Hello again Amos, your precious debugger of my situation! :-)
> > What you see there are some services redirected to my
> > internal servers
> > and the rule for intercepting web traffic...
>
> Okay. Looks okay. The use of "eth0" replaces a specific Squid bypass.
> Squid will be using the Internet link eth1.
Sorry, but I don't understand the above statement. What do you mean by
"replaces a specific Squid bypass"?
[cut]
> > What could this be meaning? It looks like the PC is trying
> > to connect
> > to the proxy port 3128, which is then directed to itself... uh?!
>
> Yes, this is the access.log displayed for all the forwarding
> attempts which failed. For each "Forward loop detected" there
> will be one or more of these in access.log to show the
> request which was forwarded to Squid then abandoned.
>
> The transaction looks something like this:
> client ->
> squid (access.log "000" / request aborted by server) ->
> squid (access.log "000" / request aborted by server) ->
> squid (cache.log "forward loop" abort)
OK: Squid is aborting the request to connect to itself because of design
and setup, right?
> Congratulations, active use of the CVE-2009-0801 vulnerabilities.
> I would be grateful if you could provide any detailed info
> about the malware seen on the client box and the traffic
> itself ("tcpdump -s0"
> traces would be great). If this can be confirmed as the
> malware and not just a forward-proxy config in the client
> browser, I'm going to have to make an announcement that it's
> finally gone wild.
What would have gone wild there?
Here you can find trace: http://www.sendspace.com/file/ij5qpe
I now re-attached the "infected" PC to the network and with "netstat
-nab" (it's a Win7 PC) I caught the process.
It's McSvHost.exe, which tries to connect to *every IP* on the subnet on
port 80!!!
It seems to be part of some McAfee suite (which in fact is installed on
the client PC). After uninstalling that McAfee software, it didn't
happen anymore.
> The fix is to follow the recommended config of not using
> port 3128 for intercept or transparent. Use a randomly
> selected high port instead.
>
> Also, at the Squid box "mangle" table configure this for your
> newly chosen intercept port:
> iptables -t mangle -A PREROUTING -p tcp --dport $NEW_PORT -j DROP
>
> Make sure *nobody* can get to Squid with that port directly
> from inside OR outside the network.
> If you want to be more selective and only block -i eth0 or
> -s 172.16.16.1, okay. But DNAT needs to be used then instead
> of REDIRECT since DNAT allows some explicit control over
> which IP gets picked by NAT and listened on by Squid. Match
> that IP to the mangle protected IP or NIC.
This last iptables part I will have to take some time to apply with care.
Thanks so far!
Flavio Boniforti
PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: flavio_at_piramide.ch
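One way to turn Amos's advice above into a script that can be reviewed before it is applied, added here as an example (it is not from the thread or the Squid project); the interface name, the Squid LAN IP and the 20000-59999 port range are assumptions:

```shell
#!/bin/sh
# Added example: generate (not apply) the iptables rules for a Squid intercept
# port that nobody can reach directly, with DNAT instead of REDIRECT so we choose
# the IP Squid listens on. Interface/IP/port values below are assumptions.

# Pick a random high port (assumed range 20000-59999) so the intercept
# listener is not on the well-known proxy port 3128.
pick_high_port() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( 20000 + r % 40000 ))
}

# Print the rules for: LAN interface, Squid's LAN IP, chosen intercept port.
# mangle/PREROUTING runs before nat/PREROUTING, so the DROP only matches
# packets that already arrived addressed to the intercept port; port-80
# traffic that is DNAT'ed into that port afterwards is not affected.
intercept_rules() {
    lan_if=$1; squid_ip=$2; port=$3
    case $port in
        3128) echo "refusing to use 3128 as the intercept port" >&2; return 1 ;;
    esac
    echo "# squid.conf (Squid 3.1 syntax): http_port $squid_ip:$port intercept"
    # 1. Nobody inside or outside may connect to the intercept port directly.
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $port -j DROP"
    # 2. Intercept LAN web traffic with DNAT to the same IP Squid listens on,
    #    rather than REDIRECT, which picks the IP for you.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 \
-j DNAT --to-destination $squid_ip:$port"
}

# Usage (constructed values): review the output, then pipe it to sh as root.
intercept_rules eth0 172.16.16.1 "$(pick_high_port)"
```

Packets from the Squid box itself do not pass PREROUTING, so the DNAT rule cannot loop Squid's own outbound requests back into it.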
Received on Fri May 20 2011 - 07:09:17 MDT