<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Zbot infection in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760387#M529711</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;sh xlate&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 30 Sep 2011 16:01:35 GMT</pubDate>
    <dc:creator>smsneteng</dc:creator>
    <dc:date>2011-09-30T16:01:35Z</dc:date>
    <item>
      <title>Zbot infection</title>
      <link>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760383#M529707</link>
      <description>&lt;P&gt;Is there any way to use an ASA 5510 to detect which computer on the inside of my network is connecting to IP 87.255.51.229?&amp;nbsp; I am being blacklisted for a win32/Zbot connection; I need to identify this computer and get it disconnected from the network ASAP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;David&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 21:31:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760383#M529707</guid>
      <dc:creator>crash5050</dc:creator>
      <dc:date>2019-03-11T21:31:31Z</dc:date>
    </item>
    <item>
      <title>Zbot infection</title>
      <link>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760384#M529708</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The way we handle it is to set up a rule blocking any to the 87.255.51.229 IP. Make sure logging is set up on that rule, then monitor for which IPs attempt to connect to that external IP address. Once you have the IPs, do a DNS lookup to get the hostname. This works if you have time to monitor the log all day. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It is better to have a SIEM tool to do this, but it is possible with the ASA. Also, you can enable syslog (and/or NetFlow) on the ASA and have the ASA send its logs to a server, and then you can go back in time and look for connection attempts.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Sep 2011 17:40:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760384#M529708</guid>
      <dc:creator>jason.giambrone</dc:creator>
      <dc:date>2011-09-28T17:40:20Z</dc:date>
    </item>
    <item>
      <title>Zbot infection</title>
      <link>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760385#M529709</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello David,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Adding to the great answer of Jason Giambrone, you could perform a show conn | include 87.255.51.229.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have worked on an issue like that and this was the answer.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope this helps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Julio&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Sep 2011 19:34:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760385#M529709</guid>
      <dc:creator>Julio Carvajal</dc:creator>
      <dc:date>2011-09-28T19:34:16Z</dc:date>
    </item>
    <item>
      <title>Zbot infection</title>
      <link>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760386#M529710</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi David,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Enable NetFlow on the ASA, install some free NetFlow monitoring tool, analyze the destination IP address and find the related source IPs involved. You can then clean up those machines.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To enable NetFlow on the ASA, check the blog below. You will need IOS 8.2 and above.&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://blogs.manageengine.com/netflowanalyzer/2010/07/22/configuring-cisco-asa-netflow-via-asdm"&gt;http://blogs.manageengine.com/netflowanalyzer/2010/07/22/configuring-cisco-asa-netflow-via-asdm&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Don Thomas Jacob&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.manageengine.com/products/netflow/"&gt;ManageEngine NetFlow Analyzer&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 30 Sep 2011 13:39:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760386#M529710</guid>
      <dc:creator>Don Jacob</dc:creator>
      <dc:date>2011-09-30T13:39:40Z</dc:date>
    </item>
    <item>
      <title>Zbot infection</title>
      <link>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760387#M529711</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;sh xlate&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 30 Sep 2011 16:01:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760387#M529711</guid>
      <dc:creator>smsneteng</dc:creator>
      <dc:date>2011-09-30T16:01:35Z</dc:date>
    </item>
    <item>
      <title>Zbot infection</title>
      <link>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760388#M529712</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Additionally, I forgot to mention, you could not only trace the connection, but deny the inbound at the same time---you would set up an access-list outbound on the inside interface allowing TCP-SYN to that IP address (or even block)---this is NOT to be confused with CBAC or allowing any any established, as that allows the SYN-ACK back in---you want to allow SYN out, but deny the SYN-ACK back in, and log outbound connections all day long, WITHOUT worrying about anything coming back in.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It looks like the host is filtering 997 ports, has one closed, and is using 53 (DNS) and 80 (duh). It could be any of these OSes...: &lt;/P&gt;&lt;P&gt;AVM FRITZ!Box FON WLAN 7050, Linksys WAG200G, or Netgear DG834GT wireless broadband router (94%), Western Digital MyBook World Edition 2 NAS device (Linux 2.6.17.14) (90%), ISS Proventia GX3002C firewall (Linux 2.4.18) (87%), Linux 2.6.9 (86%), ISS Proventia GX3002 firewall (Linux 2.4.18) (85%), Linux 2.6.26 (85%), Linux 2.6.18 (85%), AVM FRITZ!Box FON WLAN 7170 WAP (85%), Linux 2.6.11 (85%), D-Link DNS-323 NAS device or Linksys WRT300N wireless broadband router (85%)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;and this is interesting...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;| robots.txt: has 1 disallowed entry &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;|_/&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;and it has been up for 2 hours so far.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 30 Sep 2011 16:18:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760388#M529712</guid>
      <dc:creator>smsneteng</dc:creator>
      <dc:date>2011-09-30T16:18:31Z</dc:date>
    </item>
    <item>
      <title>Zbot infection</title>
      <link>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760389#M529713</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Why do I keep hitting "Reply"? It's as tempting as my email "Reply All"...lol&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So anyway, your outside address could be the one in the robots.txt. You're not the only one getting black-holed/rerouted through evo-fiberring.com...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Have a read:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://forums.darkfallonline.com/showthread.php?t=285685"&gt;http://forums.darkfallonline.com/showthread.php?t=285685&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;and good luck!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-Tim&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 30 Sep 2011 16:27:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/zbot-infection/m-p/1760389#M529713</guid>
      <dc:creator>smsneteng</dc:creator>
      <dc:date>2011-09-30T16:27:02Z</dc:date>
    </item>
  </channel>
</rss>

