08-21-2003 09:31 AM - edited 03-09-2019 04:30 AM
We have recently been hit by the Nachi worm pretty hard. At first, one of the ways I was able to tell who was infected was by viewing the xlate table on the PIX 515 and seeing who had an extreme number of open connections. However, today we encountered several PCs that were cleaned that are still opening 100 or more connections to the Internet, causing our T1 to come to a screeching halt.
Does anyone know another reason this may be happening? I'm running myself ragged trying to deny those computers on the PIX, but there is no obvious cause. Several of the computers that were suspect have been rechecked and found to be clean. Any advice?
08-21-2003 09:47 AM
Any chance you can send a piece of the output from a 'sh conn detail'? Tough to help without knowing what kind of connections you are seeing.
Scott
08-21-2003 11:58 AM
Scott,
Thanks for the tip. All of the connections in question look like this, with, obviously, just the IP address and source port number changed. I will also look at Cisco's site to see if I can learn anything from this output.
TCP outside:61.210.251.173/80 inside:172.16.10.75/3617 flags saA
08-21-2003 12:15 PM
Robert,
Perfect. The important part to see here is the flags portion - saA. This means that the PIX built the connection because we saw a SYN packet from an inside host and are awaiting the SYN ACK from the outside host. I would still suspect that these hosts are infected with some sort of worm. My guess based on what we have seen the last few days is the Nachi/Welchia Worm. One of the calling cards of this worm is that it tries to connect to the target machine on port 80 to exploit the WebDAV vulnerability. But in this case, the target is not responding. These conns should time out based on your timeout conn settings. Sorry I cannot be of more help. Good luck.
Scott
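As an added example (not from the thread), the triage Scott's answer implies, in Python: parse 'sh conn detail' lines in the format Robert pasted, count half-open outbound TCP connections per inside host, and flag hosts over a threshold. The sample output and the threshold are constructed for this example; treating a flag string with no 'U' (up) as a handshake that never completed is an assumption about PIX flag semantics beyond what the thread states.

```python
import re
from collections import Counter

# Constructed sample of PIX 'show conn detail' lines in the format quoted in
# the thread; addresses and ports are made up for this example.
SAMPLE_CONN_OUTPUT = """\
TCP outside:198.51.100.10/80 inside:172.16.10.75/3617 flags saA
TCP outside:198.51.100.11/80 inside:172.16.10.75/3618 flags saA
TCP outside:198.51.100.12/80 inside:172.16.10.75/3619 flags saA
TCP outside:198.51.100.13/80 inside:172.16.10.75/3620 flags saA
TCP outside:203.0.113.5/443 inside:172.16.10.20/1055 flags UIO
TCP outside:203.0.113.6/80 inside:172.16.10.20/1056 flags UIO
TCP outside:198.51.100.14/80 inside:172.16.10.31/2200 flags saA
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+outside:(?P<dst>[\d.]+)/(?P<dport>\d+)\s+"
    r"inside:(?P<src>[\d.]+)/(?P<sport>\d+)\s+flags\s+(?P<flags>\S+)"
)


def parse_conns(text):
    """Yield one dict per parseable connection line; skip anything else."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_embryonic(flags):
    # 's' and 'a' as in the thread's 'saA': SYN seen from inside, still
    # awaiting the outside SYN-ACK. Assumption: 'U' means the conn came up,
    # so its absence means the handshake never completed.
    return "s" in flags and "a" in flags and "U" not in flags


def half_open_by_host(text):
    """Count embryonic outbound TCP conns per inside host."""
    counts = Counter()
    for c in parse_conns(text):
        if c["proto"] == "TCP" and is_embryonic(c["flags"]):
            counts[c["src"]] += 1
    return counts


def suspect_hosts(text, threshold=3):
    """Inside hosts with at least `threshold` half-open conns (tunable)."""
    return sorted(h for h, n in half_open_by_host(text).items() if n >= threshold)


if __name__ == "__main__":
    counts = half_open_by_host(SAMPLE_CONN_OUTPUT)
    for host in suspect_hosts(SAMPLE_CONN_OUTPUT):
        print(f"{host}: {counts[host]} half-open conns")
```

Hosts it reports are candidates to recheck, not proof of infection: a busy host behind an unreachable server shows the same pattern until the conns time out.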
08-21-2003 07:52 PM
Scott,
You were a great help. That was exactly what I needed, but didn't know how to find. It turns out that we DID still have several instances of Nachi. I was able to get them cleaned though. So, until the next big outbreak, I'm safe. Thanks again.
Robert