On 20/05/11 19:06, Boniforti Flavio wrote:
Hello again Amos, you're the precious debugger of my situation! :-)

What you see there are some services redirected to my internal servers and the rule for intercepting web traffic...

Okay. Looks okay. The use of "eth0" replaces a specific Squid bypass.
Squid will be using the Internet link eth1.

Sorry, but I don't understand the above statement. What do you mean by
"replaces a specific Squid bypass"?

I mean it's fine. Squid outbound traffic does not get caught by your rules.

[cut]

What could this mean? It looks like the PC is trying to connect to the proxy port 3128, which is then directed to itself... uh?!

Yes, this is the access.log displayed for all the forwarding attempts which failed. For each "Forward loop detected" there will be one or more of these in access.log to show the request which was forwarded to Squid then abandoned.

The transaction looks something like this:
client ->
    squid (access.log "000" / request aborted by server) ->
      squid (access.log "000" / request aborted by server) ->
        squid (cache.log "forward loop" abort)

OK: Squid is aborting the request to connect to itself because of design
and setup, right?


Yes.

Congratulations, active use of the CVE-2009-0801 vulnerabilities.

I would be grateful if you could provide any detailed info about the malware seen on the client box and the traffic itself ("tcpdump -s0" traces would be great). If this can be confirmed as the malware and not just a forward-proxy config in the client browser I'm going to have to make an announcement that it's finally gone wild.

What would have gone wild there?

A vulnerability "gone wild" aka implemented in some malware...

... or in this case, it appears, some security penetration testing software. Somehow installed on a user's PC.

Here you can find trace: http://www.sendspace.com/file/ij5qpe


Sorry, that seems to be a summary packet log. Just confirms that the PC and Squid are chattering away. I need it to be a full binary packet dump. The binary bit is saved with -w to a file.
So "tcpdump -s0 -w infected-dump.cap" should grab the bit I need to look at.
If it's already cleaned up that's fine. This is just for my interest to confirm details.

I now re-attached the "infected" PC to the network and with "netstat -nab" (it's a Win7 PC) I caught the process.
It's McSvHost.exe, which tries to connect to *every IP* on the subnet on port 80!!!
It seems to be part of some McAfee suite (which in fact is installed on the client PC). After uninstalling that McAfee software, it didn't happen anymore.

Could be "McAfee Network Security Agent" doing a network-wide scan/check?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
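As an added example (not code from the thread or from the Squid project), the following script applies the access.log interpretation Amos gives above: it parses constructed lines in Squid's native log format, picks out the "000" (aborted) entries whose target is the proxy itself, and lists the client hosts that started such loops, which are the boxes to inspect with netstat as Flavio did. The proxy addresses, the sample log lines and the proxy port 3128 are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format
# (%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt).
# Addresses and timestamps are made up; 192.168.1.1 plays the Squid box.
SAMPLE_ACCESS_LOG = """\
1305900001.101      2 192.168.1.50 TCP_MISS/000 0 GET http://192.168.1.1:3128/ - DIRECT/192.168.1.1 -
1305900001.103      1 192.168.1.1 TCP_MISS/000 0 GET http://192.168.1.1:3128/ - DIRECT/192.168.1.1 -
1305900002.500    312 192.168.1.60 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1305900003.200      1 192.168.1.50 TCP_MISS/000 0 GET http://192.168.1.77:80/ - DIRECT/192.168.1.77 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def parse_access_log(text):
    """Yield one dict per well-formed native-format access.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def forward_loop_candidates(text, proxy_addrs, proxy_port=3128):
    """Return (client, url) for aborted requests (status 000) whose target
    is the proxy's own listening address and port: the footprint of the
    client -> squid -> squid loop described in the thread."""
    hits = []
    for e in parse_access_log(text):
        if e["status"] != "000":
            continue
        target = urlsplit(e["url"])
        if target.hostname in proxy_addrs and (target.port or 80) == proxy_port:
            hits.append((e["client"], e["url"]))
    return hits


def loop_initiators(text, proxy_addrs, proxy_port=3128):
    """Hosts other than Squid itself that started a loop; these are the
    machines to check for a proxy setting or scanner pointed at port 3128."""
    return sorted({c for c, _ in forward_loop_candidates(text, proxy_addrs, proxy_port)
                   if c not in proxy_addrs})


if __name__ == "__main__":
    print(loop_initiators(SAMPLE_ACCESS_LOG, {"192.168.1.1"}))
```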