We have recently been hit by the Nachi worm pretty hard. At first, one of the ways I was able to tell who was infected was by viewing the xlate table on the PIX 515 and seeing who had an extreme number of open connections. However, today we encountered several PCs that were cleaned that are still opening 100 or more connections to the Internet, causing our T1 to come to a screeching halt.
Does anyone know another reason this may be happening? I'm running myself ragged trying to deny those computers on the PIX, but there is no obvious cause. Several of the computers that were suspect have been rechecked and found to be clean. Any advice?
Perfect. The important part to see here is the flags portion - saA. This means that the PIX built the connection because we saw a SYN packet from an inside host and are awaiting the SYN ACK from the outside host. I would still suspect that these hosts are infected with some sort of worm. My guess based on what we have seen the last few days is the Nachi/Welchia Worm. One of the calling cards of this worm is that it tries to connect to the target machine on port 80 to exploit the WebDAV vulnerability. But in this case, the target is not responding. These conns should time out based on your timeout conn settings. Sorry I cannot be of more help. Good luck.
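A worked example of the triage the reply describes: parse PIX `show conn` output, count per inside host the TCP connections that never completed the handshake (no `U` flag, such as the saA entries above), and list the hosts above a threshold. This is added example code, not from the thread; the sample lines are constructed, and the column layout assumed is that of PIX 6.x `show conn`.

```python
import re

# Constructed sample of PIX 6.x "show conn" output (not copied from the thread).
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.10:80 in 10.1.1.15:1034 idle 0:00:02 Bytes 0 flags saA
TCP out 203.0.113.11:80 in 10.1.1.15:1035 idle 0:00:02 Bytes 0 flags saA
TCP out 203.0.113.12:80 in 10.1.1.15:1036 idle 0:00:01 Bytes 0 flags saA
TCP out 198.51.100.7:443 in 10.1.1.22:1500 idle 0:00:20 Bytes 8213 flags UIO
TCP out 198.51.100.9:80 in 10.1.1.22:1501 idle 0:00:05 Bytes 3120 flags UIO
UDP out 198.51.100.53:53 in 10.1.1.22:1502 idle 0:00:01 flags -
TCP out 203.0.113.40:80 in 10.1.1.31:2001 idle 0:00:03 Bytes 0 flags saA
"""

# Assumed layout: "<proto> out <ip>:<port> in <ip>:<port> ... flags <letters>"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) .*?flags (?P<flags>\S+)"
)

def parse_conns(text):
    """Yield one dict per recognised show conn line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield m.groupdict()

def half_open_stats(text):
    """Per inside host: TCP conns not yet established (no 'U' = up flag),
    how many of those aim at port 80, and how many distinct outside hosts."""
    stats = {}
    for c in parse_conns(text):
        if c["proto"] != "TCP":
            continue
        s = stats.setdefault(c["in_ip"], {"half_open": 0, "port80": 0, "targets": set()})
        if "U" in c["flags"]:  # handshake completed; not the pattern we are hunting
            continue
        s["half_open"] += 1
        s["targets"].add(c["out_ip"])
        if c["out_port"] == "80":
            s["port80"] += 1
    return stats

def suspect_hosts(text, threshold=100):
    """Inside hosts with at least `threshold` half-open conns, worst offender first.
    The default mirrors the '100 or more connections' figure from the question."""
    stats = half_open_stats(text)
    return sorted((ip for ip, s in stats.items() if s["half_open"] >= threshold),
                  key=lambda ip: -stats[ip]["half_open"])

if __name__ == "__main__":
    for ip in suspect_hosts(SAMPLE_SHOW_CONN, threshold=3):
        s = half_open_stats(SAMPLE_SHOW_CONN)[ip]
        print(f"{ip}: {s['half_open']} half-open, {s['port80']} to tcp/80, "
              f"{len(s['targets'])} distinct targets")
```

Many half-open connections to port 80 spread across many distinct outside hosts, all with zero bytes, is the scanning signature the reply points at; a legitimately busy host shows established (`U`) conns with byte counts instead.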