Cisco Support Community
Community Member

Client on inside opening 100+ connections

We have recently been hit by the Nachi worm pretty hard. At first, one of the ways I was able to tell who was infected was by viewing the xlate table on the PIX 515 and seeing who had an extreme number of open connections. However, today we encountered several PCs that were cleaned that are still opening 100 or more connections to the Internet, causing our T1 to come to a screeching halt.

Does anyone know another reason this may be happening? I'm running myself ragged trying to deny those computers on the PIX, but there is no obvious cause. Several of the computers that were suspect have been rechecked and found to be clean. Any advice?

1 ACCEPTED SOLUTION

Re: Client on inside opening 100+ connections

Robert,

Perfect. The important part to see here is the flags portion - saA. This means that the PIX built the connection because we saw a SYN packet from an inside host and are awaiting the SYN ACK from the outside host. I would still suspect that these hosts are infected with some sort of worm. My guess based on what we have seen the last few days is the Nachi/Welchia Worm. One of the calling cards of this worm is that it tries to connect to the target machine on port 80 to exploit the WebDAV vulnerability. But in this case, the target is not responding. These conns should time-out based on your timeout conn settings. Sorry I cannot be of more help. Good luck.

Scott
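The triage Scott describes (find inside hosts sitting on a pile of half-open saA connections, most of them to port 80) can be scripted against a saved copy of `show conn detail`. The following is an added example, not code from the thread or from Cisco. It assumes the conn line format Robert pasted, reads the `s` flag the way Scott explains it (inside SYN seen, outside SYN-ACK still pending) and treats `U` as the established marker, which is my reading of the PIX flag legend, not something stated in the thread. The sample output at the bottom is constructed, not real PIX output.

```python
import re
from collections import defaultdict

# One line of PIX 'show conn detail' output, in the form quoted in the thread:
#   TCP outside:61.210.251.173/80 inside:172.16.10.75/3617 flags saA
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)\s+"
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+)\s+"
    r"flags\s+(?P<flags>\S+)\s*$"
)


def parse_conn(line):
    """Return a dict for one conn line, or None for headers and blank lines."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["out_port"] = int(conn["out_port"])
    conn["in_port"] = int(conn["in_port"])
    return conn


def is_half_open(flags):
    """'s' = PIX saw the inside SYN and is awaiting the outside SYN-ACK (the
    saA case in the thread). 'U' is assumed to mark an established ('up')
    conn, so anything carrying 'U' is not counted as half-open."""
    return "s" in flags and "U" not in flags


def summarize(lines):
    """Per inside host: total conns, half-open conns, distinct outside peers on /80."""
    stats = defaultdict(lambda: {"total": 0, "half_open": 0, "port80_peers": set()})
    for line in lines:
        conn = parse_conn(line)
        if conn is None:
            continue
        s = stats[conn["in_ip"]]
        s["total"] += 1
        if is_half_open(conn["flags"]):
            s["half_open"] += 1
        if conn["proto"] == "TCP" and conn["out_port"] == 80:
            s["port80_peers"].add(conn["out_ip"])
    return stats


def suspects(lines, threshold=100):
    """Inside hosts whose half-open conn count reaches the threshold, as
    (ip, half_open, distinct_port80_peers) tuples, highest count first.
    The default of 100 mirrors the '100+ connections' in the question."""
    ranked = [(ip, s["half_open"], len(s["port80_peers"]))
              for ip, s in summarize(lines).items() if s["half_open"] >= threshold]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample, not real PIX output: one host fanning out saA conns to
# many /80 peers, one host with ordinary established traffic, plus a header
# line that the parser must skip.
SAMPLE = """\
7 in use, 7 most used
TCP outside:61.210.251.173/80 inside:172.16.10.75/3617 flags saA
TCP outside:61.210.251.174/80 inside:172.16.10.75/3618 flags saA
TCP outside:61.210.251.175/80 inside:172.16.10.75/3619 flags saA
TCP outside:61.210.251.176/80 inside:172.16.10.75/3620 flags saA
TCP outside:198.51.100.7/80 inside:172.16.10.20/1201 flags UIO
TCP outside:198.51.100.8/443 inside:172.16.10.20/1202 flags UIO
UDP outside:198.51.100.53/53 inside:172.16.10.20/1203 flags -
""".splitlines()

if __name__ == "__main__":
    # Low threshold only so the small constructed sample produces a hit.
    for ip, half_open, peers in suspects(SAMPLE, threshold=3):
        print(f"{ip}: {half_open} half-open conns, {peers} distinct /80 peers")
```

Run it against the real capture with the default threshold (`suspects(open("conn.txt").read().splitlines())`); a host whose half-open count is high and whose distinct /80 peer count is nearly as high is the SYN fan-out pattern Scott attributes to the worm, while a host with many conns that all carry `U` is just busy.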

4 REPLIES

Re: Client on inside opening 100+ connections

Any chance you can send a piece of the output from a 'sh conn detail'? Tough to help without knowing what kind of connections you are seeing.

Scott

Community Member

Re: Client on inside opening 100+ connections

Scott,

Thanks for the tip. All of the connections in question look like this, with, obviously, just the IP address and source port number changed. I will also look at Cisco's site to see if I can learn anything from this output.

TCP outside:61.210.251.173/80 inside:172.16.10.75/3617 flags saA


Community Member

Re: Client on inside opening 100+ connections

Scott,

You were a great help. That was exactly what I needed, but didn't know how to find. It turns out that we DID still have several instances of Nachi. I was able to get them cleaned though. So, until the next big outbreak, I'm safe. Thanks again.

Robert
