
Trojan - Possible configuration problem

guenter
Level 1

Hello,

We have problems with some Cisco 800 on our customers' networks.

In the last weeks some of them started temporarily not to disconnect the ISDN interface after the configured timeout. In one case the call lasted 24 hours until it was disconnected by the provider.

We found out that there's no traffic on the Ethernet interface, but every 5 to 10 seconds there's activity on the ISDN interface.

It seems as if the Cisco is receiving data packets and sending answers to them.

We guess that external computers might ping or trace for open ports on the Cisco. Maybe especially if the temporarily assigned IP comes from a previous connection with a computer infected by a worm or trojan.

How can we configure the Cisco not to hold the ISDN line in such cases?

Any help is very valuable.

regards

g.

1 Reply

sbilgi
Level 5

Check if you have the dialer-group command under the BRI/dialer interface and also a global command dialer-list protocol permit. The command dialer-list protocol permit will permit all traffic, so when any traffic comes in to the router the idle timeout will reset. The router is doing its job by resetting the timer when traffic is sent to it. You can find out who sends the traffic to the router and prevent it from sending the traffic. To find out which device is sending the traffic, perform the following:

a) Debug dialer

b) either 1) shut and no shut on the bri 0 interface or 2) clear int bri 0

c) When the call comes up, the debug will show the source IP address (S) and the destination IP address (D). Once you get the source IP address, find out what traffic is being sent from that device. When you find out the type of traffic from the other device, you can put an access-list in your router to deny that traffic.
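
An added example, not part of the reply above and not taken from the poster's routers: it goes one step beyond denying a single observed source and ties the dialer-list to an access-list, so that only chosen traffic counts as interesting and resets the idle timer. The list numbers (1 and 101), the 120-second timeout and the 192.168.1.0/24 LAN range are assumptions to be replaced with the site's own values.

```cisco
! --- Before (assumed current state): every IP packet is "interesting" ---
! Any packet the router routes or answers keeps resetting the idle timer,
! so replies to unsolicited probes hold the ISDN call open.
interface BRI0
 dialer idle-timeout 120
 dialer-group 1
!
dialer-list 1 protocol ip permit
!
! --- After: interesting traffic restricted by an extended access-list ---
! Replace the permit-all dialer-list with one that references ACL 101.
no dialer-list 1 protocol ip permit
!
! ICMP never brings up or holds the line (assumption: acceptable on this site).
access-list 101 deny   icmp any any
! Only traffic sourced from the customer LAN (assumed range) is interesting.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
! Everything else, including the router's own replies to outside hosts,
! hits the implicit deny and no longer resets the idle timer.
!
dialer-list 1 protocol ip list 101
!
interface BRI0
 dialer idle-timeout 120
 dialer-group 1
```

An access-list referenced by a dialer-list only classifies traffic as interesting or not; it does not drop packets while the call is up. `show dialer` displays the idle timer, which should now count down to disconnect when only uninteresting traffic is crossing the link.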
