1069 Views · 0 Helpful · 2 Replies

Malware Infection FWSM

rakuntal (Level 1)

Hi Folks,

In our data center vulnerability scanning from outside, we are getting these two infections. We have two FWSMs, one at the internet gateway and the other an internal FWSM. Now the management wants me to trace the source of this infection and stop it. But as we can see in the image below, we have not enabled ports 9817 and 3077 anywhere in the FWSM, but still connections are established via these ports. I am also not able to trace the endpoints from where these connections are created. Please help me with how to stop these. I have also denied connections to these IPs in the FWSM rules, but still these connections are happening. Please suggest a way to get rid of these.

[image attachment: rakuntal_0-1682002608092.png]

2 Replies

Marvin Rhoads (Hall of Fame)

It appears those are source ports on the affected hosts. They are communicating outbound to the suspicious server on tcp 55507. It is that destination address or port that you need to block.

I would like to clarify two points. In the FWSM we have already blocked these IPs, but it is not stopping. In the FWSM, by default, everything is denied, and we have not permitted any such port; plus, the port number is also changing daily. But we don't see these IPs anywhere in the translations, so we could not locate the source.
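As an added illustration of the point made in the replies above (this is not part of the thread and not Cisco code), the following Python groups a firewall connection table by the outside destination instead of by the ever-changing inside source ports, so the internal hosts behind a suspicious destination can be listed. The line layout and all sample entries are constructed assumptions modelled loosely on ASA-family `show conn` output, not verified FWSM output; the destination port 55507 is the one named in the thread, and the source ports 9817 and 3077 are reused from the question.

```python
"""Group connection-table entries by destination so that ephemeral source
ports are not mistaken for services that were "opened" on the firewall.

Everything below is constructed for illustration; the line format is an
assumption modelled loosely on ASA/FWSM 'show conn' output."""
import re
from collections import defaultdict

# Destination port named in the thread.
SUSPICIOUS_DST_PORT = 55507

# Constructed sample connection-table lines (not real FWSM output).
SAMPLE_CONN_TABLE = """\
TCP outside 203.0.113.50:55507 inside 10.10.20.15:9817, idle 0:00:03, bytes 84312, flags UIO
TCP outside 203.0.113.50:55507 inside 10.10.20.15:3077, idle 0:00:09, bytes 1200, flags UIO
TCP outside 203.0.113.50:55507 inside 10.10.30.7:41822, idle 0:01:12, bytes 6600, flags UIO
TCP outside 198.51.100.9:443 inside 10.10.20.15:51002, idle 0:00:01, bytes 9034, flags UIO
UDP outside 198.51.100.53:53 inside 10.10.20.15:60211, idle 0:00:00, bytes 120, flags -
"""

# Assumed layout: "<proto> <out_if> <out_ip>:<out_port> <in_if> <in_ip>:<in_port>, ... bytes <n> ..."
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"(?:,.*bytes\s+(?P<bytes>\d+))?"
)


def parse_conn_table(text):
    """Parse connection-table lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "proto": d["proto"],
            "out_ip": d["out_ip"], "out_port": int(d["out_port"]),
            "in_ip": d["in_ip"], "in_port": int(d["in_port"]),
            "bytes": int(d["bytes"] or 0),
        })
    return flows


def is_ephemeral(port):
    """Ports above the well-known range are the usual client-side source ports."""
    return port >= 1024


def hosts_talking_to(flows, dst_ip=None, dst_port=None, proto="TCP"):
    """Group flows by inside host for a given outside destination.

    Returns {inside_ip: {"source_ports": [...], "bytes": n, "all_ephemeral": bool}}
    so the internal endpoints behind a suspicious destination are listed and the
    varying source ports are shown for what they are: client-side ephemeral ports."""
    hosts = defaultdict(lambda: {"source_ports": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != proto:
            continue
        if dst_ip is not None and f["out_ip"] != dst_ip:
            continue
        if dst_port is not None and f["out_port"] != dst_port:
            continue
        hosts[f["in_ip"]]["source_ports"].add(f["in_port"])
        hosts[f["in_ip"]]["bytes"] += f["bytes"]
    return {
        ip: {
            "source_ports": sorted(v["source_ports"]),
            "bytes": v["bytes"],
            "all_ephemeral": all(is_ephemeral(p) for p in v["source_ports"]),
        }
        for ip, v in hosts.items()
    }


def block_candidates(flows, dst_port):
    """Outside addresses that an outbound deny on dst_port would have to cover."""
    return sorted({f["out_ip"] for f in flows
                   if f["proto"] == "TCP" and f["out_port"] == dst_port})


if __name__ == "__main__":
    flows = parse_conn_table(SAMPLE_CONN_TABLE)
    for ip, info in hosts_talking_to(flows, dst_port=SUSPICIOUS_DST_PORT).items():
        print(ip, info)
    print("deny outbound to:", block_candidates(flows, SUSPICIOUS_DST_PORT))
```

Run against the constructed table, the script lists two inside hosts talking to 203.0.113.50:55507 and shows that 9817, 3077 and 41822 are all ephemeral source ports on those hosts, which is why denying them as if they were services changes nothing. One caveat worth checking on the real box: on ASA-family firewalls an ACL change does not by itself tear down connections that are already in the connection table, so after adding the deny the existing entries may need to be cleared (the ASA command is `clear conn`; confirm the equivalent for the FWSM release in use) and the table re-checked before concluding the block is not working.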
