New Member

New virus??

Hello,

I've got this scenario:

Router A: 2600, router B: 3640

We have a virus, but we don't know what virus it is. The CPU is not overloaded, but if we do IP accounting, we can see:

Source          Destination      Packets  Bytes
127.0.0.1       192.168.33.33    7        280
192.168.1.63    192.168.33.8     1        48
127.0.0.1       192.168.33.32    19       760
192.168.1.63    192.168.33.7     1        48
192.168.1.195   192.168.33.251   1        48
127.0.0.1       192.168.33.47    7        280
192.168.1.63    192.168.33.6     1        48
127.0.0.1       192.168.33.46    8        320
192.168.1.195   192.168.33.250   1        48
192.168.1.63    192.168.33.5     1        48
192.168.1.195   192.168.33.249   1        48
127.0.0.1       192.168.33.45    13       520
192.168.1.63    192.168.33.4     1        48
127.0.0.1       192.168.33.44    6        240
192.168.1.63    192.168.33.3     1        48
127.0.0.1       192.168.33.43    4        160
192.168.1.63    192.168.33.2     1        48
127.0.0.1       192.168.33.42    5        200
192.168.1.195   192.168.33.254   1        48
192.168.1.63    192.168.33.1     1        48
127.0.0.1       192.168.33.41    5        200
192.168.1.195   192.168.33.253   1        48
192.168.1.63    192.168.33.0     1        48
192.168.1.195   192.168.33.252   1        48
127.0.0.1       192.168.33.40    6        240
192.168.1.195   192.168.33.195   1        48
127.0.0.1       192.168.33.23    18       720
192.168.1.195   192.168.33.194   1        48
127.0.0.1       192.168.33.22    6        240
192.168.1.195   192.168.33.193   1        48
127.0.0.1       192.168.33.21    9        360
192.168.1.195   192.168.33.192   1        48
127.0.0.1       192.168.33.20    3        120
192.168.1.195   192.168.33.199   1        48
127.0.0.1       192.168.33.19    15       600

The loopback address is sending a 40-byte packet to all the LAN IP addresses, and of course the Frame Relay line is overloaded.

Does anybody know about it?

Thanks
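Added example, not part of the original post or of any Cisco tooling: a small Python script that parses `show ip accounting`-style output like the table above and flags two things a defender would want to see at a glance: sources in 127.0.0.0/8, which must never appear on the wire, and sources that fan small, equally sized packets across many hosts. The column layout (Source, Destination, Packets, Bytes), the sample rows, and the thresholds are assumptions taken from the post.

```python
"""Added example, not from the original thread: parse `show ip accounting`-style
output and flag sources that should never appear on the wire (127.0.0.0/8) or
that fan small, uniform packets across many hosts (sweep-like).  The column
layout 'Source Destination Packets Bytes' is assumed from the table in the post."""
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the rows from the accounting table in the post.
SAMPLE_ACCOUNTING = """\
Source          Destination     Packets  Bytes
127.0.0.1       192.168.33.33   7        280
192.168.1.63    192.168.33.8    1        48
127.0.0.1       192.168.33.32   19       760
192.168.1.63    192.168.33.7    1        48
192.168.1.195   192.168.33.251  1        48
127.0.0.1       192.168.33.47   7        280
192.168.1.63    192.168.33.6    1        48
192.168.1.195   192.168.33.250  1        48
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            packets, nbytes = int(parts[2]), int(parts[3])
        except ValueError:
            continue  # the header row ('Source', 'Destination', ...) ends up here
        rows.append((src, dst, packets, nbytes))
    return rows


def summarize_sources(rows):
    """Per source address: total packets, number of distinct destinations, mean packet size."""
    acc = defaultdict(lambda: {"packets": 0, "bytes": 0, "dsts": set()})
    for src, dst, packets, nbytes in rows:
        acc[src]["packets"] += packets
        acc[src]["bytes"] += nbytes
        acc[src]["dsts"].add(dst)
    return {
        str(src): {
            "packets": s["packets"],
            "distinct_dsts": len(s["dsts"]),
            "avg_size": s["bytes"] / s["packets"] if s["packets"] else 0.0,
        }
        for src, s in acc.items()
    }


def find_anomalies(rows, min_dsts=3, max_avg_size=64):
    """Return (source, reason) pairs.  The thresholds are assumptions for this example."""
    findings = []
    for src, s in summarize_sources(rows).items():
        # A 127/8 source must never leave a host (RFC 1122); seen by a router it
        # is either a forged packet from a tool or worm, or a software bug.
        if ipaddress.ip_address(src) in LOOPBACK:
            findings.append((src, "loopback source address seen on the wire"))
        # Many destinations hit with small, equally sized packets is the shape
        # of a host sweep, whether from a worm or from a scanner.
        if s["distinct_dsts"] >= min_dsts and s["avg_size"] <= max_avg_size:
            findings.append((src, "small uniform packets to %d hosts (sweep-like)" % s["distinct_dsts"]))
    return findings


if __name__ == "__main__":
    for src, reason in find_anomalies(parse_accounting(SAMPLE_ACCOUNTING)):
        print("%-15s %s" % (src, reason))
```

On the sample rows the 127.0.0.1 source is flagged on both counts (its mean packet size works out to exactly 40 bytes, matching what the post observes), and 192.168.1.63 is flagged for the sweep pattern alone, which is worth a look on the host side as well.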

3 REPLIES
Silver

Re: New virus??

I'm not sure if this is a virus. I haven't encountered such an issue before. Possibly a bug.

New Member

Re: New virus??

Looks like either a bug or someone is possibly running a tool on your network that is constructing packets (nmap and PackX can do that). Welchia will scan the range like that (using ARP request broadcast), but it is usually sourced from a legitimate IP address. I suggest you run a protocol analyzer against this and see exactly what kind of traffic this is.

In the meantime, set up rate-limiting and/or ACLs that block anything from source address 127.0.0.1.

Silver

Re: New virus??

Hi,

It might be the Welchia worm if these are ICMP packets. Welchia tries to discover network nodes via 40-byte ICMP messages (the payload contains A's only, instead of the normal 1234567890). After discovering reachable devices it scans for open UDP ports to check if the reachable nodes are vulnerable.

Hope this helps,

Leo
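Added example, not part of the original reply: a Python snippet that builds ICMP echo messages in memory (nothing is sent) and checks them against the signature described above, a 40-byte echo request whose payload is nothing but 'A'. The signature itself is taken from the reply and is an assumption here; the checksum routine is the standard RFC 1071 one's-complement sum, so a captured message with a damaged byte is rejected rather than matched.

```python
"""Added example, not from the original thread: build and inspect ICMP echo
messages in memory (nothing is sent) and test them against the signature the
reply describes: a 40-byte ICMP echo request whose payload is only 'A'.
That signature is taken from the reply above and is an assumption here."""
import struct

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Assemble an echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> dict:
    """Split an ICMP message into header fields and payload; verify the checksum."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": typ, "code": code, "id": ident, "seq": seq,
        "checksum_ok": icmp_checksum(message) == 0,
        "payload": message[8:],
    }


def looks_like_welchia_probe(message: bytes) -> bool:
    """Match the reply's description: 40 bytes total, echo request, payload all 'A'."""
    if len(message) != 40:
        return False
    m = parse_icmp(message)
    return (m["type"] == ICMP_ECHO_REQUEST and m["code"] == 0
            and m["checksum_ok"] and set(m["payload"]) == {ord("A")})


# Constructed samples: one matching the described probe, one ordinary ping of the
# same length whose payload is the usual ascending digits, one with a damaged byte.
PROBE = build_icmp_echo(b"A" * 32)                        # 8-byte header + 32 x 'A' = 40 bytes
NORMAL_PING = build_icmp_echo(b"1234567890" * 3 + b"12")  # also 40 bytes, normal payload
DAMAGED = PROBE[:20] + b"B" + PROBE[21:]                  # one payload byte altered


def count_probes(messages) -> int:
    """How many of the captured messages match the signature."""
    return sum(1 for m in messages if looks_like_welchia_probe(m))


if __name__ == "__main__":
    print("matching probes:", count_probes([PROBE, NORMAL_PING, DAMAGED]))
```

Because the check looks at the payload bytes and not only the length, a normal 40-byte ping does not match, which is the distinction the reply draws between the worm's A-only payload and the usual 1234567890 pattern.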
