[squid-users] virus attack result in squid slowdown

From: Diamond King <mercyful_fated@dont-contact.us>
Date: Thu, 28 Oct 2004 00:01:23 -0700 (PDT)

There are 3 squid servers in our network and all of
them are separated from each other. Recently, one of
our servers started to act strange. After some inspection
of cache.log, we found at least a few thousand lines
of the below log :-

Request header is too large (24575 bytes)

Further inspection leads to checking the cache manager
menu under Cache Client List. We found that most of
the infected users have these attributes :-

Address: 192.168.25.100
Name: 192.168.25.100
Currently established connections: 0
    ICP Requests 0
    HTTP Requests 2808
        NONE 2800 100%

Address: 192.168.23.80
Name: 192.168.23.80
Currently established connections: 0
    ICP Requests 0
    HTTP Requests 7184
        NONE 6330 88%

....

Some of them even have 30000 NONE requests. We
scanned the infected users and the only virus/worm
detected was worm_sdbot.se. FYI, we are using
Trendmicro's sysclean to scan. After deleting the
virus, they still try to send requests to port 80 and the
request remains at 24575 bytes. Any idea of what is
happening here? Thanks.
Received on Thu Oct 28 2004 - 01:01:34 MDT
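As an added example (not from the original post or the Squid project), the following Python script parses the Cache Client List output quoted above, flags clients whose HTTP requests are mostly NONE (never served by Squid), and tallies the "Request header is too large" lines from cache.log by reported size. The sample data, the client_list layout of the healthy third client, and the thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: the two client_list entries quoted in the post plus one
# healthy client for contrast, and a few cache.log lines. Not real captures.
CLIENT_LIST = """\
Address: 192.168.25.100
Name: 192.168.25.100
Currently established connections: 0
    HTTP Requests 2808
        NONE 2800 100%

Address: 192.168.23.80
Name: 192.168.23.80
Currently established connections: 0
    HTTP Requests 7184
        NONE 6330 88%

Address: 192.168.30.5
Name: 192.168.30.5
Currently established connections: 1
    HTTP Requests 1200
        NONE 15 1%
        TCP_MISS 1185 99%
"""
CACHE_LOG = """\
2004/10/27 23:58:01| Request header is too large (24575 bytes)
2004/10/27 23:58:01| Request header is too large (24575 bytes)
2004/10/27 23:58:02| Request header is too large (16384 bytes)
"""

def parse_client_list(text):
    """Split cachemgr client_list output (blank-line separated) into per-client dicts."""
    clients = []
    for block in re.split(r"\n\s*\n", text.strip()):
        addr = re.search(r"^Address:\s*(\S+)", block, re.M)
        http = re.search(r"HTTP Requests\s+(\d+)", block)
        none = re.search(r"^\s*NONE\s+(\d+)", block, re.M)
        if addr and http:
            clients.append({"address": addr.group(1), "http": int(http.group(1)),
                            "none": int(none.group(1)) if none else 0})
    return clients

def suspicious_clients(clients, min_requests=1000, min_none_ratio=0.5):
    """Addresses whose traffic is mostly NONE; thresholds are assumptions to tune per site."""
    return [c["address"] for c in clients
            if c["http"] >= min_requests and c["none"] / c["http"] >= min_none_ratio]

def header_too_large_sizes(log_text):
    """Count 'Request header is too large' cache.log lines, keyed by the reported byte size."""
    return Counter(int(m.group(1)) for m in
                   re.finditer(r"Request header is too large \((\d+) bytes\)", log_text))
```

A cluster of identical oversized-header counts in cache.log, matched against the clients this flags, gives the list of hosts to pull off the network for cleaning.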
