Re: [logs] Strange Pix message

From: Alexandre Dulaunoy (adulauat_private)
Date: Tue Sep 16 2003 - 02:56:39 PDT

  • Next message: Philip Webster: "[logs] High Network Load"

    On Mon, 15 Sep 2003, Tina Bird wrote:
    > A bit of comic relief after all the intensity of the Windows RPC >crap<.
    > Anyone have any ideas what this might be?
    For  the logs, this  seems the  classical RPC  stuff (with  the random
    source port between 666 and 765). 
    For the  PIX utilization,  he should check  various things  like xlate
    status  (show  xlate  count)  to   show  if  he  doesn't  run  out  of
    translations.  and 'show conn count'  and 'show interface' to show the
    queue availability.  'show perf mount'  could help also.  (for example
    memory usage and stuff like that). 
    Does he  use the "  W32.BLASTER Worm Mitigation  Recommendations" from
    Cisco ? With the specific access-list or not ? 
    For the PIX in general, maybe it's time use a correct firewall (PF can
    do an excellent job ;-)
    > ---------- Forwarded message
    > ---------- Date: Mon, 15 Sep 2003 16:09:16 -0400
    > From: Jared Ingersoll <jaredat_private>
    > To: "'incidentsat_private'" <incidentsat_private>
    > Subject: Strange Pix message
    > Hi,
    > I was reviewing my pix syslog messages today and found a strange one from
    > yesterday morning at around 3 AM, Sunday:
    > Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds =
    > 45305562%
    > The odd thing is that the percent utilization is somewhere around 45 million
    > percent. Our company operates during "bank hours" so activity at that time
    > of day is always viewed with a suspicious eye. I called Cisco support and
    > they were absolutely no help. They tried to pass it off as spoofed ip error
    > messages related to the blaster worm. With minimal questioning the tech
    > could not support that supposition at all (though I'm not saying he wasn't
    > right).
    > Leading up to the CPU message was a sequence of UDP port scans on port 135
    > and 1026, originating from port 666 (as follows):
    > Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
    > to x.x.x.x/135 on interface outside
    > Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
    > to x.x.x.x/1026 on interface outside
    > Can anyone shed some light on this?
    > Thanks,
    > Jared
    -- 	  	     Alexandre Dulaunoy (adulau) --
    -- 	   "Knowledge can create problems, it is not through ignorance
    -- 				  that we can solve them" Isaac Asimov
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Tue Sep 16 2003 - 07:13:18 PDT