Client on inside opening 100+ connections

Aug 21st, 2003

We have recently been hit by the Nachi worm pretty hard. At first, one of the ways I was able to tell who was infected was by viewing the xlate table on the PIX 515 and seeing who had an extreme number of open connections. However, today we encountered several PCs that were cleaned that are still opening 100 or more connections to the Internet, causing our T1 to come to a screeching halt.

Does anyone know another reason this may be happening? I'm running myself ragged trying to deny those computers on the PIX, but there is no obvious cause. Several of the computers that were suspect have been rechecked and found to be clean. Any advice?



scoclayton Thu, 08/21/2003 - 09:47

Any chance you can send a piece of the output from a 'sh conn detail'? Tough to help without knowing what kind of connections you are seeing.


Scott

edmonds_robert Thu, 08/21/2003 - 11:58
Scott,

Thanks for the tip. All of the connections in question look like this, with, obviously, just the IP address and source port number changed. I will also look at Cisco's site to see if I can learn anything from this output.


TCP outside:61.210.251.173/80 inside:172.16.10.75/3617 flags saA

Correct Answer
scoclayton Thu, 08/21/2003 - 12:15

Robert,


Perfect. The important part to see here is the flags portion - saA. This means that the PIX built the connection because we saw a SYN packet from an inside host and are awaiting the SYN ACK from the outside host. I would still suspect that these hosts are infected with some sort of worm. My guess based on what we have seen the last few days is the Nachi/Welchia Worm. One of the calling cards of this worm is that it tries to connect to the target machine on port 80 to exploit the WebDAV vulnerability. But in this case, the target is not responding. These conns should time out based on your timeout conn settings. Sorry I cannot be of more help. Good luck.


Scott
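The triage Scott describes, reading the flags field of each `show conn` line and counting half-open outbound TCP connections per inside host, can be scripted so that a whole table is checked at once instead of eyeballing it. The script below is an added example written for this thread; it is not code from the original posts or from Cisco. It assumes the line format Robert pasted (`TCP outside:A.B.C.D/port inside:W.X.Y.Z/port flags xyz`) and the PIX convention that an established TCP connection carries the `U` (up) flag, so a TCP entry without `U`, such as `saA`, is still waiting on its handshake. The sample table is constructed (Robert's one real line plus made-up lines in documentation address ranges), the 100-connection threshold comes from the question, and the helper names are my own.

```python
"""Flag inside hosts with many half-open outbound TCP connections in PIX
'show conn' output, the Nachi/Welchia pattern discussed in this thread."""
import re
from collections import defaultdict

# Constructed sample: the first line is the one posted in the thread, the rest
# are made up (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_CONN_OUTPUT = """\
TCP outside:61.210.251.173/80 inside:172.16.10.75/3617 flags saA
TCP outside:203.0.113.10/80 inside:172.16.10.75/3618 flags saA
TCP outside:203.0.113.11/80 inside:172.16.10.75/3619 flags saA
TCP outside:203.0.113.12/80 inside:172.16.10.75/3620 flags saA
TCP outside:198.51.100.20/443 inside:172.16.10.80/1100 flags UIO
TCP outside:198.51.100.21/80 inside:172.16.10.80/1101 flags UIO
TCP outside:203.0.113.9/80 inside:172.16.10.91/2200 flags saA
UDP outside:198.51.100.53/53 inside:172.16.10.80/1102 flags -
"""

# One 'show conn' line: protocol, outside ip/port, inside ip/port, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+outside:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
    r"\s+inside:(?P<in_ip>[\d.]+)/(?P<in_port>\d+)\s+flags\s+(?P<flags>\S+)$"
)


def parse_conn_line(line):
    """Return a dict for one connection line, or None if it does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["out_port"] = int(rec["out_port"])
    rec["in_port"] = int(rec["in_port"])
    return rec


def parse_conn_output(text):
    """Parse a whole 'show conn' dump, skipping headers and blank lines."""
    return [rec for rec in (parse_conn_line(l) for l in text.splitlines()) if rec]


def is_half_open(conn):
    """TCP entries without the 'U' (up) flag, e.g. 'saA', never completed the
    handshake: the inside host sent a SYN and no SYN-ACK has come back."""
    return conn["proto"] == "TCP" and "U" not in conn["flags"]


def summarize_by_inside_host(conns):
    """Per inside host: total conns, half-open conns, and how many distinct
    outside hosts were probed on port 80 without answering (scan breadth)."""
    summary = defaultdict(lambda: {"total": 0, "half_open": 0, "port80_targets": set()})
    for c in conns:
        s = summary[c["in_ip"]]
        s["total"] += 1
        if is_half_open(c):
            s["half_open"] += 1
            if c["out_port"] == 80:
                s["port80_targets"].add(c["out_ip"])
    return {
        ip: {
            "total": s["total"],
            "half_open": s["half_open"],
            "distinct_port80_targets": len(s["port80_targets"]),
        }
        for ip, s in summary.items()
    }


def suspicious_hosts(conns, half_open_threshold=100):
    """Inside hosts whose half-open count reaches the threshold (100 is the
    figure from the original question)."""
    summary = summarize_by_inside_host(conns)
    return sorted(ip for ip, s in summary.items() if s["half_open"] >= half_open_threshold)


if __name__ == "__main__":
    conns = parse_conn_output(SAMPLE_CONN_OUTPUT)
    for ip, s in sorted(summarize_by_inside_host(conns).items()):
        print(f"{ip}: total={s['total']} half_open={s['half_open']} "
              f"distinct_port80_targets={s['distinct_port80_targets']}")
    # The sample is tiny, so a low threshold is used here; use 100 on a real table.
    print("suspicious:", suspicious_hosts(conns, half_open_threshold=3))
```

On a real table you would feed it the captured output of `sh conn detail` and keep the default threshold; a host that shows up with hundreds of `saA` entries to distinct outside addresses on port 80 is the one to pull off the wire and re-scan, regardless of what the last antivirus pass said.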


edmonds_robert Thu, 08/21/2003 - 19:52
Scott,

You were a great help. That was exactly what I needed, but didn't know how to find. It turns out that we DID still have several instances of Nachi. I was able to get them cleaned though. So, until the next big outbreak, I'm safe. Thanks again.


Robert
