I have seen unpatched Win2K running IIS just allowing executables to be run via manipulated URL encoding. When I was reverse proxying our internal IIS/Win2K servers, I used to have ACLs in squid:

1. preventing requests with \.cmd \.exe \.com etc.
2. allowing PUT only with access control,

because I could not ensure that the admins of those servers always kept them patched properly. In this scheme, squid fits perfectly. Maybe this is useful....
Sunil

>>> "Mar Matthias Darin" <[EMAIL PROTECTED]> 09/05/04 03:21PM >>>
Tom Le writes:
> Hi,
>
> I have a website that sits behind squid 2.5 and it got hacked into today.
> Someone from this IP address, 200.148.134.206, has put a few files into my
> website through squid. The content of the index.html is
>
> "Simiens Crew 2004 Ownz U"
>
> Here is the log from squid
>
> 1094326387.752 899375 200.148.134.206 TCP_MISS/000 0 PUT http://<hostname>/index.html - DIRECT/<my website ip address> -
>
> Can any of you give me some insight into this problem, and how to tighten
> my squid server down?

See previous post and add the following to your squid config:

add the below to your ACL section

acl GETONLY method GET

add this one to the *beginning* of your http_access section

http_access deny !GETONLY

Note that this will STOP all requests that are not GETs. This is an extreme approach. A better way might be to list all valid IPs you expect and then

http_access deny !VALIDIPS

Also use authentication esp. if you are providing a public proxy service.
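Putting the two suggestions in this thread together as one squid.conf fragment for a reverse proxy in front of an IIS/Win2K origin (an added example, not configuration posted by either writer; the ACL names, the 192.0.2.0/24 publisher range and the exact extension list are assumptions):

```squid
# Added example: squid 2.5-style ACLs combining the method restriction
# from the reply above with the extension filter and PUT access control
# described by Sunil. Accelerator directives (httpd_accel_*) are not shown.

# --- ACL definitions -------------------------------------------------
# HTTP methods we want to treat differently.
acl GETONLY method GET
acl PUTREQ  method PUT

# Assumed address range of the hosts trusted to publish content.
acl VALIDIPS src 192.0.2.0/24

# Requests whose URL path ends in an executable-style extension, matched
# case-insensitively; the list is an assumption, extend it for your site.
acl EXECS urlpath_regex -i \.(cmd|exe|com|bat|dll)$

# --- http_access rules (first match wins, so order matters) ----------
# 1. Never forward requests for executables to the origin, whoever asks.
http_access deny EXECS

# 2. PUT is allowed only from the trusted publisher range; any other PUT
#    falls through to rule 3 and is denied, which is what would have
#    stopped the defacement logged as "TCP_MISS/000 0 PUT" above.
http_access allow PUTREQ VALIDIPS

# 3. Everything that is not a GET is refused. This also blocks POST and
#    HEAD, so add those to a method ACL if the site needs forms.
http_access deny !GETONLY

# 4. Plain GETs from anyone reach the origin (this is a public site).
http_access allow all

# Caveat: the regex is applied to the URL path as squid parsed it, so
# percent-encoded variants may not match. Treat these ACLs as a second
# layer in front of patching, not a replacement for it.
```

After editing, run `squid -k parse` to check the syntax and `squid -k reconfigure` to load it; then confirm a test PUT from an untrusted address is logged as TCP_DENIED.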
