Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1140
Views
0
Helpful
2
Replies

Malware Infection FWSM

rakuntal
Level 1
Level 1

‎04-20-2023 08:01 AM

Hi Folks,

In our data center vulnerability scanning from outside we are getting these two infections. we have two FWSM one at the internet gateway and the other internal FWSM. Now the management wants me to trace the source of this infection and stop them. But as we can see in the below image we have not enabled ports 9817 and 3077  anywhere in FWSM but still connections are established via these ports. I am not able to trace the endpoints also from where these connections are created. Please help me with how to stop these. I have denied connections to these IPs in FWSM rules also but still, these connections are happening. Please suggest a way to get rid of these 

rakuntal_0-1682002608092.png

 

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-20-2023 11:01 AM

It appears those are source ports on the affected hosts. They are communicating outbound to the suspicious server on tcp 55507. It is that destination address or port that you need to block.

0 Helpful

rakuntal
Level 1
Level 1
In response to Marvin Rhoads

‎04-21-2023 02:58 AM

I would like to clarify two points FWSM we have already blocked these IPs but it is not stopping. in FWSM by default, everything is denied and we have not permitted any such port plus the port number is also changing daily. But we don't see these IPs anywhere in translations, so could not locate the source.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card