Re: [squid-users] My Squid Under Attack - Help with info please.

From: Marc Elsen <[email protected]>
Date: Mon, 23 Dec 2002 09:19:27 +0100

Cliff wrote:
>
> Squid 2.4STABLE6 on RH7.3
>
> What exploit is happening?
>
> IP addresses attacking me:
> 209.189.55.195 to 205. (10 consecutive addresses)
>
> They are hitting port 3128.
> They are causing my RH Box to send
> A LOT of traffic to all kinds of places
> with names that include mx...hotmail...yahoo mail...etc.
>
> I assume some spammer is exploiting port 3128
> to cause me to relay spam for them? I killed
> sendmail but the spamming continued.
>
> I can kill squid, which stops me from being
> a spam conduit. I prefer not to kill squid.
>
> So I put in a firewall rule to deny everything
> from 209.189.55.x when going to my external
> port 3128.
>
> This seems to have blocked it however I am still
> currently under attack from the miscreant.
>
> The attack was going on for 4 hours before I stopped it.
> I suppose that for 4 hours the spammer pumped lots
> of spam through my box???
>
> It is still going on, though thank goodness I put
> in the firewall rule and stopped it.
>
> Any links to exploits and information is much appreciated.
> I wonder how long this spammer is gonna keep on trying
> to pump spam through my port 3128?
>
Doesn't matter, as you are stating: make sure that SQUID can
only be accessed by your Intranet users.
This can be accomplished with the correct acl statements in squid.conf
and/or a firewalling setup at the Internet perimeter.

M.
> Thx gurus.

-- 
 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)
Received on Mon Dec 23 2002 - 01:19:30 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:11 MST
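
Added example, not part of the original thread: a small Python check that models how Squid evaluates `http_access` lines against `src` ACLs (first matching line wins; if no line matches, the opposite of the last line applies), so a squid.conf can be tested against the external address quoted in the message. Both configurations are constructed, 192.168.1.0/24 is an assumed intranet range, and only `src` ACLs are modelled.

```python
import ipaddress

# Constructed squid.conf fragments, not taken from the poster's machine.
OPEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""
# 192.168.1.0/24 is an assumed intranet range.
RESTRICTED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/255.255.255.0
http_access allow localnet
http_access deny all
"""

def parse(conf):
    """Return (src ACLs by name, ordered http_access rules)."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] == "src":
            # Several values on one ACL are ORed; address ranges are not handled.
            nets = [ipaddress.ip_network(w, strict=False) for w in words[3:]]
            acls.setdefault(words[1], []).extend(nets)
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(name, client, acls):
    negate, key = name.startswith("!"), name.lstrip("!")
    if key not in acls:
        raise ValueError(f"ACL {key!r} is not a src ACL; not modelled here")
    return any(client in net for net in acls[key]) != negate

def decide(conf, client_ip):
    """Return 'allow' or 'deny' for a client address, as Squid would."""
    acls, rules = parse(conf)
    if not rules:
        raise ValueError("no http_access lines to evaluate")
    client = ipaddress.ip_address(client_ip)
    for action, names in rules:
        # All ACLs on one http_access line must match (AND); first hit wins.
        if all(acl_matches(n, client, acls) for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(label, decide(conf, "209.189.55.195"))
```

A configuration that also uses port or method ACLs on its `http_access` lines raises `ValueError` here rather than being silently misjudged.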