check your config (http_access allow all) ... change it to http_access deny all

On Nov 29, 2007 4:21 PM, Josh Fritts <reikoshea@xxxxxxxxx> wrote:
> Hello,
>
> We got a notification from our ISP that our squid server was being
> used to relay emails.
>
> We checked the logs and found 2.5 Million hits just like this snippet:
>
> As you can see that's nearly 100 hits in 8 seconds. I know this is
> some kind of tool, but I cannot figure out a way to reproduce these
> results.
>
> Our conf for this server is as follows (Host Names and IP addresses
> have been changed in case our other servers are also vulnerable):
>
> ----------------------------------------------------------------------------
>
> http_port 3128
> icp_port 3130
>
>
> cache_dir ufs /var/spool/squid3 100 16 256
> debug_options ALL,9
>
> cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER no-query no-digest login=PASS originserver name=bradbury_ats_za
> cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER no-query no-digest login=PASS originserver name=weasel_ats
> cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER no-query no-digest login=PASS originserver name=reynolds_ats
> cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER no-query no-digest login=PASS originserver name=asimov_ats
>
>
> acl sites_on_bradbury_ats_za dstdomain stuff.us.com
> acl sites_on_weasel_ats dstdomain stuff2.us.com
> acl sites_on_reynolds_ats dstdomain stuff3.us.com
> acl sites_on_reynolds_ats dstdomain stuff4.us.com
> acl sites_on_asimov_ats dstdomain stuff5.us.com
> acl sites_on_asimov_ats dstdomain stuff6.us.com
> acl sites_on_asimov_ats dstdomain stuff7.us.com
>
> cache_peer_access bradbury_ats_za allow sites_on_bradbury_ats_za
> cache_peer_access weasel_ats allow sites_on_weasel_ats
> cache_peer_access reynolds_ats allow sites_on_reynolds_ats
> cache_peer_access asimov_ats allow sites_on_asimov_ats
>
>
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow all
> icp_access allow all
>
>
> coredump_dir /var/spool/squid3
>
>
> httpd_suppress_version_string on
> visible_hostname proxy-us.hrsmart.com
>
> ----------------------------------------------------------------------------
>
> Anyone have any idea how this was being done? If so please respond to
> the list. If you know how to do this, I would appreciate a way to
> reproduce this for my superiors.
>
--
Sds.
Alexandre J. Correa
Onda Internet / OPinguim.net
http://www.ondainternet.com.br
http://www.opinguim.net
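As an added example (not part of the thread), a small Python detector for the pattern the log excerpt shows: completed CONNECT tunnels to port 25 or any other port outside SSL_ports, counted per client and per sliding time window, plus tunnels to the proxy's own loopback, for which the posted config defines a `to_localhost` ACL but never denies it. The sample lines, their documentation-range addresses and the 8-second window are constructed here from the format of the excerpt; the script is not from the original post or from Squid.

```python
import re
from collections import Counter
# Squid native access.log layout (squid 2.x / 3.x default), as in the thread's excerpt:
# <unix ts> <elapsed ms> <client> <result/status> <bytes> <method> <url> <user> <hierarchy/peer> <type>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$")
SSL_PORTS = {443}  # the only port the posted config lists under SSL_ports

def parse_line(line):
    """Split one native-format line into fields; returns None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["status"] = float(rec["ts"]), int(rec["status"])
    if rec["method"] == "CONNECT":  # CONNECT carries host:port rather than a URL
        host, _, port = rec["url"].rpartition(":")
        rec["dst_host"] = host or rec["url"]
        rec["dst_port"] = int(port) if port.isdigit() else None
    return rec

def find_tunnel_abuse(lines, window_s=8.0):
    """Completed CONNECT tunnels to non-SSL ports, per-client counts, loopback tunnels, peak per window."""
    suspects = [r for r in map(parse_line, lines)
                if r and r["method"] == "CONNECT" and r["status"] == 200
                and r["dst_port"] not in SSL_PORTS]
    per_client = Counter(r["client"] for r in suspects)
    # The posted config defines `acl to_localhost dst 127.0.0.0/8` but never denies it
    loopback = [r for r in suspects if r["dst_host"].startswith("127.")]
    times = sorted(r["ts"] for r in suspects)
    peak = lo = 0
    for hi, t in enumerate(times):  # largest number of suspect tunnels in any window_s span
        while t - times[lo] > window_s:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return suspects, per_client, loopback, peak

# Constructed sample lines (documentation-range addresses, not real traffic) in the same format
SAMPLE_LOG = """\
1196170398.384 837 192.0.2.10 TCP_MISS/200 222 CONNECT 203.0.113.5:25 - DIRECT/203.0.113.5 -
1196170398.656 8175 192.0.2.11 TCP_MISS/200 665 CONNECT 203.0.113.6:25 - DIRECT/203.0.113.6 -
1196170400.072 10406 192.0.2.11 TCP_MISS/200 279 CONNECT 127.0.0.1:25 - DIRECT/127.0.0.1 -
1196170409.434 25 192.0.2.10 TCP_MISS/503 0 CONNECT 203.0.113.8:25 - DIRECT/203.0.113.8 -
1196170410.100 512 198.51.100.4 TCP_MISS/200 4096 CONNECT www.example.com:443 - DIRECT/203.0.113.9 -
1196170411.200 120 198.51.100.4 TCP_HIT/200 1523 GET http://www.example.com/ - NONE/- text/html
1196170420.500 640 192.0.2.10 TCP_MISS/200 310 CONNECT 203.0.113.12:25 - DIRECT/203.0.113.12 -
""".splitlines()
```

Run `find_tunnel_abuse(open("/var/log/squid3/access.log"))` (path assumed) on a proxy meant to serve only the listed dstdomain sites; any non-empty result is the signal that the trailing `http_access allow all` has to become `deny all`, as the reply says.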