Re: [squid-users] Request header

From: Wei Keong <[email protected]>
Date: Mon, 26 Aug 2002 15:56:22 +0800 (Singapore Standard Time)

I dont have NONE/413 in the access log. Instead i have a lot of
POST request going to some unresolved destination. The problem now is the
requests are behind another proxy (beyond my control).

Is this a new virus?

Mon Aug 26 15:48:02 2002.173 667 x.x.x.x TCP_MISS/200 208 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:02 2002.415 731 x.x.x.x TCP_MISS/200 218 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:03 2002.056 599 x.x.x.x TCP_MISS/200 193 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:03 2002.707 608 x.x.x.x TCP_MISS/200 196 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:04 2002.649 632 x.x.x.x TCP_MISS/200 196 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:05 2002.822 604 x.x.x.x TCP_MISS/200 196 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:06 2002.221 608 x.x.x.x TCP_MISS/200 196 POST
http://205.252.49.2/Update.htm - DIRECT/205.252.49.2 -
Mon Aug 26 15:48:06 2002.534 586 x.x.x.x TCP_MISS/200 208 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:06 2002.767 765 x.x.x.x TCP_MISS/200 296 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:06 2002.843 573 x.x.x.x TCP_MISS/200 193 POST
http://205.252.49.2/Update.htm - DIRECT/205.252.49.2 -
Mon Aug 26 15:48:07 2002.428 611 x.x.x.x TCP_MISS/200 196 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:08 2002.192 673 x.x.x.x TCP_MISS/200 196 POST
http://205.252.49.2/Update.htm - DIRECT/205.252.49.2 -
Mon Aug 26 15:48:08 2002.485 637 x.x.x.x TCP_MISS/200 196 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:10 2002.507 606 x.x.x.x TCP_MISS/200 196 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:11 2002.279 606 x.x.x.x TCP_MISS/200 196 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:13 2002.476 603 x.x.x.x TCP_MISS/200 196 POST
http://63.217.29.194/Update.htm - DIRECT/63.217.29.194 -
Mon Aug 26 15:48:15 2002.310 597 x.x.x.x TCP_MISS/200 196 POST
http://205.252.49.2/Update.htm - DIRECT/205.252.49.2 -
Mon Aug 26 15:48:18 2002.511 603 x.x.x.x TCP_MISS/200 196 POST
http://205.252.49.2/Update.htm - DIRECT/205.252.49.2 -
Mon Aug 26 15:48:22 2002.950 602 x.x.x.x TCP_MISS/200 196 POST
http://205.252.49.2/Update.htm - DIRECT/205.252.49.2 -
Mon Aug 26 15:48:23 2002.683 688 x.x.x.x TCP_MISS/200 196 POST
http://205.252.49.2/Update.htm - DIRECT/205.252.49.2 -
Mon Aug 26 15:48:29 2002.045 622 x.x.x.x TCP_MISS/200 196 POST
http://205.252.49.2/Update.htm - DIRECT/205.252.49.2 -
Mon Aug 26 15:48:32 2002.580 623 x.x.x.x TCP_MISS/200 196 POST
http://205.252.49.2/Update.htm - DIRECT/205.252.49.2 -

Rgds,
Wei Keong

On Mon, 26 Aug 2002, Henrik Nordstrom wrote:

> On Monday 26 August 2002 08.46, Wei Keong wrote:
> > > You should be able to track the machine by correlate the
> > > cache.log timestamps with errors in access.log.
> >
> > For 'Request header is too large' case, will squid still process
> > the request? will i see TCP_DENIED in access log?
>
> No. The request will be rejected and in access.log your should see a
> line like the following:
>
> 1030344868.475 19 127.0.0.1 NONE/413 1141 NONE
> error:request-too-large - NONE/- text/html
>
> Regards
> Henrik
>
Received on Mon Aug 26 2002 - 01:56:28 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:50 MST