Virus infection in Inside network?

David Lin
Level 1

Dear all,

I found that one of my servers on the Inside network has built a lot of connections to unknown outside hosts.

On that server, I saw the server itself keeps setting up TCP connections to outside hosts, and the destination port is 445. I think the server has a virus, but I don't know how this server got infected.

I tried to limit the maximum TCP connections to 100 for the NAT, but it doesn't help.

nat (inside) 1 0.0.0.0 0.0.0.0 tcp 100 100

What can I do to prevent this issue, and what should I do in this situation? Thanks a lot.

TCP outside 172.5.48.170:445 inside 192.168.1.63:2128, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.169:445 inside 192.168.1.63:2127, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.168:445 inside 192.168.1.63:2126, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.167:445 inside 192.168.1.63:2125, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.166:445 inside 192.168.1.63:2124, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.165:445 inside 192.168.1.63:2123, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.164:445 inside 192.168.1.63:2122, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.163:445 inside 192.168.1.63:2121, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.162:445 inside 192.168.1.63:2120, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.161:445 inside 192.168.1.63:2119, idle 0:00:27, bytes 0, flags saA

TCP outside 172.5.48.160:445 inside 192.168.1.63:2118, idle 0:00:27, bytes 0, flags saA
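The conn entries above have the signature of a host sweeping port 445 (SMB): one inside source, a run of consecutive destination addresses, zero bytes transferred and no "U" (up) flag, so none of the handshakes completed. As an added example, not code from the original post, here is a small Python parser for `show conn` lines that flags inside hosts with many embryonic connections to the same port and reports how sequential the targets are. The sample input is constructed: the eleven lines from the post plus two benign entries in the TEST-NET-3 range (203.0.113.0/24); the threshold of five targets and the use of the "U" flag as the "handshake complete" marker are assumptions for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of ASA "show conn" output: the eleven lines from the post
# plus two constructed benign entries (203.0.113.0/24 is TEST-NET-3).
SAMPLE_CONN = """\
TCP outside 172.5.48.170:445 inside 192.168.1.63:2128, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.169:445 inside 192.168.1.63:2127, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.168:445 inside 192.168.1.63:2126, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.167:445 inside 192.168.1.63:2125, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.166:445 inside 192.168.1.63:2124, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.165:445 inside 192.168.1.63:2123, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.164:445 inside 192.168.1.63:2122, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.163:445 inside 192.168.1.63:2121, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.162:445 inside 192.168.1.63:2120, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.161:445 inside 192.168.1.63:2119, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.160:445 inside 192.168.1.63:2118, idle 0:00:27, bytes 0, flags saA
TCP outside 203.0.113.10:443 inside 192.168.1.20:3456, idle 0:00:05, bytes 48213, flags UIO
TCP outside 203.0.113.25:445 inside 192.168.1.20:3457, idle 0:00:02, bytes 1907, flags UIO
"""

# One "show conn" entry: proto, egress if, outside ip:port, ingress if, inside ip:port, idle, bytes, flags
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<out_if>\S+) (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"(?P<in_if>\S+) (?P<in_ip>[\d.]+):(?P<in_port>\d+), "
    r"idle (?P<idle>\d+:\d\d:\d\d), bytes (?P<bytes>\d+), flags (?P<flags>\S*)$"
)


def parse_conn(text):
    """Parse show-conn lines into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("out_port", "in_port", "bytes"):
            d[key] = int(d[key])
        conns.append(d)
    return conns


def is_embryonic(conn):
    # Assumption: 'U' marks a connection whose three-way handshake completed.
    # No 'U' and zero bytes means a SYN that never became a usable session.
    return "U" not in conn["flags"] and conn["bytes"] == 0


def longest_sequential_run(ips):
    """Length of the longest run of consecutive IPv4 addresses in ips."""
    ints = sorted({int(ipaddress.IPv4Address(ip)) for ip in ips})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sweepers(conns, port=445, min_targets=5):
    """Inside hosts with >= min_targets distinct embryonic TCP targets on `port`."""
    targets = defaultdict(set)
    for c in conns:
        if c["proto"] == "TCP" and c["out_port"] == port and is_embryonic(c):
            targets[c["in_ip"]].add(c["out_ip"])
    alerts = {}
    for host, dsts in targets.items():
        if len(dsts) >= min_targets:
            alerts[host] = {
                "targets": len(dsts),
                "sequential_run": longest_sequential_run(dsts),
            }
    return alerts


if __name__ == "__main__":
    for host, info in find_sweepers(parse_conn(SAMPLE_CONN)).items():
        print(f"{host}: {info['targets']} half-open SMB targets, "
              f"longest consecutive run {info['sequential_run']}")
```

Run it against a pasted `show conn` capture; a high target count with a long consecutive run is the pattern to isolate first, while the established session to 203.0.113.25:445 in the sample is ignored because it completed and carried data.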

11 Replies

Collin Clark
VIP Alumni

Add a line to the beginning of the ACL applied to the inside interface.

access-list inside_out extended deny tcp host 192.168.1.63 172.5.48.0 255.255.255.0

This will block all TCP communications from your server to those outside hosts.

The issue is that the destination IPs are always changing.

How come the maximum TCP connection limit doesn't take effect?

Thank you.

How come the packets are still going through the ASA when I remove the NAT for every inside host?

After applying an ACL for port 445 on the inside interface, it stopped going out.

Post your NAT config please.

Hi Collin,

The NAT config is pretty normal, as follows:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 tcp 500 300

nat (inside) 1 192.168.1.63 255.255.255.255 tcp 100 100 udp 100

All the hosts with Inside network can access the Internet(Outside).

I added the TCP connection limit, but it didn't help. When I remove all the NAT settings, the packets from the malware are still going out.

Thanks.

If the connection was already established when you removed the NAT statements, it would have to wait until the timeout. As far as the limiting, were you hitting 100?

Yes, the connections from the infected server had reached more than 500 (roughly 30 packets per second).

I did a test blocking destination port 445 on the Outside interface. The packets were still hitting the Outside interface and were blocked there.

I don't understand how it works.

Can you post your access-group (show run | i access-group) config? I think it might be applied either on the wrong interface or in the wrong direction.

The current ACL is as below and works fine:

access-list Inside-out extended deny tcp host 192.168.5.63 any eq 445

access-list Inside-out extended permit ip any any

access-group Inside-out in interface inside

The ACL for the test is as follows:

access-list Inside-out extended deny tcp host 192.168.5.63 any eq 445 (didn't get any hits)

access-list Inside-out extended deny tcp host "Outside interface ip's" any eq 445

access-list Inside-out extended permit ip any any

access-group Inside-out out interface outside

Thanks a lot.

I suspect the second one is not being blocked because of NAT.

Yes, you are right. The second one got hits at

access-list Inside-out extended deny tcp host "Outside interface ip's" any eq 445

But this way didn't reduce the number of connections on the firewall.

The ACL is OK now. I just don't understand why the packets are going through even when I removed the NAT setting. I am sure I stopped it for more than 10 minutes, and new connections were still being set up.
