S.O. : Freebsd 6.1
Havp : 0.83 - Listen on port 8080
ipfw rules : fwd 192.168.0.85,8080 tcp from 192.168.0.0/24 to any dst-port 80
In some case HAVP report : Invali Request Method
This is the request:
GET / HTTP/1.1
Accept: */*
Accept-Language: it
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Cookie: MC1=V=3&GUID=56f3964a5e5a4474b56fbbd82ad5463e; ebPanelFrequency_.it.msn.com=351382%3A2%3A1%3A1166288683183
Connection: Keep-Alive
Host: it.msn.com
havp configuration:
$ cat /usr/local/etc/havp/havp.config
#
# This is the configuration file for HAVP
#
# All lines starting with a hash (#) or empty lines are ignored.
# Uncomment parameters you want to change!
#
# All parameters configurable in this file are explained and their default
# values are shown. If no default value is defined "NONE" is specified.
#
# General syntax: Parameter Value
# Value can be: true/false, number, or path
#
# Extra spaces and tabs are ignored.
#
# You must remove this line for HAVP to start.
# This makes sure you have (hopefully) reviewed the configuration.
# Hint: You must enable some scanner! Find them in the end..
#
# For reasons of security it is recommended to run a proxy program
# without root rights. It is recommended to create user that is not
# used by any other program.
#
# Default:
USER clamav
GROUP clamav
# If this is true HAVP is running as daemon in background.
# For testing you may run HAVP at your text console.
#
# Default:
# DAEMON true
#
# Process id (PID) of the main HAVP process is written to this file.
# Be sure that it is writeable by the user under which HAVP is running.
# /etc/init.d/havp script requires this to work.
#
# Default:
PIDFILE /var/run/havp.pid
#
# For performance reasons several instances of HAVP have to run.
# Specify how many servers (child processes) are simultaneously
# listening on port PORT for a connection. Minimum value should be
# the peak requests-per-second expected + 5 for headroom.
#
# For single user home use, 8 should be minimum.
# For 500 users corporate use, start at 40.
#
# Value can and should be higher than recommended. Memory and
# CPU usage is only affected by the number of concurrent requests.
#
# More childs are automatically created when needed, up to MAXSERVERS.
#
# Default:
SERVERNUMBER 20
MAXSERVERS 99
#
# Files where to log requests and info/errors.
# Needs to have write permission for HAVP user.
#
# Default:
ACCESSLOG /var/log/havpaccess.log
ERRORLOG /var/log/havperror.log
#
# Syslog can be used instead of logging to file.
# For facilities and levels, see "man syslog".
#
# Default:
USESYSLOG true
SYSLOGNAME havp
SYSLOGFACILITY local6
SYSLOGLEVEL info
#
# true: Log every request to access log
# false: Log only viruses to access log
#
# Default:
LOG_OKS false
#
# Level of HAVP logging
# 0 = Only serious errors and information
# 1 = Less interesting information is included
#
# Default:
LOGLEVEL 0
#
# Temporary scan file.
# This file must reside on a partition for which mandatory
# locking is enabled. For Linux, use "-o mand" in mount command.
# See "man mount" for details. Solaris does not need any special
# steps, it works directly.
#
# Specify absolute path to a file which name must contain "XXXXXX".
# These characters are used by system to create unique named files.
#
# Default:
SCANTEMPFILE /var/tmp/tinyproxy/havp-XXXXXX
#
# Directory for ClamAV and other scanner created tempfiles.
# Needs to be writable by HAVP user. Use ramdisk for best performance.
#
# Default:
TEMPDIR /var/tmp/clamav
#
# HAVP reloads scanners virus database by receiving a signal
# (send SIGHUP to PID from PIDFILE, see "man kill") or after
# a specified period of time. Specify here the number of
# minutes to wait for reloading.
#
# This only affects library scanners (clamlib, trophie).
# Other scanners must be updated manually.
#
# Default:
# DBRELOAD 60
#
# Run HAVP as transparent Proxy?
#
# If you don't know what this means read the mini-howto
# TransparentProxy written by Daniel Kiracofe.
# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html)
# Definitely you have more to do than setting this to true.
# You are warned!
#
# Default:
TRANSPARENT true
#
# Specify a parent proxy (e.g. Squid) HAVP should use.
#
# Default: NONE
# PARENTPROXY localhost
# PARENTPORT 3128
#
# Write X-Forwarded-For: to log instead of connecters IP?
#
# If HAVP is used as parent proxy by some other proxy, this allows
# to write the real users IP to log, instead of proxy IP.
#
# Default:
# FORWARDED_IP false
#
# Send X-Forwarded-For: header to servers?
#
# If client sent this header, FORWARDED_IP setting defines the value,
# then it is passed on. You might want to keep this disabled for security
# reasons. Enable this if you use your own parent proxy after HAVP, so it
# will see the original client IP.
#
# Default:
# X_FORWARDED_FOR false
#
# Port HAVP is listening on.
#
# Default:
PORT 8080
#
# IP address that HAVP listens on.
# Let it be undefined to bind all addresses.
#
# Default: NONE
BIND_ADDRESS 192.168.0.85
#
# IP address used for sending outbound packets.
# Let it be undefined if you want OS to handle right address.
#
# Default: NONE
# SOURCE_ADDRESS 1.2.3.4
#
# Path to template files.
#
# Default:
TEMPLATEPATH /usr/local/etc/havp/templates/it
#
# Set to true if you want to prefer Whitelist.
# If URL is Whitelisted, then Blacklist is ignored.
# Otherwise Blacklist is preferred.
#
# Default:
# WHITELISTFIRST true
#
# List of URLs not to scan.
#
# Default:
# WHITELIST /usr/local/etc/havp/whitelist
#
# List of URLs that are denied access.
#
# Default:
# BLACKLIST /usr/local/etc/havp/blacklist
#
# Is scanner error fatal?
#
# For example, archive types that are not supported by scanner
# may return error. Also if scanner has invalid pattern files etc.
#
# true: User gets error page
# false: No error is reported (viruses might not be detected)
#
# Default:
# FAILSCANERROR true
#
# When scanning takes longer than this, it will be aborted.
# Timer is started after HAVP has fully received all data.
# If set too low, complex files/archives might produce timeout.
# Timeout is always a fatal error regardless of FAILSCANERROR.
#
# Default:
SCANNERTIMEOUT 30
#
# Allow HTTP Range requests?
#
# false: Broken downloads can NOT be resumed
# true: Broken downloads can be resumed
#
# Allowing Range is a security risk, because partial
# HTTP requests may not be properly scanned.
#
# Whitelisted sites are allowed to use Range in any case.
#
# Default:
# RANGE false
#
# If you really need more performance, you can disable scanning of
# JPG, GIF and PNG files. These are probably the most common files
# around, so it will save lots of CPU. But be warned, image exploits
# exist and more could be found. Think twice if you want to disable!
#
# Default:
SCANIMAGES true
#
# Temporary file will grow only up to this size. This means scanner
# will scan data until this limit is reached.
#
# NOTE: Setting limit is a security risk, because some archives like
# ZIP need all the data to be scanned properly! Use this only if you
# can't afford temporary space for big files. Also scanner settings
# will affect how many files will be scanned inside an archive etc.
#
# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = No size limit
#
# Default:
MAXSCANSIZE 524288
#
# Amount of data going to browser that is held back, until it
# is scanned. When we know file is clean, this held back data
# can be sent to browser. You can safely set bigger value, only
# thing you will notice is some "delay" in beginning of download.
# Virus found in files bigger than this might not produce HAVP
# error page, but result in a "broken" download.
#
# VALUE IN BYTES NOT KB OR MB!!!!
#
# Default:
# KEEPBACKBUFFER 200000
#
# This setting complements KEEPBACKBUFFER. It tells how many Seconds to
# initially receive data from server, before sending anything to client.
# Even trickling is not done before this time elapses. This way files that
# are received fast are more secure and user can get virus report page for
# files bigger than KEEPBACKBUFFER.
#
# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
#
# Default:
# KEEPBACKTIME 5
#
# After Trickling Time (seconds), some bytes are sent to browser
# to keep the connection alive. Trickling is not needed if timeouts
# are not expected for files smaller than KEEPBACKBUFFER, but it is
# recommended to set anyway.
#
# 0 = No Trickling
#
# Default:
# TRICKLING 30
#
# Downloads larger than MAXDOWNLOADSIZE will be blocked.
# Only if not Whitelisted!
#
# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = Unlimited Downloads
#
# Default:
# MAXDOWNLOADSIZE 0
#
# Space separated list of strings to partially match User-Agent: header.
# These are used for streaming content, so scanning is generally not needed
# and tempfiles grow unnecessary. Remember when enabled, that user could
# fake header and pass some scanning. HTTP Range requests are allowed for
# these, so players can seek content.
#
# You can uncomment here a list of most popular players.
#
# Default: NONE
# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
#
# Bytes to scan from beginning of streams.
# When set to 0, STREAMUSERAGENT scanning will be completely disabled.
# It is not recommended as there are some exploits for players.
#
# Default:
# STREAMSCANSIZE 20000
#####
##### ClamAV Library Scanner (libclamav)
#####
ENABLECLAMLIB true
# HAVP uses libclamav hardcoded pattern directory, which usually is
# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
# using non-default DatabaseDirectory setting in clamd.conf.
#
# Default: NONE
# CLAMDBDIR /path/to/directory
# Should we block encrypted archives?
#
# Default:
# CLAMBLOCKENCRYPTED false
# Should we block files that go over maximum archive limits?
#
# Default:
# CLAMBLOCKMAX false
# Scanning limits inside archives (filesize = MB):
#
# Default:
# CLAMMAXFILES 1000
# CLAMMAXFILESIZE 10
# CLAMMAXRECURSION 8
# CLAMMAXRATIO 250
#####
##### ClamAV Socket Scanner (clamd)
#####
##### NOTE: ClamAV Library Scanner should be preferred (less overhead)
#####
ENABLECLAMD false
# Path to clamd socket
#
# Default:
# CLAMDSOCKET /tmp/clamd
# ..OR if you use clamd TCP socket, uncomment to enable use
#
# Clamd daemon needs to run on the same server as HAVP
#
# Default: NONE
# CLAMDSERVER 127.0.0.1
# CLAMDPORT 3310
#####
##### F-Prot Socket Scanner
#####
ENABLEFPROT false
# F-Prot daemon needs to run on same server as HAVP
#
# Default:
# FPROTSERVER 127.0.0.1
# FPROTPORT 10200
#####
##### AVG Socket Scanner
#####
ENABLEAVG false
# AVG daemon needs to run on the same server as HAVP
#
# Default:
# AVGSERVER 127.0.0.1
# AVGPORT 55555
#####
##### Kaspersky Socket Scanner
#####
ENABLEAVESERVER false
# Path to aveserver socket
#
# Default:
# AVESOCKET /var/run/aveserver
#####
##### Sophos Scanner (Sophie)
#####
ENABLESOPHIE false
# Path to sophie socket
#
# Default:
# SOPHIESOCKET /var/run/sophie
#####
##### Trend Micro Library Scanner (Trophie)
#####
ENABLETROPHIE false
# Scanning limits inside archives (filesize = MB):
#
# Default:
# TROPHIEMAXFILES 1000
# TROPHIEMAXFILESIZE 10
# TROPHIEMAXRATIO 250
#####
##### NOD32 Socket Scanner
#####
ENABLENOD32 false
# Path to nod32d socket
#
# Default:
# NOD32SOCKET /tmp/nod32d.sock
#####
##### Avast! Socket Scanner
#####
ENABLEAVAST false
# Path to avastd socket
#
# Default:
# AVASTSOCKET /var/run/avast4/local.sock
# ..OR if you use avastd TCP socket, uncomment to enable use
#
# Avast daemon needs to run on the same server as HAVP
#
# Default: NONE
# AVASTSERVER 127.0.0.1
# AVASTPORT 5036
Any suggestion?
20061912
The problem are generated by this request:
Dec 19 15:53:19 havp[78592]: GET http://69.31.41.193/user2/bond0001/cc3.txt HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:53:19 havp[78620]: GET http://195.225.176.34/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:53:19 havp[78621]: GET http://195.225.176.34/user2/winsyst32.exe HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:53:19 havp[78615]: GET http://69.31.41.177/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 69.31.41.177^M
Dec 19 15:53:19 havp[78608]: GET http://69.31.41.193/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:53:20 havp[78590]: ( ????????????????????? )
Dec 19 15:53:20 havp[78591]: GET http://195.225.176.34/user2/bond0001/cc1.txt HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:54:20 havp[78625]: GET http://69.31.41.177/user2/bond0001/cc2.txt HTTP/1.0^M Host: 69.31.41.177^M
Dec 19 15:55:20 havp[78596]: GET http://69.31.41.193/user2/bond0001/cc3.txt HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:55:20 havp[78598]: GET http://195.225.176.34/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:55:20 havp[78600]: GET http://195.225.176.34/user2/winsyst32.exe HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:55:20 havp[78603]: GET http://69.31.41.177/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 69.31.41.177^M
Dec 19 15:55:20 havp[78599]: GET http://69.31.41.193/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:55:20 havp[78610]: GET http://69.31.41.193/user2/winsyst32.exe HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:55:20 havp[78597]: GET http://195.225.176.34/user2/bond0001/cc1.txt HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:56:20 havp[78611]: GET http://69.31.41.177/user2/bond0001/cc2.txt HTTP/1.0^M Host: 69.31.41.177^M