Re: [logs] Strange Pix message

• Previous message: Tina Bird: "[logs] Strange Pix message"
• In reply to: Tina Bird: "[logs] Strange Pix message"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 15 Sep 2003, Tina Bird wrote:

> A bit of comic relief after all the intensity of the Windows RPC >crap<.
> Anyone have any ideas what this might be?

For  the logs, this  seems the  classical RPC  stuff (with  the random
source port between 666 and 765). 

For the  PIX utilization,  he should check  various things  like xlate
status  (show  xlate  count)  to   show  if  he  doesn't  run  out  of
translations.  and 'show conn count'  and 'show interface' to show the
queue availability.  'show perf mount'  could help also.  (for example
memory usage and stuff like that). 

Does he  use the "  W32.BLASTER Worm Mitigation  Recommendations" from
Cisco ? With the specific access-list or not ? 

For the PIX in general, maybe it's time use a correct firewall (PF can
do an excellent job ;-)

adulau

> ---------- Forwarded message
> ---------- Date: Mon, 15 Sep 2003 16:09:16 -0400
> From: Jared Ingersoll <jaredat_private>
> To: "'incidentsat_private'" <incidentsat_private>
> Subject: Strange Pix message
> 
> Hi,
> 
> I was reviewing my pix syslog messages today and found a strange one from
> yesterday morning at around 3 AM, Sunday:
> 
> 
> Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds =
> 45305562%
> 
> The odd thing is that the percent utilization is somewhere around 45 million
> percent. Our company operates during "bank hours" so activity at that time
> of day is always viewed with a suspicious eye. I called Cisco support and
> they were absolutely no help. They tried to pass it off as spoofed ip error
> messages related to the blaster worm. With minimal questioning the tech
> could not support that supposition at all (though I'm not saying he wasn't
> right).
> 
> Leading up to the CPU message was a sequence of UDP port scans on port 135
> and 1026, originating from port 666 (as follows):
> 
> Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
> 64.156.39.12/666 to x.x.x.x/135 on interface outside
> Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
> 64.156.39.12/666 to x.x.x.x/1026 on interface outside
> 
> Can anyone shed some light on this?
> 
> Thanks,
> Jared

-- 
-- 	  	     Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- 	   http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- 	   "Knowledge can create problems, it is not through ignorance
-- 				  that we can solve them" Isaac Asimov




_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Philip Webster: "[logs] High Network Load"
• Previous message: Tina Bird: "[logs] Strange Pix message"
• In reply to: Tina Bird: "[logs] Strange Pix message"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 16 2003 - 07:13:18 PDT