Re: [squid-users] Strange user name in SQUID log

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 06 May 2012 10:47:52 +1200

On 6/05/2012 12:53 a.m., Pavel Bychykhin wrote:
> Hi!
>
> My SQUID version is 3.1.19. Recently I noticed a very strange log record
> (strange user name):
>
> 1335604655.033 49 192.168.1.20 TCP_DENIED/407 481 HEAD
> http://s7.addthis.com/static/r07/sh084.html
> %ef%bf%af%ef%be%bf%ef%be%90%ef%bf%af%ef%be%be%ef%be%90%ef%bf%af%ef%be%bf%ef%be%90%ef%bf%af%ef%be%be%ef%be%b1%ef%bf%af%ef%be%bf%ef%be%91%ef%bf%af%ef%be%be%ef%be%80%ef%bf%af%ef%be%bf%ef%be%90%ef%bf%af%ef%be%be%ef%be%b0%ef%bf%af%ef%be%bf%ef%be%90%ef%bf%af%ef%be%be%ef%be%ba%ef%bf%af%ef%be%bf%ef%be%90%ef%bf%af%ef%be%be%ef%be%be%ef%bf%af%ef%be%bf%ef%be%90%ef%bf%af%ef%be%be%ef%be%b4%ef%bf%af%ef%be%bf%ef%be%90%ef%bf%af%ef%be%be%ef%be%b0%ef%bf%af%ef%be%bf%ef%be%90%ef%bf%af%ef%be%be%ef%be%b2%ef%bf%af%ef%be%bf%ef%be%91%ef%bf%af%ef%be%be%ef%be%80%ef%bf%af%ef%be%bf%ef%be%90%ef%bf%af%ef%be%be%ef%be%b0
> NONE/- text/html
>
> All my users have their accounts in plain ASCII.
> It would not be a big problem (such a record occurred only once), but
> SARG was unable to process this record and does not generate a report.
> I wonder, is it a correct log record, or is it a bug?
>

This looks like the correct log entry for a mangled (attack?) request.
An Asian name appears when decoded as Unicode. It was rejected due to
incorrect auth credentials by your system.

Amos
Received on Sat May 05 2012 - 22:47:57 MDT
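
As an added example (not part of the original thread, and not Squid or SARG code): a pre-filter that percent-decodes the user field of each native-format access.log record and sets aside any record whose user name is not a plain ASCII account name, so that a report generator only sees clean lines. The allowed character set, the function names and the sample lines are assumptions; the user field of the second sample line is shortened to the first three escapes of the record quoted above.

```python
import string
from urllib.parse import unquote_to_bytes

# Assumption: local account names use only these ASCII characters.
ALLOWED = set(string.ascii_letters + string.digits + "._-@")

# Constructed sample records in the native access.log layout shown in the thread.
# The user field of the second record is truncated from the quoted one.
SAMPLE_LOG = """\
1335604650.120 12 192.168.1.21 TCP_MISS/200 1024 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1335604655.033 49 192.168.1.20 TCP_DENIED/407 481 HEAD http://s7.addthis.com/static/r07/sh084.html %ef%bf%af%ef%be%bf%ef%be%90 NONE/- text/html
1335604660.500 3 192.168.1.22 TCP_DENIED/407 400 GET http://example.com/ - NONE/- text/html
"""

def classify_user(field):
    """Return (verdict, detail) for the raw user field of one record."""
    if field == "-":                      # no credentials were sent
        return "none", ""
    raw = unquote_to_bytes(field)         # undo the %xx escaping seen in the log
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "invalid-utf8", raw.hex()
    if all(ch in ALLOWED for ch in decoded):
        return "ok", decoded
    # Report code points instead of raw characters so the output stays ASCII.
    return "suspect", " ".join(f"U+{ord(ch):04X}" for ch in decoded)

def split_log(text):
    """Return (clean_lines, flagged); flagged holds (client_ip, verdict, detail)."""
    clean, flagged = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:              # native format has ten fields
            flagged.append(("?", "malformed", line))
            continue
        verdict, detail = classify_user(fields[7])   # eighth field is the user name
        if verdict in ("ok", "none"):
            clean.append(line)
        else:
            flagged.append((fields[2], verdict, detail))
    return clean, flagged

if __name__ == "__main__":
    clean, flagged = split_log(SAMPLE_LOG)
    print(f"{len(clean)} clean record(s) kept for the report")
    for ip, verdict, detail in flagged:
        print(f"review {ip}: {verdict} user field -> {detail}")
```

The flagged tuples carry the client address, so a repeated hit from one host can be followed up separately from the reporting run.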
