[squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

From: kk CHN <kkchn.cdac@dont-contact.us>
Date: Fri, 28 Mar 2008 10:27:26 +0530

People: on my server box, I am using squid as an HTTP accelerator;
the setup is as follows

Flow of requests from users should be like this

squid listens on public ip port:80 ---> apache (127.0.0.1:80) ---
RewriteRule for apache to ---> zope:8080/plonesite

Important NOTE: for the last couple of days I have been experiencing
that my plone site on zope:8080 becomes not accessible 5/6
hours after I restart the services:

when I run the command # `sockstat -4p 80`
here I can see a specific IP address (164.115.5.2) connecting
directly and using python2.4, as pasted below.

(My question is: is it normal for this foreign IP address to be connecting to
my public IP and executing python2.4? Can I suspect this foreign IP
address as an attacker?)

Many of you may be aware of what this is, and let me request you to share
your information with me.

Thanks in advance
KK

$ sockstat -4p 80
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 73932 3 tcp4 127.0.0.1:80 *:*
www python2.4 44496 20 tcp4 my_Serverbox_public_IPAddress:65287 164.115.5.2:80
www python2.4 44496 30 tcp4 my_Derverbox_public_IPAddress:64313 164.115.5.2:80
www httpd 849 3 tcp4 127.0.0.1:80 *:*
squid squid 603 9 tcp4 my_box_public_IPAddress:80 203.194.194.254:43451
squid squid 603 11 tcp4 my_Serverbox_public_IPAddress:80 *:*
squid squid 603 13 tcp4 127.0.0.1:55663 127.0.0.1:80
www httpd 516 3 tcp4 127.0.0.1:80 *:*
www httpd 515 3 tcp4 127.0.0.1:80 *:*
www httpd 514 3 tcp4 127.0.0.1:80 *:*
www httpd 514 18 tcp4 127.0.0.1:80 127.0.0.1:55663
root httpd 502 3 tcp4 127.0.0.1:80 *:*
$ su
Received on Thu Mar 27 2008 - 22:57:34 MDT
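
An added example, not part of the original message: one way to triage a `sockstat -4` listing like the one pasted above is to label each row as listening, inbound or outbound by comparing its local port with the ports that have a listening socket. The sample rows are constructed from the post's listing, 192.0.2.10 is a placeholder for the server's public address, and the function names are hypothetical.

```python
# Added example: classify `sockstat -4` rows by connection direction.
# SAMPLE is constructed from the listing in the post; 192.0.2.10 is a
# placeholder (assumption) for the server's public address.
SAMPLE = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 73932 3 tcp4 127.0.0.1:80 *:*
www python2.4 44496 20 tcp4 192.0.2.10:65287 164.115.5.2:80
www python2.4 44496 30 tcp4 192.0.2.10:64313 164.115.5.2:80
squid squid 603 9 tcp4 192.0.2.10:80 203.194.194.254:43451
squid squid 603 11 tcp4 192.0.2.10:80 *:*
squid squid 603 13 tcp4 127.0.0.1:55663 127.0.0.1:80
www httpd 514 18 tcp4 127.0.0.1:80 127.0.0.1:55663
"""

def parse(text):
    """Return one dict per socket row; header and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or f[0] == "USER":
            continue
        rows.append(dict(user=f[0], command=f[1], pid=int(f[2]),
                         local=f[5], foreign=f[6]))
    return rows

def classify(rows):
    """Label each row listen / inbound / outbound, and loopback-only or not."""
    # A socket with foreign "*:*" is listening; remember those local ports.
    listening = {r["local"].rsplit(":", 1)[1] for r in rows if r["foreign"] == "*:*"}
    out = []
    for r in rows:
        if r["foreign"] == "*:*":
            direction = "listen"
        elif r["local"].rsplit(":", 1)[1] in listening:
            direction = "inbound"    # peer connected to one of our listeners
        else:
            direction = "outbound"   # local ephemeral port: this process dialed out
        loopback = r["local"].startswith("127.") and r["foreign"].startswith(("127.", "*"))
        out.append({**r, "direction": direction, "loopback": loopback})
    return out

def external_outbound(text):
    """(command, pid, foreign) for connections local processes opened to remote hosts."""
    return sorted({(r["command"], r["pid"], r["foreign"])
                   for r in classify(parse(text))
                   if r["direction"] == "outbound" and not r["loopback"]})

if __name__ == "__main__":
    for r in classify(parse(SAMPLE)):
        print(f'{r["direction"]:8} {r["command"]:10} {r["local"]} -> {r["foreign"]}')
```

The port comparison is a heuristic: it assumes no local ephemeral port happens to equal a listening port number.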
