
Squid Proxy Vulnerability.

Hello,

We got a notification from our ISP that our squid server was being
used to relay emails.

We checked the logs and found 2.5 million hits just like this snippet:

----------------------------------------------------------------------------

1196170398.384    837 64.237.46.55 TCP_MISS/200 222 CONNECT 146.217.15.240:25 - DIRECT/146.217.15.240 -
1196170398.656   8175 64.237.46.132 TCP_MISS/200 665 CONNECT 216.157.254.253:25 - DIRECT/216.157.254.253 -
1196170399.049   1132 64.237.46.55 TCP_MISS/200 165 CONNECT 209.44.115.50:25 - DIRECT/209.44.115.50 -
1196170399.201   4603 64.237.46.55 TCP_MISS/200 139 CONNECT 62.148.180.192:25 - DIRECT/62.148.180.192 -
1196170399.458  14482 64.237.46.132 TCP_MISS/200 224 CONNECT 65.75.75.57:25 - DIRECT/65.75.75.57 -
1196170400.072  10406 64.237.46.132 TCP_MISS/200 279 CONNECT 127.0.0.1:25 - DIRECT/127.0.0.1 -
1196170400.460   2044 208.167.225.68 TCP_MISS/200 444 CONNECT 192.75.254.1:25 - DIRECT/192.75.254.1 -
1196170400.486   9305 64.237.46.132 TCP_MISS/200 1343 CONNECT 211.41.82.89:25 - DIRECT/211.41.82.89 -
1196170400.662   6576 208.167.225.68 TCP_MISS/200 257 CONNECT 64.18.4.10:25 - DIRECT/64.18.4.10 -
1196170401.406  17183 64.237.46.132 TCP_MISS/200 2130 CONNECT 195.50.106.135:25 - DIRECT/195.50.106.135 -
1196170401.503    645 208.167.225.68 TCP_MISS/200 180 CONNECT 216.32.180.22:25 - DIRECT/216.32.180.22 -
1196170401.682    939 208.167.225.68 TCP_MISS/200 306 CONNECT 216.9.208.251:25 - DIRECT/216.9.208.251 -
1196170401.747  10433 64.237.46.132 TCP_MISS/200 279 CONNECT 127.0.0.1:25 - DIRECT/127.0.0.1 -
1196170401.775  10413 64.237.46.132 TCP_MISS/200 279 CONNECT 127.0.0.1:25 - DIRECT/127.0.0.1 -
1196170402.079    120 208.167.225.68 TCP_MISS/200 15 CONNECT 17.148.20.66:25 - DIRECT/17.148.20.66 -
1196170402.267   5056 208.167.225.68 TCP_MISS/200 245 CONNECT 202.54.61.113:25 - DIRECT/202.54.61.113 -
1196170403.291  31145 64.237.46.132 TCP_MISS/200 121 CONNECT 62.40.36.103:25 - DIRECT/62.40.36.103 -
1196170403.578   5218 208.167.225.68 TCP_MISS/200 273 CONNECT 66.235.248.64:25 - DIRECT/66.235.248.64 -
1196170403.707    810 208.167.225.68 TCP_MISS/200 452 CONNECT 207.69.189.219:25 - DIRECT/207.69.189.219 -
1196170404.115   1850 64.237.46.55 TCP_MISS/200 121 CONNECT 202.78.116.253:25 - DIRECT/202.78.116.253 -
1196170404.166   1502 208.167.225.68 TCP_MISS/200 250 CONNECT 193.134.210.132:25 - DIRECT/193.134.210.132 -
1196170404.208   4983 208.167.225.68 TCP_MISS/200 2060 CONNECT 209.191.118.103:25 - DIRECT/209.191.118.103 -
1196170404.249  30567 208.167.225.68 TCP_MISS/200 0 CONNECT 64.29.222.22:25 - DIRECT/64.29.222.22 -
1196170404.887   7863 64.237.46.55 TCP_MISS/200 2223 CONNECT 209.191.88.247:25 - DIRECT/209.191.88.247 -
1196170404.916    627 208.167.225.68 TCP_MISS/200 150 CONNECT 208.97.132.73:25 - DIRECT/208.97.132.73 -
1196170405.288  14668 64.237.46.132 TCP_MISS/200 3520 CONNECT 211.115.216.226:25 - DIRECT/211.115.216.226 -
1196170405.324   1670 64.237.46.52 TCP_MISS/200 249 CONNECT 146.131.119.26:25 - DIRECT/146.131.119.26 -
1196170405.659    882 64.237.46.55 TCP_MISS/200 159 CONNECT 199.224.89.185:25 - DIRECT/199.224.89.185 -
1196170405.917   1555 64.237.46.55 TCP_MISS/200 201 CONNECT 204.10.18.136:25 - DIRECT/204.10.18.136 -
1196170406.776  30671 64.237.46.55 TCP_MISS/200 0 CONNECT 193.252.22.142:25 - DIRECT/193.252.22.142 -
1196170407.099   6405 208.167.225.68 TCP_MISS/200 339 CONNECT 216.219.253.216:25 - DIRECT/216.219.253.216 -
1196170407.214  30834 64.237.46.132 TCP_MISS/200 164 CONNECT 12.206.33.39:25 - DIRECT/12.206.33.39 -
1196170407.446  30690 64.237.46.132 TCP_MISS/200 0 CONNECT 80.95.172.3:25 - DIRECT/80.95.172.3 -
1196170407.875   4719 64.237.46.55 TCP_MISS/200 1898 CONNECT 204.15.82.30:25 - DIRECT/204.15.82.30 -
1196170407.948   5745 64.237.46.55 TCP_MISS/200 404 CONNECT 216.122.128.125:25 - DIRECT/216.122.128.125 -
1196170407.969    217 208.167.225.68 TCP_MISS/200 0 CONNECT 213.246.154.213:25 - DIRECT/213.246.154.213 -
1196170408.043  17180 64.237.46.132 TCP_MISS/200 945 CONNECT 207.88.96.47:25 - DIRECT/207.88.96.47 -
1196170408.739  17415 64.237.46.132 TCP_MISS/200 2266 CONNECT 192.43.228.202:25 - DIRECT/192.43.228.202 -
1196170408.816  19751 208.167.225.68 TCP_MISS/200 2188 CONNECT 66.196.97.250:25 - DIRECT/66.196.97.250 -
1196170408.896   2385 64.237.46.55 TCP_MISS/200 253 CONNECT 67.152.80.132:25 - DIRECT/67.152.80.132 -
1196170409.017    693 64.237.46.55 TCP_MISS/200 108 CONNECT 132.77.4.177:25 - DIRECT/132.77.4.177 -
1196170409.112    779 64.237.46.55 TCP_MISS/200 436 CONNECT 99.161.100.123:25 - DIRECT/99.161.100.123 -
1196170409.400  10512 64.237.46.132 TCP_MISS/200 145 CONNECT 203.181.255.19:25 - DIRECT/203.181.255.19 -
1196170409.434     25 64.237.46.55 TCP_MISS/503 0 CONNECT 63.73.11.8:25 - DIRECT/63.73.11.8 -
1196170409.560   2179 208.167.225.68 TCP_MISS/200 135 CONNECT 213.154.128.18:25 - DIRECT/213.154.128.18 -
1196170409.621   5326 208.167.225.68 TCP_MISS/200 421 CONNECT 65.220.11.24:25 - DIRECT/65.220.11.24 -
1196170410.099    885 64.237.46.132 TCP_MISS/200 429 CONNECT 64.18.4.13:25 - DIRECT/64.18.4.13 -
1196170410.241   1800 64.237.46.55 TCP_MISS/200 411 CONNECT 81.193.127.75:25 - DIRECT/81.193.127.75 -
1196170410.388    852 208.167.225.68 TCP_MISS/200 87 CONNECT 65.183.202.5:25 - DIRECT/65.183.202.5 -
1196170410.517    512 64.237.46.55 TCP_MISS/200 369 CONNECT 129.179.7.249:25 - DIRECT/129.179.7.249 -
1196170411.091   2823 64.237.46.55 TCP_MISS/200 489 CONNECT 194.25.134.8:25 - DIRECT/194.25.134.8 -
1196170411.716   1678 208.167.225.68 TCP_MISS/200 421 CONNECT 67.139.199.68:25 - DIRECT/67.139.199.68 -
1196170411.719   7196 208.167.225.68 TCP_MISS/200 2266 CONNECT 74.128.0.19:25 - DIRECT/74.128.0.19 -
1196170412.230   2212 64.237.46.55 TCP_MISS/200 409 CONNECT 202.216.228.86:25 - DIRECT/202.216.228.86 -
1196170412.380      8 64.237.46.55 TCP_MISS/503 0 CONNECT 207.44.208.37:25 - DIRECT/207.44.208.37 -
1196170412.384   2676 64.237.46.55 TCP_MISS/200 204 CONNECT 193.86.123.25:25 - DIRECT/193.86.123.25 -
1196170412.538  30581 64.237.46.132 TCP_MISS/200 0 CONNECT 206.46.232.11:25 - DIRECT/206.46.232.11 -
1196170413.732   1078 64.237.46.55 TCP_MISS/200 347 CONNECT 71.40.47.7:25 - DIRECT/71.40.47.7 -
1196170413.804  30987 64.237.46.132 TCP_MISS/200 286 CONNECT 64.18.7.10:25 - DIRECT/64.18.7.10 -
1196170413.908   1745 64.237.46.55 TCP_MISS/200 255 CONNECT 158.39.31.190:25 - DIRECT/158.39.31.190 -
1196170413.910  31616 64.237.46.132 TCP_MISS/200 180 CONNECT 194.88.228.80:25 - DIRECT/194.88.228.80 -
1196170414.076    850 64.237.46.55 TCP_MISS/200 341 CONNECT 63.254.35.250:25 - DIRECT/63.254.35.250 -
1196170414.404   5472 208.167.225.68 TCP_MISS/200 300 CONNECT 65.215.152.148:25 - DIRECT/65.215.152.148 -
1196170415.526   1812 64.237.46.55 TCP_MISS/200 328 CONNECT 209.139.247.226:25 - DIRECT/209.139.247.226 -
1196170415.596    929 208.167.225.68 TCP_MISS/200 257 CONNECT 64.18.6.13:25 - DIRECT/64.18.6.13 -
1196170415.607    742 64.237.46.55 TCP_MISS/200 432 CONNECT 63.255.0.140:25 - DIRECT/63.255.0.140 -
1196170416.001  59441 64.237.46.132 TCP_MISS/503 0 CONNECT 194.193.14.235:25 - DIRECT/194.193.14.235 -
1196170416.118    426 208.167.225.68 TCP_MISS/200 311 CONNECT 206.54.145.17:25 - DIRECT/206.54.145.17 -
1196170416.484     50 64.237.46.55 TCP_MISS/503 0 CONNECT 162.40.15.200:25 - DIRECT/162.40.15.200 -
1196170416.604    768 208.167.225.68 TCP_MISS/200 443 CONNECT 70.62.222.50:25 - DIRECT/70.62.222.50 -
1196170416.682   1210 64.237.46.55 TCP_MISS/200 241 CONNECT 194.159.138.87:25 - DIRECT/194.159.138.87 -
1196170417.010  59063 64.237.46.132 TCP_MISS/503 0 CONNECT 68.142.202.247:25 - DIRECT/68.142.202.247 -
1196170417.169    964 64.237.46.55 TCP_MISS/200 215 CONNECT 198.96.180.81:25 - DIRECT/198.96.180.81 -
1196170417.352    797 208.167.225.68 TCP_MISS/200 231 CONNECT 80.168.70.65:25 - DIRECT/80.168.70.65 -
1196170417.377   1073 208.167.225.68 TCP_MISS/200 318 CONNECT 69.20.101.219:25 - DIRECT/69.20.101.219 -
1196170417.649  30692 208.167.225.68 TCP_MISS/200 0 CONNECT 194.106.221.130:25 - DIRECT/194.106.221.130 -
1196170418.282  30006 64.237.46.132 TCP_MISS/200 1994 CONNECT 209.191.88.247:25 - DIRECT/209.191.88.247 -
1196170418.505  25804 208.167.225.68 TCP_MISS/200 723 CONNECT 204.127.217.16:25 - DIRECT/204.127.217.16 -
1196170418.884   1374 64.237.46.55 TCP_MISS/200 342 CONNECT 205.174.162.116:25 - DIRECT/205.174.162.116 -
1196170419.099  31938 64.237.46.132 TCP_MISS/200 193 CONNECT 216.86.100.72:25 - DIRECT/216.86.100.72 -
1196170419.181  30630 64.237.46.132 TCP_MISS/200 0 CONNECT 12.43.220.7:25 - DIRECT/12.43.220.7 -
1196170419.614   1078 208.167.225.68 TCP_MISS/200 407 CONNECT 75.126.136.142:25 - DIRECT/75.126.136.142 -
1196170419.659   1339 208.167.225.68 TCP_MISS/200 257 CONNECT 64.18.6.14:25 - DIRECT/64.18.6.14 -
1196170419.850    733 208.167.225.68 TCP_MISS/200 336 CONNECT 24.173.119.6:25 - DIRECT/24.173.119.6 -
1196170419.936   5533 208.167.225.68 TCP_MISS/200 174 CONNECT 203.112.24.188:25 - DIRECT/203.112.24.188 -
1196170420.102   4395 208.167.225.68 TCP_MISS/200 166 CONNECT 216.229.67.195:25 - DIRECT/216.229.67.195 -
1196170420.964  30718 64.237.46.132 TCP_MISS/200 0 CONNECT 195.252.127.36:25 - DIRECT/195.252.127.36 -
1196170421.105   1115 208.167.225.68 TCP_MISS/200 105 CONNECT 204.101.14.165:25 - DIRECT/204.101.14.165 -
1196170421.114    574 208.167.225.68 TCP_MISS/200 192 CONNECT 84.96.93.166:25 - DIRECT/84.96.93.166 -
1196170421.410   1829 208.167.225.68 TCP_MISS/200 234 CONNECT 195.76.174.39:25 - DIRECT/195.76.174.39 -
1196170421.602    171 208.167.225.68 TCP_MISS/200 78 CONNECT 24.71.223.11:25 - DIRECT/24.71.223.11 -
1196170421.848    155 208.167.225.68 TCP_MISS/200 78 CONNECT 24.71.223.11:25 - DIRECT/24.71.223.11 -
1196170421.858    645 64.237.46.55 TCP_MISS/200 328 CONNECT 69.20.116.136:25 - DIRECT/69.20.116.136 -
1196170421.957     59 64.237.46.55 TCP_MISS/200 0 CONNECT 64.18.5.10:25 - DIRECT/64.18.5.10 -
1196170422.101  30770 64.237.46.132 TCP_MISS/200 0 CONNECT 203.135.130.131:25 - DIRECT/203.135.130.131 -
1196170422.298  17913 64.237.46.55 TCP_MISS/200 577 CONNECT 168.95.5.19:25 - DIRECT/168.95.5.19 -
1196170422.551   1265 208.167.225.68 TCP_MISS/200 268 CONNECT 218.5.77.18:25 - DIRECT/218.5.77.18 -
1196170422.723     37 64.237.46.55 TCP_MISS/503 0 CONNECT 208.4.52.29:25 - DIRECT/208.4.52.29 -
1196170423.019    197 208.167.225.68 TCP_MISS/200 334 CONNECT 65.54.244.8:25 - DIRECT/65.54.244.8 -

----------------------------------------------------------------------------

As you can see, that's nearly 100 hits in 8 seconds.  I know this is
some kind of tool, but I cannot figure out a way to reproduce these
results.

Our conf for this server is as follows (host names and IP addresses
have been changed in case our other servers are also vulnerable):

----------------------------------------------------------------------------

http_port 3128
icp_port 3130


cache_dir ufs /var/spool/squid3 100 16 256
debug_options ALL,9

cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
no-query no-digest login=PASS originserver name=bradbury_ats_za
cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
no-query no-digest login=PASS originserver name=weasel_ats
cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
no-query no-digest login=PASS originserver name=reynolds_ats
cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
no-query no-digest login=PASS originserver name=asimov_ats


acl sites_on_bradbury_ats_za dstdomain stuff.us.com
acl sites_on_weasel_ats dstdomain stuff2.us.com
acl sites_on_reynolds_ats dstdomain stuff3.us.com
acl sites_on_reynolds_ats dstdomain stuff4.us.com
acl sites_on_asimov_ats dstdomain stuff5.us.com
acl sites_on_asimov_ats dstdomain stuff6.us.com
acl sites_on_asimov_ats dstdomain stuff7.us.com

cache_peer_access bradbury_ats_za allow sites_on_bradbury_ats_za
cache_peer_access weasel_ats allow sites_on_weasel_ats
cache_peer_access reynolds_ats allow sites_on_reynolds_ats
cache_peer_access asimov_ats allow sites_on_asimov_ats


acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow all
icp_access allow all


coredump_dir /var/spool/squid3


httpd_suppress_version_string on
visible_hostname proxy-us.hrsmart.com

----------------------------------------------------------------------------

Anyone have any idea how this was being done?  If so please respond to
the list.  If you know how to do this, I would appreciate a way to
reproduce this for my superiors.
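The log excerpt above is in Squid's native access.log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content type), and every entry is a CONNECT to port 25 that Squid answered with TCP_MISS/200, i.e. it actually opened the tunnel, including three tunnels into 127.0.0.1:25 on the proxy host itself. The posted squid.conf ends its ruleset with `http_access allow all` after an `acl all src 0.0.0.0/0.0.0.0`, so any source address that gets past the port denies is accepted, and the `to_localhost` acl is defined but never referenced in an `http_access` line. The script below is an added example, not part of the original post or of Squid: it parses native-format lines, flags CONNECT tunnels to any port other than the ones `SSL_ports` permits, counts them per client, notes loopback targets and successful (2xx) tunnels, and separately scans a squid.conf fragment for an `http_access allow` of an all-sources acl. The sample log is constructed: four lines are copied from the post and two benign entries (a CONNECT to 443 and a GET, with made-up client and server addresses) are added for contrast.

```python
"""Triage a Squid native-format access.log for SMTP tunnelling abuse.

Added example, not code from the original post or from Squid. Assumes the
default native log format shown in the post:
  time elapsed client result/status bytes method URL user hierarchy/peer type
"""
import re
from collections import Counter

# Constructed sample: four entries copied from the post, plus two benign
# entries (CONNECT to 443 and a GET, made-up addresses) added for contrast.
SAMPLE_LOG = """\
1196170398.384    837 64.237.46.55 TCP_MISS/200 222 CONNECT 146.217.15.240:25 - DIRECT/146.217.15.240 -
1196170400.072  10406 64.237.46.132 TCP_MISS/200 279 CONNECT 127.0.0.1:25 - DIRECT/127.0.0.1 -
1196170409.434     25 64.237.46.55 TCP_MISS/503 0 CONNECT 63.73.11.8:25 - DIRECT/63.73.11.8 -
1196170421.602    171 208.167.225.68 TCP_MISS/200 78 CONNECT 24.71.223.11:25 - DIRECT/24.71.223.11 -
1196170421.700    900 10.0.0.5 TCP_MISS/200 5120 CONNECT stuff.us.com:443 - DIRECT/203.0.113.10 -
1196170422.000     40 10.0.0.5 TCP_MISS/200 1843 GET http://stuff.us.com/index.html - DIRECT/203.0.113.10 text/html
"""

# Subset of the posted squid.conf, used to show the open-proxy check.
POSTED_ACL_BLOCK = """\
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

ALLOWED_CONNECT_PORTS = {443}  # what the posted acl SSL_ports permits


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"], rec["port"] = None, None
    if rec["method"] == "CONNECT" and ":" in rec["url"]:
        host, _, port = rec["url"].rpartition(":")  # CONNECT URL is host:port
        rec["host"] = host
        rec["port"] = int(port) if port.isdigit() else None
    return rec


def is_loopback(host):
    """True for tunnels that land on the proxy host itself."""
    return host is not None and (host == "localhost" or host.startswith("127."))


def triage(log_text):
    """Summarise CONNECT tunnels to ports the SSL_ports acl should never have allowed."""
    report = {
        "bad_connect": [],        # (client, host:port, status) for each offending tunnel
        "per_client": Counter(),  # offending tunnels per source address
        "loopback_targets": [],   # tunnels into 127.0.0.0/8 or localhost
        "succeeded": 0,           # 2xx replies: Squid actually opened the tunnel
        "peak_rate": 0.0,         # most offending tunnels logged in any one second
    }
    per_second = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if rec["port"] in ALLOWED_CONNECT_PORTS:
            continue
        report["bad_connect"].append((rec["client"], rec["url"], rec["status"]))
        report["per_client"][rec["client"]] += 1
        per_second[int(rec["ts"])] += 1
        if 200 <= rec["status"] < 300:
            report["succeeded"] += 1
        if is_loopback(rec["host"]):
            report["loopback_targets"].append(rec["url"])
    if per_second:
        report["peak_rate"] = float(max(per_second.values()))
    return report


def open_proxy_rules(conf_text):
    """Return http_access lines that allow an acl matching every source address."""
    any_src, offending = set(), []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src" \
                and parts[3] in ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "all"):
            any_src.add(parts[1])
        if parts[:2] == ["http_access", "allow"] and len(parts) == 3 and parts[2] in any_src:
            offending.append(" ".join(parts))
    return offending


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for client, n in r["per_client"].most_common():
        print(f"{client}: {n} CONNECT(s) outside SSL_ports")
    print("succeeded:", r["succeeded"], "loopback:", r["loopback_targets"])
    print("open-proxy rules:", open_proxy_rules(POSTED_ACL_BLOCK))
```

Run it against the full access.log (`triage(open("/var/log/squid3/access.log").read())`) to get the per-client breakdown the ISP will ask for; the `per_second` peak and the 2xx count separate a scan that was refused from tunnels that carried mail. The config check only catches the `allow all` pattern visible in the post; it does not evaluate the full acl ordering.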
