From: Charles Church (cchurch@wamnet.com)
Date: Wed Aug 27 2003 - 14:42:32 GMT-3
On the switch, look for the interfaces with many packets per second, but not
that much data passing through. The worm will try to ping many devices at
once in its own classful class B network, so you'll see many packets, but
they're all under 100 bytes in size. It doesn't take too long for the worm
to spread, especially on a LAN. Patching the PCs will prevent future
infection (which you should do regardless), but it won't stop the worm
services if they're already installed on the PC. Patching all PCs, and then
running a cleaner utility on the infected ones, is the right way to do it.
MS has a tool on their homepage that can list all the unpatched PCs on a
network. What I'd do is put the patch on a server and email all users
directions on how to run it. With some luck, you might get 80% of the
people to patch it themselves. Once all PCs are patched, then clean the
ones still infected. It's time-consuming, but with Windows, high
maintenance is the name of the game.
Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnet.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
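One way to automate the check described in the reply above (many packets per second, but small frames), as an added example that is not from either poster: a short Python script that parses Cisco IOS "show interfaces" rate lines and flags ports whose average input frame size is under 100 bytes at a high packet rate. The sample counter output and the thresholds are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of Cisco IOS "show interfaces" output (not real captured data).
# Gi1/1 shows the pattern the reply describes: many packets, little data.
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet1/1 is up, line protocol is up
  5 minute input rate 288000 bits/sec, 450 packets/sec
  5 minute output rate 12000 bits/sec, 10 packets/sec
GigabitEthernet1/2 is up, line protocol is up
  5 minute input rate 48000000 bits/sec, 4100 packets/sec
  5 minute output rate 3000000 bits/sec, 2900 packets/sec
GigabitEthernet1/3 is up, line protocol is down
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""

INTERFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)", re.M)
INPUT_RATE_RE = re.compile(r"5 minute input rate (\d+) bits/sec, (\d+) packets/sec")

@dataclass
class PortStats:
    name: str
    pps: int
    avg_bytes: float  # average input frame size derived from bits/sec and packets/sec

def parse_input_rates(text):
    """Return per-interface input packet rate and average frame size."""
    stats = []
    blocks = INTERFACE_RE.split(text)  # ['', name1, body1, name2, body2, ...]
    for name, body in zip(blocks[1::2], blocks[2::2]):
        m = INPUT_RATE_RE.search(body)
        if not m:
            continue
        bps, pps = int(m.group(1)), int(m.group(2))
        if pps == 0:
            continue  # idle port: no packets, so no meaningful average size
        stats.append(PortStats(name, pps, bps / 8 / pps))
    return stats

def suspicious_ports(text, min_pps=200, max_avg_bytes=100):
    """Flag ports with a high packet rate but small frames (a ping-sweep signature)."""
    return [s for s in parse_input_rates(text)
            if s.pps >= min_pps and s.avg_bytes < max_avg_bytes]

if __name__ == "__main__":
    for s in suspicious_ports(SAMPLE_SHOW_INTERFACES):
        print(f"{s.name}: {s.pps} pps, avg {s.avg_bytes:.0f} bytes/frame -> check this host")
```

Once a port is flagged, the switch's MAC table for that port identifies the PC to clean.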
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Rajagopal S
Sent: Wednesday, August 27, 2003 10:30 AM
To: ccielab@groupstudy.com
Subject: NACHI !!!
Hi guys,
The Nachi virus struck my network. My router melted down after the attack.
As such, there are a huge number of PCs sitting on the inside interface of the
firewall. The router having the internet link is sitting on the outside
interface of the firewall.
The internal users/servers are connected to the PIX via a 4507 internal L3
switch.
I have identified the traffic coming from inside to outside on port 0800
(ICMP type 8 packet) from the PATed IP to some arbitrary IPs on the internet. I
have blocked ICMP on the PIX and stabilised the situation.
But I still am not sure which hosts on the internal network are pushing this
traffic (i.e. affected with Nachi). I am ready to put Nachi patches on all the
500-odd machines,
but it is a bit tough !!!
Is there any way to find the machines pumping this traffic from the switch?
I am not able to enable ip route-cache flow or ip accounting on the VLAN
interface, nor able to enable MLS. Is there any other way to see this
information?
Cheers
Raj
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:07 GMT-3