RE: NACHI !!!

From: Ashish Modi (am_1974@yahoo.com)
Date: Wed Aug 27 2003 - 13:31:33 GMT-3


I had the same problem with this virus. I mirrored the PIX
port and captured traffic for about 3 minutes. Did a
filter on ICMP type 8. Saved the file as a CSV
file and did a sort for unique entries on Source
address. It gave me all the machine IPs that had the
virus on them.

--- Kenneth Wygand <KWygand@customonline.com> wrote:
> Where is your NAT (or PAT) being done? Check the
> NAT translation table
> at that point to determine what the actual (pre-NAT
> or pre-PAT) source
> IP address is thrashing your firewall.
>
> Kenneth E. Wygand
> Systems Engineer, Project Services
> CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1,
> Network+, A+
> Custom Computer Specialists, Inc.
> "It's not just about ending up where you want to be,
> it's about making
> the most of the trip there."
> -Anonymous
>
> -----Original Message-----
> From: Rajagopal S [mailto:raj_ccie@yahoo.com]
> Sent: Wednesday, August 27, 2003 10:30 AM
> To: ccielab@groupstudy.com
> Subject: NACHI !!!
>
> Hi guys,
>
> Nachi virus struck my network. My router melted down
> after the attack.
>
> As such, there are a huge no. of PCs sitting on the
> inside interface of
> the firewall. The router having the internet link is
> sitting on the
> outside interface of the firewall.
>
> The internal users/servers are connected to the PIX
> via a 4507 internal
> L3 switch.
>
> I have identified the traffic coming from inside to
> outside on port 0800
> (ICMP type 8 packet) from the PATed IP to some
> arbitrary IPs on the
> internet. I have blocked ICMP on the PIX and stabilised
> the situation.
>
> But I still am not sure which hosts on the internal
> network are pushing
> this traffic (ie affected with Nachi). I am ready to
> put Nachi patches on
> all the 500 odd machines,
> but it is a bit tough !!!
>
> Is there any way to find the machines pumping this
> traffic from the
> switch? I am not able to enable ip route-cache flow
> or ip accounting on
> the VLAN interface, nor able to enable MLS. Is there
> any other way to see
> this information?
>
> Cheers
> Raj
>
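The triage Ashish describes (capture on a mirrored port, keep only ICMP type 8, export to CSV, de-duplicate on source address) is easy to script. The block below is an added example and not code from anyone in this thread. It assumes the CSV has the columns No., Source, Destination, Protocol, Info (the layout a packet analyzer's CSV export typically produces; the column names are an assumption) and the sample rows are constructed. Beyond listing unique sources, it also counts how many distinct destinations each source pinged, because a Nachi-style host fans echo requests out to many addresses while a legitimate ping goes to one or two. As Kenneth's reply points out, the capture has to be taken on the inside (pre-NAT) interface; a capture outside the PIX shows only the PAT address as source.

```python
"""Find internal hosts sweeping the network with ICMP echo requests (type 8).

Added example, not from the original thread. Assumes a CSV export with the
columns No., Source, Destination, Protocol, Info (assumption); the sample
rows are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: 10.1.2.77 sweeps 20 distinct destinations,
# 10.1.2.5 pings one server twice, 10.1.2.9 only talks TCP, and one
# echo reply comes back from outside (must not be counted as a source).
_sweep_rows = "\n".join(
    f"{i},10.1.2.77,198.51.100.{i},ICMP,Echo (ping) request"
    for i in range(1, 21)
)
SAMPLE_CSV = (
    "No.,Source,Destination,Protocol,Info\n"
    + _sweep_rows + "\n"
    "21,10.1.2.5,192.0.2.10,ICMP,Echo (ping) request\n"
    "22,10.1.2.5,192.0.2.10,ICMP,Echo (ping) request\n"
    "23,192.0.2.10,10.1.2.5,ICMP,Echo (ping) reply\n"
    "24,10.1.2.9,192.0.2.20,TCP,49152 > 80 [SYN]\n"
)


def parse_icmp_echo_requests(text):
    """Yield (source, destination) for every row that is an ICMP echo request.

    Matches the analyzer's "Echo (ping) request" wording or a literal
    "type 8" in the Info column; replies and non-ICMP rows are skipped.
    """
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        if row["Protocol"].strip().upper() != "ICMP":
            continue
        info = row["Info"].lower()
        if "echo (ping) request" in info or "type 8" in info:
            yield row["Source"].strip(), row["Destination"].strip()


def unique_sources(text):
    """Ashish's step: the de-duplicated list of echo-request source addresses."""
    return sorted({src for src, _ in parse_icmp_echo_requests(text)})


def suspect_sweepers(text, min_unique_dsts=5):
    """Narrow the list to sources whose echo requests reach at least
    min_unique_dsts distinct destinations. Returns {source: distinct_dsts}.
    The threshold is a tuning knob; 5 is a constructed default for the sample.
    """
    dsts = defaultdict(set)
    for src, dst in parse_icmp_echo_requests(text):
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_unique_dsts}


if __name__ == "__main__":
    print("hosts sending echo requests:", unique_sources(SAMPLE_CSV))
    for src, n in sorted(suspect_sweepers(SAMPLE_CSV).items()):
        print(f"suspect sweeper {src}: {n} distinct destinations")
```

Feed it a real export with `suspect_sweepers(open("capture.csv").read())`; the output is the list of internal addresses to pull off the network and patch first, which answers Raj's question without needing NetFlow or ip accounting on the switch.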



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:07 GMT-3