(No need to send posts to both me and the Squid-users list...I read
Squid-users daily. ;-)
It looks like maybe you're running an open web cache, which is a big
problem to start with and will make this worm much more painful for you
and your users.
Are all of those source IPs in your local networks? (I see at least four
pretty widely separated network blocks there 202.120.136.0,
202.120.152.0, 202.171.144.0, 202.240.152.0.) So close Squid to all but
your clients first, then tell us if the problem seems so big. We've had
no serious service problems from any of our client boxes so far today
(knock on wood), though some are wondering at the rapid growth of their
logs.
khiz code wrote:
> Hi guys
> there have been massive worm attacks (not Code Red) this time having the
> following signature patterns; seems to be the sadmind worm
> 202.120.136.142 TCP_MISS/503 1160 GET
> http://www/scripts/..%c0%../winnt/system32/cmd.exe? - NONE/- -
> 1000823300.505 1 202.120.136.142 TCP_MISS/503 1160 GET
> http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
> 1000823300.611 1 202.120.136.142 TCP_MISS/503 1160 GET
> http://www/scripts/..%c1%9c../winnt/system32/cmd.exe? - NONE/- -
> 1000823300.731 2 202.120.136.142 TCP_MISS/503 1162 GET
> http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- -
> 1000823300.809 1 202.120.136.142 TCP_MISS/503 1158 GET
> http://www/scripts/..%%35c../winnt/system32/cmd.exe? - NONE/- -
> 1000821283.850 6123 202.120.152.15 TCP_MISS/503 1110 GET
> http://www/scripts/root.exe? - NONE/- -
> 1000821283.850 6123 202.171.144.123 TCP_MISS/503 1110 GET
> http://www/scripts/root.exe? - NONE/- -
> 1000821289.047 7158 202.171.144.170 TCP_MISS/503 1110 GET
> http://www/scripts/root.exe? - NONE/- -
> 1000821289.047 7158 202.171.144.147 TCP_MISS/503 1110 GET
> http://www/scripts/root.exe? - NONE/- -
> 1000821289.047 7158 202.171.144.147 TCP_MISS/503 1110 GET
> http://www/scripts/root.exe? - NONE/- -
> 1000821289.047 7158 202.240.152.201 TCP_MISS/503 0 GET
> http://www/scripts/root.exe? - NONE/- -
>
> these have been reported on all of my squid boxes, leading to the
> following messages in cache.log
> 2001/09/18 19:17:41| comm_udp_sendto: FD 4, 202.120.136.69, port 53:
> (105) No buffer space available
> 2001/09/18 19:17:41| idnsSendQuery: FD 4: sendto: (105) No buffer space
> available
> 2001/09/18 19:17:41| comm_udp_sendto: FD 4, 202.134.10.1, port 53:
> (105) No buffer space available
> 2001/09/18 19:17:41| idnsSendQuery: FD 4: sendto: (105) No buffer space
> available
>
> the following messages in /var/log/messages
> Sep 18 18:25:58 cache-squid kernel: dst cache overflow
> Sep 18 18:25:58 cache-squid kernel: NET: 3324 messages suppressed.
> Sep 18 18:25:58 cache-squid kernel: dst cache overflow
> Sep 18 18:25:58 cache-squid kernel: NET: 3324 messages suppressed
>
> at this level of traffic the Linux kernel isn't able to even construct a
> packet for a simple ping due to lack of buffer space. the machines are
> well equipped with about 512 MB RAM.
> is there something that we could do about this?
> squid is working as a transparent cache ... Duane's Code Red patch
> which he had posted on the list some time back doesn't seem to work for
> transparent WCCP-enabled caching.
> can we have some sort of acl url_regex to prevent these attacks?
>
> something like squid acting as an HTTP IDS in front of worm-friendly IIS
> servers.. we can have squid just do attack prevention rather than caching
> /accelerating ..
> hoping for solutions
> rgds
> khizcode
--
Joe Cooper <joe@swelltech.com>
Affordable Web Caching Proxy Appliances
http://www.swelltech.com
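To answer Joe's question ("are all of those source IPs in your local networks?") from the access.log itself, and to prototype the url_regex-style signature khiz asks about, here is an added example (not code from either poster or from the Squid project): it parses Squid native-format log lines, flags requests matching the worm patterns quoted in the thread, and reports which offending clients fall outside the local client CIDRs you pass in. The sample lines and the local network list are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Squid native access.log format, modelled on the lines
# quoted above: timestamp elapsed client action/code bytes method URL ident hier type
SAMPLE_LOG = """\
1000823300.505 1 202.120.136.142 TCP_MISS/503 1160 GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
1000823300.731 2 202.120.136.142 TCP_MISS/503 1162 GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- -
1000821283.850 6123 202.171.144.123 TCP_MISS/503 1110 GET http://www/scripts/root.exe? - NONE/- -
1000821289.047 7158 202.240.152.201 TCP_MISS/503 0 GET http://www/scripts/root.exe? - NONE/- -
1000821290.000 12 10.1.2.3 TCP_HIT/200 5120 GET http://www.squid-cache.org/ - NONE/- text/html
"""

# Signatures exactly as they appear in the quoted log: a request for
# /scripts/root.exe, or a traversal (raw, %c0/%c1 Unicode, or double-encoded
# %%35) down into system32/cmd.exe.
WORM_URL = re.compile(
    r"(/scripts/root\.exe|/system32/cmd\.exe|\.\.%c[01]%|\.\.%%35)", re.IGNORECASE
)


def parse_line(line):
    """Return (client_ip, action/status, url) from a native-format line, else None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[3], fields[6]


def classify(log_text, local_nets):
    """Count worm-signature requests per client IP and collect the clients that
    are NOT inside local_nets (a list of CIDR strings, assumed to be your own
    client ranges); any address in that set means the cache is serving strangers."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = Counter()
    foreign = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _status, url = rec
        if not WORM_URL.search(url):
            continue
        hits[ip] += 1
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            foreign.add(ip)
    return hits, foreign
```

The `foreign` set is the list of sources an `http_access` rule restricted to your own client networks would have refused outright, which is the first fix Joe recommends; the URL regex is only the second line of defence.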
Received on Tue Sep 18 2001 - 23:05:32 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:16 MST