Quoting Henrik Nordstrom <[EMAIL PROTECTED]>:

>
>
> On Wed, 20 Oct 2004, oke wrote:
>
> > Can you tell me which pattern to grep to checkout existence of virus
> > or spyware?
>
> A common sign is lots of request for random IP addresses, or very high
> failure ratio (TCP_MISS/5XX or TCP_MISS/404)
>
> Regards
> Henrik
>


And also, look for many:
 TCP_DENIED/407  : software unable to authenticate (if you use authentication)
 TCP_DENIED/400  : misconfigured automatic software trying to access wrong URLs

for example:
407 : a widespread PDF reader v6.0.0 (corrected in v6.0.1)
400 : misconfigured yahoo toolbar accessing companion site with ";" in the URL


# field 4 of the native squid access.log format is "code/status"
awk '$4 ~ /TCP_DENIED\/400/' /usr/local/squid/logs/access.log


Andrew.
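The heuristics from this thread (a high ratio of TCP_MISS/404 and TCP_MISS/5xx, many requests to bare IP addresses, and repeated TCP_DENIED/407 or TCP_DENIED/400) combined into one per-client report over the native access.log format. This is an added example, not code from the original mail or from the Squid project; the log lines are constructed, and the thresholds are assumptions to be tuned against your own baseline traffic.

```python
"""Flag proxy clients whose squid access.log traffic looks like malware or
broken software. Added example; sample lines and thresholds are assumptions."""
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Thresholds are assumptions; tune them to your own baseline traffic.
MIN_MISSES = 5       # need this many TCP_MISS before judging the failure ratio
FAIL_RATIO = 0.5     # (TCP_MISS/404 + TCP_MISS/5xx) / all TCP_MISS
MIN_IP_HOSTS = 5     # distinct bare-IP destinations
MIN_DENIED = 5       # TCP_DENIED/407 or TCP_DENIED/400 hits

# Constructed sample in squid's native format:
# time elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1098263400.101    120 192.168.1.10 TCP_MISS/200 2345 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1098263401.202     15 192.168.1.10 TCP_HIT/200 8812 GET http://www.example.com/logo.png - NONE/- image/png
1098263402.303    140 192.168.1.10 TCP_MISS/404 410 GET http://www.example.com/missing.html - DIRECT/93.184.216.34 text/html
1098263403.404    210 192.168.1.10 TCP_MISS/200 5120 GET http://news.example.org/ - DIRECT/198.51.100.7 text/html
1098263410.001   3005 192.168.1.20 TCP_MISS/503 1290 GET http://203.0.113.41/ - DIRECT/203.0.113.41 text/html
1098263410.002   3001 192.168.1.20 TCP_MISS/503 1290 GET http://203.0.113.88/ - DIRECT/203.0.113.88 text/html
1098263410.003   3010 192.168.1.20 TCP_MISS/503 1290 GET http://198.51.100.200/ - DIRECT/198.51.100.200 text/html
1098263410.004    100 192.168.1.20 TCP_MISS/404 410 GET http://198.51.100.33/cgi-bin/ - DIRECT/198.51.100.33 text/html
1098263410.005   3002 192.168.1.20 TCP_MISS/503 1290 CONNECT 203.0.113.9:443 - DIRECT/203.0.113.9 -
1098263410.006   3004 192.168.1.20 TCP_MISS/503 1290 GET http://203.0.113.150/ - DIRECT/203.0.113.150 text/html
1098263420.001      0 192.168.1.30 TCP_DENIED/407 1780 GET http://updates.example.net/check - NONE/- text/html
1098263420.002      0 192.168.1.30 TCP_DENIED/407 1780 GET http://updates.example.net/check - NONE/- text/html
1098263420.003      0 192.168.1.30 TCP_DENIED/407 1780 GET http://updates.example.net/check - NONE/- text/html
1098263420.004      0 192.168.1.30 TCP_DENIED/407 1780 GET http://updates.example.net/check - NONE/- text/html
1098263420.005      0 192.168.1.30 TCP_DENIED/407 1780 GET http://updates.example.net/check - NONE/- text/html
1098263421.001    500 192.168.1.30 TCP_MISS/200 2345 GET http://www.example.com/ jdoe DIRECT/93.184.216.34 text/html
"""


def parse_line(line):
    """Split one native-format line; field 4 is 'code/status'."""
    f = line.split()
    if len(f) < 7:
        return None
    code, _, status = f[3].partition("/")
    return {"client": f[2], "code": code, "status": status,
            "method": f[5], "url": f[6]}


def destination_host(method, url):
    """Host part of the request. CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT" or "://" not in url:
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return host.strip("[]")


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def summarize(lines):
    """Per-client counters for the heuristics named in the thread."""
    stats = defaultdict(lambda: {"requests": 0, "misses": 0, "miss_failures": 0,
                                 "denied_407": 0, "denied_400": 0, "ip_hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        if rec["code"] == "TCP_MISS":
            s["misses"] += 1
            if rec["status"] == "404" or rec["status"].startswith("5"):
                s["miss_failures"] += 1
        elif rec["code"] == "TCP_DENIED":
            if rec["status"] == "407":
                s["denied_407"] += 1
            elif rec["status"] == "400":
                s["denied_400"] += 1
        host = destination_host(rec["method"], rec["url"])
        if is_bare_ip(host):
            s["ip_hosts"].add(host)
    return dict(stats)


def flag_clients(stats):
    """Map client -> list of reasons for clients that trip any heuristic."""
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["misses"] >= MIN_MISSES and s["miss_failures"] / s["misses"] >= FAIL_RATIO:
            reasons.append("high TCP_MISS failure ratio (404/5xx)")
        if len(s["ip_hosts"]) >= MIN_IP_HOSTS:
            reasons.append("many requests to bare IP addresses")
        if s["denied_407"] >= MIN_DENIED:
            reasons.append("repeated TCP_DENIED/407 (cannot authenticate)")
        if s["denied_400"] >= MIN_DENIED:
            reasons.append("repeated TCP_DENIED/400 (malformed requests)")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in sorted(flag_clients(summarize(SAMPLE_LOG.splitlines())).items()):
        print(client, "->", "; ".join(reasons))
```

Against the constructed sample, 192.168.1.20 is flagged on both the failure ratio and the bare-IP count, 192.168.1.30 on the repeated 407s, and the ordinary browsing of 192.168.1.10 passes. Run it against a real file with `summarize(open("/usr/local/squid/logs/access.log"))`; the failure ratio is judged only on TCP_MISS lines so that cache hits do not dilute it, and MIN_MISSES keeps a client with a single 404 from being reported.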
