Velocity Reviews - Computer Hardware Reviews


Urgent Virus Issue > Block IP Address

 
 
paul_tomlin@hotmail.com
Guest
Posts: n/a
 
      07-21-2008
We've got a virus infection and it keeps reinstalling a remote
management tool, I've used some monitoring tools and can see it's
trying to communicate with the public IP 123.119.253.199, I assumed
I'd be able to block this by putting in:

access-list in2out deny ip any host 123.119.253.199
access-list in2out permit ip any any
access-list in2out permit icmp any any
access-group in2out in interface inside

I thought the above lines would resolve it, but I can still see the
virus communicating with that IP address both in and outbound.

Anybody have any ideas what I've missed?
 
 
 
 
 
paul_tomlin@hotmail.com
Guest
Posts: n/a
 
      07-22-2008
I've read through this http://www.cisco.com/en/US/products/...801e419a.shtml
and can't see where I could have gone wrong.

Anybody got any ideas?


On 22 Jul, 03:03, "Brian V" <(E-Mail Removed)> wrote:
> <(E-Mail Removed)> wrote in message
>
> news:(E-Mail Removed)...
>
> > We've got a virus infection and it keeps reinstalling a remote
> > management tool, I've used some monitoring tools and can see it's
> > trying to communicate with the public IP 123.119.253.199, I assumed
> > I'd be able to block this by putting in:
> >
> > access-list in2out deny ip any host 123.119.253.199
> > access-list in2out permit ip any any
> > access-list in2out permit icmp any any
> > access-group in2out in interface inside
> >
> > I thought the above lines would resolve it, but I can still see the
> > virus communicating with that IP address both in and outbound.
> >
> > Anybody have any ideas what I've missed?
>
> How about where you applied it, on what interface and in what direction?


 
 
 
 
 
Francois Labreque
Guest
Posts: n/a
 
      07-23-2008
(E-Mail Removed) wrote:
> We've got a virus infection and it keeps reinstalling a remote
> management tool, I've used some monitoring tools and can see it's
> trying to communicate with the public IP 123.119.253.199, I assumed
> I'd be able to block this by putting in:
>
> access-list in2out deny ip any host 123.119.253.199
> access-list in2out permit ip any any
> access-list in2out permit icmp any any
> access-group in2out in interface inside
>
> I thought the above lines would resolve it, but I can still see the
> virus communicating with that IP address both in and outbound.
>
> Anybody have any ideas what I've missed?


If there's an active "xlate" for the infected host(s), new access-lists
won't take effect.

Try issuing a "clear xlate local x.x.x.x" where x.x.x.x is the IP
address of the infected host(s). If you do not have mission-critical
traffic through your PIX (including the VPN tunnel you're currently
using to access it!), you can just "clear xlate". This will kill all
current connections and force new ones to be rebuilt using the new
in2out access-list.

--
|Francois Labreque | Unfortunately, there's no such thing as a snooze
| flabreque | button on a cat who wants breakfast.
| @ |
| gmail.com | - Unattributed quote from rec.humor.funny
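
The behaviour described in the reply above, as a simplified model added here (not part of the original thread and not PIX code): the access-list is consulted only when a flow has no state entry, so a flow set up before the deny line was added keeps passing until the state for that host is cleared. The class and function names and the inside host addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

class StatefulFirewall:
    """Toy model: the ACL is evaluated only for flows with no existing state."""

    def __init__(self, acl):
        self.acl = list(acl)   # ordered (action, src_net, dst_net); first match wins
        self.state = set()     # established (local_ip, foreign_ip) flows

    def _acl_permits(self, src, dst):
        for action, src_net, dst_net in self.acl:
            if (ip_address(src) in ip_network(src_net)
                    and ip_address(dst) in ip_network(dst_net)):
                return action == "permit"
        return False           # implicit deny at the end of the list

    def outbound(self, src, dst):
        """Return 'forward' or 'drop' for a packet arriving on the inside interface."""
        if (src, dst) in self.state:
            return "forward"   # existing state: the ACL is not re-evaluated
        if self._acl_permits(src, dst):
            self.state.add((src, dst))
            return "forward"
        return "drop"

    def replace_acl(self, acl):
        self.acl = list(acl)   # changing the ACL leaves the state table untouched

    def clear_xlate_local(self, local_ip):
        # Models "clear xlate local x.x.x.x": drop all state for one inside host.
        self.state = {flow for flow in self.state if flow[0] != local_ip}

BLOCKED = "123.119.253.199"    # address from the thread
INFECTED = "192.168.1.50"      # constructed inside host
PERMIT_ALL = [("permit", "0.0.0.0/0", "0.0.0.0/0")]
IN2OUT = [("deny", "0.0.0.0/0", BLOCKED + "/32")] + PERMIT_ALL

def demo():
    fw = StatefulFirewall(PERMIT_ALL)
    results = [fw.outbound(INFECTED, BLOCKED)]             # flow set up before the block
    fw.replace_acl(IN2OUT)                                 # in2out applied afterwards
    results.append(fw.outbound(INFECTED, BLOCKED))         # old state still forwards it
    results.append(fw.outbound("192.168.1.51", BLOCKED))   # a new flow hits the deny
    fw.clear_xlate_local(INFECTED)
    results.append(fw.outbound(INFECTED, BLOCKED))         # state gone, deny applies
    results.append(fw.outbound(INFECTED, "198.51.100.7"))  # other traffic unaffected
    return results

if __name__ == "__main__":
    print(demo())
```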
 