Have you run the System Information Collector (SIC) Tool (http://www.trendmicro.com/download/sic.asp) to gather the information regarding the malware / trojan and submitted this for analysis to Trend Micro?

On Tue, Feb 3, 2009 at 8:02 AM, <david@xxxxxxxxxxxxxxxx> wrote:
> Hello Squid users all,
>
> I have a bad situation partially resolved: the past few days I have been blind-sided by a Trojan-based browser hijacking. A script from Trend Micro has allowed me to navigate the net without being redirected to a porn site or similar. Notwithstanding, I can see from running Wireshark the culprit that Trend Micro has not found the signature for as of yet.
>
> I am running a Linux router/gateway, heavily firewalled (iptables), but with the attack I installed Squid. I created two system files with ACLs to match: bad_src_ip and bad_url_regex. From the Linux box, ps shows that Squid is running, but the logs show no activity at all, either access or error. Moreover, I can ping and tracert to the URLs and IPs I think I am blocking.
>
> Do I need to be a master of cache proxies to run Squid? An excerpt of my squid.conf is included below in case anyone has any ideas. I looked at redirection (3128) such as Shallalist and other blacklists, but I would rather just create my own ACLs that work.
>
> Thanks in advance and please advise,
> David.
>
> # ***************************************************************
> # ACL list
> # ***************************************************************
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports_unreg port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 8080        # Tomcat 8080
> acl Safe_ports port 8082        # Tomcat proxy redirect
> acl Safe_ports port 8009        # Tomcat ajp port
> acl CONNECT method CONNECT
> acl webmin port 10000
> acl usermin port 20000
> acl LAN myip 192.168.1.1-192.168.1.254
> acl Network_DNS srcdomain www.demon.net www.menandmice.com www.network-tools.com
> acl davidbrownhosts dstdomain www.davidwbrown.name www.deanbrown.name www.karlbrown.name
> acl tomcat urlpath_regex pebble
> acl our_networks src 192.168.1.0/24
>
> # ************************************************************************
> # Proxy restriction list
> # ************************************************************************
> acl bad_src_ip src "/usr/local/etc/squid/bad_src_ip_list"
> acl bad_url_regex url_regex -i "/usr/local/etc/squid/bad_url_regex_list"
> #acl iana_named_ports port "/usr/local/etc/squid/iana_named_ports_list"
>
> http_access deny manager
> http_access deny !Safe_ports_unreg
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access allow our_networks
> http_access allow our_networks
>
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access deny bad_url_regex
> http_access deny bad_src_ip
> http_access deny all
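Editor's note on the posted configuration, followed by an added example that is not part of either message. Two things are worth separating. First, ping and tracert are ICMP/UDP and never pass through an HTTP proxy, and an empty access.log means no browser is sending requests to port 3128 at all (either the clients are not configured to use the proxy or there is no iptables REDIRECT of port 80 to it); Squid cannot filter traffic it never sees. Second, even once requests do arrive, the http_access list as posted will not do what is intended, because Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides. `deny !Safe_ports_unreg` denies every request whose destination port is outside 1025-65535, which includes ports 80 and 443 (the name suggests `!Safe_ports` was meant). And `allow our_networks` comes before `deny bad_url_regex` and `deny bad_src_ip`, so for any LAN client the two deny lines are never reached. A further caveat: `src` matches the client address, so a list of the hijacker's server IPs in a `src` ACL blocks nothing; destination addresses need a `dst` ACL.

The model below reproduces Squid's first-match http_access evaluation in Python for the `src`, `port`, `method` and `url_regex` ACL types, and runs three constructed LAN requests through the posted line order and a corrected order. The two list files are replaced by constructed inline entries, and the `manager` and `to_localhost` lines are left out because the model does not resolve names; these are assumptions of the example, not content from the thread.

```python
"""Model of Squid http_access evaluation: first matching line wins."""
import ipaddress
import re

# ACL definitions using the names from the posted squid.conf. The entries for
# bad_src_ip and bad_url_regex are constructed stand-ins for the two list files.
ACLS = {
    "localhost":        ("src", ["127.0.0.1/32"]),
    "our_networks":     ("src", ["192.168.1.0/24"]),
    "all":              ("src", ["0.0.0.0/0"]),
    "SSL_ports":        ("port", [(443, 443), (8443, 8443)]),
    "Safe_ports":       ("port", [(80, 80), (21, 21), (443, 443), (70, 70),
                                  (210, 210), (280, 280), (488, 488), (591, 591),
                                  (777, 777), (8080, 8080), (8082, 8082), (8009, 8009)]),
    "Safe_ports_unreg": ("port", [(1025, 65535)]),
    "CONNECT":          ("method", ["CONNECT"]),
    "bad_src_ip":       ("src", ["192.168.1.66/32"]),                 # constructed
    "bad_url_regex":    ("url_regex", [r"hijack-example\.test",       # constructed
                                       r"/redirect\.php"]),
}

# http_access lines in the order posted (manager / to_localhost omitted).
POSTED = [
    ("deny",  ["!Safe_ports_unreg"]),   # denies everything NOT on 1025-65535, i.e. port 80/443
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["our_networks"]),         # LAN clients are allowed here; later denies never run
    ("allow", ["localhost"]),
    ("deny",  ["bad_url_regex"]),
    ("deny",  ["bad_src_ip"]),
    ("deny",  ["all"]),
]

# Corrected order: port sanity checks, then the blocklists, then the allows.
FIXED = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["bad_src_ip"]),
    ("deny",  ["bad_url_regex"]),
    ("allow", ["localhost"]),
    ("allow", ["our_networks"]),
    ("deny",  ["all"]),
]


def acl_matches(name, req):
    """Does a single named ACL match this request?"""
    kind, values = ACLS[name]
    if kind == "src":                         # client address, NOT the destination
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "port":                        # destination port of the request URL
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    if kind == "url_regex":
        return any(re.search(pat, req["url"], re.IGNORECASE) for pat in values)
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules, req):
    """Return (action, line_no). A line matches when every ACL term on it
    matches ('!' negates a term); the first matching line decides. If no line
    matches, Squid applies the opposite of the last line's action (line None)."""
    for line_no, (action, terms) in enumerate(rules, start=1):
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, line_no
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def request(src, method, url, port):
    return {"src": src, "method": method, "url": url, "port": port}


# Constructed sample requests from LAN clients. The two "bad" requests use a
# high port so the posted Safe_ports_unreg line does not mask the ordering bug.
REQ_NORMAL  = request("192.168.1.10", "GET", "http://www.example.com/", 80)
REQ_BAD_URL = request("192.168.1.10", "GET",
                      "http://hijack-example.test:8080/redirect.php", 8080)
REQ_BAD_SRC = request("192.168.1.66", "GET", "http://www.example.com:8080/", 8080)

if __name__ == "__main__":
    for label, req in (("normal page", REQ_NORMAL), ("hijack URL", REQ_BAD_URL),
                       ("blocked client", REQ_BAD_SRC)):
        print(f"{label:15} posted order -> {http_access(POSTED, req)}"
              f"   fixed order -> {http_access(FIXED, req)}")
```

Against the real daemon, `squid -k parse` checks the edited file for syntax errors and `squid -k reconfigure` reloads it; then watch access.log while loading a URL from a LAN browser that is explicitly configured to use the proxy, which is the only traffic these ACLs can ever act on.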