Re: [squid-users] Forward loop detected: what does this mean?

On 20/05/11 19:06, Boniforti Flavio wrote:
> Hello again Amos, you're precious debugger of my situation! :-)
>
>>> What you see there are some services redirected to my
>> internal servers
>>> and the rule for intercepting web traffic...
>>
>> Okay. Looks okay. The use of "eth0" replaces a specific Squid bypass.
>> Squid will be using the Internet link eth1.
>
> Sorry, but I don't understand the above statement. What do you mean by
> "replaces a specific Squid bypass"?

I mean its fine. Squid outbound traffic does not get caught by your rules.

> [cut]
>
>>> What could this be meaning? It look like the PC is trying
>> to connect
>>> to the proxy port 3128, which is then directed to itself... uh?!
>>
>> Yes, this is the access.log displayed for all the forwarding
>> attempts which failed. For each "Forward loop detected" there
>> will be one or more of these in access.log to show the
>> request which was forwarded to Squid then abandoned.
>>
>> The transaction looks something like this:
>> client ->
>> squid (access.log "000" / request aborted by server) ->
>> squid (access.log "000" / request aborted by server) ->
>> squid (cache.log "forward loop" abort)
>
> OK: Squid is aborting the request to connect to itself because of design
> and setup, right?
>

Yes.

>> Congratulations, active use of the CVE-2009-0801 vulnerabilities.
>> I would be grateful if you could provide any detailed info
>> about the malware seen on the client box and the traffic
>> itself ("tcpdump -s0"
>> traces would be great). If this can be confirmed as the
>> malware and not just a forward-proxy config in the client
>> browser I'm going to have to make an announcement that its
>> finally gone wild.
>
> What would have gone wild there?

A vulnerability "gone wild" aka implemented in some malware...

.. or in this case, it appears, some security penetration testing
software. Somehow installed on a users PC.

> Here you can find trace: http://www.sendspace.com/file/ij5qpe
>

Sorry, that seems to be a summary packet log. Just confirms that the PC
and Squid are chattering away. I need it to be a full binary packet
dump. The binary bit is saved with -w to a file.
So "tcpdump -s0 -w infected-dump.cap" should grab the bit I need to look at.
  If its already cleaned up thats fine. This is just for my interest to
confirm details.

> I now re-attached the "infected" PC to the network and with "netstat
> -nab" (it's a Win7 PC) I catched the process.
> It's McSvHost.exe, which tries to connect to *every IP* on the subnet on
> port 80!!!
> It seems to be part of some McAfee suite (which in fact is installed on
> the client PC). After uninstalling that McAfee software, it didn't
> happen anymore.

Could be "McAfee Network Security Agent" doing a network-wide scan/check?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1