On 21/05/11 00:36, Boniforti Flavio wrote:
Hy Amos...
[cut]
.. or in this case, it appears, some security penetration
testing software. Somehow installed on a users PC.
Here you can find trace: http://www.sendspace.com/file/ij5qpe
Sorry, that seems to be a summary packet log. Just confirms
Sorry, I just took over your previously suggested command (tcpdump
-s0)...
Ah, Mea Culpa. No problemo.
that the PC and Squid are chattering away. I need it to be a
full binary packet dump. The binary bit is saved with -w to a file.
So "tcpdump -s0 -w infected-dump.cap" should grab the bit I
need to look at.
If its already cleaned up thats fine. This is just for my
interest to confirm details.
Well, "cleaned" in terms of "I removed McAfee Suite", yes! :-)
[cut]
Could be "McAfee Network Security Agent" doing a network-wide
scan/check?
Well, maybe! But that's weird behaviour... why should my "protection
suite" scan my whole subnet on port 80?
From the (marketing) docs that particular McAfee component is designed
for admins to do network wide security with. Active scans are one way to
do things. Why its on a users box is the question.
At least it has worked and made you aware of the proxy config
vulnerability.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.7 and 3.1.12.1
