Re: [squid-users] SECURITY ALERT: Squid Cache: Version 3.2.0.13

From: David Touzeau <david_at_touzeau.eu>
Date: Thu, 01 Dec 2011 17:51:40 +0100

On Thursday 01 December 2011 at 09:58 +0100, David Touzeau wrote:
> On Wednesday 30 November 2011 at 11:14 +1300, Amos Jeffries wrote:
> > On Tue, 29 Nov 2011 22:48:39 +0100, David Touzeau wrote:
> > > Dear
> > >
> > > I'm trying to run Squid Cache: Version 3.2.0.13-20111127-r11436 in
> > > transparent mode
> > >
> > > But squid refuses access to some websites
> > > for example google.* is ok
> > >
> > > but microsoft is impossible.
> > >
> > > How to fix this issue?
> >
> > Track down the client software which is producing the requests.
> >
> > >
> > > On event :
> > >
> >
> >
> > ... missing log line...
> >
> > > Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent:
> > > Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> > > InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> > > 3.0.4506.2152; .NET CLR 3.5.30729)
> > > Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL:
> > > http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
> >
> > ... missing log line...
> >
> > > Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: By user agent:
> > > Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> > > InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> > > 3.0.4506.2152; .NET CLR 3.5.30729)
> > > Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: on URL:
> > > http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
> >
> >
> > Which brings us back to the question of where the key log line has
> > disappeared to.
> >
> > The log line which says "Host header forgery from $C ($A does not
> > match $B)"
> >
> > What those $ values are is important to how to fix it. $C is the
> > connection details needed to isolate the machine to investigate. $A
> > and $B are the details which it is getting wrong.
> >
> > Amos
> >
>
>
> I have made other tests
>
> Here is the dump.
>

Here is the log without debug:

2011/12/01 17:51:50.739 kid1| SECURITY ALERT: Host header forgery
detected on local=65.55.12.249:80 remote=192.168.1.228:1130 FD 25
flags=33 (local IP does not match any domain IP)
2011/12/01 17:51:50.739 kid1| SECURITY ALERT: By user agent: Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; MS-RTC
LM 8; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
2011/12/01 17:51:50.739 kid1| SECURITY ALERT: on URL:
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Received on Thu Dec 01 2011 - 16:51:56 MST
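An added example, not from the thread or from Squid itself: a small Python parser for the three-line alert shown in the last log above. It extracts the details Amos asked for (the client connection, the intercepted destination IP, and the Host-header domain it was checked against) and groups them per client so the machine to investigate can be isolated. The sample log is constructed from the message's own lines plus one invented second client (10.0.0.5 / 192.168.1.77 / example.invalid), and it assumes each alert occupies a single cache.log line, the wrapping in the e-mail being the mailer's.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: first alert copied from the message above (re-joined
# onto single lines), second alert invented to show grouping by client.
SAMPLE_LOG = """\
2011/12/01 17:51:50.739 kid1| SECURITY ALERT: Host header forgery detected on local=65.55.12.249:80 remote=192.168.1.228:1130 FD 25 flags=33 (local IP does not match any domain IP)
2011/12/01 17:51:50.739 kid1| SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
2011/12/01 17:51:50.739 kid1| SECURITY ALERT: on URL: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
2011/12/01 17:52:01.004 kid1| SECURITY ALERT: Host header forgery detected on local=10.0.0.5:80 remote=192.168.1.77:49152 FD 31 flags=33 (local IP does not match any domain IP)
2011/12/01 17:52:01.004 kid1| SECURITY ALERT: By user agent: ExampleAgent/1.0
2011/12/01 17:52:01.004 kid1| SECURITY ALERT: on URL: http://example.invalid/path
"""

# The "detected on" line carries the connection: local= is the intercepted
# destination (the IP the client actually connected to), remote= the client.
FORGERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>[\d.]+):(?P<lport>\d+) remote=(?P<remote>[\d.]+):(?P<rport>\d+)"
    r" FD \d+ flags=\d+ \((?P<reason>[^)]*)\)")
UA_RE = re.compile(r"SECURITY ALERT: By user agent: (?P<ua>.*)$")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)$")


def parse_alerts(text):
    """Group each forgery line with the 'By user agent' / 'on URL' lines that
    follow it. Returns one dict per alert; url_host is the Host-header domain
    whose resolved IPs the local= address failed to match."""
    alerts, current = [], None
    for line in text.splitlines():
        m = FORGERY_RE.match(line)
        if m:
            current = m.groupdict()
            current["ua"] = current["url"] = current["url_host"] = None
            alerts.append(current)
            continue
        if current is None:          # stray line outside an alert triple
            continue
        m = UA_RE.search(line)
        if m:
            current["ua"] = m.group("ua")
            continue
        m = URL_RE.search(line)
        if m:
            current["url"] = m.group("url")
            current["url_host"] = urlparse(m.group("url")).hostname
            current = None           # triple complete
    return alerts


def clients_to_investigate(alerts):
    """Map each client IP to the (Host-header domain, destination IP) pairs it
    sent that did not agree; this is the list of machines to track down."""
    by_client = defaultdict(set)
    for a in alerts:
        by_client[a["remote"]].add((a["url_host"], a["local"]))
    return dict(by_client)
```

Feed it the real cache.log and the per-client summary tells you which hosts on the LAN are emitting mismatched Host headers and which destinations they pair with.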

This archive was generated by hypermail 2.2.0 : Fri Dec 02 2011 - 12:00:01 MST