Urgent Please help! Virus Alert as well...

tekkid

Yesterday we were infected by the w32/lovegate.f@M virus. It spreads through the email server along with shared files on your network. Unfortunately, the virus made its way to some of our facilities before we nabbed it. We have shut down all access and are forced to go into these facilities one by one to remove this virus.

I am trying to block the ports on our Cisco 3640 router (port 25 and port 465) which handle the smtp stuff. Since I am new to router configuration issues, I'm not exactly sure how to do this. Is there anyone who can please tell me how? If you have additional advice on how to stop this virus from spreading, please post here too.


Thanks in advance for your help!!!

kidd
 
kidd,

The following ACL should block any incoming or outgoing port 25 and 465.

access-list 101 deny tcp any any eq 25
access-list 101 deny tcp any any eq 465
access-list 101 permit ip any any

You would need to apply this to your WAN interfaces similar to this:

interface Serial 0/0
ip access-group 101 in
ip access-group 101 out

This assumes that the smtp traffic the virus is using is standard TCP on both ports. If it uses UDP, you would need to duplicate the lines above and change the tcp to udp, to look like this:

access-list 101 deny tcp any any eq 25
access-list 101 deny udp any any eq 25
access-list 101 deny tcp any any eq 465
access-list 101 deny udp any any eq 465
access-list 101 permit ip any any

Hopefully that will help.

Todd Hethmon
thethmon@hethmon.com
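
Added example, not part of the reply above: a small Python model of how access list 101 is evaluated (top-down, first match wins, implicit deny at the end), run against constructed sample packets. It shows that `eq 25` tests the destination port only and that file-share traffic, the other spreading path mentioned in the question, falls through to the final permit. Function names and packet values are made up for illustration.

```python
# Simplified model of Cisco extended ACL matching. Only handles
# "any any [eq PORT]" entries, which is all the ACL in this thread uses.

ACL_101 = """\
access-list 101 deny tcp any any eq 25
access-list 101 deny udp any any eq 25
access-list 101 deny tcp any any eq 465
access-list 101 deny udp any any eq 465
access-list 101 permit ip any any
"""

def parse_acl(text):
    """Return a list of (action, protocol, dst_port or None) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        if tok[4:6] != ["any", "any"]:
            raise ValueError("only 'any any' entries are modelled: " + line)
        port = int(tok[7]) if tok[6:7] == ["eq"] else None
        rules.append((action, proto, port))
    return rules

def evaluate(rules, proto, src_port, dst_port):
    """Return 'permit' or 'deny' for one packet; src_port is never consulted
    because 'eq' after the destination field tests the destination port."""
    for action, r_proto, r_port in rules:
        if r_proto not in ("ip", proto):
            continue  # protocol does not match this entry
        if r_port is not None and r_port != dst_port:
            continue  # destination port does not match this entry
        return action  # first matching entry decides
    return "deny"  # implicit deny when nothing matches

RULES = parse_acl(ACL_101)
# Constructed sample packets: (description, protocol, src_port, dst_port)
SAMPLES = [
    ("client -> mail server SMTP", "tcp", 40001, 25),
    ("client -> port 465", "tcp", 40002, 465),
    ("web browsing", "tcp", 40003, 80),
    ("Windows file sharing (SMB)", "tcp", 40004, 445),
    ("packet sourced from port 25", "tcp", 25, 40005),
]

if __name__ == "__main__":
    for desc, proto, sport, dport in SAMPLES:
        print(f"{evaluate(RULES, proto, sport, dport):6}  {desc}")
```

The SMB line comes back as permit: this ACL stops mail on ports 25 and 465 crossing the WAN interface, but it does nothing about spread over shared folders.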
 
thethmon,

Thanks for the help. This worked, and we are well on our way to getting things back up and going.

kidd
 