Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX Firewall and MS Blaster exploit

Status
Not open for further replies.
kirby449

kirby449

Technical User
Jun 15, 2003
47
GB
Hi Guys

Does anybody have any ideas how a network protected by a PIX firewall could be infected with the Blaster virus? We have a few sites that have been affected.

As I understand it, the exploit occurs exclusively through port 135 which of course is not opened on the PIX, yet still the network has been infected.

As far as I know there is no modem access on any of the machines or any other way to bridge the firewall.

Anyone any ideas?

cheers
kirby449
 
Sort by date Sort by votes
Do you have antivirus software checking your external e-mail ? The virus probably came as an attachment to an e-mail which was opened by a user which then propagated itself through your network over port 135. Check the following link for more information.


Smokey
 
Upvote 0 Downvote
I know this is kind of old, but I am having a problem with this. We have got hit 3 times with Blaster/Welchia. We got all three incidents handled quickly, but afterwards, we always have about 10-15 machines that can't access internet or email (server on DMZ). It's not the same 10-15 each time, and it's never internet AND email. It's alway one or the other. ie, some machines can get email, but not to internet. Some to internet, but not DMZ (email). We've tried all the ipconfig/release, renew etc. We've even tried removing them from the network and uninstalling TCP/IP. The other 200+ pc's work just fine, and have the same DNS settings as the 10-15 that don't work (assigned from DHCP). All internal traffic works fine, which leads me to believe it may somehow be the PIX, and passing traffice betwwen the interfaces. We are running a PIX 515R, with OS 6.2.2. Aside from these 3 little hiccups, everyting works fine. After about 2 days, these 10-15 pc's start working just fine as if there never was a problem. Any advice? Thanks.
 
Upvote 0 Downvote
Do some packet sniffing to verify that your requests are reaching their destinations and you dont have virus/trojans hogging up all your resources. Run netstat from the command prompt and see if you have a ton of port connections established at the problematic computers. If you do, then its most likely you experiencing network lag and are infected. We have Symantec AV 8 and a pix 515. The only instance of the blaster worm came from a dial-up connection (gvnmt. contractor) who received it via external email. Not bad for 250+ machines.
 
Upvote 0 Downvote
Do you have anybody who has a laptop that they take home/elsewhere and use on the internet without a firewall? (via broadband or dial up?) If it is not properly patched, it could get infected off site and get carried back to you.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
285
Sameer258
Sameer258
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
247
nnaarrnn
nnaarrnn
Nitta84
  • Locked
  • Question
navigation slow and tcp syc/ack drop
Replies
0
Views
209
Nitta84
Nitta84
SamBones
  • Locked
  • Question
Interesting JavaScript Exploit -- JSF**K
Replies
0
Views
61
SamBones
SamBones
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
113
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top