On 21/05/11 00:36, Boniforti Flavio wrote:
> Hi Amos...
>
> [cut]
>
>> .. or in this case, it appears, some security penetration
>> testing software. Somehow installed on a user's PC.
>>
>>> Here you can find trace: http://www.sendspace.com/file/ij5qpe
>>>
>>
>> Sorry, that seems to be a summary packet log. Just confirms
>
> Sorry, I just took over your previously suggested command (tcpdump
> -s0)...
Ah, Mea Culpa. No problemo.
>
>> that the PC and Squid are chattering away. I need it to be a
>> full binary packet dump. The binary bit is saved with -w to a file.
>> So "tcpdump -s0 -w infected-dump.cap" should grab the bit I
>> need to look at.
>> If it's already cleaned up, that's fine. This is just for my
>> interest to confirm details.
>
> Well, "cleaned" in terms of "I removed McAfee Suite", yes! :-)
>
> [cut]
>
>> Could be "McAfee Network Security Agent" doing a network-wide
>> scan/check?
>
> Well, maybe! But that's weird behaviour... why should my "protection
> suite" scan my whole subnet on port 80?
From the (marketing) docs, that particular McAfee component is designed
for admins to do network-wide security with. Active scans are one way to
do things. Why it's on a user's box is the question.
At least it has worked and made you aware of the proxy config
vulnerability.
Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1

Received on Fri May 20 2011 - 13:12:09 MDT
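As an added example (not code from this thread, from Squid or from McAfee), the Python below reads a classic pcap of the kind "tcpdump -s0 -w infected-dump.cap" produces and flags any source that sent bare TCP SYNs to port 80 on many distinct hosts, which is the subnet sweep Flavio describes. It also counts records that were saved shorter than their on-wire length, which is what a capture taken without -s0 looks like. The capture it parses is constructed inline; the addresses, the 8-host threshold and the helper names are assumptions.

```python
"""Flag a host sweeping the subnet on TCP/80 in a capture written by tcpdump -w.

Added example; not code from the squid-users thread, Squid or McAfee.
Dependency-free reader for classic (non-pcapng) pcap files with Ethernet
framing. Addresses, names and the threshold are assumptions.
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def read_records(data):
    """Yield (frame_bytes, truncated) for each record in a classic pcap buffer.

    truncated is True when the saved length is shorter than the on-wire
    length, i.e. the capture was taken with a snaplen (no -s0)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len], incl_len < orig_len
        off += incl_len


def truncated_count(data):
    """Number of records cut short by the snaplen."""
    return sum(1 for _, truncated in read_records(data) if truncated)


def tcp_syn_targets(records):
    """Map source IPv4 -> set of hosts that received a bare SYN (no ACK) on port 80."""
    targets = defaultdict(set)
    for frame, _ in records:
        if len(frame) < 14 + 20 + 20:          # Ethernet + minimal IPv4 + TCP header
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        _sport, dport = struct.unpack_from("!HH", tcp, 0)
        flags = tcp[13]
        if dport == 80 and flags & (TCP_SYN | TCP_ACK) == TCP_SYN:
            targets[src].add(dst)
    return targets


def find_sweepers(targets, threshold=8):
    """Sources that SYN-probed at least `threshold` distinct hosts on port 80."""
    return sorted(src for src, hosts in targets.items() if len(hosts) >= threshold)


def report(data, threshold=8):
    return find_sweepers(tcp_syn_targets(read_records(data)), threshold)


# --- constructed sample capture (no real traffic) -------------------------

def build_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (not verified above)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames, snaplen=65535):
    """Write frames as a little-endian classic pcap, honouring snaplen like tcpdump -s."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        saved = frame[:snaplen]
        out.append(struct.pack("<IIII", 1305900000 + i, 0, len(saved), len(frame)))
        out.append(saved)
    return b"".join(out)


def sample_capture(snaplen=65535):
    """Assumed scenario: 192.168.1.50 SYNs to 20 neighbours on :80 (the sweep);
    192.168.1.20 talks to the proxy on 3128 and fetches from one web server."""
    frames = [build_frame("192.168.1.50", "192.168.1.%d" % h, 40000 + h, 80, TCP_SYN)
              for h in range(1, 21)]
    frames.append(build_frame("192.168.1.20", "192.168.1.2", 50000, 3128, TCP_SYN))
    frames.append(build_frame("192.168.1.2", "192.168.1.20", 3128, 50000, TCP_SYN | TCP_ACK))
    frames.append(build_frame("192.168.1.20", "192.168.1.3", 50001, 80, TCP_SYN))
    return build_pcap(frames, snaplen)


if __name__ == "__main__":
    pcap = sample_capture()
    print("sweepers:", report(pcap), "truncated records:", truncated_count(pcap))
```

Run it against a real file with `report(open("infected-dump.cap", "rb").read())`. A capture taken with a snaplen too small to hold the TCP header (sample_capture(snaplen=48) in the example) shows every record as truncated and the sweep goes undetected, which is the practical reason to capture with -s0 before hunting for this sort of thing.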