Squid cachemgr.cgi - Internet Security Systems

Squid cachemgr.cgi

advICE : Intrusions : 2002594
Summary

An access has been made to the 'cachemgr.cgi' script.

Details

This script is part of the remote management interface for the Squid proxy server. It is installed by default into the standard cgi-bin directory (e.g. /home/httpd/cgi-bin). If the system administrator installs a webserver such as Apache on the system, then this script will be public to the world. A hacker can then use this script to connect to any other machine (on any port).

Action

The biggest danger is in RedHat Linux systems version 6.0 and below. Squid installations based upon these older distributions should be checked to see if this is running. Newer versions of RedHat or other distributions do not put this CGI script in a public directory by default.

Also check squid.conf in order to verify that cachemgr.cgi has a password.
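
The two checks above can be scripted. The following is an added example, not part of the original advisory: it reports requests for cachemgr.cgi from a web server access log using the parameter names listed on this page (URL, accessed, code, arg), and reads squid.conf text for cachemgr_passwd lines that use Squid's `none` keyword. The Common Log Format input, the function names and all sample data are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Request and status fields of a Common Log Format line (assumed log format).
CLF = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<code>\d{3})\b')

def cachemgr_hits(log_lines):
    """Report each request for cachemgr.cgi using the page's parameter names."""
    hits = []
    for line in log_lines:
        m = CLF.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower().rsplit("/", 1)[-1] != "cachemgr.cgi":
            continue
        code = int(m.group("code"))
        # Assumption: a 2xx status means the script was actually served.
        hits.append({"URL": parts.path, "accessed": 200 <= code < 300,
                     "code": code, "arg": parts.query or None})
    return hits

def cachemgr_passwd_findings(conf_text):
    """List password problems among the cachemgr_passwd lines of squid.conf."""
    findings, seen = [], False
    for raw in conf_text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "cachemgr_passwd":
            continue  # comments and other directives
        seen = True
        if fields[1] == "none":  # Squid keyword: action needs no password
            findings.append("no password required for: " + " ".join(fields[2:]))
    if not seen:
        findings.append("no cachemgr_passwd directive set")
    return findings

# Constructed sample data: documentation addresses, placeholder query and password.
SAMPLE_LOG = [
    '192.0.2.44 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/cachemgr.cgi?example=1 HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/cachemgr.cgi HTTP/1.0" 404 210',
    '198.51.100.7 - - [01/Jan/2000:10:01:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]
SAMPLE_CONF = """\
# cachemgr_passwd disable all
cachemgr_passwd none info
cachemgr_passwd constructed-secret shutdown
"""

if __name__ == "__main__":
    print(cachemgr_hits(SAMPLE_LOG), cachemgr_passwd_findings(SAMPLE_CONF))
```

A record with `accessed` set to true means the script is reachable through the web server and should be moved out of the public cgi-bin directory.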

More information

advICE: CGI attacks
advICE: Squid - More about the Squid proxy server.
Potential misuse of squid cachemgr.cgi - RedHat advisory. Most other systems do not install this script by default.
BugtraqID: 741 - Squid Web Proxy Authentication Failure Vulnerability
CVE-1999-0710 - RedHat squid program installs cachemgr.cgi in a public web directory, allowing remote attackers to use it as an intermediary to connect to other systems.

Parametric information

URL: The suspicious URL.
accessed: Indicates whether the URL was successfully accessed.
code: The HTTP return code.
arg: The argument to the GET command (if any).

 
Version appeared: 2.5 
