Strange squid log [SOLVED]


FLAVIO GOMES BERNARDES
flaviog

(uses CentOS)

Posted on 19/05/2014 - 12:07h

Hi folks, I have a proxy server running squid and dansguardian.

The log is showing the following line in very large volume:
1400533055.559 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html

as shown here:


tail -f /var/log/squid/access.log
1400533055.450 499 localhost.localdomain TCP_MISS/200 737 CONNECT apoc.varian.com:443 varian DIRECT/209.202.167.185 -
1400533055.559 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533055.644 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533055.668 106 localhost.localdomain TCP_MISS/200 535 POST http://www.99-5fm.com.br/tocando_agora/pega_tocando_agora p1a-msj DIRECT/189.1.163.226 text/html
1400533055.709 51 localhost.localdomain TCP_MISS/302 799 GET http://www.goiania.go.gov.br/sistemas/siscv/asp/siscv00020a0.asp? - DIRECT/187.52.105.213 text/html
1400533055.752 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533055.833 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533055.938 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.022 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.082 2420 localhost.localdomain TCP_MISS/200 58493 GET http://ut69.xhcdn.com/t/169/s_3041169.jpg don-rhs DIRECT/46.229.172.82 image/jpeg
1400533056.126 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.246 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.305 933 localhost.localdomain TCP_MISS/200 111911 GET http://www.maxmangas.com.br/wp-content/manga/1/80/20.jpg spt-nfb DIRECT/141.101.117.247 image/jpeg
1400533056.332 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.438 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.523 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.629 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.714 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.826 332 localhost.localdomain TCP_MISS/200 1400 GET http://www.maxmangas.com.br/cdn-cgi/pe/bag2? spt-nfb DIRECT/141.101.117.247 multipart/mixed
1400533056.832 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.917 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.021 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.106 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.212 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.297 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.309 446 localhost.localdomain TCP_MISS/200 1417 GET http://www.maxmangas.com.br/cdn-cgi/pe/bag2? spt-nfb DIRECT/141.101.117.247 multipart/mixed
1400533057.414 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.499 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.604 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.688 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.701 47018 localhost.localdomain TCP_MISS/200 4207 CONNECT onsite.chaordicsystems.com:443 scc-kxs DIRECT/54.243.219.13 -
1400533057.702 11920 localhost.localdomain TCP_MISS/200 14083 CONNECT clients1.google.com.br:443 scc-kxs DIRECT/177.159.154.152 -
1400533057.702 6510 localhost.localdomain TCP_MISS/200 13144 CONNECT clients1.google.com.br:443 scc-kxs DIRECT/177.159.154.152 -
1400533057.741 12012 localhost.localdomain TCP_MISS/200 36354 CONNECT www.google.com.br:443 scc-kxs DIRECT/177.99.203.241 -
1400533057.793 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533057.930 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.047 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.132 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.187 9 localhost.localdomain TCP_MISS/200 553 GET http://www.google-analytics.com/__utm.gif? - DIRECT/177.159.154.176 image/gif
1400533058.236 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.320 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.364 374 localhost.localdomain TCP_MISS/200 2641 GET http://disqus.com/embed/comments/? spt-nfb DIRECT/173.192.42.188 text/html
1400533058.374 241 localhost.localdomain TCP_MISS/200 1224 GET http://www.maxmangas.com.br/cdn-cgi/pe/bag2? spt-nfb DIRECT/141.101.117.247 multipart/mixed
1400533058.426 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.445 743 localhost.localdomain TCP_MISS/200 12839 CONNECT encrypted-tbn1.gstatic.com:443 scc-kxs DIRECT/177.159.154.152 -
1400533058.509 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.627 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.711 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.770 311 localhost.localdomain TCP_MISS/200 876 GET http://www.maxmangas.com.br/cdn-cgi/pe/bag2? spt-nfb DIRECT/141.101.117.247 multipart/mixed
1400533058.818 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533058.901 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533059.006 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533059.090 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html


I suspect it could be some virus, malware or something of the sort.


I ran sarg to see if it would show me the source IP of the request, but nothing. I'm thinking of using tcpdump (but I'm not familiar with it).
If someone could clarify to me what this might be.

Thanks...
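A way to triage an access.log like the one above, added here as an example and not code from the original post or from the Squid/DansGuardian projects. It parses Squid's default native log format (timestamp, elapsed ms, client, code/status, bytes, method, URL, user, hierarchy/peer, type), groups identical requests, and flags groups that behave like an automated beacon: many identical requests fired at machine speed, all denied with 407 and never carrying proxy credentials. The sample log is a constructed subset of the lines from the post; the dynamic-DNS suffix list and the thresholds are assumptions, not anything from Squid. Note what the `client` column tells you: `localhost.localdomain` means the request reached Squid from a process on the proxy box itself (DansGuardian forwarding to Squid on localhost), so the real LAN origin is not in this file at all.

```python
"""Triage a Squid native-format access.log for beacon-like denied requests.
Added example for this thread, not code from the original post."""
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed sample: lines copied from the post above. Real input is the full log.
SAMPLE_LOG = """\
1400533055.450 499 localhost.localdomain TCP_MISS/200 737 CONNECT apoc.varian.com:443 varian DIRECT/209.202.167.185 -
1400533055.559 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533055.644 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533055.668 106 localhost.localdomain TCP_MISS/200 535 POST http://www.99-5fm.com.br/tocando_agora/pega_tocando_agora p1a-msj DIRECT/189.1.163.226 text/html
1400533055.752 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533055.833 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533055.938 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
1400533056.022 2 localhost.localdomain TCP_DENIED/407 4029 POST http://hacker83.no-ip.info:1989/is-ready - NONE/- text/html
"""

# Assumption: a short illustrative list of dynamic-DNS suffixes; extend it for your site.
DYNDNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".no-ip.biz", ".ddns.net", ".zapto.org", ".dyndns.org")


def parse_line(line):
    """Parse one native-format line into a dict, or None if it is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    try:
        return {
            "ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "code": code, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "user": f[7],
            "hierarchy": f[8], "type": f[9],
        }
    except ValueError:
        return None


def host_of(url):
    """Host part of a URL; CONNECT lines carry 'host:port' with no scheme."""
    if "://" not in url:
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def find_beacons(log_text, min_count=5, max_median_gap_s=1.0):
    """Group requests by (client, method, URL, status) and return the groups that
    look like an automated beacon: repeated identical requests at machine speed."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["method"], rec["url"], rec["status"])].append(rec)

    findings = []
    for (client, method, url, status), recs in groups.items():
        if len(recs) < min_count:
            continue
        ts = sorted(r["ts"] for r in recs)
        med_gap = median(b - a for a, b in zip(ts, ts[1:]))
        if med_gap > max_median_gap_s:
            continue
        findings.append({
            "client": client, "method": method, "url": url, "status": status,
            "count": len(recs),
            "median_gap_s": round(med_gap, 3),
            # No proxy credentials on any request: not a logged-in browser session.
            "unauthenticated": all(r["user"] == "-" for r in recs),
            "dyndns_host": host_of(url).endswith(DYNDNS_SUFFIXES),
            # A loopback client means the request came from the proxy box itself
            # (e.g. DansGuardian -> Squid), so the LAN origin is not in this log.
            "origin_hidden": client in ("localhost.localdomain", "127.0.0.1", "::1"),
        })
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Run it against the full log with `find_beacons(open("/var/log/squid/access.log").read())`. When `origin_hidden` is true, look for the same URL in the filter's own log (on a stock DansGuardian install that is /var/log/dansguardian/access.log, which records the LAN client address; path assumed from the default packaging), or capture on the LAN interface at the port clients talk to: `tcpdump -nn -i eth0 -A port 8080 | grep -B3 'is-ready'` (interface and port are assumptions; use the ones DansGuardian listens on) shows the source IP of each POST. An alternative that fixes the log permanently is Squid's `follow_x_forwarded_for` directive with the DansGuardian `forwardedfor = on` option, so Squid logs the original client instead of localhost.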