Re: [squid-users] Squid attack?

From: Denys <nuclearcat@dont-contact.us>
Date: Sat, 24 Feb 2007 17:21:33 +0200

Just check
tcpdump -n -i eth0 -X -s 1500 dst port SQUIDPORT

SQUIDPORT, I guess, must be 3128.

Then just look at what kind of requests are there; maybe you will see headers of
software, possibly dansguardian headers.
Also try to stop dansguardian and see if the logs still continue.
Do
netstat -anp|grep 3128
to see who is connecting to the squid port.

On Sat, 24 Feb 2007 15:15:26 +0000, Paul wrote
> DansGuardian is on 8080 and that's closed to all but my LAN. I do
> have 5801 and 5901 open for remote desktop, but I doubt that's a problem.
> Is there a way to misconfigure apache2 to enable open proxy?
>
> On Sat, 2007-02-24 at 09:21 +0100, Henrik Nordstrom wrote:
> > Sat 2007-02-24 at 08:28 +0100, Henrik Nordstrom wrote:
> >
> > > To diagnose after you have made changes somehow stopping the abuse then
> > > checking all logs in detail is the only available, or maybe tcpdump
> > > looking for users still trying to access the service and from that
> > > derive how they gained access in the first place..
> >
> > One educated guess: Maybe the port dansguardian is listening on is
> > accessible from the outside.
> >
> > Regards
> > Henrik

--
Virtual ISP S.A.L.
Received on Sat Feb 24 2007 - 08:21:59 MST
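
An added example (not from any poster in this thread): a shell function that tabulates the output of the netstat -anp check suggested above by peer address, so that connections to the Squid or DansGuardian port from outside the LAN stand out. The function names, the LAN range 192.168.1.0/24 and the sample connection table are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads `netstat -anp` output on stdin and counts the peers
# with ESTABLISHED TCP connections to local PORT, classifying each peer as
# LOOPBACK, LAN (inside LAN_CIDR), EXTERNAL or UNCLASSIFIED (not IPv4).
# Usage: netstat -anp | proxy_peers PORT LAN_CIDR
proxy_peers() {
    awk -v port="$1" -v cidr="$2" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(cidr, c, "/")
        size = 2 ^ (32 - c[2])            # addresses per network
        net = int(ip2int(c[1]) / size)    # network number of the LAN
    }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        n = split($4, l, ":")             # last piece of Local Address = port
        if (l[n] != port) next
        m = split($5, f, ":")             # f[m-1] also handles ::ffff:a.b.c.d
        peer = f[m - 1]
        if (peer !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) peer = $5
        count[peer]++
    }
    END {
        for (p in count) {
            if (p !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) where = "UNCLASSIFIED"
            else if (p ~ /^127\./) where = "LOOPBACK"
            else if (int(ip2int(p) / size) == net) where = "LAN"
            else where = "EXTERNAL"
            printf "%d %s %s\n", count[p], p, where
        }
    }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample: DansGuardian on 8080, Squid on 3128 (hypothetical hosts).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:3128       0.0.0.0:*           LISTEN      2201/(squid)
tcp        0      0 0.0.0.0:8080       0.0.0.0:*           LISTEN      2150/dansguardian
tcp        0      0 127.0.0.1:3128     127.0.0.1:40112     ESTABLISHED 2201/(squid)
tcp        0      0 192.168.1.1:8080   192.168.1.20:51234  ESTABLISHED 2150/dansguardian
tcp        0      0 203.0.113.5:3128   198.51.100.7:40001  ESTABLISHED 2201/(squid)
tcp        0      0 203.0.113.5:3128   198.51.100.7:40002  ESTABLISHED 2201/(squid)
tcp        0      0 192.168.1.1:3128   192.168.1.30:51300  ESTABLISHED 2201/(squid)
EOF
}

sample_netstat | proxy_peers 3128 192.168.1.0/24
```

If DansGuardian forwards to Squid over loopback, Squid sees those requests as coming from 127.0.0.1, so run the same tabulation against the DansGuardian port (8080 in this thread) as well.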
