
Nimda and CPU utilization
The Reamer

2001-09-18, 7:14 pm

Hey gang,

Just wondering if any of you have encountered this new worm yet and what you are doing to fight it so far. Got a customer that is having CPU utilization issues. Running at 94%. Just can't pinpoint a single source for the traffic. Still fighting though.

Reamer
darthfeces

2001-09-18, 7:57 pm

The new one spreads through email as a readme.exe and searches for open shares on vulnerable IIS servers. There was a patch issued a year ago that covers it.

http://www.symantec.com/avcenter/ve...nimda.a@mm.html

http://www.microsoft.com/technet/tr...in/ms00-078.asp

http://www.microsoft.com/technet/tr...in/MS01-020.asp
The Reamer

2001-09-18, 8:12 pm

We've directed the customer to the same links since it is not our responsibility. I just wanted to let everyone know that you might be infected if you are having issues with CPU utilization.

Thanks again,

Reamer
darthfeces

2001-09-18, 8:28 pm

Here's a better one:
http://www.cert.org/advisories/CA-2001-26.html

Increased CPU utilization on a router might be caused by an infected device scanning or being scanned.
007

2001-09-20, 4:11 pm

Set up an access-list such as follows:

access-list 171 remark Log and drop HTTP from LAN hosts; logged sources are the infected machines
access-list 171 deny tcp any any eq www log
access-list 171 remark permit ip any any already matches ICMP, so no separate ICMP entry is needed
access-list 171 permit ip any any


This will settle the router down and inform you of infected hosts. You need to block hosts sending traffic over HTTP; you'll be able to see whether it's regular traffic or traffic from an infected host. Remember this access-list must be applied on the LAN segment, and will stop all WWW traffic, so if there are business-critical sites that must be reached by internal clients then just add a permit statement for that one address. This should help you. Believe me, it's the only way to save your Cisco gear from crashing.

The log is very important. Once you apply the list, from privileged mode type "term mon"; this will show you all the hosts hitting your access-list. Type "term no mon" to stop messages on your console.


hope this helps.
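The procedure in 007's post produces a stream of %SEC-6-IPACCESSLOGP messages on the console (or at a syslog host), one per source/destination pair that hit the "deny ... log" entry, and the reader is left to pick the infected hosts out of that stream by eye. The script below is an added example, not code from the original thread or from any poster: it parses such log lines and reports sources that hit many distinct web servers, which is what a Nimda scanner looks like and what an ordinary user browsing one or two sites does not. It assumes access-list 171 from the post is applied inbound on the LAN interface and that the lines were copied from "terminal monitor" output or a syslog file. The log lines embedded in the script are constructed samples in the IOS message format, not captures from the customer's router, and the threshold of five distinct destinations is an assumption to tune for the network.

```python
"""Pick out Nimda-style scanners from Cisco IOS ACL log messages.

Added example for the thread above; it is not the original poster's code.
Assumes "access-list 171 deny tcp any any eq www log" is applied inbound on
the LAN interface, so every logged source is an internal host trying to
reach TCP/80. Sample log lines below are constructed, not real captures.
"""
import re
from collections import defaultdict

# Constructed sample of what the router emits for the logged deny entry.
# 10.1.1.5 walks through six unrelated web servers (scanner behaviour);
# 10.1.1.20 talks to a single site repeatedly (normal browsing).
SAMPLE_LOG = """\
Sep 20 16:11:02 rtr1 12: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.1.1.5(1034) -> 192.0.2.10(80), 1 packet
Sep 20 16:11:02 rtr1 13: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.1.1.5(1035) -> 192.0.2.11(80), 1 packet
Sep 20 16:11:03 rtr1 14: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.1.1.5(1036) -> 192.0.2.12(80), 1 packet
Sep 20 16:11:03 rtr1 15: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.1.1.5(1037) -> 198.51.100.7(80), 1 packet
Sep 20 16:11:04 rtr1 16: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.1.1.5(1038) -> 198.51.100.8(80), 1 packet
Sep 20 16:11:04 rtr1 17: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.1.1.5(1039) -> 203.0.113.3(80), 2 packets
Sep 20 16:11:10 rtr1 18: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.1.1.20(3001) -> 192.0.2.10(80), 1 packet
Sep 20 16:11:35 rtr1 19: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.1.1.20(3002) -> 192.0.2.10(80), 4 packets
Sep 20 16:11:40 rtr1 20: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
"""

# Matches the IPACCESSLOGP message body; "packet"/"packets" covers both the
# first-hit message and the periodic summary message IOS emits later.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied tcp "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text, acl="171"):
    """Return (src, dst, dport, packet_count) tuples for denied-TCP hits on one ACL.

    Lines from other facilities (e.g. %SYS-5-CONFIG_I) and other ACLs are skipped.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("acl") != acl:
            continue
        hits.append((m.group("src"), m.group("dst"),
                     int(m.group("dport")), int(m.group("count"))))
    return hits


def summarize_sources(hits):
    """Per source address: (number of distinct destinations, total logged packets)."""
    targets = defaultdict(set)
    packets = defaultdict(int)
    for src, dst, _dport, count in hits:
        targets[src].add(dst)
        packets[src] += count
    return {src: (len(targets[src]), packets[src]) for src in targets}


def find_scanners(hits, min_targets=5):
    """Sources that hit at least min_targets distinct web servers.

    A worm scanning for IIS hosts fans out across many addresses; a user
    browsing the intranet site does not. Sorted so the widest scanner comes
    first. The default threshold is an assumption to tune per network.
    """
    summary = summarize_sources(hits)
    scanners = [(src, n, pk) for src, (n, pk) in summary.items() if n >= min_targets]
    return sorted(scanners, key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    for src, n, pk in find_scanners(parse_acl_log(SAMPLE_LOG)):
        print(f"{src}: {n} distinct web servers, {pk} packets -> probable Nimda scanner")
```

On the sample data only 10.1.1.5 is reported; 10.1.1.20 is dropped by the same deny entry but shows up in the summary with a single destination, which is why it makes sense to aggregate before reading the log rather than blocking every source that appears in it.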
djo

2001-09-21, 12:09 pm

To complete what was said before:

Do you have "ip accounting output-buffer" on your interface to get the pair of addresses that talk the most? (I know you have 94%; nevertheless you can try "ip accounting" on the right interface.) After that, create the right access-list (as suggested by "007").

I don't know your topology, your IOS release, nor your configuration.

I suppose that your system is not busy because the traffic is high.
When I get 90% CPU use, it often comes from broadcast loops, bridging loops, or a debug command. (I suppose you know "sh interfaces" and can look at whether the number of broadcasts is increasing.)

Hope this helps too.
Copyright 2003 - 2008 examnotes.net