[squid-users] squid / worm weirdness

09-13-2003
Brad Groshok

This topic has kind of been touched on here in the last few days.

Running Squid 2.5.STABLE3 on Red Hat 9
Transparent mode from a Cisco 7206VXR WCCP1

I was just tailing access.log
and noticed a particular IP address accessing what appeared to be random
IP addresses. (customer using that IP address probably hit with one of the
latest worms)

So I figured I'd cut access from that customer till we can contact them
and get their system cleaned up.

Changed their password so they could not get logged back in.
Then disconnected their DSL connection to our network.

So at this point we don't have anybody using this particular address.

Still tailing squid access.log
It's still showing that IP address making requests to random IP addresses.
10 min later!!!

15 min later still a couple requests here and there, not as frequent, but
they are still showing up in access.log.
And guaranteed nobody is connected to that port/ip address.
(Sample access.log below)

Is it possible that these worms are causing our squid boxes to get this
far behind in processing requests, taking over 10 min to get caught up once
the offending source is disconnected?



Sample access.log:

1063418773.024 240213 x.x.x.x TCP_MISS/504 1353 GET http://219.30.176.25/ - NONE/- text/html
1063418773.024 240305 x.x.x.x TCP_MISS/504 1351 GET http://210.90.151.3/ - NONE/- text/html
1063418774.524 240173 x.x.x.x TCP_MISS/504 1353 GET http://220.71.37.187/ - NONE/- text/html
1063418774.524 240240 x.x.x.x TCP_MISS/504 1355 GET http://128.90.223.113/ - NONE/- text/html
1063418774.524 241519 x.x.x.x TCP_MISS/504 1353 GET http://211.37.25.196/ - NONE/- text/html
1063418775.128 240807 x.x.x.x TCP_MISS/504 1355 GET http://211.114.62.254/ - NONE/- text/html
1063418776.770 240180 x.x.x.x TCP_MISS/504 1355 GET http://196.46.173.122/ - NONE/- text/html
1063418776.770 244050 x.x.x.x TCP_MISS/504 1355 GET http://202.123.179.21/ - NONE/- text/html
1063418777.010 245607 x.x.x.x TCP_MISS/504 1353 GET http://61.214.68.198/ - NONE/- text/html
1063418777.010 246002 x.x.x.x TCP_MISS/504 1355 GET http://219.101.249.35/ - NONE/- text/html
1063418778.101 240098 x.x.x.x TCP_MISS/504 1355 GET http://211.50.237.107/ - NONE/- text/html
1063418778.101 240096 x.x.x.x TCP_MISS/504 1353 GET http://211.28.206.68/ - NONE/- text/html
1063418781.003 239995 x.x.x.x TCP_MISS/504 1355 GET http://211.204.118.87/ - NONE/- text/html
1063418781.003 239995 x.x.x.x TCP_MISS/504 1355 GET http://134.128.67.113/ - NONE/- text/html
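
Added example, not part of the original post: a small Python parser for access.log lines like the sample above. It subtracts the elapsed-time field from the timestamp to estimate when each request started, and summarizes clients that fan out to many bare-IP destinations ending in 504. It assumes Squid's native log format, in which the first field is the time the entry was written and the second is the elapsed time in milliseconds; the function names and the `min_hosts` threshold are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# First four lines are taken from the post's excerpt (client already redacted
# as x.x.x.x, wrapped lines joined); the last line is constructed for contrast.
SAMPLE = """\
1063418773.024 240213 x.x.x.x TCP_MISS/504 1353 GET http://219.30.176.25/ - NONE/- text/html
1063418774.524 241519 x.x.x.x TCP_MISS/504 1353 GET http://211.37.25.196/ - NONE/- text/html
1063418777.010 246002 x.x.x.x TCP_MISS/504 1355 GET http://219.101.249.35/ - NONE/- text/html
1063418781.003 239995 x.x.x.x TCP_MISS/504 1355 GET http://134.128.67.113/ - NONE/- text/html
1063418779.500 312 y.y.y.y TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
"""
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse(line):
    """Return the fields used below, or None for a short or malformed line."""
    f = line.split()
    status = f[3].partition("/")[2] if len(f) >= 10 else ""
    if not status.isdigit():
        return None
    return {
        "logged": float(f[0]),            # assumption: time the entry was written
        "elapsed_s": int(f[1]) / 1000.0,  # elapsed field is in milliseconds
        "client": f[2],
        "status": int(status),
        "host": urlsplit(f[6]).hostname or "",
    }

def summarize(text, min_hosts=3):
    """Per client: distinct bare-IP hosts that ended in 504, plus timing window."""
    per = defaultdict(lambda: {"hosts": set(), "starts": [], "logged": []})
    for line in text.splitlines():
        e = parse(line)
        if not e or e["status"] != 504 or not BARE_IP.match(e["host"]):
            continue
        c = per[e["client"]]
        c["hosts"].add(e["host"])
        c["starts"].append(e["logged"] - e["elapsed_s"])  # estimated start time
        c["logged"].append(e["logged"])
    return {
        client: {
            "distinct_hosts": len(c["hosts"]),
            "first_start": min(c["starts"]),
            "last_start": max(c["starts"]),
            "last_logged": max(c["logged"]),
        }
        for client, c in per.items() if len(c["hosts"]) >= min_hosts
    }
```

Comparing `last_start` with the time the client was disconnected shows whether entries still appearing in the log belong to requests that began before the cut-off.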


