Or... Set up the uplink to a tagged VLAN, and compile your kernel with
802 VLAN support, and sniff the VLAN on your Linux box.

On Mon, 2002-09-30 at 22:38, Bob Tanner wrote:
> Quoting Raymond Norton (admin at lctn.org):
> > Over the last week we had a few Linux servers abused at some member
> > schools. The culprits took advantage of poorly configured squid.conf files
> > that had the default 0.0.0.0/0.0.0.0 statement in the ACL section. We have
> > corrected most of the problem by only letting local LANs use squid. I have
> > one school in particular who is still being abused. It is peculiar because
> 
> Network topology switched or shared?
> 
> If switched, do your switches support port mirroring?
> 
> Does all the traffic go through a firewall?
> 
> What I'm getting at is, can you snoop all incoming/outgoing traffic somewhere?
> 
> Install tcpdump and capture a sample of the traffic, or use ethereal to view
> it and see what's going on.
> 
> Both tools are in the tclug's greyhatpak.
> 
> Let's say you are switched, and the switches support port mirroring. At the
> min, mirror your uplink port (router, dsl modem, etc) to an open port.
> 
> Plug a Linux box into the open port, run ethereal on that NIC interface and
> you'll get what you need.
> 
> If you want to do it remotely, it's a little more involved, but....
> 
> Let's say you have a Linux firewall, ssh to it, install tcpdump, run tcpdump on
> both interfaces.
> 
> /usr/sbin/tcpdump -w eth0.pcap -i eth0 -n
> /usr/sbin/tcpdump -w eth1.pcap -i eth1 -n
> 
> scp the *.pcap files to your Linux box running X, load up the files with
> ethereal.
> 
> -- 
> Bob Tanner <tanner at real-time.com>         | Phone : (952)943-8700
> http://www.mn-linux.org, Minnesota, Linux | Fax   : (952)943-8500
> http://www.tcwug.org, Minnesota, Wireless | Coding isn't a crime. 
> Fingerprint: 02E0 2734 A1A1 DBA1 0E15  623D 0036 7327 93D9 7DA3
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
-- 
Jonathan Kline
Milwaukee School of Engineering
klinej at msoe.edu
PGP Key fingerprint = 8923 7266 CC84 6D39 6AEA  2313 4241 7851 068E BD2A
PGP Key ID = 068EBD2A
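
Added example, not part of the thread or written by any of its participants: a small audit for the squid.conf problem described in the quoted report, flagging an `http_access allow` rule that admits every client through a `src 0.0.0.0/0.0.0.0` ACL. The sample config and the ACL names `school_lan` and `anyone` are constructed; the check assumes only `src` ACLs matter and ignores other ACL types and `!` negation.

```python
# Constructed sample squid.conf, not taken from the thread.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl school_lan src 10.20.0.0/255.255.0.0
acl anyone src 0.0.0.0/0      # same range as "all", different name
http_access allow school_lan
http_access allow anyone
http_access deny all
"""

def is_world(spec):
    """True if a src value such as 0.0.0.0/0.0.0.0 covers every IPv4 address."""
    addr, _, mask = spec.partition("/")
    return addr == "0.0.0.0" and mask in ("0", "0.0.0.0")

def audit(conf_text):
    """Return (line_no, rule) for the allow rule, if any, that admits any client."""
    world_acls = set()
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            if any(is_world(s) for s in tok[3:]):
                world_acls.add(tok[1])
        elif len(tok) >= 3 and tok[0] == "http_access":
            # ACLs on one http_access line are ANDed, so the rule matches
            # every client only if each listed ACL matches every client.
            if all(a in world_acls for a in tok[2:]):
                if tok[1] == "allow":
                    findings.append((n, " ".join(tok)))
                break   # first matching rule wins; later rules never apply
    return findings

if __name__ == "__main__":
    for line_no, rule in audit(SAMPLE_CONF):
        print(f"line {line_no}: open to any client: {rule}")
```

An empty result means a rule restricted to specific source ranges, or a `deny` covering all clients, is reached before any allow-everyone rule.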