
>
> ******************************************************************
> This electronic communication (email) is intended only for
> the use of the addressee and may contain information which
> is privileged and confidential. If you are not the
> intended recipient, you are hereby notified that any
> dissemination, distribution or copying of this email is
> strictly prohibited. If you have received this email in
> error, please reply to the sender immediately and delete
> the original and all copies. Thank you.
> ******************************************************************
>
>
>
Received on Sat Sep 04 2004 - 23:51:43 MDT