391 Views, 0 Helpful, 4 Replies

Client on inside opening 100+ connections

edmonds_robert (Level 1)

We have recently been hit by the Nachi worm pretty hard. At first, one of the ways I was able to tell who was infected was by viewing the xlate table on the PIX 515 and seeing who had an extreme number of open connections. However, today we encountered several PCs that were cleaned that are still opening 100 or more connections to the Internet, causing our T1 to come to a screeching halt.

Does anyone know another reason this may be happening? I'm running myself ragged trying to deny those computers on the PIX, but there is no obvious cause. Several of the computers that were suspect have been rechecked and found to be clean. Any advice?

4 Replies

scoclayton (Level 7)

Any chance you can send a piece of the output from a 'sh conn detail'? Tough to help without knowing what kind of connections you are seeing.

Scott

Scott,

Thanks for the tip. All of the connections in question look like this, with, obviously, just the IP address and source port number changed. I will also look at Cisco's site to see if I can learn anything from this output.

TCP outside:61.210.251.173/80 inside:172.16.10.75/3617 flags saA

Robert,

Perfect. The important part to see here is the flags portion - saA. This means that the PIX built the connection because we saw a SYN packet from an inside host and are awaiting the SYN ACK from the outside host. I would still suspect that these hosts are infected with some sort of worm. My guess based on what we have seen the last few days is the Nachi/Welchia Worm. One of the calling cards of this worm is that it tries to connect to the target machine on port 80 to exploit the WebDAV vulnerability. But in this case, the target is not responding. These conns should time out based on your timeout conn settings. Sorry I cannot be of more help. Good luck.

Scott
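An added example (not from this thread or from Cisco) that turns Scott's triage into a script: it parses conn lines in the one-line format Robert posted, counts half-open outbound TCP conns (flags saA) per inside host, and reports the hosts at or above the 100-connection level Robert mentioned, broken down by destination port so port-80 scanning stands out. The sample conn lines are constructed, and the regex assumes the exact line layout shown above.

```python
"""Triage PIX 'show conn' output for inside hosts with many half-open outbound
TCP conns, the pattern Scott describes for Nachi/Welchia scanning
(SYN sent from inside, no SYN ACK back from the outside host)."""
import re
from collections import Counter, defaultdict

# Conn line format as posted in the thread (assumed to hold for every line):
#   TCP outside:61.210.251.173/80 inside:172.16.10.75/3617 flags saA
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+outside:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)\s+"
    r"inside:(?P<in_ip>[\d.]+)/(?P<in_port>\d+).*?\bflags\s+(?P<flags>\S+)\s*$"
)

def parse_conn(line):
    """Parse one conn line into a dict, or return None for non-matching lines."""
    m = CONN_RE.match(line.strip())
    return m.groupdict() if m else None

def is_half_open_outbound(conn):
    """True for the 'saA' state from the thread: the inside host sent a SYN and
    the PIX is still waiting for the outside host's SYN ACK (flag order ignored)."""
    return conn["proto"] == "TCP" and set(conn["flags"]) == set("saA")

def suspect_hosts(lines, threshold=100):
    """Count half-open outbound conns per inside IP and return the hosts at or
    above threshold as {inside_ip: (count, {outside_port: count})}."""
    half_open = Counter()
    ports = defaultdict(Counter)
    for line in lines:
        conn = parse_conn(line)
        if conn and is_half_open_outbound(conn):
            half_open[conn["in_ip"]] += 1
            ports[conn["in_ip"]][int(conn["out_port"])] += 1
    return {ip: (n, dict(ports[ip])) for ip, n in half_open.items() if n >= threshold}

# Constructed sample: one host with 120 unanswered SYNs to port 80 on 120 outside
# hosts, one clean host with a few established (U) web sessions and one stuck SYN.
SAMPLE = [f"TCP outside:61.210.1.{i + 1}/80 inside:172.16.10.75/{3000 + i} flags saA"
          for i in range(120)]
SAMPLE += [f"TCP outside:198.51.100.{i + 1}/80 inside:172.16.10.20/{4000 + i} flags UIO"
           for i in range(3)]
SAMPLE.append("TCP outside:203.0.113.9/25 inside:172.16.10.20/4100 flags saA")

if __name__ == "__main__":
    for ip, (n, by_port) in suspect_hosts(SAMPLE).items():
        print(f"{ip}: {n} half-open outbound conns, by destination port {by_port}")
```

Feed it the real output with `suspect_hosts(open("conn.txt").readlines())`; a host that shows up here after cleaning is worth rechecking, as Robert's turned out to be.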

Scott,

You were a great help. That was exactly what I needed, but didn't know how to find. It turns out that we DID still have several instances of Nachi. I was able to get them cleaned though. So, until the next big outbreak, I'm safe. Thanks again.

Robert
