Re: Strange Pix message <-- Pix-Bug: CSCdz66410

From: Barbara Loehle (Barbara.Loehle_at_uni-konstanz.de)
Date: 09/16/03

    Date: Tue, 16 Sep 2003 07:45:30 +0200
    To: Jared Ingersoll <jared@cswv.com>
    
    

    Hello,

    That is characteristic of the PIX bug CSCdz66410.
    Compare this entry in the Cisco Bug Toolkit and the discussion
    in the Cisco firewalling discussion forum:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee96acd

    On Mon, Sep 15, 2003 at 04:09:16PM -0400, Jared Ingersoll wrote:
    > Hi,
    >
    > I was reviewing my pix syslog messages today and found a strange one from
    > yesterday morning at around 3 AM, Sunday:
    >
    >
    > Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds =
    > 45305562%
    >
    > The odd thing is that the percent utilization is somewhere around 45 million
    > percent. Our company operates during "bank hours" so activity at that time
    > of day is always viewed with a suspicious eye. I called Cisco support and
    > they were absolutely no help. They tried to pass it off as spoofed ip error
    > messages related to the blaster worm. With minimal questioning the tech
    > could not support that supposition at all (though I'm not saying he wasn't
    > right).
    >
    > Leading up to the CPU message was a sequence of UDP port scans on port 135
    > and 1026, originating from port 666 (as follows):
    >
    > Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
    > 64.156.39.12/666 to x.x.x.x/135 on interface outside
    > Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
    > 64.156.39.12/666 to x.x.x.x/1026 on interface outside
    >
    > Can anyone shed some light on this?
    >
    > Thanks,
    > Jared
    >
    > ---------------------
    > Jared Ingersoll
    > Fiserv CSW, Inc.
    > 125 CambridgePark Dr.
    > Cambridge, MA 02140
    > t.617.354.1400 x237
    > f.617.498.0959
    > ---------------------
    >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    > October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    > technical IT security event. Modeled after the famous Black Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
    > ----------------------------------------------------------------------------
    >

    -
    Regards, Barbara Loehle
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     Address: Dr. Barbara Loehle e-mail:Barbara.Loehle@uni-konstanz.de
     University of Constance Phone: +49 7531 882542
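
An added example, not part of either message above: a triage check that un-wraps the quoted syslog records and marks a %PIX-3-211003 reading above 100% as out of range, which is the kind of value this thread attributes to CSCdz66410. The sample input is constructed from the lines quoted in the mail, and the function names are assumptions.

```python
import re

# Constructed sample: the syslog lines as the mailer wrapped and quoted them.
QUOTED = """\
> Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
> 64.156.39.12/666 to x.x.x.x/135 on interface outside
> Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
> 64.156.39.12/666 to x.x.x.x/1026 on interface outside
> Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds =
> 45305562%
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
RECORD = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ %PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
CPU = re.compile(r"CPU utilization for (\d+) seconds = (\d+)%")
DENY = re.compile(
    r"Deny inbound (\w+) from (\S+)/(\d+) to (\S+)/(\d+) on interface (\S+)")

def unwrap(text):
    """Strip mail quoting and re-join records that were wrapped across lines."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)          # a new record starts with a timestamp
        else:
            records[-1] += " " + line     # continuation of the previous record
    return records

def triage(text):
    """Return (cpu_findings, denies) for the two message IDs seen in the thread."""
    findings, denies = [], []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        if m["id"] == "211003" and (c := CPU.search(m["msg"])):
            pct = int(c.group(2))
            # A utilization percentage cannot exceed 100; treat it as a bad reading.
            status = "plausible" if pct <= 100 else "out-of-range"
            findings.append((m["ts"], pct, status))
        elif m["id"] == "106006" and (d := DENY.search(m["msg"])):
            denies.append((m["ts"], d.group(2), int(d.group(3)), int(d.group(5))))
    return findings, denies

if __name__ == "__main__":
    print(triage(QUOTED))
```
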
      
