On 24/03/2012 12:56 a.m., Momen, Mazdak wrote:
Hi, we have recently noticed unusual denied requests on our Squid servers.

Thu Mar 22 03:00:24 2012 3 ***.***.***.*** TCP_DENIED/403 3437 CONNECT https:443 - NONE/- text/html

We're not sure what "https:443" exactly is or how it is produced. This was not caused by a user; the servers behind our Squid servers are hosting a web application. Any idea what exactly this is?
It is the URL being passed to Squid on a CONNECT request. Apparently something wants Squid to create a TCP tunnel to the server named "https" on port 443.
Like Kinkie said earlier, it is most likely an attacker at IP ***.***.***.*** scanning your site for vulnerabilities. There exist wrongly configured proxies whose ACLs only check for url_regex "^https" or only for a port-443 destination before letting CONNECT tunnels be set up. Once set up, the tunnel can be used for *anything*.
If that is one of your trusted servers, check it for infections or improper input validation problems, including SQL injection, XSS injections, callback hijacking, click-jacking vulnerabilities, or plain old broken scripts (it could simply be some automatic script failing to generate a URL properly).
Amos
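The two weak ACL patterns Amos describes, next to a default-deny configuration that does not open a tunnel to "https:443", as added squid.conf fragments that are not part of the thread; the localnet range and ACL names are assumptions for illustration.

```conf
# Added example, not from the thread. Common ACL definitions (names assumed).
acl localnet src 192.168.0.0/16      # assumed trusted client range; adjust
acl SSL_ports port 443
acl CONNECT method CONNECT
acl looks_like_https url_regex ^https

# --- Weak pattern 1: only the destination port gates CONNECT.
# Any client, from any source, may tunnel to any host on 443, and the
# tunnel then carries arbitrary traffic.
http_access allow CONNECT SSL_ports
http_access deny all

# --- Weak pattern 2: a regex on the URL text gates CONNECT.
# The request URL "https:443" begins with "https", so this rule matches
# the scanner's probe even though "https" is a host name, not a scheme.
http_access allow CONNECT looks_like_https
http_access deny all

# --- Corrected (forward proxy): deny tunnels to non-SSL ports first,
# then allow only trusted sources, and fall through to deny.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# --- Corrected (reverse proxy / accelerator, as in the poster's setup):
# a proxy fronting your own web application has no legitimate CONNECT
# traffic at all, so refuse the method outright.
http_access deny CONNECT
```

Use only one of the "Corrected" sets; they are shown together here to contrast with the weak patterns. After a change, a CONNECT to an arbitrary external host on 443 from an untrusted address should log as TCP_DENIED/403 in access.log, as in the poster's line.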