Re: [squid-users] Use Squid as browser hijack deterrent (so far not working)

From: Alex Braunegg <alex.braunegg_at_gmail.com>
Date: Tue, 3 Feb 2009 10:24:13 +1100

Have you run the System Information Collector (SIC) Tool
(http://www.trendmicro.com/download/sic.asp) to gather the information
regarding the malware / trojan and submitted this for analysis to
Trend Micro?

On Tue, Feb 3, 2009 at 8:02 AM, <david_at_davidwbrown.name> wrote:
> Hello Squid users all, I have a bad situation partially resolved: the past few days I have been blind-sided by a Trojan based browser hijacking. A script from Trendmicro has allowed me to navigate the net w/o being redirected to a porn site or similar. Notwithstanding I can see from running wireshark the culprit that Trendmicro has not found the signature to as of yet. I am running: a Linux router/gateway, heavily firewalled (iptables) but with the attack I installed Squid. I created two system files with ACLs to match: bad_src_ip and bad_url_regex. From the Linux box ps shows that squid is running but the logs show no activity at all albeit OK access or error. Moreover, I can ping and tracert to the URLs and IPs I think I am blocking. Do I need to be a master of cache proxies to run Squid? An excerpt of my squid.conf is included below in case anyone has any ideas. I looked at redirection (3128) such as Shallalist and other blacklist but I would rather just create my own ACLs
> that work. Thanks in advance and please advise, David.
>
> ***************************************************************
> ACL list
> ***************************************************************
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports_unreg port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080 # Tomcat 8080
> acl Safe_ports port 8082 # Tomcat proxy redirect
> acl Safe_ports port 8009 # Tomcat ajp port
> acl CONNECT method CONNECT
> acl webmin port 10000
> acl usermin port 20000
> acl LAN myip 192.168.1.1-192.168.1.254
> acl Network_DNS srcdomain www.demon.net www.menandmice.com www.network-tools.com
> acl davidbrownhosts dstdomain www.davidwbrown.name www.deanbrown.name www.karlbrown.name
> acl tomcat urlpath_regex pebble
> acl our_networks src 192.168.1.0/24
> ************************************************************************
> Proxy restriction list
> ************************************************************************
> acl bad_src_ip src "/usr/local/etc/squid/bad_src_ip_list"
> acl bad_url_regex url_regex -i "/usr/local/etc/squid/bad_url_regex_list"
> #acl iana_named_ports port "/usr/local/etc/squid/iana_named_ports_list"
> http_access deny manager
> http_access deny !Safe_ports_unreg
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access allow our_networks
> http_access allow our_networks
>
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access deny bad_url_regex
> http_access deny bad_src_ip
> http_access deny all
>
Received on Mon Feb 02 2009 - 23:24:16 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 03 2009 - 12:00:02 MST