> > there are 3 squid servers in our network and all of
> > them are separated from each other. Recently, one of
> > our servers started to act strange. After some inspection
> > from cache.log, we found at least a few thousand lines
> > of the below log :-
> >
> > Request header is too large (24575 bytes)
> >
> > Further inspection leads to checking the cache manager
> > menu under Cache Client List. We found that most of
> > the infected users have these attributes :-
> >
> > Address: 192.168.25.100
> > Name: 192.168.25.100
> > Currently established connections: 0
> > ICP Requests 0
> > HTTP Requests 2808
> > NONE 2800 100%
> >
> > Address: 192.168.23.80
> > Name: 192.168.23.80
> > Currently established connections: 0
> > ICP Requests 0
> > HTTP Requests 7184
> > NONE 6330 88%
> >
> > ....
> >
> > Some of them even have 30000 NONE requests. We
> > scanned the infected users and the only virus/worm
> > detected is worm_sdbot.se. FYI, we are using
> > Trendmicro's sysclean to scan. After deleting the
> > virus, they still try to request to port 80 and the
> > request remains at 24575 bytes. Any idea of what is
> > happening here? Thanks.
>
> To find out what is happening, check access.log and look at what kind of requests these clients are (still) sending to SQUID.
M.
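As an added example (not from the thread or from Squid itself), one way to do the access.log check M. suggests: parse Squid's native log format, tally requests per client, and flag clients whose traffic is mostly NONE results, which is what the cache manager client list above showed for the infected hosts. The log records are constructed; the URL Squid logs for a rejected oversize request depends on its version, so "-" stands in for it here.

```python
import re
from collections import defaultdict

# Native Squid access.log layout: time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)

# Constructed sample records (not from the thread). The URL Squid logs for a
# rejected oversize request depends on its version, so "-" stands in here.
SAMPLE_LOG = """\
1112345600.001 0 192.168.25.100 NONE/400 1571 GET - - NONE/- text/html
1112345600.102 0 192.168.25.100 NONE/400 1571 GET - - NONE/- text/html
1112345600.203 0 192.168.25.100 NONE/400 1571 GET - - NONE/- text/html
1112345600.304 0 192.168.25.100 NONE/400 1571 GET - - NONE/- text/html
1112345600.405 0 192.168.25.100 NONE/400 1571 GET - - NONE/- text/html
1112345601.000 312 192.168.23.80 TCP_MISS/200 4102 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1112345601.120 0 192.168.23.80 NONE/400 1571 GET - - NONE/- text/html
1112345601.240 0 192.168.23.80 NONE/400 1571 GET - - NONE/- text/html
1112345601.360 0 192.168.23.80 NONE/400 1571 GET - - NONE/- text/html
1112345601.480 0 192.168.23.80 NONE/400 1571 GET - - NONE/- text/html
1112345602.000 5 192.168.1.10 TCP_HIT/200 2210 GET http://www.example.com/logo.png - NONE/- image/png
"""

def parse_line(line):
    """Split one native-format record into its fields; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Per-client totals and NONE counts, like the cache manager's client list."""
    stats = defaultdict(lambda: {"requests": 0, "none": 0, "urls": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        if rec["code"] == "NONE":  # Squid never served the request (e.g. it was rejected)
            s["none"] += 1
        s["urls"].add(rec["url"])
    return dict(stats)

def suspicious_clients(log_text, min_requests=5, none_ratio=0.8):
    """Clients whose traffic is mostly NONE results, worst offender first."""
    hits = [(c, s["requests"], s["none"], sorted(s["urls"]))
            for c, s in summarize(log_text).items()
            if s["requests"] >= min_requests and s["none"] / s["requests"] >= none_ratio]
    return sorted(hits, key=lambda t: -t[2])
```

Run it over the real access.log (one record per line) to get the per-client list plus the URLs each flagged client keeps requesting, which is what tells you whether the hosts are still carrying the worm's traffic after cleaning.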
