"Elsen Marc" writes:


> I never had this but I would suggest finding out whether you
> are dealing with cache poisoning or perhaps 'browser poisoning' due
> to cookie fiddling or whatever due to earlier visit of a malicious site.
> This could easily be done by querying the cache directly for the
> affected sites as in :

I have checked this, and for the sites that are affected (they are
not the same all the time) the expected html content (i.e. the
whatever/index.html or whatnot) is replaced by a meta refresh to

> % telnet squid_host squid_port
> GET http://www.rediff.com/ HTTP/1.0
> Verify this output and see whether this is rediff.com or 'coolsavings'.

This is exactly what happens when I find a site that is affected.

> Verify also, what is seen in access.log when trying this request.
> Preferably I would do this, in such cases in an 'isolated mode' on squid, meaning
> that squid is not dealing with other requests, to have a clear analysis of
> this problem.

I'm trying to do this now, but I haven't been able to reproduce the
problem in a controlled environment so far.
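
Added example, not part of the original message: a Python version of the telnet check discussed above, which sends the same absolute-URI GET to the proxy and flags any meta refresh pointing at a different host than the one requested. The function names, the sample responses and the `redirect.example.invalid` host are constructed for illustration; `X-Cache` is the header Squid adds to show whether the reply was a cache HIT or MISS.

```python
import re
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class MetaRefresh(HTMLParser):
    """Collects the URL= target of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1))

def fetch_via_proxy(proxy_host, proxy_port, url):
    """Same request as the telnet session: absolute-URI GET sent to the proxy."""
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as s:
        s.sendall(f"GET {url} HTTP/1.0\r\n\r\n".encode("ascii"))
        chunks = []
        while chunk := s.recv(65536):
            chunks.append(chunk)
    return b"".join(chunks)

def check_response(url, raw):
    """Report status line, Squid's X-Cache header and off-site refresh targets."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parser = MetaRefresh()
    parser.feed(body.decode("latin-1"))
    want = urlsplit(url).hostname
    resolved = [urljoin(url, t) for t in parser.targets]  # handles relative targets
    offsite = [t for t in resolved if urlsplit(t).hostname != want]
    return {"status": lines[0], "x_cache": headers.get("x-cache", ""),
            "offsite_refresh": offsite}

# Constructed sample responses (not captured from a real proxy).
URL = "http://www.rediff.com/"
CLEAN = (b"HTTP/1.0 200 OK\r\nX-Cache: MISS from squid_host\r\n\r\n"
         b"<html><head><title>home</title></head><body>ok</body></html>")
SUSPECT = (b"HTTP/1.0 200 OK\r\nX-Cache: HIT from squid_host\r\n\r\n"
           b'<html><head><meta http-equiv="refresh" '
           b'content="0; url=http://redirect.example.invalid/"></head></html>')
```

Against a live proxy, `check_response(url, fetch_via_proxy("squid_host", squid_port, url))` gives the same report; an off-site refresh together with `X-Cache: HIT` means the bad object is being served from the cache itself rather than coming from the browser.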