Thanks very much. I think I've got it working now. Below is a snippet from my access log. Looks like they're being denied, right? Also, these lines appear in my cache.log:
2008/05/27 17:38:17| WARNING: suspicious HTTP request contains double CR
2008/05/27 17:38:17| clientProcessRequest: Invalid Request
Is that okay?
access.log snippet
==================
1211935075.466      0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
1211935075.473      0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
1211935075.485      0 219.236.102.44 TCP_DENIED/403 1847 GET http://www.google.cn/ - NONE/- text/html
1211935097.147      0 217.20.115.156 NONE/400 2431 GET error:double-CR - NONE/- text/html
1211935075.540      0 80.80.3.130 TCP_DENIED/403 2281 GET http://fly.emirates.com/ - NONE/- text/html
1211935075.551      0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
1211935075.608      0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
1211935075.609      0 78.109.30.208 TCP_DENIED/403 2492 GET http://wap-top.ru/top/count.php? - NONE/- text/html
1211935075.613      0 87.80.92.213 TCP_DENIED/403 379 HEAD http://members.purecfnm.com/ - NONE/- text/html
1211935075.619      0 123.19.141.173 TCP_DENIED/403 2179 GET http://l01.member.mud.yahoo.com/config/pwtoken_get? - NONE/- text/html
1211935075.651      0 80.80.3.130 TCP_DENIED/403 2281 GET http://fly.emirates.com/ - NONE/- text/html
1211935075.879      0 221.219.135.93 TCP_DENIED/403 2295 GET http://afe.specificclick.net/? - NONE/- text/html
Chris-
--- On Tue, 5/27/08, Henrik Nordstrom <henrik_at_henriknordstrom.net> wrote:
> From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
> Subject: Re: [squid-users] Squid Proxy Hijacked By Hackers in China
> To: badaboom003-asdf_at_yahoo.com
> Cc: squid-users_at_squid-cache.org
> Date: Tuesday, May 27, 2008, 3:11 PM
> On Tue, 2008-05-27 at 14:44 -0700, badaboom003-asdf_at_yahoo.com wrote:
> > Hi,
> > 
> > I upgraded to 3.0. The access log got blown away when I upgraded... Is the following configuration correct for 3.0? Am I missing anything necessary for security?
> 
> For completeness I would also use never_direct allow all. It shouldn't be needed, but also doesn't hurt and gives you additional security just in case.
> 
> Regards
> Henrik
Received on Wed May 28 2008 - 00:58:36 MDT
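
An added example, not part of the original thread: a small Python check that reads access.log lines in the native format shown in the post and separates requests Squid refused (TCP_DENIED) or rejected as malformed (error:...) from requests it actually forwarded upstream. The log lines are constructed with documentation addresses, and the function names are illustrative assumptions.

```python
from collections import Counter

# Constructed sample lines (documentation addresses and hosts), same layout as the post's log.
SAMPLE_LOG = """\
1211935075.466      0 192.0.2.10 TCP_DENIED/403 379 HEAD http://a.example.com/ - NONE/- text/html
1211935075.485      0 192.0.2.11 TCP_DENIED/403 1847 GET http://b.example.net/ - NONE/- text/html
1211935097.147      0 192.0.2.12 NONE/400 2431 GET error:double-CR - NONE/- text/html
1211935098.201    212 198.51.100.7 TCP_MISS/200 5120 GET http://c.example.org/ - DIRECT/203.0.113.5 text/html
"""

def parse_line(line):
    """Split one native-format access.log line into named fields, or return None."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3] or "/" not in parts[8]:
        return None
    result, status = parts[3].split("/", 1)
    hierarchy, peer = parts[8].split("/", 1)
    return {"client": parts[2], "result": result, "status": status,
            "method": parts[5], "url": parts[6], "hierarchy": hierarchy, "peer": peer}

def classify(entry):
    """denied: refused by http_access; rejected: request could not be parsed;
    forwarded: Squid contacted an upstream; served: answered without going upstream."""
    if entry["result"] == "TCP_DENIED":
        return "denied"
    if entry["url"].startswith("error:"):
        return "rejected"
    # Older releases log NONE, newer ones HIER_NONE, when no upstream was contacted.
    if entry["hierarchy"] not in ("NONE", "HIER_NONE"):
        return "forwarded"
    return "served"

def summarize(log_text):
    """Return (counts per class, list of forwarded requests) for a block of log text."""
    counts, forwarded = Counter(), []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        kind = classify(entry)
        counts[kind] += 1
        if kind == "forwarded":
            forwarded.append((entry["client"], entry["method"], entry["url"], entry["peer"]))
    return counts, forwarded

if __name__ == "__main__":
    counts, forwarded = summarize(SAMPLE_LOG)
    print(dict(counts))
    for client, method, url, peer in forwarded:
        print("forwarded:", client, method, url, "->", peer)
```

Any entry in the forwarded list from a client outside the networks the proxy is meant to serve is the case to investigate; a log made up only of denied and rejected entries means those requests were not relayed.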