Hi there,
I am looking forward for your help, please.
Further I tried to get the access log on the same time and I found this:
Tue May 27 06:33:20 2014 0 TCP_MISS/503 3797 POST
http://xdz.no-ip.org:9091/is-ready - HIER_DIRECT/0.0.0.0 text/html
Tue May 27 06:36:20 2014 120834 TCP_MISS/200 1972 CONNECT
www.facebook.com:443 - HIER_DIRECT/31.13.64.145 -
Tue May 27 06:39:21 2014 0 TCP_MISS/503 3797 POST
http://xdz.no-ip.org:9091/is-ready - HIER_DIRECT/0.0.0.0 text/html
Tue May 27 06:42:20 2014 0 TCP_MISS/503 3797 POST
http://xdz.no-ip.org:9091/is-ready - HIER_DIRECT/0.0.0.0 text/html
Tue May 27 06:45:23 2014 0 TCP_MISS/503 3797 POST
http://xdz.no-ip.org:9091/is-ready - HIER_DIRECT/0.0.0.0 text/html
Tue May 27 06:45:23 2014 1 TCP_MISS/503 3744 GET http://torrentz.eu/i
- HIER_NONE/- text/html
Tue May 27 06:48:21 2014 0 TCP_MISS/503 3797 POST
http://xdz.no-ip.org:9091/is-ready - HIER_DIRECT/0.0.0.0 text/html
Tue May 27 06:51:24 2014 203333 TCP_MISS/200 3556 CONNECT
www.facebook.com:443 - HIER_DIRECT/31.13.64.81 -
Tue May 27 06:51:24 2014 470 TCP_MISS/503 3744 GET http://torrentz.eu/i
- HIER_NONE/- text/html
Tue May 27 06:51:24 2014 0 TCP_MISS/503 3797 POST
http://xdz.no-ip.org:9091/is-ready - HIER_DIRECT/0.0.0.0 text/html
Tue May 27 06:54:23 2014 0 TCP_MISS/503 3797 POST
http://xdz.no-ip.org:9091/is-ready - HIER_DIRECT/0.0.0.0 text/html
And the Store.cc line 915 is saying this
/* Append incoming data from a primary server to an entry. */
void
StoreEntry::append(char const *buf, int len)
{
assert(mem_obj != NULL);
assert(len >= 0);
assert(store_status == STORE_PENDING);
StoreIOBuffer tempBuffer;
tempBuffer.data = (char *)buf;
tempBuffer.length = len;
/*
* XXX sigh, offset might be < 0 here, but it gets "corrected"
* later. This offset crap is such a mess.
*/
tempBuffer.offset = mem_obj->endOffset() - (getReply() ?
getReply()->hdr_sz : 0);
write(tempBuffer);
}
Best Regards,
Farooq
-----Original Message-----
From: Farooq Bhatti [mailto:farooq_at_n4networks.net]
Sent: Tuesday, May 27, 2014 12:31 PM
To: 'Amos Jeffries'; squid-users_at_squid-cache.org
Subject: RE: [squid-users] store.cc crashing the squid child
Ahh.. on my backup proxy in which I allow that subnet I was again on attack
but this time on the squid version is 3.4.5.
Squid Cache: Version 3.4.5
configure options: '--build=x86_64-unknown-linux-gnu'
'--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-follow-x-forwarded-for'
'--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi'
'--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=65535' '--with-dl'
'--with-openssl' '--with-pthreads' '--with-included-ltdl'
'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
--enable-ltdl-convenience
The syslog is saying below
May 27 06:36:22 proxy1 squid[3503]: Squid Parent: (squid-1) process 16614
exited due to signal 6 with status 0 May 27 06:36:25 proxy1 squid[3503]:
Squid Parent: (squid-1) process 16672 started May 27 06:39:22 proxy1
squid[3503]: Squid Parent: (squid-1) process 16672 exited due to signal 6
with status 0 May 27 06:39:25 proxy1 squid[3503]: Squid Parent: (squid-1)
process 16729 started May 27 06:42:23 proxy1 squid[3503]: Squid Parent:
(squid-1) process 16729 exited due to signal 6 with status 0 May 27 06:42:26
proxy1 squid[3503]: Squid Parent: (squid-1) process 16790 started May 27
06:45:23 proxy1 squid[3503]: Squid Parent: (squid-1) process 16790 exited
due to signal 6 with status 0 May 27 06:45:26 proxy1 squid[3503]: Squid
Parent: (squid-1) process 16847 started May 27 06:48:24 proxy1 squid[3503]:
Squid Parent: (squid-1) process 16847 exited due to signal 6 with status 0
May 27 06:48:27 proxy1 squid[3503]: Squid Parent: (squid-1) process 16903
started May 27 06:51:25 proxy1 squid[3503]: Squid Parent: (squid-1) process
16903 exited due to signal 6 with status 0 May 27 06:51:28 proxy1
squid[3503]: Squid Parent: (squid-1) process 16963 started May 27 06:54:25
proxy1 squid[3503]: Squid Parent: (squid-1) process 16963 exited due to
signal 6 with status 0 May 27 06:54:28 proxy1 squid[3503]: Squid Parent:
(squid-1) process 17019 started
The Cache log is saying this and restarting the child every time.
2014/05/27 06:36:21 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
2014/05/27 06:39:21 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
2014/05/27 06:42:22 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
2014/05/27 06:45:23 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
2014/05/27 06:48:23 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
2014/05/27 06:51:24 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
2014/05/27 06:54:24 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
Again from access log not been able to point out who could be the culprit of
that and further what query made him possible for exploiting this
vulnerability of the latest version of squid 3.4.5.
Any inside expert opinion to filter such exploiting request.
BR
Farooq
-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Tuesday, May 27, 2014 10:55 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] store.cc crashing the squid child
On 27/05/2014 4:32 p.m., Farooq Bhatti wrote:
> Hi There,
>
> Pardon me for long email. Actually I faced a DOS attack in a
> university setup and want to get help to avoid it in future. I am
> using squid following version
>
> squid -v
> Squid Cache: Version 3.4.3
Could be this:
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
Please upgrade to the latest Squid version. Today that is 3.4.5.
Amos
--- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.comReceived on Wed May 28 2014 - 08:44:25 MDT
This archive was generated by hypermail 2.2.0 : Wed May 28 2014 - 12:00:06 MDT