RE: Strange Pix message

From: Thomas Lenzenhofer (tlenzenh_at_cisco.com)
Date: 09/17/03

  • Next message: James C. Slora, Jr.: "RE: strange HTTP requests"
    To: "'Dave'" <update@dsrtech.com>, <incidents@securityfocus.com>
    Date: Wed, 17 Sep 2003 10:55:16 +1000
    
    

    All,

    I have provided the info to Jared below; this is just an FYI for the rest
    of you in case you wonder what the outcome of this discussion was...

    "The problem you are seeing is most likely due to a PIX bug which is
    CSCdz66410 and CSCdt17923. In both cases these are cosmetic bugs and are
    not causing any complications in the PIX. The reason the CPU is reading
    such a high % has to do with the old way that the PIX calculated the
    algorithm for total time spent on all the processes. I am not sure which
    SW version you run on this PIX in your case, but the problem should be
    resolved with the latest 6.3 code."

    I will talk to the TAC engineer that handled that case and sort this out
    internally.

    Regards
    Thomas

    -----Original Message-----
    From: Dave [mailto:update@dsrtech.com]
    Sent: Tuesday, 16 September 2003 8:25 PM
    To: incidents@securityfocus.com
    Cc: Jared Ingersoll
    Subject: Re: Strange Pix message

    Have seen the same message 3 times over the last year. We run 6.2(2)
    code on our 525 PIX(s). We also run swatch and know immediately when
    this happens, and it always seems that nothing was the cause. Maybe it
    is a bug in the code. Will be upgrading to the latest on Wed. (6.3(3)), so
    hopefully it will resolve the error msg. I'll check to see what the
    leading packets before the msg were today and get back to you.

    On Mon, 2003-09-15 at 16:09, Jared Ingersoll wrote:
    > Hi,
    >
    > I was reviewing my pix syslog messages today and found a strange one
    > from yesterday morning at around 3 AM, Sunday:
    >
    >
    > Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10
    > seconds = 45305562%
    >
    > The odd thing is that the percent utilization is somewhere around 45
    > million percent. Our company operates during "bank hours" so activity
    > at that time of day is always viewed with a suspicious eye. I called
    > Cisco support and they were absolutely no help. They tried to pass it
    > off as spoofed ip error messages related to the blaster worm. With
    > minimal questioning the tech could not support that supposition at all
    > (though I'm not saying he wasn't right).
    >
    > Leading up to the CPU message was a sequence of UDP port scans on port
    > 135 and 1026, originating from port 666 (as follows):
    >
    > Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
    > 64.156.39.12/666 to x.x.x.x/135 on interface outside
    > Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
    > 64.156.39.12/666 to x.x.x.x/1026 on interface outside
    >
    > Can anyone shed some light on this?
    >
    > Thanks,
    > Jared
    >
    > ---------------------
    > Jared Ingersoll
    > Fiserv CSW, Inc.
    > 125 CambridgePark Dr.
    > Cambridge, MA 02140
    > t.617.354.1400 x237
    > f.617.498.0959
    > ---------------------
    >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    > October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    > technical IT security event. Modeled after the famous Black Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > Symantec is the Diamond sponsor. Early-bird registration ends September 6.
    > Visit us: www.blackhat.com
    > ---------------------------------------------------------------------------
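    The thread's practical lesson is that a swatch-style rule matching only
    the message ID fires on the cosmetic bug and on a real CPU spike alike.
    The script below is an added example, not code from the thread or from
    Cisco: it parses PIX syslog lines of the two message IDs discussed
    (211003 and 106006), treats any CPU percentage above 100 as an
    implausible counter value rather than a load problem, and lists the
    inbound denies that preceded each CPU message within a lookback window,
    which is the correlation Jared did by hand. The sample lines and all IP
    addresses are constructed placeholders modelled on the ones quoted above;
    the 90% "high" threshold and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the thread's messages; addresses are
# documentation-range placeholders, not the addresses from the original post.
SAMPLE_LOG = """\
Sep 14 03:47:45 2U:10.0.0.1 %PIX-2-106006: Deny inbound UDP from 192.0.2.12/666 to 10.0.0.5/135 on interface outside
Sep 14 03:47:45 2U:10.0.0.1 %PIX-2-106006: Deny inbound UDP from 192.0.2.12/666 to 10.0.0.5/1026 on interface outside
Sep 14 03:49:48 3U:10.0.0.1 %PIX-3-211003: CPU utilization for 10 seconds = 45305562%
Sep 14 09:15:02 3U:10.0.0.1 %PIX-3-211003: CPU utilization for 10 seconds = 93%
"""

# Generic PIX syslog envelope: timestamp, host tag, %PIX-<severity>-<msgid>: <text>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
CPU_RE = re.compile(r"CPU utilization for (?P<window>\d+) seconds = (?P<pct>\d+)%")
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\w+)"
)

HIGH_CPU_PCT = 90          # assumed alerting threshold for a genuine reading
DEFAULT_LOOKBACK = timedelta(minutes=5)   # assumed correlation window


def parse_line(line):
    """Split one PIX syslog line into its envelope fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog carries no year; strptime defaults to 1900, which is fine for
    # relative comparisons inside one file.
    ts = datetime.strptime(re.sub(r" +", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts, "sev": int(m.group("sev")),
            "msgid": m.group("msgid"), "text": m.group("text")}


def classify_cpu(text):
    """Return (verdict, pct) for a 211003 message body.

    A percentage above 100 cannot be a utilisation figure, so it is reported
    as 'bogus' (the counter artefact discussed in the thread) rather than as
    load. Plausible values are 'high' or 'normal' against HIGH_CPU_PCT.
    """
    m = CPU_RE.search(text)
    if not m:
        return "unparsed", None
    pct = int(m.group("pct"))
    if pct > 100:
        return "bogus", pct
    if pct >= HIGH_CPU_PCT:
        return "high", pct
    return "normal", pct


def parse_deny(text):
    """Extract the 5-tuple-ish fields from a 106006 body, with integer ports."""
    m = DENY_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def triage(log_text, lookback=DEFAULT_LOOKBACK):
    """For every 211003 message, give a verdict and the 106006 denies seen
    within `lookback` before it, so a reviewer sees the context at a glance."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for ev in events:
        if ev["msgid"] != "211003":
            continue
        verdict, pct = classify_cpu(ev["text"])
        denies = [parse_deny(d["text"]) for d in events
                  if d["msgid"] == "106006"
                  and ev["ts"] - lookback <= d["ts"] <= ev["ts"]]
        findings.append({"ts": ev["ts"], "verdict": verdict, "pct": pct,
                         "preceding_denies": [d for d in denies if d]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']:%b %d %H:%M:%S} cpu={f['pct']} verdict={f['verdict']} "
              f"denies_before={len(f['preceding_denies'])}")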
    

  • Next message: James C. Slora, Jr.: "RE: strange HTTP requests"