541 Views, 0 Helpful, 3 Replies

How can I tell who has a virus on my Lan?

trevorjackson, Level 1

I have a 1720 series router and I suspect that one of the users on my LAN is infected with a virus that is causing the internet access to perform very slowly. All I have set up, really, is NAT to translate the private addresses to our one public address and a default route to the ISP's gateway. I know that there are certain commands I can run that can give me a good idea of which IP addresses are generating traffic on given ports (i.e. port 135 for Blaster). Could someone please give me assistance in troubleshooting this issue?

3 Replies

Hello,

You could start out with turning on IP accounting. Without knowing your exact configuration, I would guess you have a dialer interface; configure the following on that interface:

ip accounting

ip accounting output-packets

Then, from the exec prompt, check for the IP source and destination address pairs with the command:

Router#show ip accounting

Which IOS version are you running? In order to get better insight into which protocols are running on your network, you could configure the NBAR Protocol Discovery feature; I do not know if your IOS supports it, but if it does, turn on NBAR protocol discovery on your (Fast)Ethernet interface with the command:

ip nbar protocol-discovery

and check the results with the exec command:

show ip nbar protocol-discovery

HTH,

Georg

IP accounting is one way to go about it... if you would like more detailed info, though, I would suggest using NetFlow...

Turn CEF on within the router...

cisco# config t

cisco(config)# ip cef

Then go into the interface in question and turn on ip route-cache flow.

So what I've done in the past is to go to the border router and turn on ip route-cache flow on both the Fast Ethernet interface that connects to my network and the serial interface that faces my ISP.

cisco(config-if)# ip route-cache flow

Once this is done you can issue a show ip cache flow and receive more detailed info...

show ip accounting output

Source          Destination     Packets    Bytes
131.108.19.40   192.67.67.20          7      306
131.108.13.55   192.67.67.20         67     2749
131.108.2.50    192.12.33.51         17     1111
131.108.2.50    130.93.2.1            5      319
131.108.2.50    130.93.1.2          463    30991
131.108.19.40   130.93.2.1            4      262
131.108.19.40   130.93.1.2           28     2552

sh ip cache flow

SrcIf     SrcIPaddress    DstIf     DstIPaddress    Pr SrcP DstP  Pkts
AT1/0.1   10.1.10.1       Fa4/0     192.168.10.1    01 0000 0800  1131
Fa4/0     192.168.10.1    AT1/0.1   10.1.10.1       01 0000 0000  1131
Fa4/0     192.168.10.1    AT1/0.1   10.1.10.1       06 2AF8 0017     3
AT1/0.1   10.1.10.1       Fa4/0     192.168.10.1    06 0017 2AF8     3

I know this probably looks really crappy, but if you look at the description of the fields on the show ip cache flow command you'll see that you get more detailed info, including src port and dest port (results are in hex, mind you). This will allow you to determine what port your internal devices are trying to get to and help you filter out legit traffic from infected hosts...

-DP

degg, Level 1

One thing I like to do that is really simple is make a very basic ACL and apply it 'in' on your LAN interface. It would be something like this:

permit tcp any any eq 135 log

permit ip any any

This will log all hits against port 135, and then you can look at your log and see what IP it is coming from. This doesn't stop any traffic, but lets you see if there is suspicious activity. You can also use any port you want to monitor, such as 445, 25, etc., if you are suspicious of them.
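An ACE with the log keyword makes IOS emit a %SEC-6-IPACCESSLOGP message for matching packets, and on a busy LAN the buffer fills with them faster than anyone can read. The script below is an added example, not from this thread or from Cisco, that reads such log lines (the sample lines, addresses and list number 101 are constructed for illustration, following the documented message shape) and totals, per source host, the packets and distinct destinations seen on a chosen port, so the host generating the port 135 hits stands out immediately.

```python
import re
from collections import Counter, defaultdict

# IOS message produced by an ACE carrying the 'log' keyword, for example:
# %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.23(1025) -> 203.0.113.5(135), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

def parse_acl_log(lines):
    """Return one dict per IPACCESSLOGP line; any other syslog line is ignored."""
    hits = []
    for line in lines:
        m = ACL_LOG_RE.search(line)
        if m:
            hits.append({"acl": m["acl"], "action": m["action"], "proto": m["proto"],
                         "src": m["src"], "sport": int(m["sport"]),
                         "dst": m["dst"], "dport": int(m["dport"]),
                         "pkts": int(m["pkts"])})
    return hits

def packets_by_source(hits, dport):
    """Total logged packets per source address for one destination port."""
    c = Counter()
    for h in hits:
        if h["dport"] == dport:
            c[h["src"]] += h["pkts"]
    return dict(c)

def distinct_targets(hits, dport):
    """Number of different destinations each source touched on the port;
    many targets with a packet or two each is the fan-out of a scanning host."""
    seen = defaultdict(set)
    for h in hits:
        if h["dport"] == dport:
            seen[h["src"]].add(h["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}

# Constructed log excerpt, in the format IOS writes to the logging buffer.
# Later lines carry the "N packets" totals IOS reports for repeated matches.
SAMPLE_ACL_LOG = [
    "*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.23(1025) -> 203.0.113.5(135), 1 packet",
    "*Mar  1 00:12:35.102: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.23(1026) -> 203.0.113.6(135), 1 packet",
    "*Mar  1 00:13:01.410: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(3210) -> 192.168.1.50(135), 1 packet",
    "*Mar  1 00:13:40.008: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.23(1027) -> 203.0.113.8(445), 5 packets",
    "*Mar  1 00:17:34.900: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.23(1030) -> 203.0.113.9(135), 12 packets",
    "*Mar  1 00:20:00.001: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    hits = parse_acl_log(SAMPLE_ACL_LOG)
    for port in (135, 445):
        print(f"port {port}: packets {packets_by_source(hits, port)}, "
              f"targets {distinct_targets(hits, port)}")
```

In practice you would feed it the output of show logging (or the syslog server's file) rather than the embedded sample. A single hit from a workstation to one internal server on 135 is ordinary Windows RPC; the host with many distinct destinations is the one to pull off the wire.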