From: Palacios, Gonzalo (gpalacios@xxxxxxxxxxxxxxxxx)
Date: Fri Nov 02 2001 - 12:41:59 GMT-3
Friend,
--> A way to detect infected hosts is to use something like ZoneAlarm in an
internal host. I think you can download a free version of this software.
Since infected machines try to hit thousands of random hosts per minute,
your ZoneAlarm machine will tell you exactly the IP Address of the infected
machines. (easier than using sniffers).
--> If you have a PIX firewall another easy way is just to do a:
"show conn"
you will see thousands of connections from the same internal host (hosts),
you'll have the IP address of the infected machine in a matter of seconds.
If you are collecting syslog it is also very easy to detect what machines
are infected.
Remember to type "q" to quit the display, or you will have to go through
hundreds of screens!
This trick with the Firewall is what we use to detect infected machines in
our remote sites in Europe and Argentina (not Venezuela)
--> remember to stop the IIS service on the infected machine before you run
a virus scan or update virus definitions (otherwise your machine will be
very very slow).
Hope this helps,
GP.
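The "show conn" trick above works because a worm-infected host stands out by sheer connection count. As an added example that is not part of GP's message or the thread, here is a small parser that counts connections per inside host in a PIX-style "show conn" listing and flags the busiest talkers to tcp/80. The line layout is assumed to follow the PIX 6.x "TCP out a.b.c.d:port in w.x.y.z:port ..." form, the sample listing is constructed, and the threshold `min_conns` is an arbitrary value for the example.

```python
# Added example (not from the thread): count "show conn" entries per inside host
# and report hosts with an abnormal number of outbound tcp/80 connections.
import re
from collections import Counter, defaultdict

# Assumed PIX 6.x-style "show conn" layout; only the leading fields are used.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+)"
)


def parse_show_conn(text):
    """Yield (proto, inside_ip, outside_ip, outside_port) for each parseable line."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield m["proto"], m["in_ip"], m["out_ip"], int(m["out_port"])


def suspicious_hosts(text, min_conns=20, port=80):
    """Return [(inside_ip, conn_count, distinct_destinations)] for inside hosts
    with at least `min_conns` TCP connections to `port`, busiest first.
    `min_conns` is an arbitrary example threshold; a scanning worm sits
    orders of magnitude above normal browsing, so the exact value matters little."""
    conns = Counter()
    dests = defaultdict(set)
    for proto, in_ip, out_ip, out_port in parse_show_conn(text):
        if proto == "TCP" and out_port == port:
            conns[in_ip] += 1
            dests[in_ip].add(out_ip)
    rows = [(ip, n, len(dests[ip])) for ip, n in conns.items() if n >= min_conns]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def constructed_sample():
    """Constructed listing: one worm-like host hitting many different hosts on
    port 80 (half-open connections), plus one host doing ordinary browsing."""
    lines = []
    for i in range(50):
        lines.append(
            f"TCP out 203.0.113.{i % 250 + 1}:80 in 10.1.1.15:{1025 + i} "
            f"idle 0:00:01 Bytes 0 flags saA"
        )
    lines.append("TCP out 198.51.100.7:80 in 10.1.1.20:1200 idle 0:00:10 Bytes 18400 flags UIO")
    lines.append("TCP out 198.51.100.8:443 in 10.1.1.20:1201 idle 0:00:03 Bytes 2211 flags UIO")
    lines.append("UDP out 198.51.100.53:53 in 10.1.1.20:1202 idle 0:00:02 flags -")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, n, d in suspicious_hosts(constructed_sample()):
        print(f"{ip}: {n} connections to tcp/80 across {d} distinct destinations")
```

Paste the captured "show conn" output into `suspicious_hosts` and the infected host is the first row; the distinct-destination count separates a scanner from a busy but legitimate proxy that talks to a few servers many times.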
-----Original Message-----
From: Brian Hescock [mailto:bhescock@cisco.com]
Sent: Friday, November 02, 2001 10:14 AM
To: andrew.2.shore@bt.com
Cc: tbarrus@cisco.com; ccielab@groupstudy.com
Subject: Re: NIMDA Virus
There will be several possible symptoms and you might not see all of
them:
- memory allocation failures (out of memory)
- high cpu
- if running nat, run "show ip nat stat" and you may see an
extraordinary number of translations
- "show ip cache" and look at the number of ip cache entries. If you're
getting memory allocation errors, do "clear ip cache" and you'll see the
amount of free memory skyrocket then start going down again.
Solutions:
- To see if you're infected, configure CEF and configure NBAR, which
will not only block or rate-limit the traffic but will show you how many
matches you have
- or run "show buffers input-interface x" and look for one or more hosts
continually sending to port 80 then filter those addresses.
- if you can't run CEF, due to IOS code version, create an access-list
blocking all traffic to port 80 (www) and apply it to all interfaces.
Then do "clear ip cache" and see if your memory is stable. If it is,
odds are you have someone infected.
- you could also put a sniffer on the network and look at your top
talkers for web traffic, odds are they're the culprit and filter them.
- you could also use netflow to find the infected host due.
- if no sniffer and nothing above worked, use a binary search with an
access-list to identify the offender. Example:
let's say your networks are on 172.16.x.x. You could block all of that
network with destination to port 80 and see if everything is stable. If
it is then the infection is one of your hosts. Then break the address
space in half, block 172.16.0.0 through 172.16.126.255, and see if
it's still stable when you apply the access-list. If no, then the
infected server is within that segment and break that in half:
172.16.128.0 - 172.16.255.255, and so on until you get it down to a
specific subnet / host.
I've had to do this for customers a few times, just yesterday also and
the only option we had was the binary search method and we isolated it
down to an IIS server in Seoul, Korea and it was coming in one of his
serial links and was trashing his memory.
Brian
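The binary search Brian describes is a halving of the address space where each step is an ACL change plus an observation. As an added example that is not part of Brian's message or the thread, the following code runs that search over CIDR prefixes and prints the IOS extended ACL to apply at each step. It assumes a single infected host inside the starting range (as in the thread), the ACL number 101 is an arbitrary example value, and the operator's observation after each "clear ip cache" is modelled by a callback (`stable_when_blocked`) that, for the demo, is a constructed oracle.

```python
# Added example (not from the thread): Brian's "binary search with an
# access-list", as an algorithm over CIDR prefixes that emits the ACL for
# each step. Needs only the standard library.
from ipaddress import IPv4Address, IPv4Network


def acl_for(net, number=101):
    """Extended ACL denying only `net` -> any tcp/80 and permitting the rest.
    ACL number 101 is an arbitrary example value. IOS wildcard masks are the
    inverse of the subnet mask, which ipaddress exposes as `hostmask`."""
    return [
        f"access-list {number} deny tcp {net.network_address} {net.hostmask} any eq www",
        f"access-list {number} permit ip any any",
    ]


def bisect_offender(space, stable_when_blocked):
    """Narrow `space` (an IPv4Network) down to a single /32.

    `stable_when_blocked(net)` is the operator's observation after applying
    acl_for(net) and doing "clear ip cache": True if free memory stays stable
    (the offender is inside `net`), False otherwise. Assumes exactly one
    infected host. Returns (host_network, steps) where `steps` lists every
    prefix that was blocked in order, or (None, steps) when blocking the whole
    space never helped, i.e. the offender is not in it at all."""
    steps = [space]
    if not stable_when_blocked(space):
        return None, steps
    current = space
    while current.num_addresses > 1:
        lower, upper = current.subnets(prefixlen_diff=1)
        steps.append(lower)
        # Block only the lower half; if things settle the offender is there,
        # otherwise it must be in the upper half (single-offender assumption).
        current = lower if stable_when_blocked(lower) else upper
    return current, steps


def main():
    # Constructed oracle: pretend the infected IIS box is 172.16.77.5 and the
    # router stabilises exactly when that address is inside the blocked range.
    infected = IPv4Address("172.16.77.5")
    host, steps = bisect_offender(IPv4Network("172.16.0.0/16"), lambda n: infected in n)
    for i, net in enumerate(steps, 1):
        print(f"step {i}: block {net}")
        for line in acl_for(net):
            print("   ", line)
    print(f"isolated offender: {host}")


if __name__ == "__main__":
    main()
```

A /16 resolves to a single host in 16 halvings after the initial whole-range check, so the search costs 17 ACL changes rather than hundreds; in practice you would stop at the subnet where a "show buffers input-interface" or a sniffer can take over.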
andrew.2.shore@bt.com wrote:
> Check to see if its running Microsoft IIS !!!
>
> Or SHOW Viruses Detail
>
> Andrew Shore. CCNP+Security, MCSE, CCP, BSc
> Network Consultant
> Internetworking Solutions Limited
>
> -----Original Message-----
> From: Tyler Barrus [mailto:tbarrus@cisco.com]
> Sent: 02 November 2001 13:54
> To: ccielab
> Subject: NIMDA Virus
>
> How can you tell if your router has the NIMDA virus?
>
> Tyler
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:02 GMT-3