Hello. I was trying to check whether there is some security hole or
issue with our squid &/or ICP that I should know about. I looked around
the www.squid-cache.org & the web, but didn't find anything relevant to
the case below. I'd appreciate any pointers.
BACKGROUND:
Someone from web site X claimed that someone from our site was launching
a DoS against them. The IP he gave was our proxy. It turns out someone
from our site *was* repeatedly trying to download a certain audio URL
(perhaps non-maliciously).
When checking our squid logs, I found the following message:
ploni.jct.ac.il - - [01/Aug/2007:16:30:02 +0300] "ICP_QUERY http://www.a.org/uploadfile/radio/pu2.wma?lang=hebrew HTTP/0.0" 0 80 UDP_MISS:NONE
I changed the 2 host names. "ploni" is our wireless network server. It
runs its own squid, which uses our proxy server's squid as a parent.
That's the ICP_QUERY above. Not knowing much about ICP, I first thought
the above message was suspicious, though I don't think so now.
CONFIGURATION:
Our proxy server runs:
* Squid Cache: Version 2.5.STABLE6-CVS
* Red Hat Enterprise Linux WS release 3 (Taroon Update 1)
* kernel 2.4.21-9.ELsmp
Our wireless server runs:
* Squid Cache: Version 2.5.STABLE3
* Red Hat Enterprise Linux WS release 3 (Taroon Update 5)
* kernel 2.4.21-37.ELsmp
Thanks
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Haim (Howard) Roman
Computer Center, Jerusalem College of Technology
roman@jct.ac.il
Phone: 052-8-592-599 (6022 from within Machon Lev)

Received on Thu Aug 02 2007 - 10:12:20 MDT
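An added example, not part of the original post and not Squid's own tooling: a Python parser for access.log lines in the httpd-emulated layout shown above that separates peer ICP_QUERY entries (a child cache asking the parent whether it holds an object) from real client HTTP requests, then counts repeated fetches of one URL per client, which is the check the poster did by hand. The 10.0.0.x client lines and the threshold are constructed for the example.

```python
import re
from collections import Counter

# Squid "common" (httpd-emulated) access.log layout, as in the post above:
# client ident user [timestamp] "METHOD URL PROTO" status bytes RESULT:HIERARCHY
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<result>[A-Z_]+):(?P<hier>\S+)$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_icp_query(entry):
    """Peer-cache ICP traffic: method ICP_QUERY with a UDP_* result code.
    It only asks whether the parent holds the object; no origin fetch is
    implied by this line by itself."""
    return entry["method"] == "ICP_QUERY" or entry["result"].startswith("UDP_")

def repeated_fetches(lines, threshold):
    """Count (client, url) pairs among HTTP requests (ICP lines excluded)
    and return those seen at least `threshold` times."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or is_icp_query(entry):
            continue
        counts[(entry["client"], entry["url"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed sample: the ICP line from the post plus invented client requests.
SAMPLE_LOG = [
    'ploni.jct.ac.il - - [01/Aug/2007:16:30:02 +0300] "ICP_QUERY '
    'http://www.a.org/uploadfile/radio/pu2.wma?lang=hebrew HTTP/0.0" 0 80 UDP_MISS:NONE',
] + [
    f'10.0.0.5 - - [01/Aug/2007:16:30:0{i} +0300] "GET '
    'http://www.a.org/uploadfile/radio/pu2.wma?lang=hebrew HTTP/1.1" 200 4096 TCP_MISS:DIRECT'
    for i in range(3, 8)
] + [
    '10.0.0.9 - - [01/Aug/2007:16:31:00 +0300] "GET http://example.invalid/ HTTP/1.1" 200 512 TCP_MISS:DIRECT',
]

if __name__ == "__main__":
    for key, n in repeated_fetches(SAMPLE_LOG, threshold=3).items():
        print(n, *key)
```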