"Elsen Marc" writes:


[...]

>
> I never had this but I would suggest finding out whether you
> are dealing with cache poisoning or perhaps 'browser poisoning' due
> to cookie fiddling or whatever due to earlier visit of a malicious site.
> This could easily be done by querying the cache directly for the
> affected sites as in:


I have checked this, and for the sites that are affected (they are
not the same all the time) the expected html content (i.e. the
whatever/index.html or whatnot) is replaced by a meta refresh to
coolsavings.


>
> % telnet squid_host squid_port
> GET http://www.rediff.com/ HTTP/1.0
>
>
> Verify this output and see whether this is rediff.com or 'coolsavings'.


This is exactly what happens when I find a site that is affected.

>
> Verify also, what is seen in access.log when trying this request.
> Preferably I would do this, in such cases in an 'isolated mode' on squid, meaning
> that squid is not dealing with other requests, to have a clear analysis of
> this problem.
>


I'm trying to do this now, but I haven't been able to reproduce the
problem in a controlled environment so far.


-HCP
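
The check discussed in this thread, as an added example that is not part of either poster's message: it takes the raw response obtained by querying the cache directly, reports any meta refresh pointing at a host other than the one requested, and pulls the matching result codes from access.log. It assumes Squid's native access.log field order; the function names, the `coolsavings.example` host, the addresses and both samples are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _MetaRefresh(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1))

def foreign_refresh(requested_url, raw_response):
    """Return meta-refresh targets whose host differs from the requested host.
    Relative targets stay on the same site and are not reported; the host
    comparison is exact, so a sibling subdomain is reported too."""
    parts = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)
    body = parts[1] if len(parts) > 1 else ""
    parser = _MetaRefresh()
    parser.feed(body)
    want = urlsplit(requested_url).hostname
    return [t for t in parser.targets if urlsplit(t).hostname not in (None, want)]

def squid_results(url, access_log):
    """Return (client, result_code) for each access.log line requesting url.
    Assumed native format: time elapsed client code/status bytes method URL ..."""
    hits = []
    for line in access_log.splitlines():
        f = line.split()
        if len(f) >= 7 and f[6] == url:
            hits.append((f[2], f[3].split("/")[0]))
    return hits

# Constructed sample: what a poisoned cache entry would return for the request.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=http://coolsavings.example/"></head></html>'
)
# Constructed sample access.log lines (documentation address ranges).
SAMPLE_LOG = (
    "1100000000.123     12 192.0.2.10 TCP_HIT/200 412 GET http://www.rediff.com/ - NONE/- text/html\n"
    "1100000001.456    340 192.0.2.11 TCP_MISS/200 20531 GET http://www.example.org/ - DIRECT/198.51.100.7 text/html\n"
)

if __name__ == "__main__":
    print(foreign_refresh("http://www.rediff.com/", SAMPLE_RESPONSE))
    print(squid_results("http://www.rediff.com/", SAMPLE_LOG))
```

A TCP_HIT next to a foreign refresh means the redirect was served from the stored object; a TCP_MISS means it came back from upstream on that request.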