Security Incidents mailing list archives

Re: Looking for Squid Proxies


From: batrox () SWBELL NET (Ryan Sweat)
Date: Sat, 18 Mar 2000 12:46:46 -0600


There are no Squid exploits that I am aware of; however, they are often used
to bounce to IRC, or mask their IP while browsing.

This can be done by:
telnet x.x.x.x 3128

POST http://irc.hostname.com:6667 GET 1.0
<press return twice>

logon as usual to irc

-----Original Message-----
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert () UUMAIL GOV BC CA>
To: INCIDENTS () SECURITYFOCUS COM <INCIDENTS () SECURITYFOCUS COM>
Date: Friday, March 17, 2000 3:17 AM
Subject: Looking for Squid Proxies

I noticed in my firewall logs for one of the networks I maintain the
following:

Mar 15 18:11:15 foobar ipmon[98]: 18:11:15.512302 xl0 @0:1 b
194.87.6.92,2483 -> w.x.y.z,3128 PR tcp len 20 48 -S IN

This suggests that someone may be looking for Squid proxies.  I don't
run a Squid proxy on this network, however I do on another.  Are there
any Squid vulnerabilities this "attacker" is looking for?  Or is this
fellow trying to find a Squid proxy to bounce through to an IRC or NNTP
server?  Is his intention to find a Squid proxy in order to breach the
firewall it is running on in order to gain access to the internal
network it is protecting, e.g. use the proxy as a portal into the
internal network as opposed to compromising the Squid application
itself to gain entry?


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert () osg gov bc ca
Open Systems Group, ITSD, ISTA
Province of BC
                   "COBOL IS A WASTE OF CARDS."

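As an added example (not part of either post), the following Python parses ipmon lines in the layout quoted above and groups inbound bare-SYN attempts against proxy ports by source address, which separates a sweep for open proxies from ordinary traffic. The sample log is constructed with documentation addresses, and ports 8080 and 1080 are an assumption added alongside the thread's 3128.

```python
import re
from collections import defaultdict

# 3128 is the Squid port from the thread; 8080 and 1080 are added here as
# other common proxy ports (an assumption, not from the original posts).
PROXY_PORTS = {3128, 8080, 1080}

# Matches the ipmon syslog layout shown in the thread, unwrapped onto one line.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+\S+\s+(?P<iface>\S+)\s+@\d+:\d+\s+(?P<action>\S+)\s+"
    r"(?P<src>[^,\s]+),(?P<sport>\d+)\s+->\s+(?P<dst>[^,\s]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+\d+\s+\d+\s+-(?P<flags>[A-Z]+)\s+(?P<dir>IN|OUT)"
)

def parse_ipmon(line):
    """Return a dict of fields for an ipmon line in this layout, else None."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_proxy_probes(lines, ports=PROXY_PORTS):
    """Map source -> {proxy port: sorted destinations} for inbound bare SYNs."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["proto"] != "tcp" or rec["dir"] != "IN":
            continue
        # "S" alone is a new connection attempt; any other flag set is not.
        if rec["flags"] == "S" and rec["dport"] in ports:
            probes[rec["src"]][rec["dport"]].add(rec["dst"])
    return {s: {p: sorted(d) for p, d in bp.items()} for s, bp in probes.items()}

# Constructed sample log (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
Mar 15 18:11:15 fw ipmon[98]: 18:11:15.512302 xl0 @0:1 b 203.0.113.7,2483 -> 192.0.2.10,3128 PR tcp len 20 48 -S IN
Mar 15 18:11:16 fw ipmon[98]: 18:11:16.101244 xl0 @0:1 b 203.0.113.7,2484 -> 192.0.2.11,3128 PR tcp len 20 48 -S IN
Mar 15 18:11:17 fw ipmon[98]: 18:11:17.330010 xl0 @0:1 b 203.0.113.7,2485 -> 192.0.2.10,8080 PR tcp len 20 48 -S IN
Mar 15 18:12:02 fw ipmon[98]: 18:12:02.004511 xl0 @0:3 p 198.51.100.4,80 -> 192.0.2.10,3128 PR tcp len 20 40 -A IN
Mar 15 18:12:40 fw ipmon[98]: 18:12:40.771902 xl0 @0:1 b 198.51.100.9,1044 -> 192.0.2.10,25 PR tcp len 20 48 -S IN
Mar 15 18:13:05 fw sshd[411]: Connection closed by 192.0.2.55
""".splitlines()

if __name__ == "__main__":
    for src, by_port in find_proxy_probes(SAMPLE_LOG).items():
        for port, dsts in sorted(by_port.items()):
            print(f"{src} probed port {port} on {len(dsts)} host(s): {', '.join(dsts)}")
```

A single source hitting the same proxy port on several destinations, as in the constructed sample, points to a sweep rather than a misdirected client.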
