Search squid archive

Re: Unusual Denied Request

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]




On 24/03/2012 12:56 a.m., Momen, Mazdak wrote:
Hi, we have recently noticed unusual denied requests on our Squid servers.
Thu Mar 22 03:00:24 2012      3 ***.***.***.*** TCP_DENIED/403 3437 CONNECT https:443 - NONE/- text/html

We're not sure what "https:443" exactly is or how it is produced. This was not caused by a user, the servers behind our Squid servers are hosting a web application. Any idea what exactly this is?

It is the URL being passed to Squid on a CONNECT request. Apparently something wants Squid to create a TCP tunnel to the server named "https" on port 443.

Like Kinkie said earlier, it is most likely an attacker at IP ***.***.***.*** scanning your site for vulnerabilities. There exist wrongly configured proxies whose ACL only check for url_regex "^https" or only for port-443 destination before letting CONNECT tunnels be setup. Once setup the tunnel can be used for *anything*.

If that is one of your trusted servers check it for infections or improper input validation problems. Including SQL-injection, XSS injections, callback hijacking, click-jacking vulnerability, or plain old broken scripts (it could simply be some automatic script failing to generate a URL properly).

Amos



[Linux Audio Users]     [Photo]     [Yosemite News]     [Samba]     [Video Projectors]     [Video Devices]     [Big List of Linux Books]     [LCD TVs]     [Webcams]     [Linux USB]

  Powered by Linux