Search squid archive

Re: Squid Proxy Vulnerability.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

check your config (http_access allow all) ...


change it to
http_access deny all


On Nov 29, 2007 4:21 PM, Josh Fritts <reikoshea@xxxxxxxxx> wrote:
> Hello,
>
> We got a notification from our ISP that our squid server was being
> used to relay emails.
>
> We checked the logs and found 2.5 Million hits just like this snippit:
>
> ----------------------------------------------------------------------------
>
> 1196170398.384    837 64.237.46.55 TCP_MISS/200 222 CONNECT
> 146.217.15.240:25 - DIRECT/146.217.15.240 -
> 1196170398.656   8175 64.237.46.132 TCP_MISS/200 665 CONNECT
> 216.157.254.253:25 - DIRECT/216.157.254.253 -
> 1196170399.049   1132 64.237.46.55 TCP_MISS/200 165 CONNECT
> 209.44.115.50:25 - DIRECT/209.44.115.50 -
> 1196170399.201   4603 64.237.46.55 TCP_MISS/200 139 CONNECT
> 62.148.180.192:25 - DIRECT/62.148.180.192 -
> 1196170399.458  14482 64.237.46.132 TCP_MISS/200 224 CONNECT
> 65.75.75.57:25 - DIRECT/65.75.75.57 -
> 1196170400.072  10406 64.237.46.132 TCP_MISS/200 279 CONNECT
> 127.0.0.1:25 - DIRECT/127.0.0.1 -
> 1196170400.460   2044 208.167.225.68 TCP_MISS/200 444 CONNECT
> 192.75.254.1:25 - DIRECT/192.75.254.1 -
> 1196170400.486   9305 64.237.46.132 TCP_MISS/200 1343 CONNECT
> 211.41.82.89:25 - DIRECT/211.41.82.89 -
> 1196170400.662   6576 208.167.225.68 TCP_MISS/200 257 CONNECT
> 64.18.4.10:25 - DIRECT/64.18.4.10 -
> 1196170401.406  17183 64.237.46.132 TCP_MISS/200 2130 CONNECT
> 195.50.106.135:25 - DIRECT/195.50.106.135 -
> 1196170401.503    645 208.167.225.68 TCP_MISS/200 180 CONNECT
> 216.32.180.22:25 - DIRECT/216.32.180.22 -
> 1196170401.682    939 208.167.225.68 TCP_MISS/200 306 CONNECT
> 216.9.208.251:25 - DIRECT/216.9.208.251 -
> 1196170401.747  10433 64.237.46.132 TCP_MISS/200 279 CONNECT
> 127.0.0.1:25 - DIRECT/127.0.0.1 -
> 1196170401.775  10413 64.237.46.132 TCP_MISS/200 279 CONNECT
> 127.0.0.1:25 - DIRECT/127.0.0.1 -
> 1196170402.079    120 208.167.225.68 TCP_MISS/200 15 CONNECT
> 17.148.20.66:25 - DIRECT/17.148.20.66 -
> 1196170402.267   5056 208.167.225.68 TCP_MISS/200 245 CONNECT
> 202.54.61.113:25 - DIRECT/202.54.61.113 -
> 1196170403.291  31145 64.237.46.132 TCP_MISS/200 121 CONNECT
> 62.40.36.103:25 - DIRECT/62.40.36.103 -
> 1196170403.578   5218 208.167.225.68 TCP_MISS/200 273 CONNECT
> 66.235.248.64:25 - DIRECT/66.235.248.64 -
> 1196170403.707    810 208.167.225.68 TCP_MISS/200 452 CONNECT
> 207.69.189.219:25 - DIRECT/207.69.189.219 -
> 1196170404.115   1850 64.237.46.55 TCP_MISS/200 121 CONNECT
> 202.78.116.253:25 - DIRECT/202.78.116.253 -
> 1196170404.166   1502 208.167.225.68 TCP_MISS/200 250 CONNECT
> 193.134.210.132:25 - DIRECT/193.134.210.132 -
> 1196170404.208   4983 208.167.225.68 TCP_MISS/200 2060 CONNECT
> 209.191.118.103:25 - DIRECT/209.191.118.103 -
> 1196170404.249  30567 208.167.225.68 TCP_MISS/200 0 CONNECT
> 64.29.222.22:25 - DIRECT/64.29.222.22 -
> 1196170404.887   7863 64.237.46.55 TCP_MISS/200 2223 CONNECT
> 209.191.88.247:25 - DIRECT/209.191.88.247 -
> 1196170404.916    627 208.167.225.68 TCP_MISS/200 150 CONNECT
> 208.97.132.73:25 - DIRECT/208.97.132.73 -
> 1196170405.288  14668 64.237.46.132 TCP_MISS/200 3520 CONNECT
> 211.115.216.226:25 - DIRECT/211.115.216.226 -
> 1196170405.324   1670 64.237.46.52 TCP_MISS/200 249 CONNECT
> 146.131.119.26:25 - DIRECT/146.131.119.26 -
> 1196170405.659    882 64.237.46.55 TCP_MISS/200 159 CONNECT
> 199.224.89.185:25 - DIRECT/199.224.89.185 -
> 1196170405.917   1555 64.237.46.55 TCP_MISS/200 201 CONNECT
> 204.10.18.136:25 - DIRECT/204.10.18.136 -
> 1196170406.776  30671 64.237.46.55 TCP_MISS/200 0 CONNECT
> 193.252.22.142:25 - DIRECT/193.252.22.142 -
> 1196170407.099   6405 208.167.225.68 TCP_MISS/200 339 CONNECT
> 216.219.253.216:25 - DIRECT/216.219.253.216 -
> 1196170407.214  30834 64.237.46.132 TCP_MISS/200 164 CONNECT
> 12.206.33.39:25 - DIRECT/12.206.33.39 -
> 1196170407.446  30690 64.237.46.132 TCP_MISS/200 0 CONNECT
> 80.95.172.3:25 - DIRECT/80.95.172.3 -
> 1196170407.875   4719 64.237.46.55 TCP_MISS/200 1898 CONNECT
> 204.15.82.30:25 - DIRECT/204.15.82.30 -
> 1196170407.948   5745 64.237.46.55 TCP_MISS/200 404 CONNECT
> 216.122.128.125:25 - DIRECT/216.122.128.125 -
> 1196170407.969    217 208.167.225.68 TCP_MISS/200 0 CONNECT
> 213.246.154.213:25 - DIRECT/213.246.154.213 -
> 1196170408.043  17180 64.237.46.132 TCP_MISS/200 945 CONNECT
> 207.88.96.47:25 - DIRECT/207.88.96.47 -
> 1196170408.739  17415 64.237.46.132 TCP_MISS/200 2266 CONNECT
> 192.43.228.202:25 - DIRECT/192.43.228.202 -
> 1196170408.816  19751 208.167.225.68 TCP_MISS/200 2188 CONNECT
> 66.196.97.250:25 - DIRECT/66.196.97.250 -
> 1196170408.896   2385 64.237.46.55 TCP_MISS/200 253 CONNECT
> 67.152.80.132:25 - DIRECT/67.152.80.132 -
> 1196170409.017    693 64.237.46.55 TCP_MISS/200 108 CONNECT
> 132.77.4.177:25 - DIRECT/132.77.4.177 -
> 1196170409.112    779 64.237.46.55 TCP_MISS/200 436 CONNECT
> 99.161.100.123:25 - DIRECT/99.161.100.123 -
> 1196170409.400  10512 64.237.46.132 TCP_MISS/200 145 CONNECT
> 203.181.255.19:25 - DIRECT/203.181.255.19 -
> 1196170409.434     25 64.237.46.55 TCP_MISS/503 0 CONNECT
> 63.73.11.8:25 - DIRECT/63.73.11.8 -
> 1196170409.560   2179 208.167.225.68 TCP_MISS/200 135 CONNECT
> 213.154.128.18:25 - DIRECT/213.154.128.18 -
> 1196170409.621   5326 208.167.225.68 TCP_MISS/200 421 CONNECT
> 65.220.11.24:25 - DIRECT/65.220.11.24 -
> 1196170410.099    885 64.237.46.132 TCP_MISS/200 429 CONNECT
> 64.18.4.13:25 - DIRECT/64.18.4.13 -
> 1196170410.241   1800 64.237.46.55 TCP_MISS/200 411 CONNECT
> 81.193.127.75:25 - DIRECT/81.193.127.75 -
> 1196170410.388    852 208.167.225.68 TCP_MISS/200 87 CONNECT
> 65.183.202.5:25 - DIRECT/65.183.202.5 -
> 1196170410.517    512 64.237.46.55 TCP_MISS/200 369 CONNECT
> 129.179.7.249:25 - DIRECT/129.179.7.249 -
> 1196170411.091   2823 64.237.46.55 TCP_MISS/200 489 CONNECT
> 194.25.134.8:25 - DIRECT/194.25.134.8 -
> 1196170411.716   1678 208.167.225.68 TCP_MISS/200 421 CONNECT
> 67.139.199.68:25 - DIRECT/67.139.199.68 -
> 1196170411.719   7196 208.167.225.68 TCP_MISS/200 2266 CONNECT
> 74.128.0.19:25 - DIRECT/74.128.0.19 -
> 1196170412.230   2212 64.237.46.55 TCP_MISS/200 409 CONNECT
> 202.216.228.86:25 - DIRECT/202.216.228.86 -
> 1196170412.380      8 64.237.46.55 TCP_MISS/503 0 CONNECT
> 207.44.208.37:25 - DIRECT/207.44.208.37 -
> 1196170412.384   2676 64.237.46.55 TCP_MISS/200 204 CONNECT
> 193.86.123.25:25 - DIRECT/193.86.123.25 -
> 1196170412.538  30581 64.237.46.132 TCP_MISS/200 0 CONNECT
> 206.46.232.11:25 - DIRECT/206.46.232.11 -
> 1196170413.732   1078 64.237.46.55 TCP_MISS/200 347 CONNECT
> 71.40.47.7:25 - DIRECT/71.40.47.7 -
> 1196170413.804  30987 64.237.46.132 TCP_MISS/200 286 CONNECT
> 64.18.7.10:25 - DIRECT/64.18.7.10 -
> 1196170413.908   1745 64.237.46.55 TCP_MISS/200 255 CONNECT
> 158.39.31.190:25 - DIRECT/158.39.31.190 -
> 1196170413.910  31616 64.237.46.132 TCP_MISS/200 180 CONNECT
> 194.88.228.80:25 - DIRECT/194.88.228.80 -
> 1196170414.076    850 64.237.46.55 TCP_MISS/200 341 CONNECT
> 63.254.35.250:25 - DIRECT/63.254.35.250 -
> 1196170414.404   5472 208.167.225.68 TCP_MISS/200 300 CONNECT
> 65.215.152.148:25 - DIRECT/65.215.152.148 -
> 1196170415.526   1812 64.237.46.55 TCP_MISS/200 328 CONNECT
> 209.139.247.226:25 - DIRECT/209.139.247.226 -
> 1196170415.596    929 208.167.225.68 TCP_MISS/200 257 CONNECT
> 64.18.6.13:25 - DIRECT/64.18.6.13 -
> 1196170415.607    742 64.237.46.55 TCP_MISS/200 432 CONNECT
> 63.255.0.140:25 - DIRECT/63.255.0.140 -
> 1196170416.001  59441 64.237.46.132 TCP_MISS/503 0 CONNECT
> 194.193.14.235:25 - DIRECT/194.193.14.235 -
> 1196170416.118    426 208.167.225.68 TCP_MISS/200 311 CONNECT
> 206.54.145.17:25 - DIRECT/206.54.145.17 -
> 1196170416.484     50 64.237.46.55 TCP_MISS/503 0 CONNECT
> 162.40.15.200:25 - DIRECT/162.40.15.200 -
> 1196170416.604    768 208.167.225.68 TCP_MISS/200 443 CONNECT
> 70.62.222.50:25 - DIRECT/70.62.222.50 -
> 1196170416.682   1210 64.237.46.55 TCP_MISS/200 241 CONNECT
> 194.159.138.87:25 - DIRECT/194.159.138.87 -
> 1196170417.010  59063 64.237.46.132 TCP_MISS/503 0 CONNECT
> 68.142.202.247:25 - DIRECT/68.142.202.247 -
> 1196170417.169    964 64.237.46.55 TCP_MISS/200 215 CONNECT
> 198.96.180.81:25 - DIRECT/198.96.180.81 -
> 1196170417.352    797 208.167.225.68 TCP_MISS/200 231 CONNECT
> 80.168.70.65:25 - DIRECT/80.168.70.65 -
> 1196170417.377   1073 208.167.225.68 TCP_MISS/200 318 CONNECT
> 69.20.101.219:25 - DIRECT/69.20.101.219 -
> 1196170417.649  30692 208.167.225.68 TCP_MISS/200 0 CONNECT
> 194.106.221.130:25 - DIRECT/194.106.221.130 -
> 1196170418.282  30006 64.237.46.132 TCP_MISS/200 1994 CONNECT
> 209.191.88.247:25 - DIRECT/209.191.88.247 -
> 1196170418.505  25804 208.167.225.68 TCP_MISS/200 723 CONNECT
> 204.127.217.16:25 - DIRECT/204.127.217.16 -
> 1196170418.884   1374 64.237.46.55 TCP_MISS/200 342 CONNECT
> 205.174.162.116:25 - DIRECT/205.174.162.116 -
> 1196170419.099  31938 64.237.46.132 TCP_MISS/200 193 CONNECT
> 216.86.100.72:25 - DIRECT/216.86.100.72 -
> 1196170419.181  30630 64.237.46.132 TCP_MISS/200 0 CONNECT
> 12.43.220.7:25 - DIRECT/12.43.220.7 -
> 1196170419.614   1078 208.167.225.68 TCP_MISS/200 407 CONNECT
> 75.126.136.142:25 - DIRECT/75.126.136.142 -
> 1196170419.659   1339 208.167.225.68 TCP_MISS/200 257 CONNECT
> 64.18.6.14:25 - DIRECT/64.18.6.14 -
> 1196170419.850    733 208.167.225.68 TCP_MISS/200 336 CONNECT
> 24.173.119.6:25 - DIRECT/24.173.119.6 -
> 1196170419.936   5533 208.167.225.68 TCP_MISS/200 174 CONNECT
> 203.112.24.188:25 - DIRECT/203.112.24.188 -
> 1196170420.102   4395 208.167.225.68 TCP_MISS/200 166 CONNECT
> 216.229.67.195:25 - DIRECT/216.229.67.195 -
> 1196170420.964  30718 64.237.46.132 TCP_MISS/200 0 CONNECT
> 195.252.127.36:25 - DIRECT/195.252.127.36 -
> 1196170421.105   1115 208.167.225.68 TCP_MISS/200 105 CONNECT
> 204.101.14.165:25 - DIRECT/204.101.14.165 -
> 1196170421.114    574 208.167.225.68 TCP_MISS/200 192 CONNECT
> 84.96.93.166:25 - DIRECT/84.96.93.166 -
> 1196170421.410   1829 208.167.225.68 TCP_MISS/200 234 CONNECT
> 195.76.174.39:25 - DIRECT/195.76.174.39 -
> 1196170421.602    171 208.167.225.68 TCP_MISS/200 78 CONNECT
> 24.71.223.11:25 - DIRECT/24.71.223.11 -
> 1196170421.848    155 208.167.225.68 TCP_MISS/200 78 CONNECT
> 24.71.223.11:25 - DIRECT/24.71.223.11 -
> 1196170421.858    645 64.237.46.55 TCP_MISS/200 328 CONNECT
> 69.20.116.136:25 - DIRECT/69.20.116.136 -
> 1196170421.957     59 64.237.46.55 TCP_MISS/200 0 CONNECT
> 64.18.5.10:25 - DIRECT/64.18.5.10 -
> 1196170422.101  30770 64.237.46.132 TCP_MISS/200 0 CONNECT
> 203.135.130.131:25 - DIRECT/203.135.130.131 -
> 1196170422.298  17913 64.237.46.55 TCP_MISS/200 577 CONNECT
> 168.95.5.19:25 - DIRECT/168.95.5.19 -
> 1196170422.551   1265 208.167.225.68 TCP_MISS/200 268 CONNECT
> 218.5.77.18:25 - DIRECT/218.5.77.18 -
> 1196170422.723     37 64.237.46.55 TCP_MISS/503 0 CONNECT
> 208.4.52.29:25 - DIRECT/208.4.52.29 -
> 1196170423.019    197 208.167.225.68 TCP_MISS/200 334 CONNECT
> 65.54.244.8:25 - DIRECT/65.54.244.8 -
>
> ----------------------------------------------------------------------------
>
> As you can see thats nearly 100 hits in 8 seconds.  I know this is
> come kind of tool, but I cannot figure out a way to reproduce these
> results.
>
> Our conf for this server is as follows (Host Names and IP addresses
> have been changed incase our other servers are also vulnerable):
>
> ----------------------------------------------------------------------------
>
> http_port 3128
> icp_port 3130
>
>
> cache_dir ufs /var/spool/squid3 100 16 256
> debug_options ALL,9
>
> cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
> no-query no-digest login=PASS originserver name=bradbury_ats_za
> cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
> no-query no-digest login=PASS originserver name=weasel_ats
> cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
> no-query no-digest login=PASS originserver name=reynolds_ats
> cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
> no-query no-digest login=PASS originserver name=asimov_ats
>
>
> acl sites_on_bradbury_ats_za dstdomain stuff.us.com
> acl sites_on_weasel_ats dstdomain stuff2.us.com
> acl sites_on_reynolds_ats dstdomain stuff3.us.com
> acl sites_on_reynolds_ats dstdomain stuff4.us.com
> acl sites_on_asimov_ats dstdomain stuff5.us.com
> acl sites_on_asimov_ats dstdomain stuff6.us.com
> acl sites_on_asimov_ats dstdomain stuff7.us.com
>
> cache_peer_access bradbury_ats_za allow sites_on_bradbury_ats_za
> cache_peer_access weasel_ats allow sites_on_weasel_ats
> cache_peer_access reynolds_ats allow sites_on_reynolds_ats
> cache_peer_access asimov_ats allow sites_on_asimov_ats
>
>
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 443         # https
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow all
> icp_access allow all
>
>
> coredump_dir /var/spool/squid3
>
>
> httpd_suppress_version_string on
> visible_hostname proxy-us.hrsmart.com
>
> ----------------------------------------------------------------------------
>
> Anyone have any idea how this was being done?  If so please respond to
> the list.  If you know how to do this, I would appreciate a way to
> reproduce this for my superiors.
>



-- 

Sds.
Alexandre J. Correa
Onda Internet / OPinguim.net
http://www.ondainternet.com.br
http://www.opinguim.net
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux