Re: [squid-users] Squid Proxy Vulnerability.

From: Amos Jeffries <[email protected]>
Date: Fri, 30 Nov 2007 11:36:43 +1300 (NZDT)

> Shouldn't this line override that?
>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>

It should be yes. But as your log provides it somehow is not.

If you want to see exactly how it is done, try a wireshark/tcpdump trace
on teh incoming traffic.

You should check that the proxy is using the squid.conf you think it is.
The startup script is able to override the default file.

Secondly, you should try a small re-configuration:

If you need the proxy for internal users you should have a localnet ACL
defining the local networks and:
   http_access deny !localnet
   http_access deny all

Also for the accelerator portion, you should have explicit:
  http_access allow sites_on_bradbury_ats_za
next to each cache_peer_access.

If it's a pure accelerator you should also have:
  never_direct allow all
to prevent any non-served traffic.

BTW: Which squid release is it?

Amos

>
> On Nov 29, 2007 3:18 PM, Alexandre Correa <alexandre@sabbath.com.br>
> wrote:
>> check your config (http_access allow all) ...
>>
>>
>> change it to
>> http_access deny all
>>
>>
>>
>> On Nov 29, 2007 4:21 PM, Josh Fritts <reikoshea@gmail.com> wrote:
>> > Hello,
>> >
>> > We got a notification from our ISP that our squid server was being
>> > used to relay emails.
>> >
>> > We checked the logs and found 2.5 Million hits just like this snippit:
>> >
>> > ----------------------------------------------------------------------------
>> >
>> > 1196170398.384 837 64.237.46.55 TCP_MISS/200 222 CONNECT
>> > 146.217.15.240:25 - DIRECT/146.217.15.240 -
>> > 1196170398.656 8175 64.237.46.132 TCP_MISS/200 665 CONNECT
>> > 216.157.254.253:25 - DIRECT/216.157.254.253 -
>> > 1196170399.049 1132 64.237.46.55 TCP_MISS/200 165 CONNECT
>> > 209.44.115.50:25 - DIRECT/209.44.115.50 -
>> > 1196170399.201 4603 64.237.46.55 TCP_MISS/200 139 CONNECT
>> > 62.148.180.192:25 - DIRECT/62.148.180.192 -
>> > 1196170399.458 14482 64.237.46.132 TCP_MISS/200 224 CONNECT
>> > 65.75.75.57:25 - DIRECT/65.75.75.57 -
>> > 1196170400.072 10406 64.237.46.132 TCP_MISS/200 279 CONNECT
>> > 127.0.0.1:25 - DIRECT/127.0.0.1 -
>> > 1196170400.460 2044 208.167.225.68 TCP_MISS/200 444 CONNECT
>> > 192.75.254.1:25 - DIRECT/192.75.254.1 -
>> > 1196170400.486 9305 64.237.46.132 TCP_MISS/200 1343 CONNECT
>> > 211.41.82.89:25 - DIRECT/211.41.82.89 -
>> > 1196170400.662 6576 208.167.225.68 TCP_MISS/200 257 CONNECT
>> > 64.18.4.10:25 - DIRECT/64.18.4.10 -
>> > 1196170401.406 17183 64.237.46.132 TCP_MISS/200 2130 CONNECT
>> > 195.50.106.135:25 - DIRECT/195.50.106.135 -
>> > 1196170401.503 645 208.167.225.68 TCP_MISS/200 180 CONNECT
>> > 216.32.180.22:25 - DIRECT/216.32.180.22 -
>> > 1196170401.682 939 208.167.225.68 TCP_MISS/200 306 CONNECT
>> > 216.9.208.251:25 - DIRECT/216.9.208.251 -
>> > 1196170401.747 10433 64.237.46.132 TCP_MISS/200 279 CONNECT
>> > 127.0.0.1:25 - DIRECT/127.0.0.1 -
>> > 1196170401.775 10413 64.237.46.132 TCP_MISS/200 279 CONNECT
>> > 127.0.0.1:25 - DIRECT/127.0.0.1 -
>> > 1196170402.079 120 208.167.225.68 TCP_MISS/200 15 CONNECT
>> > 17.148.20.66:25 - DIRECT/17.148.20.66 -
>> > 1196170402.267 5056 208.167.225.68 TCP_MISS/200 245 CONNECT
>> > 202.54.61.113:25 - DIRECT/202.54.61.113 -
>> > 1196170403.291 31145 64.237.46.132 TCP_MISS/200 121 CONNECT
>> > 62.40.36.103:25 - DIRECT/62.40.36.103 -
>> > 1196170403.578 5218 208.167.225.68 TCP_MISS/200 273 CONNECT
>> > 66.235.248.64:25 - DIRECT/66.235.248.64 -
>> > 1196170403.707 810 208.167.225.68 TCP_MISS/200 452 CONNECT
>> > 207.69.189.219:25 - DIRECT/207.69.189.219 -
>> > 1196170404.115 1850 64.237.46.55 TCP_MISS/200 121 CONNECT
>> > 202.78.116.253:25 - DIRECT/202.78.116.253 -
>> > 1196170404.166 1502 208.167.225.68 TCP_MISS/200 250 CONNECT
>> > 193.134.210.132:25 - DIRECT/193.134.210.132 -
>> > 1196170404.208 4983 208.167.225.68 TCP_MISS/200 2060 CONNECT
>> > 209.191.118.103:25 - DIRECT/209.191.118.103 -
>> > 1196170404.249 30567 208.167.225.68 TCP_MISS/200 0 CONNECT
>> > 64.29.222.22:25 - DIRECT/64.29.222.22 -
>> > 1196170404.887 7863 64.237.46.55 TCP_MISS/200 2223 CONNECT
>> > 209.191.88.247:25 - DIRECT/209.191.88.247 -
>> > 1196170404.916 627 208.167.225.68 TCP_MISS/200 150 CONNECT
>> > 208.97.132.73:25 - DIRECT/208.97.132.73 -
>> > 1196170405.288 14668 64.237.46.132 TCP_MISS/200 3520 CONNECT
>> > 211.115.216.226:25 - DIRECT/211.115.216.226 -
>> > 1196170405.324 1670 64.237.46.52 TCP_MISS/200 249 CONNECT
>> > 146.131.119.26:25 - DIRECT/146.131.119.26 -
>> > 1196170405.659 882 64.237.46.55 TCP_MISS/200 159 CONNECT
>> > 199.224.89.185:25 - DIRECT/199.224.89.185 -
>> > 1196170405.917 1555 64.237.46.55 TCP_MISS/200 201 CONNECT
>> > 204.10.18.136:25 - DIRECT/204.10.18.136 -
>> > 1196170406.776 30671 64.237.46.55 TCP_MISS/200 0 CONNECT
>> > 193.252.22.142:25 - DIRECT/193.252.22.142 -
>> > 1196170407.099 6405 208.167.225.68 TCP_MISS/200 339 CONNECT
>> > 216.219.253.216:25 - DIRECT/216.219.253.216 -
>> > 1196170407.214 30834 64.237.46.132 TCP_MISS/200 164 CONNECT
>> > 12.206.33.39:25 - DIRECT/12.206.33.39 -
>> > 1196170407.446 30690 64.237.46.132 TCP_MISS/200 0 CONNECT
>> > 80.95.172.3:25 - DIRECT/80.95.172.3 -
>> > 1196170407.875 4719 64.237.46.55 TCP_MISS/200 1898 CONNECT
>> > 204.15.82.30:25 - DIRECT/204.15.82.30 -
>> > 1196170407.948 5745 64.237.46.55 TCP_MISS/200 404 CONNECT
>> > 216.122.128.125:25 - DIRECT/216.122.128.125 -
>> > 1196170407.969 217 208.167.225.68 TCP_MISS/200 0 CONNECT
>> > 213.246.154.213:25 - DIRECT/213.246.154.213 -
>> > 1196170408.043 17180 64.237.46.132 TCP_MISS/200 945 CONNECT
>> > 207.88.96.47:25 - DIRECT/207.88.96.47 -
>> > 1196170408.739 17415 64.237.46.132 TCP_MISS/200 2266 CONNECT
>> > 192.43.228.202:25 - DIRECT/192.43.228.202 -
>> > 1196170408.816 19751 208.167.225.68 TCP_MISS/200 2188 CONNECT
>> > 66.196.97.250:25 - DIRECT/66.196.97.250 -
>> > 1196170408.896 2385 64.237.46.55 TCP_MISS/200 253 CONNECT
>> > 67.152.80.132:25 - DIRECT/67.152.80.132 -
>> > 1196170409.017 693 64.237.46.55 TCP_MISS/200 108 CONNECT
>> > 132.77.4.177:25 - DIRECT/132.77.4.177 -
>> > 1196170409.112 779 64.237.46.55 TCP_MISS/200 436 CONNECT
>> > 99.161.100.123:25 - DIRECT/99.161.100.123 -
>> > 1196170409.400 10512 64.237.46.132 TCP_MISS/200 145 CONNECT
>> > 203.181.255.19:25 - DIRECT/203.181.255.19 -
>> > 1196170409.434 25 64.237.46.55 TCP_MISS/503 0 CONNECT
>> > 63.73.11.8:25 - DIRECT/63.73.11.8 -
>> > 1196170409.560 2179 208.167.225.68 TCP_MISS/200 135 CONNECT
>> > 213.154.128.18:25 - DIRECT/213.154.128.18 -
>> > 1196170409.621 5326 208.167.225.68 TCP_MISS/200 421 CONNECT
>> > 65.220.11.24:25 - DIRECT/65.220.11.24 -
>> > 1196170410.099 885 64.237.46.132 TCP_MISS/200 429 CONNECT
>> > 64.18.4.13:25 - DIRECT/64.18.4.13 -
>> > 1196170410.241 1800 64.237.46.55 TCP_MISS/200 411 CONNECT
>> > 81.193.127.75:25 - DIRECT/81.193.127.75 -
>> > 1196170410.388 852 208.167.225.68 TCP_MISS/200 87 CONNECT
>> > 65.183.202.5:25 - DIRECT/65.183.202.5 -
>> > 1196170410.517 512 64.237.46.55 TCP_MISS/200 369 CONNECT
>> > 129.179.7.249:25 - DIRECT/129.179.7.249 -
>> > 1196170411.091 2823 64.237.46.55 TCP_MISS/200 489 CONNECT
>> > 194.25.134.8:25 - DIRECT/194.25.134.8 -
>> > 1196170411.716 1678 208.167.225.68 TCP_MISS/200 421 CONNECT
>> > 67.139.199.68:25 - DIRECT/67.139.199.68 -
>> > 1196170411.719 7196 208.167.225.68 TCP_MISS/200 2266 CONNECT
>> > 74.128.0.19:25 - DIRECT/74.128.0.19 -
>> > 1196170412.230 2212 64.237.46.55 TCP_MISS/200 409 CONNECT
>> > 202.216.228.86:25 - DIRECT/202.216.228.86 -
>> > 1196170412.380 8 64.237.46.55 TCP_MISS/503 0 CONNECT
>> > 207.44.208.37:25 - DIRECT/207.44.208.37 -
>> > 1196170412.384 2676 64.237.46.55 TCP_MISS/200 204 CONNECT
>> > 193.86.123.25:25 - DIRECT/193.86.123.25 -
>> > 1196170412.538 30581 64.237.46.132 TCP_MISS/200 0 CONNECT
>> > 206.46.232.11:25 - DIRECT/206.46.232.11 -
>> > 1196170413.732 1078 64.237.46.55 TCP_MISS/200 347 CONNECT
>> > 71.40.47.7:25 - DIRECT/71.40.47.7 -
>> > 1196170413.804 30987 64.237.46.132 TCP_MISS/200 286 CONNECT
>> > 64.18.7.10:25 - DIRECT/64.18.7.10 -
>> > 1196170413.908 1745 64.237.46.55 TCP_MISS/200 255 CONNECT
>> > 158.39.31.190:25 - DIRECT/158.39.31.190 -
>> > 1196170413.910 31616 64.237.46.132 TCP_MISS/200 180 CONNECT
>> > 194.88.228.80:25 - DIRECT/194.88.228.80 -
>> > 1196170414.076 850 64.237.46.55 TCP_MISS/200 341 CONNECT
>> > 63.254.35.250:25 - DIRECT/63.254.35.250 -
>> > 1196170414.404 5472 208.167.225.68 TCP_MISS/200 300 CONNECT
>> > 65.215.152.148:25 - DIRECT/65.215.152.148 -
>> > 1196170415.526 1812 64.237.46.55 TCP_MISS/200 328 CONNECT
>> > 209.139.247.226:25 - DIRECT/209.139.247.226 -
>> > 1196170415.596 929 208.167.225.68 TCP_MISS/200 257 CONNECT
>> > 64.18.6.13:25 - DIRECT/64.18.6.13 -
>> > 1196170415.607 742 64.237.46.55 TCP_MISS/200 432 CONNECT
>> > 63.255.0.140:25 - DIRECT/63.255.0.140 -
>> > 1196170416.001 59441 64.237.46.132 TCP_MISS/503 0 CONNECT
>> > 194.193.14.235:25 - DIRECT/194.193.14.235 -
>> > 1196170416.118 426 208.167.225.68 TCP_MISS/200 311 CONNECT
>> > 206.54.145.17:25 - DIRECT/206.54.145.17 -
>> > 1196170416.484 50 64.237.46.55 TCP_MISS/503 0 CONNECT
>> > 162.40.15.200:25 - DIRECT/162.40.15.200 -
>> > 1196170416.604 768 208.167.225.68 TCP_MISS/200 443 CONNECT
>> > 70.62.222.50:25 - DIRECT/70.62.222.50 -
>> > 1196170416.682 1210 64.237.46.55 TCP_MISS/200 241 CONNECT
>> > 194.159.138.87:25 - DIRECT/194.159.138.87 -
>> > 1196170417.010 59063 64.237.46.132 TCP_MISS/503 0 CONNECT
>> > 68.142.202.247:25 - DIRECT/68.142.202.247 -
>> > 1196170417.169 964 64.237.46.55 TCP_MISS/200 215 CONNECT
>> > 198.96.180.81:25 - DIRECT/198.96.180.81 -
>> > 1196170417.352 797 208.167.225.68 TCP_MISS/200 231 CONNECT
>> > 80.168.70.65:25 - DIRECT/80.168.70.65 -
>> > 1196170417.377 1073 208.167.225.68 TCP_MISS/200 318 CONNECT
>> > 69.20.101.219:25 - DIRECT/69.20.101.219 -
>> > 1196170417.649 30692 208.167.225.68 TCP_MISS/200 0 CONNECT
>> > 194.106.221.130:25 - DIRECT/194.106.221.130 -
>> > 1196170418.282 30006 64.237.46.132 TCP_MISS/200 1994 CONNECT
>> > 209.191.88.247:25 - DIRECT/209.191.88.247 -
>> > 1196170418.505 25804 208.167.225.68 TCP_MISS/200 723 CONNECT
>> > 204.127.217.16:25 - DIRECT/204.127.217.16 -
>> > 1196170418.884 1374 64.237.46.55 TCP_MISS/200 342 CONNECT
>> > 205.174.162.116:25 - DIRECT/205.174.162.116 -
>> > 1196170419.099 31938 64.237.46.132 TCP_MISS/200 193 CONNECT
>> > 216.86.100.72:25 - DIRECT/216.86.100.72 -
>> > 1196170419.181 30630 64.237.46.132 TCP_MISS/200 0 CONNECT
>> > 12.43.220.7:25 - DIRECT/12.43.220.7 -
>> > 1196170419.614 1078 208.167.225.68 TCP_MISS/200 407 CONNECT
>> > 75.126.136.142:25 - DIRECT/75.126.136.142 -
>> > 1196170419.659 1339 208.167.225.68 TCP_MISS/200 257 CONNECT
>> > 64.18.6.14:25 - DIRECT/64.18.6.14 -
>> > 1196170419.850 733 208.167.225.68 TCP_MISS/200 336 CONNECT
>> > 24.173.119.6:25 - DIRECT/24.173.119.6 -
>> > 1196170419.936 5533 208.167.225.68 TCP_MISS/200 174 CONNECT
>> > 203.112.24.188:25 - DIRECT/203.112.24.188 -
>> > 1196170420.102 4395 208.167.225.68 TCP_MISS/200 166 CONNECT
>> > 216.229.67.195:25 - DIRECT/216.229.67.195 -
>> > 1196170420.964 30718 64.237.46.132 TCP_MISS/200 0 CONNECT
>> > 195.252.127.36:25 - DIRECT/195.252.127.36 -
>> > 1196170421.105 1115 208.167.225.68 TCP_MISS/200 105 CONNECT
>> > 204.101.14.165:25 - DIRECT/204.101.14.165 -
>> > 1196170421.114 574 208.167.225.68 TCP_MISS/200 192 CONNECT
>> > 84.96.93.166:25 - DIRECT/84.96.93.166 -
>> > 1196170421.410 1829 208.167.225.68 TCP_MISS/200 234 CONNECT
>> > 195.76.174.39:25 - DIRECT/195.76.174.39 -
>> > 1196170421.602 171 208.167.225.68 TCP_MISS/200 78 CONNECT
>> > 24.71.223.11:25 - DIRECT/24.71.223.11 -
>> > 1196170421.848 155 208.167.225.68 TCP_MISS/200 78 CONNECT
>> > 24.71.223.11:25 - DIRECT/24.71.223.11 -
>> > 1196170421.858 645 64.237.46.55 TCP_MISS/200 328 CONNECT
>> > 69.20.116.136:25 - DIRECT/69.20.116.136 -
>> > 1196170421.957 59 64.237.46.55 TCP_MISS/200 0 CONNECT
>> > 64.18.5.10:25 - DIRECT/64.18.5.10 -
>> > 1196170422.101 30770 64.237.46.132 TCP_MISS/200 0 CONNECT
>> > 203.135.130.131:25 - DIRECT/203.135.130.131 -
>> > 1196170422.298 17913 64.237.46.55 TCP_MISS/200 577 CONNECT
>> > 168.95.5.19:25 - DIRECT/168.95.5.19 -
>> > 1196170422.551 1265 208.167.225.68 TCP_MISS/200 268 CONNECT
>> > 218.5.77.18:25 - DIRECT/218.5.77.18 -
>> > 1196170422.723 37 64.237.46.55 TCP_MISS/503 0 CONNECT
>> > 208.4.52.29:25 - DIRECT/208.4.52.29 -
>> > 1196170423.019 197 208.167.225.68 TCP_MISS/200 334 CONNECT
>> > 65.54.244.8:25 - DIRECT/65.54.244.8 -
>> >
>> > ----------------------------------------------------------------------------
>> >
>> > As you can see thats nearly 100 hits in 8 seconds. I know this is
>> > come kind of tool, but I cannot figure out a way to reproduce these
>> > results.
>> >
>> > Our conf for this server is as follows (Host Names and IP addresses
>> > have been changed incase our other servers are also vulnerable):
>> >
>> > ----------------------------------------------------------------------------
>> >
>> > http_port 3128
>> > icp_port 3130
>> >
>> >
>> > cache_dir ufs /var/spool/squid3 100 16 256
>> > debug_options ALL,9
>> >
>> > cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
>> > no-query no-digest login=PASS originserver name=bradbury_ats_za
>> > cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
>> > no-query no-digest login=PASS originserver name=weasel_ats
>> > cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
>> > no-query no-digest login=PASS originserver name=reynolds_ats
>> > cache_peer xxx.xxx.xxx.xxx parent 443 7 ssl sslflags=DONT_VERIFY_PEER
>> > no-query no-digest login=PASS originserver name=asimov_ats
>> >
>> >
>> > acl sites_on_bradbury_ats_za dstdomain stuff.us.com
>> > acl sites_on_weasel_ats dstdomain stuff2.us.com
>> > acl sites_on_reynolds_ats dstdomain stuff3.us.com
>> > acl sites_on_reynolds_ats dstdomain stuff4.us.com
>> > acl sites_on_asimov_ats dstdomain stuff5.us.com
>> > acl sites_on_asimov_ats dstdomain stuff6.us.com
>> > acl sites_on_asimov_ats dstdomain stuff7.us.com
>> >
>> > cache_peer_access bradbury_ats_za allow sites_on_bradbury_ats_za
>> > cache_peer_access weasel_ats allow sites_on_weasel_ats
>> > cache_peer_access reynolds_ats allow sites_on_reynolds_ats
>> > cache_peer_access asimov_ats allow sites_on_asimov_ats
>> >
>> >
>> > acl all src 0.0.0.0/0.0.0.0
>> > acl localhost src 127.0.0.1/255.255.255.255
>> > acl to_localhost dst 127.0.0.0/8
>> > acl SSL_ports port 443
>> > acl Safe_ports port 80 # http
>> > acl Safe_ports port 443 # https
>> > acl CONNECT method CONNECT
>> > http_access deny !Safe_ports
>> > http_access deny CONNECT !SSL_ports
>> >
>> > http_access allow all
>> > icp_access allow all
>> >
>> >
>> > coredump_dir /var/spool/squid3
>> >
>> >
>> > httpd_suppress_version_string on
>> > visible_hostname proxy-us.hrsmart.com
>> >
>> > ----------------------------------------------------------------------------
>> >
>> > Anyone have any idea how this was being done? If so please respond to
>> > the list. If you know how to do this, I would appreciate a way to
>> > reproduce this for my superiors.
>> >
>>
>>
>>
>> --
>>
>> Sds.
>> Alexandre J. Correa
>> Onda Internet / OPinguim.net
>> http://www.ondainternet.com.br
>> http://www.opinguim.net
>>
>
Received on Thu Nov 29 2007 - 15:36:48 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:03 MST