Yesterday as a follow on, I unmerged the Gentoo Squid (2.5.11 Stable) and installed Squid-3.0-PRE3-20051030 direct from Squid-cache.org. After that my only trigger was a common false positive but no random web attacks as produced by the Gentoo version.
I did record attemps from other Gentoo platforms (i.e. raptor.gentoo.osuosl.org) that had the same attack signatures probing my server. I did save one alert log from the Gentoo Squid build and here are some clips: ---------------------------- 11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80 TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF ***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32 TCP Options (3) => NOP NOP TS: 287314455 7254994 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1376][Xref => http:/ /www.securityfocus.com/bid/2252] [**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] 11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80 TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF ***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32 TCP Options (3) => NOP NOP TS: 287314455 7254994 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11032] [**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] 11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443 TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF ***AP*** Seq: 0xBBD22A6D Ack: 0xC6E36C0C Win: 0x2118 TcpLen: 32 TCP Options (3) => NOP NOP TS: 287348635 430347512 [Xref => http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719][Xref => http://www.securityfocus.com/bid/10116] [**] [1:972:8] WEB-IIS %2E-asp access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] 11/03-13:38:00.152634 192.168.1.12:36118 -> 63.93.242.137:80 TCP TTL:64 TOS:0x0 ID:35374 IpLen:20 DgmLen:829 DF ***AP*** Seq: 0xC0300C22 Ack: 0x156D63CD Win: 0x16D0 TcpLen: 20 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0253][Xref => http://www.securityfocus.com/bid/1814] [**] [1:1564:6] WEB-MISC login.htm access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] 11/03-18:02:09.890960 192.168.1.12:32790 -> 209.202.161.132:80 TCP TTL:64 TOS:0x0 ID:16648 IpLen:20 DgmLen:568 DF ***AP*** Seq: 0xB256AB50 Ack: 0x16654B17 Win: 0x16D0 TcpLen: 20 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1533][Xref => http://www.securityfocus.com/bid/665] [**] [1:895:7] WEB-CGI redirect access [**] [Classification: Attempted Information Leak] [Priority: 2] 11/03-18:02:19.371472 192.168.1.12:32796 -> 207.46.225.221:80 TCP TTL:64 TOS:0x0 ID:40290 IpLen:20 DgmLen:525 DF ***AP*** Seq: 0xB3019639 Ack: 0x80329EEE Win: 0x6C0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 4294840274 7096916 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0382][Xref => http://www.securityfocus.com/bid/1179] [**] [1:1333:6] WEB-ATTACKS id command attempt [**] [Classification: Web Application Attack] [Priority: 1] 11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80 TCP TTL:64 TOS:0x0 ID:61249 IpLen:20 DgmLen:1492 DF ***A**** Seq: 0xDEBFB8B8 Ack: 0xDC15FDA0 Win: 0x16D0 TcpLen: 20 [**] [1:1112:6] WEB-MISC http directory traversal [**] [Classification: Attempted Information Leak] [Priority: 2] 11/03-21:43:43.650398 192.168.1.12:33728 -> 63.208.226.65:80 TCP TTL:64 TOS:0x0 ID:26729 IpLen:20 DgmLen:1492 DF ***A**** Seq: 0xF4A1B938 Ack: 0xE9F492C2 Win: 0x16D0 TcpLen: 20 [Xref => http://www.whitehats.com/info/IDS298] [**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**] [Classification: Web Application Attack] [Priority: 1] 11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80 TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF ***AP*** Seq: 0x2581E951 Ack: 0xF243E594 Win: 0x5B4 TcpLen: 32 TCP Options (3) => NOP NOP TS: 13906685 185043937 [Xref => http://www.securityfocus.com/bid/2527] [**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**] [Classification: Web Application Attack] [Priority: 1] 11/03-21:56:12.087098 192.168.1.12:33992 -> 66.179.5.89:80 TCP TTL:64 TOS:0x0 ID:14281 IpLen:20 DgmLen:980 DF ***AP*** Seq: 0x25AB00D1 Ack: 0x8BAB936F Win: 0x16D0 TcpLen: 20 [Xref => http://www.securityfocus.com/bid/2527] There has been much more but that's is just some snips of the one alert log that I did save. So far with the new Squid cache I do not get attack signature triggers as with the Gentoo release. I was trying Snortsam to control my iptables and have not really gotten it to work. I will give the flexresp and oinkmaster suite a look. Thank you. Best wishes, JohnF -- [email protected] mailing list
