From: MMoniz (ccie2002@tampabay.rr.com)
Date: Wed Aug 27 2003 - 19:34:47 GMT-3
Yes, it does. This is what you should see, depending on your logging.
Syslog logging: enabled
Facility: 4
Timestamp logging: enabled
Standby logging: enabled
Console logging: disabled
Monitor logging: level alerts, 0 messages logged
Buffer logging: disabled
Trap logging: level notifications, 17002051 messages logged
Logging to inside 10.10.10.1
Logging to inside 10.10.10.2
History logging: disabled
Device ID: disabled
From the Config
logging on
logging timestamp
logging standby
logging monitor alerts
logging trap notifications
logging facility 4
logging host inside 10.12.1.12
logging host inside 10.12.1.2
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
George Gittins
Sent: Wednesday, August 27, 2003 6:15 PM
To: ccielab@groupstudy.com
Subject: FW: NACHI !!!
I enable logging on my PIX; however, when I do a show logging
I get this. Does it mean logging is disabled?
ECISD-PIX# show logging
Syslog logging: disabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level warnings, 0 messages logged
Logging to inside 10.143.88.100
History logging: disabled
Device ID: disabled
George Gittins
Network Maintenance Supervisor
ECISD
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Rajagopal S
Sent: Wednesday, August 27, 2003 9:30 AM
To: ccielab@groupstudy.com
Subject: NACHI !!!
Hi guys,
Nachi virus struck my network. My router melted down after the attack.
As such, there are a huge number of PCs sitting on the inside interface of
the firewall. The router having the internet link is sitting on the
outside interface of the firewall.
The internal users/servers are connected to the PIX via a 4507 internal
L3 switch.
I have identified the traffic coming from inside to outside on port 0800
(icmp type 8 packet) from the patted IP to some arbitrary IPs on the
internet. I have blocked ICMP on the PIX and stabilised the situation.
But I am still not sure which hosts on the internal network are pushing
this traffic (i.e. affected with Nachi). Am ready to put Nachi patches in
all the 500 odd machines,
but is a bit tough !!!
Is there any way to find the machine pumping this traffic from the
switch? Am not able to enable ip route-cache flow or ip accounting on
the vlan interface nor able to enable MLS. Is there any other way to see
this information?
Cheers
Raj
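One way to answer the question in the thread once the PIX is logging to a syslog host, shown as an added example that is not part of the original messages: rank inside hosts by denied ICMP echo requests and by how many distinct destinations each one tried. It assumes the ICMP block is an access list on the inside interface, so each drop is logged as PIX message 106023 (level 4, within the "warnings" trap level shown above); the log lines, addresses, access-group name and min_targets threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format of PIX syslog message 106023.
SAMPLE_LOG = """\
Aug 27 2003 18:20:01: %PIX-4-106023: Deny icmp src inside:10.0.5.17 dst outside:198.51.100.23 (type 8, code 0) by access-group "inside_in"
Aug 27 2003 18:20:01: %PIX-4-106023: Deny icmp src inside:10.0.5.17 dst outside:198.51.100.24 (type 8, code 0) by access-group "inside_in"
Aug 27 2003 18:20:01: %PIX-4-106023: Deny icmp src inside:10.0.7.8 dst outside:203.0.113.5 (type 8, code 0) by access-group "inside_in"
Aug 27 2003 18:20:02: %PIX-4-106023: Deny icmp src inside:10.0.5.17 dst outside:198.51.100.25 (type 8, code 0) by access-group "inside_in"
Aug 27 2003 18:20:02: %PIX-4-106023: Deny icmp src inside:10.0.5.40 dst outside:192.0.2.10 (type 8, code 0) by access-group "inside_in"
Aug 27 2003 18:20:02: %PIX-4-106023: Deny icmp src inside:10.0.7.8 dst outside:203.0.113.6 (type 8, code 0) by access-group "inside_in"
Aug 27 2003 18:20:03: %PIX-4-106023: Deny icmp src inside:10.0.5.17 dst outside:198.51.100.25 (type 8, code 0) by access-group "inside_in"
Aug 27 2003 18:20:03: %PIX-4-106023: Deny icmp src inside:10.0.5.17 dst outside:198.51.100.26 (type 8, code 0) by access-group "inside_in"
Aug 27 2003 18:20:03: %PIX-4-106023: Deny icmp src inside:10.0.7.8 dst outside:203.0.113.7 (type 8, code 0) by access-group "inside_in"
Aug 27 2003 18:20:04: %PIX-4-106023: Deny tcp src inside:10.0.5.40/1045 dst outside:198.51.100.80/135 by access-group "inside_in"
"""

# Matches only ICMP denies; captures ingress interface, source, destination, ICMP type.
DENY_ICMP = re.compile(
    r"%PIX-4-106023: Deny icmp src (?P<ifc>\S+?):(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst \S+?:(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) \(type (?P<type>\d+), code \d+\)"
)

def echo_sources(lines, interface="inside"):
    """Return {src: (denied echo requests, distinct destinations)} for one interface."""
    counts, targets = Counter(), {}
    for line in lines:
        m = DENY_ICMP.search(line)
        if not m or m["ifc"] != interface or m["type"] != "8":
            continue  # not an echo request arriving on the interface of interest
        counts[m["src"]] += 1
        targets.setdefault(m["src"], set()).add(m["dst"])
    return {src: (n, len(targets[src])) for src, n in counts.items()}

def suspects(lines, min_targets=3):
    """Hosts pinging many distinct addresses look like a sweep, not a user's ping."""
    stats = echo_sources(lines)
    hits = [(src, n, d) for src, (n, d) in stats.items() if d >= min_targets]
    return sorted(hits, key=lambda h: (-h[2], -h[1], h[0]))

if __name__ == "__main__":
    for src, n, d in suspects(SAMPLE_LOG.splitlines()):
        print(f"{src}: {n} denied echo requests to {d} distinct destinations")
```

Ranking on distinct destinations rather than raw packet count keeps a host that repeatedly pings one address from being listed alongside hosts sweeping address space.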
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:08 GMT-3