Re: [squid-users] Unusual Denied Request

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 24 Mar 2012 01:27:28 +1300

On 24/03/2012 12:56 a.m., Momen, Mazdak wrote:
> Hi, we have recently noticed unusual denied requests on our Squid servers.
> Thu Mar 22 03:00:24 2012 3 ***.***.***.*** TCP_DENIED/403 3437 CONNECT https:443 - NONE/- text/html
>
> We're not sure what "https:443" exactly is or how it is produced. This was not caused by a user, the servers behind our Squid servers are hosting a web application. Any idea what exactly this is?

It is the URL being passed to Squid on a CONNECT request. Apparently
something wants Squid to create a TCP tunnel to the server named "https"
on port 443.

Like Kinkie said earlier, it is most likely an attacker at IP
***.***.***.*** scanning your site for vulnerabilities. There exist
wrongly configured proxies whose ACLs only check for url_regex "^https"
or only for a port-443 destination before letting CONNECT tunnels be
set up. Once set up, the tunnel can be used for *anything*.

If that is one of your trusted servers, check it for infections or
improper input validation problems, including SQL injection, XSS
injection, callback hijacking, click-jacking vulnerabilities, or plain
old broken scripts (it could simply be some automatic script failing to
generate a URL properly).

Amos
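The two ACL mistakes Amos describes (a url_regex that only tests for "^https", or a rule that only tests for destination port 443) both accept the malformed target "https:443" from the log line above, while a check that also validates the host part does not. The script below is an added illustration written for this archive page, not code from the thread or from the Squid project: it parses constructed access.log lines laid out like the quoted one (timestamp, duration, client, result code, bytes, method, URL, ident, hierarchy, type), models the two weak checks beside a stricter one, and reports CONNECT targets that only the weak checks would have let through. The rule that a tunnel target must be an IP literal or a multi-label hostname is an assumed local policy, and the client addresses are documentation-range values.

```python
"""Audit Squid access.log CONNECT entries for malformed tunnel targets.

Added example: compares the two misconfigured ACL patterns described in the
thread (url_regex "^https" only, or port-443 only) with a stricter
host-validation check, over constructed log lines.
"""
import ipaddress
import re

# Constructed sample lines in the same layout as the one quoted in the
# thread. Client addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Thu Mar 22 03:00:24 2012 3 203.0.113.5 TCP_DENIED/403 3437 CONNECT https:443 - NONE/- text/html
Thu Mar 22 03:00:25 2012 120 203.0.113.6 TCP_MISS/200 4521 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
Thu Mar 22 03:00:26 2012 45 203.0.113.7 TCP_DENIED/403 3437 CONNECT 10.0.0.1:22 - NONE/- text/html
Thu Mar 22 03:00:27 2012 12 203.0.113.8 TCP_MISS/200 812 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
"""

METHODS = {"CONNECT", "GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}
ALLOWED_SSL_PORTS = {443}  # Squid's default SSL_ports ACL value

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_connect_target(line):
    """Return (client_ip, host, port) for a CONNECT line, else None.

    The method token is located by name so the parser does not depend on
    how many tokens the timestamp occupies; the client address is the
    third field before the method, and the URL is the field after it.
    """
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok in METHODS:
            if tok != "CONNECT" or i + 1 >= len(fields) or i < 3:
                return None
            client_ip = fields[i - 3]
            host, sep, port = fields[i + 1].rpartition(":")
            if not sep or not port.isdigit():
                return None
            return client_ip, host, int(port)
    return None


def weak_regex_allows(url):
    """Misconfiguration 1: url_regex ^https also matches the bare name "https"."""
    return re.match(r"^https", url) is not None


def weak_port_allows(host, port):
    """Misconfiguration 2: only the destination port is examined."""
    return port in ALLOWED_SSL_PORTS


def is_plausible_host(host):
    """IP literal or multi-label hostname with valid labels (assumed policy)."""
    bare = host.strip("[]")  # allow bracketed IPv6 literals
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    # Assumption: single-label names such as "https" are not legitimate
    # tunnel targets on this proxy; relax for an intranet with short names.
    return len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)


def strict_allows(host, port):
    """Port must be an SSL port AND the host must look like a real target."""
    return port in ALLOWED_SSL_PORTS and is_plausible_host(host)


def audit(log_text):
    """Flag CONNECT lines a weak ACL would accept but the strict check denies."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_connect_target(line)
        if parsed is None:
            continue
        client_ip, host, port = parsed
        url = f"{host}:{port}"
        weak = weak_regex_allows(url) or weak_port_allows(host, port)
        if weak and not strict_allows(host, port):
            findings.append({"client": client_ip, "url": url})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"suspicious CONNECT target {f['url']} from {f['client']}")
```

Run against a real access.log by replacing SAMPLE_LOG with the file contents; only the "https:443" line from the constructed sample is reported, because the www.example.com tunnel passes the strict check and the port-22 attempt is already refused by both rules.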
Received on Fri Mar 23 2012 - 12:27:35 MDT