ATT notified my company we have a virus-infected PC on one of our networks which sits behind a Cisco ASA 5505 running 7.2(4).
The setup is a basic inside/outside NAT configuration. They gave us the destination IP address and port which our PC is contacting. I have been tasked to track down the infected PC. I created the following access-list and applied it to the inside interface:
access-list VIRUS extended permit tcp any host x.x.x.x eq YYYYY log debugging interval 600
access-group VIRUS in interface inside
I enabled logging to the console, whose output did not list the IP address of the infected PC, only the IP addresses of the DNS servers we were using. I then used the following capture commands to try to locate the internal IP address of the infected PC:
capture in-cap interface inside access-list VIRUS-CAP buffer 1000000 packet-length 1522
capture in-cap access-list VIRUS-CAP interface inside
Neither step worked, and the resulting console output overwhelmed the firewall in a very short period of time. Before attempting this task again, I would like to know whether I am going about this the right way or whether there is a better methodology.
Any help is greatly appreciated.
Try a "show conn port xxx" or "show xlate".
You should be able to spot the guy because he would have an excessive amount of connections on that port.
Also "show local-host brief" might help; you would see a host with an unusual number of embryonic connections.
I hope this helps.
Thanks for all your suggestions. So far no luck finding the IP address or port. The commands which help the most, since I know the remote computer's IP address and port number, are:
show conn all - shows all the inside & outside IP addresses and port numbers
show conn protocol tcp all - shows all the inside & outside TCP IP addresses and port numbers
show local-host brief - shows all the inside & outside IP addresses and port numbers plus the embryonic count
Any suggestions for a syslog program so I can review logs instead of watching a console all day?
I wouldn't rely on the destination IP your ISP gave you because it might change. I would use the port number instead.
Now, just to be clear, if you do a "show conn port yyy" you don't get anything?
For syslog you can use Kiwi; it's pretty simple to install and use. If you want to try logging with an ACL, use just the port number. Like I mentioned, the destinations tend to change because they are usually Command and Control servers used by the person that designed the virus, and they keep on changing them.
Just out of curiosity, what port is the virus infected pc using according to your ISP?
Hmm, that looks like a source port, and those tend to change too. Did they give you the destination port? The destination port is unlikely to change.
You are not getting any output because there are no connections going on that port at this time.
Try something like show conn port 80 and you'll see the difference.
Also if you do something like show conn | inc 56164 you'll probably get nothing.
We were given the following info
destination ip 220.127.116.11 port 56164.
That is all the information we were given.
Hmm, to be honest, it's going to be hard to track it down because that looks like a source port; I don't think they are giving you enough info. You can still do the ACL with the syslog server, but I doubt you are going to get any results. You might want to do one line for any traffic on that port and another line for any traffic going to that destination, to avoid making it way too specific.
Viruses usually scan other hosts on vulnerable ports such as 445, 139, 135, 23 if they are worms trying to infect other users, and ports like 6667, 6668, 6669, and 7000 if they are IRC bots.
Also, you might want to do the "show conn port" with those ports I mentioned; maybe you get lucky and spot the guy because he would have an unusual number of connections to lots and lots of destinations (typically sequential destinations) or because he is using an IRC port to communicate.
Create an object group with all your internal hosts listed within your DHCP scope or your servers. A little tedious and maybe over the top but it may help in addition to what Luis posted.
object-group network VIRUS-FINDER
 network-object host 192.168.1.1
 network-object host 192.168.1.2
Next, create an ACL and apply it with an access-group to the inside interface (use port 445 or any of the ports mentioned by Luis):
access-list inside_access_out extended permit tcp object-group VIRUS-FINDER any eq 445
access-list inside_access_out remark trailing permit keeps the implicit deny from blocking other inside traffic
access-list inside_access_out extended permit ip any any
access-group inside_access_out in interface inside
Run "show access-list inside_access_out"; the node with the most hits will most likely be your culprit.
We contacted ATT to find out if they could provide us with a little more information which is current. When I get to work, I will start working on the suggestion above.
Below is the most current information we have received from ATT:
IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center
- "Conficker Traffic Detected"
Our investigation shows the following IP was assigned to your log-on session
at the indicated time and was being used to provide DNS services to a zombie
computer network, also known as a Botnet.
At Tue, 02 Aug 2011 09:38:29 +0000, your IP address was: 18.104.22.168
Type of infection (if known): downadup Source Port: 61863 Destination IP:
Botnets are networks of compromised computers under the control of a hacker
or group of hackers. Botnets are often used to conduct various attacks
ranging from denial of service attacks on websites, to spamming, click
fraud, and distribution of malicious software.
Based on our data we believe the specific malware you are infected with is
known as "Conficker". We recommend you check your computer(s) with the
We are in the process of setting up a syslog server running Kiwi. I will keep you posted on the details.
Conficker uses a variety of mechanisms to propagate; the latest variants even use P2P. Again, the ISP is giving you a source port, and that's totally useless because it changes in a matter of seconds or even less. Same with the destination IPs. They'll keep on changing.
I think your best option would be to watch for connections on ports 445 and 139, with the show conn port 445 command.
Another option would be to install nmap on your PC and scan your network. Here is a post that mentions you could use nmap to detect Conficker-infected systems:
Using the latest development version of Nmap one would run a command to scan systems for Conficker signature.
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
BTW, this comes from a Linux forum, but you can install nmap on Windows.
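The "show conn port 445" triage Luis recommends here and earlier in the thread (one inside host with an unusual number of connections to lots of, typically sequential, destinations on 445/139, most of them still embryonic) is easier to do on saved output than by eyeballing the console. The following is an added Python example, not code from the thread: it parses constructed ASA 7.2-style "show conn" lines and scores each inside host. The sample lines, the port set and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in ASA 7.2 "show conn" style (not real data): 192.168.1.23
# sweeps consecutive addresses on 445/139 and none of those handshakes completed.
SAMPLE_SHOW_CONN = """\
TCP out 10.20.30.40:445 in 192.168.1.23:49152 idle 0:00:01 Bytes 0 flags saA
TCP out 10.20.30.41:445 in 192.168.1.23:49153 idle 0:00:01 Bytes 0 flags saA
TCP out 10.20.30.42:445 in 192.168.1.23:49154 idle 0:00:01 Bytes 0 flags saA
TCP out 10.20.30.43:139 in 192.168.1.23:49155 idle 0:00:01 Bytes 0 flags saA
TCP out 10.20.30.44:445 in 192.168.1.23:49156 idle 0:00:01 Bytes 0 flags saA
TCP out 203.0.113.5:445 in 192.168.1.50:50001 idle 0:00:20 Bytes 8812 flags UIO
TCP out 203.0.113.9:80 in 192.168.1.50:50002 idle 0:00:02 Bytes 1200 flags UIO
"""

CONN_RE = re.compile(r"^(?P<proto>TCP|UDP)\s+out\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
                     r"\s+in\s+(?P<src>[\d.]+):\d+.*?flags\s+(?P<flags>\S+)")
SCAN_PORTS = {445, 139, 135, 23}  # worm targets named in the thread (assumed set)

def summarize(text, ports=SCAN_PORTS):
    """Per inside host: TCP conns to scan ports, distinct destinations, embryonic count."""
    stats = defaultdict(lambda: {"conns": 0, "dests": set(), "embryonic": 0})
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) not in ports:
            continue
        s = stats[m["src"]]
        s["conns"] += 1
        s["dests"].add(m["dst"])
        if "U" not in m["flags"]:  # no U flag: connection never came up (embryonic)
            s["embryonic"] += 1
    return stats

def sequential_run(dests):
    """Longest run of consecutive IPv4 destinations: the signature of an address sweep."""
    addrs = sorted(int(ip_address(d)) for d in dests)
    best = run = 1 if addrs else 0
    for prev, cur in zip(addrs, addrs[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def suspects(text, min_dests=3, min_run=3):
    """Hosts whose fan-out on scan ports looks like Conficker-style propagation."""
    rows = []
    for host, s in summarize(text).items():
        run = sequential_run(s["dests"])
        if len(s["dests"]) >= min_dests or run >= min_run:
            rows.append((host, s["conns"], len(s["dests"]), s["embryonic"], run))
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Feed it the text of "show conn" (or "show conn port 445") captured from the ASA and each row reads host, connections, distinct destinations, embryonic count and longest sequential run; the normal file-server client (192.168.1.50) stays below the thresholds.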
Quick question: On an ASA 5505 running 7.2(5), can you block a MAC address? It appears we have a computer using one of our Cisco 1200 APs with just a ton of open connections:
See attached for list of open connections: