[Snort-users] readme.eml Part II

Basil Saragoza snortlst at ...125...
Mon Mar 25 12:33:32 EST 2002


This is the decoded payload from the readme.eml attempt I received:
ts port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl girls url_regex -i aaaaa adult adserv ashole ...
acl music url_regex \.mp3 \.mpeg \.mpg \.mov \.avi \.asf
acl nimda url_regex -i readme.eml
acl valid_url url_regex gsm\.hu index\.hu origo\.hu cisco\.com
tele-satellite\.com satcodx\.com
acl max_user_conn maxconn 5
acl all src 10.0.0.0/255.255.0.0
acl petzval srcdomain "/etc/s

It looks very much like entries from a squid.conf file, except that my
squid.conf doesn't contain the following lines:
acl CONNECT method CONNECT
acl girls url_regex -i aaaaa adult adserv ashole ...
acl music url_regex \.mp3 \.mpeg \.mpg \.mov \.avi \.asf
acl nimda url_regex -i readme.eml
acl valid_url url_regex gsm\.hu index\.hu origo\.hu cisco\.com
tele-satellite\.com satcodx\.com
acl max_user_conn maxconn 5
acl petzval srcdomain "/etc/s

The rest of the lines are present, and acl all src 10.0.0.0/255.255.0.0 is
the line I created myself and 'all' is the acl I created, so some parts of
the payload contain valid lines from my squid.conf.
(I run a squid proxy on a Linux machine for internet connections.)

Is my squid hacked? How should I interpret this payload?
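The comparison done by hand in the post (which acl lines of the captured payload match the local squid.conf and which do not, and which directive carries the readme.eml string the IDS rule fired on) can be automated. The script below is an added example, not code from the original post or from the Snort or Squid projects; the PAYLOAD text is a constructed subset of the fragment quoted above, and LOCAL_CONF is a hypothetical squid.conf excerpt, not the poster's real file.

```python
import re

# Constructed sample: a subset of the decoded payload fragment quoted in the post.
# The first line is the truncated fragment exactly as captured; "acl valid_url"
# is wrapped over two lines as in the capture.
PAYLOAD = """ts port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl nimda url_regex -i readme.eml
acl valid_url url_regex gsm\\.hu index\\.hu origo\\.hu cisco\\.com
tele-satellite\\.com satcodx\\.com
acl max_user_conn maxconn 5
acl all src 10.0.0.0/255.255.0.0
acl petzval srcdomain "/etc/s
"""

# Hypothetical local squid.conf excerpt (constructed; not the poster's file).
LOCAL_CONF = """# Squid ACL section (constructed sample)
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl all src 10.0.0.0/255.255.0.0
http_access allow all
"""

ACL_RE = re.compile(r'^acl\s+(\S+)\s+(\S+)\s*(.*)$')
DIRECTIVE_RE = re.compile(r'^[a-z_]+\s')   # any squid directive keyword


def parse_acls(text):
    """Return (name, type, args) for every acl directive in a squid config text.

    Trailing '#' comments are stripped. A non-empty line that does not start
    with a directive keyword is treated as a wrapped continuation of the
    previous acl. A truncated leading fragment such as 'ts port 280' is
    neither a full directive nor a continuation of anything, so it is skipped.
    """
    acls = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if m:
            name, typ, args = m.groups()
            acls.append((name, typ, args.split()))
        elif acls and not DIRECTIVE_RE.match(line):
            name, typ, args = acls[-1]
            acls[-1] = (name, typ, args + line.split())
    return acls


def classify(payload_text, local_text):
    """Split the payload's acl directives into those also present in the
    local config (same name, type and argument list) and those that are not."""
    local = {(n, t, tuple(a)) for n, t, a in parse_acls(local_text)}
    present, absent = [], []
    for n, t, a in parse_acls(payload_text):
        (present if (n, t, tuple(a)) in local else absent).append((n, t, a))
    return present, absent


def find_trigger(payload_text, needle):
    """Return the acl directives whose arguments contain `needle`, e.g. the
    string an IDS content rule matched on, so the analyst can see that the
    match sits inside a configuration line rather than in an exploit body."""
    needle = needle.lower()
    return [(n, t, a) for n, t, a in parse_acls(payload_text)
            if any(needle in tok.lower() for tok in a)]


if __name__ == "__main__":
    present, absent = classify(PAYLOAD, LOCAL_CONF)
    print("payload acl lines present in local squid.conf:")
    for n, t, a in present:
        print("  acl", n, t, *a)
    print("payload acl lines NOT in local squid.conf:")
    for n, t, a in absent:
        print("  acl", n, t, *a)
    print("directives containing 'readme.eml':", find_trigger(PAYLOAD, "readme.eml"))
```

Running it against a real capture and the real /etc/squid/squid.conf (paths are the reader's own) gives the same two lists the post builds by hand, plus the directive that actually contains the matched string.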
