10-27-2010 07:30 PM - edited 03-11-2019 12:01 PM
Ok so I got a complaint from our public agency which acts as our "ISP" that their IDS system detected a host(s) (in our network) showing malicious activity, connecting outbound to an Internet IP of 94.100.25.138 over port 4723. I did some research and it appears this is definitely a virus/trojan. We are scanning our network to determine which host is infected, however, as a quick reactionary remediation, I figured I could just create an ACL on my ASA 5520 to deny all outbound LAN traffic to the internet host 94.100.25.138 with this rule while I track down the culprit:
access-list DENY-MALWARE extended deny tcp host 94.100.25.138 any eq 4723
or
access-list DENY-MALWARE extended deny tcp host 192.168.100.79 94.100.25.138 255.255.255.255 eq 4723
After enabling one of these (I tried both) I then initiated a telnet session from a LAN host:
telnet 94.100.25.138 4723
I was still able to make a connection to that IP and Port with either ACL in place. I then verified on the CLI of the ASA that the TCP connections were active by using the show conn details protocols tcp command. My ACL does not seem to be doing what I think it should do. Is my logic off here?
Any help or suggestions would be greatly appreciated.
Dee
10-28-2010 02:13 AM
deezturner1 wrote:
Ok so I got a complaint from our public agency which acts as our "ISP" that their IDS system detected a host(s) (in our network) showing malicious activity, connecting outbound to an Internet IP of 94.100.25.138 over port 4723. I did some research and it appears this is definitely a virus/trojan. We are scanning our network to determine which host is infected, however, as a quick reactionary remediation, I figured I could just create an ACL on my ASA 5520 to deny all outbound LAN traffic to the internet host 94.100.25.138 with this rule while I track down the culprit:
access-list DENY-MALWARE extended deny tcp host 94.100.25.138 any eq 4723
or
access-list DENY-MALWARE extended deny tcp host 192.168.100.79 94.100.25.138 255.255.255.255 eq 4723
After enabling one of these (I tried both) I then initiated a telnet session from a LAN host:
telnet 94.100.25.138 4723
I was still able to make a connection to that IP and Port with either ACL in place. I then verified on the CLI of the ASA that the TCP connections were active by using the show conn details protocols tcp command. My ACL does not seem to be doing what I think it should do. Is my logic off here?
Any help or suggestions would be greatly appreciated.
Dee
Dee
Are you applying this to the inside interface ?
Your first acl is wrong but the 2nd should work as long as -
1) it is TCP and not UDP
and
2) you tried to connect from the host 192.168.100.79
and
3) you applied the acl to the interface
use this -
access-list inside_out deny tcp any host 94.100.25.138 eq 4723
access-list inside_out permit ip any any
access-group inside_out in interface inside
Note - if you already have an acl on the inside interface then you need to add the first line from the acl above to it. You also need to make sure it is before any line that would permit the traffic.
Jon
10-28-2010 09:58 AM
Jon,
Thanks for your reply. So I looked through the ACLs and I see:
access-list Inside_access_in extended permit ip any any
access-group Inside_access_in in interface Inside
This is the only ACL I see attached to the inside interface. So could I add your suggested ACL and access group to the inside interface since the ACL in place seems to be a bit different than what I want to accomplish.
Dee
10-28-2010 11:19 AM
deezturner1 wrote:
Jon,
Thanks for your reply. So I looked through the ACLs and I see:
access-list Inside_access_in extended permit ip any any
access-group Inside_access_in in interface Inside
This is the only ACL I see attached to the inside interface. So could I add your suggested ACL and access group to the inside interface since the ACL in place seems to be a bit different than what I want to accomplish.
Dee
Dee
You need to add the deny line before the permit line. You can do this with ASA acls but it may be easier just to create a new temporary one eg. -
access-list inside_out deny tcp any host 94.100.25.138 eq 4723
access-list inside_out permit ip any any
and apply that one -
access-group inside_out in interface inside
Jon
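Added example, not part of the thread and not Cisco's own code: a small Python model of ASA first-match ACL evaluation, using the exact ACEs posted above. It shows why Dee's first ACE (source = the Internet host) never matches a packet leaving the LAN, why the second ACE only matches when the source really is 192.168.100.79, why a TCP ACE ignores UDP, and why the deny line must sit before `permit ip any any`. The packet is constructed for the example; the parser only understands the address and port syntax that appears in this thread (`any`, `host A.B.C.D`, `A.B.C.D MASK`, optional trailing `eq PORT`).

```python
import ipaddress

# Model of an ASA access-group applied "in" on the inside interface:
# the ASA evaluates the packet as it ENTERS the inside interface, so the
# source is the LAN host and the destination is the Internet host.
# Only the syntax used in the thread is parsed:
#   access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT]

def _parse_addr(tokens, i):
    """Return (network, next_index) for an address spec at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK" form; ASA uses a dotted subnet mask, not a wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one access-list line into an access control entry dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    name, i = tokens[1], 2
    if tokens[i] == "extended":
        i += 1
    action, proto, i = tokens[i], tokens[i + 1], i + 2
    src, i = _parse_addr(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])  # port after DST is the destination port
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl, packet):
    """First-match semantics with the ASA's implicit deny at the end."""
    for ace in acl:
        if ace["proto"] not in ("ip", packet["proto"]):
            continue
        if ipaddress.ip_address(packet["src"]) not in ace["src"]:
            continue
        if ipaddress.ip_address(packet["dst"]) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != packet["dport"]:
            continue
        return ace["action"]
    return "deny"


# The ACEs as posted in the thread.
DEE_FIRST = "access-list DENY-MALWARE extended deny tcp host 94.100.25.138 any eq 4723"
DEE_SECOND = ("access-list DENY-MALWARE extended deny tcp host 192.168.100.79 "
              "94.100.25.138 255.255.255.255 eq 4723")
EXISTING_PERMIT = "access-list Inside_access_in extended permit ip any any"
JON_DENY = "access-list inside_out deny tcp any host 94.100.25.138 eq 4723"
JON_PERMIT = "access-list inside_out permit ip any any"


def outbound_verdicts():
    """Verdicts for a constructed LAN->Internet packet under each ACL variant."""
    # Constructed packet: the telnet test from the thread, seen on the inside interface.
    pkt = {"proto": "tcp", "src": "192.168.100.79", "dst": "94.100.25.138", "dport": 4723}
    other_host = dict(pkt, src="192.168.100.80")   # constructed: a different LAN host
    udp = dict(pkt, proto="udp")                    # constructed: same flow over UDP

    def acl(*lines):
        return [parse_ace(l) for l in lines]

    return {
        # Dee's first ACE placed above the existing permit: source never matches.
        "first_ace_plus_permit": evaluate(acl(DEE_FIRST, EXISTING_PERMIT), pkt),
        # Dee's second ACE above the permit: matches, but only for host .79 ...
        "second_ace_plus_permit": evaluate(acl(DEE_SECOND, EXISTING_PERMIT), pkt),
        "second_ace_other_host": evaluate(acl(DEE_SECOND, EXISTING_PERMIT), other_host),
        # Jon's ACL: deny before permit, any LAN source.
        "jon_acl": evaluate(acl(JON_DENY, JON_PERMIT), pkt),
        "jon_acl_other_host": evaluate(acl(JON_DENY, JON_PERMIT), other_host),
        # A tcp ACE does not match udp (Jon's point 1).
        "jon_acl_udp": evaluate(acl(JON_DENY, JON_PERMIT), udp),
        # Same two lines in the wrong order: the permit matches first.
        "permit_before_deny": evaluate(acl(JON_PERMIT, JON_DENY), pkt),
    }


if __name__ == "__main__":
    for case, verdict in outbound_verdicts().items():
        print(f"{case:24s} {verdict}")
```

The model deliberately ignores state: it only answers "would this ACE match the first packet of the outbound flow", which is the question the thread is about. It does not model the ASA's connection table, so an existing connection established before the deny line was added would still need to be cleared (or time out) before the new ACE is felt.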
10-28-2010 12:32 PM
Perfect. Added:
access-list inside_out deny tcp any host 94.100.25.138 eq 4723
access-list inside_out permit ip any any
access-group inside_out in interface inside
And I now cannot establish connection to that IP/Port from my LAN. I'm now remediating the threat from within.
Thanks,
Dee
10-28-2010 03:19 PM
Dee
No problem, glad to help, hope you get the virus sorted.
Jon