Re: [squid-users] Squid attack?

From: Paul <paulm.harvey@dont-contact.us>
Date: Sat, 24 Feb 2007 15:32:33 +0000

Thanks - no traffic to 3128 right now, unless I browse from my lan.
Nothing listening on 3128 except squid.

On Sat, 2007-02-24 at 17:21 +0200, Denys wrote:
> Just check
> tcpdump -n -i eth0 -X -s 1500 dst port SQUIDPORT
>
> SQUIDPORT I guess must be 3128
>
> Then just look at what kind of requests are there; maybe you will see headers of
> software, possibly dansguardian headers.
> Also try to stop dansguardian and see if the logs still continue.
> Do
> netstat -anp|grep 3128
> to see who is connecting to the squid port
>
> On Sat, 24 Feb 2007 15:15:26 +0000, Paul wrote
> > DansGuardian is on 8080 and that's closed to all but my lan. I do
> > have 5801 and 5901 open for remote desktop, but I doubt that's a problem.
> > Is there a way to misconfigure apache2 to enable open proxy?
> >
> > On Sat, 2007-02-24 at 09:21 +0100, Henrik Nordstrom wrote:
> > > On Sat, 2007-02-24 at 08:28 +0100, Henrik Nordstrom wrote:
> > >
> > > > To diagnose after you have made changes somehow stopping the abuse then
> > > > checking all logs in detail is the only available, or maybe tcpdump
> > > > looking for users still trying to access the service and from that
> > > > derive how they gained access in the first place..
> > >
> > > One educated guess: Maybe the port dansguardian is listening on is
> > > accessible from the outside.
> > >
> > > Regards
> > > Henrik
>
>
> --
> Virtual ISP S.A.L.
>
Received on Sat Feb 24 2007 - 08:32:55 MST
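
Added example, not part of the original messages: a Python version of the netstat check suggested in the thread, covering both the squid port (3128) and the DansGuardian port (8080). The LAN range 192.168.1.0/24, all addresses, PIDs and netstat lines below are constructed sample values.

```python
import ipaddress

# Assumed values, not from the thread: LAN range and sample netstat lines.
LAN = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]
PROXY_PORTS = {3128, 8080}  # squid and DansGuardian ports named in the thread

SAMPLE = """\
tcp  0  0 0.0.0.0:3128       0.0.0.0:*           LISTEN      2301/(squid)
tcp  0  0 192.168.1.1:8080   0.0.0.0:*           LISTEN      2210/dansguardian
tcp  0  0 192.168.1.1:8080   192.168.1.20:51514  ESTABLISHED 2210/dansguardian
tcp  0  0 203.0.113.10:3128  198.51.100.7:40122  ESTABLISHED 2301/(squid)
tcp  0  0 127.0.0.1:3128     127.0.0.1:48210     ESTABLISHED 2301/(squid)
tcp  0  0 203.0.113.10:5901  198.51.100.9:51000  ESTABLISHED 1999/Xvnc
"""

def split_addr(addr):
    """Split 'host:port' on the last colon so IPv6 forms like ':::3128' work."""
    host, _, port = addr.rpartition(":")
    return host, port

def is_lan(host):
    ip = ipaddress.ip_address(host)
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:a.b.c.d -> a.b.c.d
    return any(ip in net for net in LAN)

def audit(netstat_text):
    """Return (wildcard_listeners, non_lan_peers) for the proxy ports."""
    exposed, outside = [], []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # header lines, udp, unix sockets
        lhost, lport = split_addr(f[3])
        if not lport.isdigit() or int(lport) not in PROXY_PORTS:
            continue
        prog = f[6] if len(f) > 6 else "-"  # "-" when netstat runs without root
        if f[5] == "LISTEN" and lhost in ("0.0.0.0", "::"):
            # Bound to every interface; only a firewall keeps outsiders away.
            exposed.append((int(lport), prog))
        elif f[5] == "ESTABLISHED" and not is_lan(split_addr(f[4])[0]):
            outside.append((split_addr(f[4])[0], int(lport), prog))
    return exposed, outside

if __name__ == "__main__":
    listeners, peers = audit(SAMPLE)
    for port, prog in listeners:
        print(f"port {port} ({prog}) listens on all interfaces")
    for host, port, prog in peers:
        print(f"non-LAN client {host} connected to port {port} ({prog})")
```

To run it against a live host, pass the output of `netstat -anp` to audit() in place of SAMPLE.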
