Re: [squid-users] SECURITY ALERT: Squid Cache: Version 3.2.0.13

From: David Touzeau <david_at_touzeau.eu>
Date: Thu, 01 Dec 2011 09:58:47 +0100

On Wednesday 30 November 2011 at 11:14 +1300, Amos Jeffries wrote:
> On Tue, 29 Nov 2011 22:48:39 +0100, David Touzeau wrote:
> > Dear
> >
> > I'm trying to make Squid Cache: Version 3.2.0.13-20111127-r11436 on
> > transparent mode
> >
> > But squid refuses to access some websites
> > for example google.* is ok
> >
> > but microsoft is impossible.
> >
> > How to fix this issue?
>
> Track down the client software which is producing the requests.
>
> >
> > On event :
> >
>
>
> ... missing log line...
>
> > Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent:
> > Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> > InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> > 3.0.4506.2152; .NET CLR 3.5.30729)
> > Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL:
> > http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
>
> ... missing log line...
>
> > Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: By user agent:
> > Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> > InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> > 3.0.4506.2152; .NET CLR 3.5.30729)
> > Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: on URL:
> > http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
>
>
> Which brings us back to the question of where the key log line has
> disappeared to.
>
> The log line which says "Host header forgery from $C ($A does not match
> $B)"
>
> What those $ values are is important to how to fix it. $C is the
> connection details needed to isolate the machine to investigate. $A and
> $B the details which it is getting wrong.
>
> Amos
>

I have made other tests.

Here is the dump.

Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/42/72A83D0D39814D13CA15F184E71D2.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/F4/9DC6A31D2F48971E8CF184EAF3ACFF.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/B5/2BC4D612CC1DB446582EB29AD4FF0.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/B3/F358459610F7EE4285351371CB3A.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb01.s-msn.com/i/4B/9571894AD3B49F1AFBDFB6A0AB929.gif
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/98/FD8C6B5E35BB28EE6D5D7CAA46C48.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/FF/976AED20082B54679EAB83F1C3.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/48/B6F62B8F241454CD698D3CE9DB625.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb01.s-msn.com/i/9B/BBD5BC1B0962CA282508E1A7FB4A0.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/1F/C76A82B18F7D1B3C54BA91EC4C250.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb01.s-msn.com/i/19/876FD0FCBCE1923D3FB6CA6FECD496.jpg
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb01.s-msn.com/i/7D/52D12418B630F1586B7DD29B40D77D.jpg
Dec 1 09:56:22 squid2 squid[28754]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:22 squid2 squid[28754]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/1C/B916E20FDBAABD2FE380EB8B6AEC.jpg
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb01.s-msn.com/i/46/274F185AF2C2D85E1F2FC5977F13.jpg
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/89/9730F0C17E6AA0923B57F951F66C.jpg
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/3E/79B4983F93A12DE76E55D51751E1.jpg
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/A3/64CA40A819E687F1CB52BF66D902A.jpg
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL:
http://est.msn.com/as/wea3/i/fr/30.gif
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/BD/3BC65FAD6B399ADBCB3C6FD9EADB46.jpg
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb00.s-msn.com/i/94/131CFF71AB21EE8A9EB69B23433160.jpg
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL:
http://db2.stb01.s-msn.com/i/14/9F75B0374DDCFA47C519D174ABF1B.jpg
Dec 1 09:56:24 squid2 squid[28798]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Dec 1 09:56:24 squid2 squid[28798]: SECURITY ALERT: on URL:
http://ads2.msads.net/CIS/62/000/000/000/021/771.gif
Received on Thu Dec 01 2011 - 08:58:58 MST
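
The diagnosis in this thread depends on whether each alert carries the "Host header forgery" line with its $C, $A and $B values. As an added example (not part of the original messages and not Squid project code), this Python script rejoins mail-wrapped syslog records, groups them into alerts, and lists the hosts whose alerts lack that line; the forgery-line pattern follows the wording quoted in the thread, and the sample records and their addresses are constructed.

```python
import re
from urllib.parse import urlsplit

TS = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")  # start of a syslog record
ALERT = re.compile(r"squid\[(\d+)\]: SECURITY ALERT: (.*)$")
# Wording as quoted in the thread; the exact text in a given Squid build is an assumption.
FORGERY = re.compile(r"^Host header forgery from (\S+) \((.+) does not match (.+)\)$")

# Constructed sample: one alert without the key line, one with it (placeholder values).
SAMPLE = """\
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0)
Dec 1 09:56:23 squid2 squid[28798]: SECURITY ALERT: on URL:
http://est.msn.com/as/wea3/i/fr/30.gif
Dec 1 09:56:25 squid2 squid[28798]: SECURITY ALERT: Host header forgery from 192.0.2.10:51234
(198.51.100.7 does not match www.example.com)
Dec 1 09:56:25 squid2 squid[28798]: SECURITY ALERT: By user agent: ExampleAgent/1.0
Dec 1 09:56:25 squid2 squid[28798]: SECURITY ALERT: on URL: http://www.example.com/
"""

def unwrap(lines):  # rejoin records that the mail client wrapped across lines
    records = []
    for line in (l.strip() for l in lines):
        if TS.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def parse_alerts(lines):
    """Return one dict per alert; 'forgery' is None when the key line is absent."""
    alerts, pending = [], {}
    for m in filter(None, map(ALERT.search, unwrap(lines))):
        pid, body = m.groups()
        cur = pending.setdefault(pid, {"pid": pid, "forgery": None, "user_agent": None})
        f = FORGERY.match(body)
        if f:  # keys follow the thread's $C, $A, $B
            cur["forgery"] = dict(zip(("client", "a", "b"), f.groups()))
        elif body.startswith("By user agent:"):
            cur["user_agent"] = body.split(":", 1)[1].strip()
        elif body.startswith("on URL:"):
            cur["url"] = body.split(":", 1)[1].strip()
            alerts.append(pending.pop(pid))  # the URL line closes one alert
    return alerts

def hosts_missing_key_line(alerts):
    """Hosts whose alerts lack the forgery line needed to identify the client."""
    return sorted({urlsplit(a["url"]).hostname for a in alerts if a["forgery"] is None})
```
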
