I have seen unpatched Win2K running IIS just allowing executables to be run
with manipulated URL encoding. When I was reverse proxying our
internal IIS/Win2K servers, I used to have ACLs in squid:
1. preventing requests with
\.cmd \.exe \.com etc.
2. allowing PUT only with access control,
because I could not ensure that the admins of those servers always
kept it patched properly. In this scheme, squid fits perfectly. Maybe
this is useful....
Sunil
>>> "Mar Matthias Darin" <BDarin@tanaya.net> 09/05/04 03:21PM >>>
Tom Le writes:
> Hi,
>
> I have a website that sits behind squid 2.5 and it got hacked into
> today. Someone from this ip address, 200.148.134.206, has put a few
> files into my website through squid. The content of the index.html is
>
> "Simiens Crew 2004 Ownz U"
>
> Here is the log from squid
>
> 1094326387.752 899375 200.148.134.206 TCP_MISS/000 0 PUT
> http://<hostname>/index.html - DIRECT/<my website ip address> -
>
> Can any of you give me some insight into this problem, and how to
> tighten my squid server down?
See previous post and add the following to your squid config:
add the below to your ACL section
acl GETONLY method GET
add this one to the *beginning* of your http_access section
http_access deny !GETONLY
Note that this will STOP all requests that are not GETs. This is an
extreme approach. A better way might be to list all valid IPs you expect
and then
http_access deny !VALIDIPS
Also use authentication, esp. if you are providing a public proxy
service.
Received on Tue Sep 07 2004 - 22:32:46 MDT
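A squid.conf fragment, added here as an illustration and not taken from either message, that combines Sunil's ACLs (refusing executable extensions, PUT only with access control) with Darin's method restriction. The 192.0.2.0/24 publisher range is an assumed placeholder; the `all` ACL definition follows the squid 2.5 default config.

```conf
# --- ACL section (added example; placeholder addresses) ---
# squid 2.5 has no built-in "all", so define it as the default config does.
acl all src 0.0.0.0/0.0.0.0

# Methods an anonymous visitor of a static site ever needs.
acl SAFEMETHODS method GET HEAD

# Methods that change content on the origin server (PUT is what the
# attacker in the thread used).
acl WRITEMETHODS method PUT POST DELETE

# Hosts allowed to publish content. Placeholder range, replace with the
# real editor/admin network.
acl PUBLISHERS src 192.0.2.0/24

# Request paths ending in an executable extension (Sunil's list), with
# an optional query string; -i makes the match case-insensitive.
acl EXECPATH urlpath_regex -i \.(cmd|exe|com|bat)(\?.*)?$

# --- http_access section: evaluated top to bottom, first match wins ---
# Never forward requests for executables to the IIS origin.
http_access deny EXECPATH
# Write methods only from the publisher network (two ACLs on one line
# are ANDed).
http_access allow WRITEMETHODS PUBLISHERS
http_access deny WRITEMETHODS
# Anything else that is not GET/HEAD (Darin's "deny !GETONLY" idea).
http_access deny !SAFEMETHODS
# Plain reads from anyone.
http_access allow all
```

With this order, the PUT in Tom's log line would be refused at the proxy unless the source address were inside PUBLISHERS, and squid would log it as TCP_DENIED rather than forwarding it to the origin.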
This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:02 MDT