RE: [squid-users] virus attack result in squid slowdown

From: Elsen Marc <elsen@dont-contact.us>
Date: Thu, 28 Oct 2004 09:11:46 +0200

 
>
> there are 3 squid servers in our network and all of
> them are separated from each other. Recently, one of
> our servers started to act strangely. After some inspection
> of cache.log, we found at least a few thousand lines
> of the below log :-
>
> Request header is too large (24575 bytes)
>
> Further inspection leads to checking the cache manager
> menu under Cache Client List. We found that most of
> the infected user has these attributes :-
>
> Address: 192.168.25.100
> Name: 192.168.25.100
> Currently established connections: 0
> ICP Requests 0
> HTTP Requests 2808
> NONE 2800 100%
>
> Address: 192.168.23.80
> Name: 192.168.23.80
> Currently established connections: 0
> ICP Requests 0
> HTTP Requests 7184
> NONE 6330 88%
>
> ....
>
> Some of them even have 30000 NONE requests. We
> scanned the infected users and the only virus/worm
> detected is worm_sdbot.se. FYI, we are using
> Trendmicro's sysclean to scan. After deleting the
> virus, they still try to send requests to port 80 and the
> request remains at 24575 bytes. Any idea of what is
> happening here? Thanks.
>
 
To find out what is happening, check access.log and look at
what kind of requests these clients are (still) sending to SQUID.

M.
Received on Thu Oct 28 2004 - 01:12:35 MDT
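The access.log check suggested above can be scripted. The following is an added example, not code from the thread or from the Squid project: it parses lines in Squid's native access.log format, tallies per client how many requests ended with a NONE result (a request Squid rejected or could not serve, such as the oversized headers the original post describes), and lists clients whose traffic is mostly such requests. The sample log lines are constructed, the `error:invalid-request` URL token is a placeholder for whatever your Squid version writes for rejected requests, and the thresholds are assumptions to tune for your site.

```python
import sys
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
# The "NONE/400 ... error:invalid-request" entries are placeholders for requests
# Squid rejected before serving anything; they are not copied from a real log.
SAMPLE_LOG = """\
1098954706.123    5 192.168.25.100 NONE/400 1900 GET error:invalid-request - NONE/- text/html
1098954706.456    3 192.168.25.100 NONE/400 1900 GET error:invalid-request - NONE/- text/html
1098954707.001  210 192.168.1.10 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/192.0.2.1 text/html
1098954707.550    4 192.168.23.80 NONE/400 1900 GET error:invalid-request - NONE/- text/html
1098954708.010   15 192.168.1.10 TCP_HIT/200 2048 GET http://www.example.com/logo.gif - NONE/- image/gif
1098954708.300    2 192.168.25.100 NONE/400 1900 GET error:invalid-request - NONE/- text/html
"""


def parse_access_log(text):
    """Split native-format log lines into the fields this check needs."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated or malformed lines rather than crash
        result, _, status = fields[3].partition("/")
        records.append({
            "client": fields[2],
            "result": result,   # e.g. TCP_MISS, TCP_HIT, NONE
            "status": status,   # HTTP status Squid returned
            "method": fields[5],
            "url": fields[6],
        })
    return records


def client_summary(records):
    """Per client: total requests, NONE-result requests, and the URLs seen on them."""
    summary = defaultdict(lambda: {"total": 0, "none": 0, "urls": set()})
    for rec in records:
        entry = summary[rec["client"]]
        entry["total"] += 1
        if rec["result"] == "NONE":
            entry["none"] += 1
            entry["urls"].add(rec["url"])
    return dict(summary)


def suspect_clients(summary, min_requests=3, min_ratio=0.8):
    """Clients with at least min_requests hits where NONE results dominate.

    Thresholds are assumptions; lower min_ratio if your clients normally
    produce some rejected requests. Returns (client, total, none_ratio) tuples,
    busiest client first.
    """
    suspects = []
    for client, entry in summary.items():
        ratio = entry["none"] / entry["total"]
        if entry["total"] >= min_requests and ratio >= min_ratio:
            suspects.append((client, entry["total"], round(ratio, 2)))
    return sorted(suspects, key=lambda t: t[1], reverse=True)


def main(path=None):
    # Usage: python check_squid_none.py /var/log/squid/access.log
    text = open(path).read() if path else SAMPLE_LOG
    summary = client_summary(parse_access_log(text))
    for client, total, ratio in suspect_clients(summary):
        urls = ", ".join(sorted(summary[client]["urls"]))
        print(f"{client}: {total} requests, {ratio:.0%} NONE results; urls: {urls}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run against the real access.log once the cleaned hosts are back on the network: a client that still shows up here with a high NONE ratio is still sending the malformed requests the poster saw, regardless of what the desktop scanner reports.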