|
Posted by Francois Labreque on July 23, 2008, 12:36 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> we've got a virus infection and it keeps reinstalling a remote
> management tool , I've used some monitoring tools and can see it's
> trying to communicate with the public IP 123.119.253.199, I assumed
> i'd be able to block this by putting in :
>
> access-list in2out deny ip any host 123.119.253.199
> access-list in2out permit ip any any
> access-list in2out permit icmp any any
> access-group in2out in interface inside
>
> I thought the above lines would resolve it , but I can still see the
> virus communicating with that IP address both in and outbound
>
> Anybody have any ideas what i've missed?
If there's an active "xlate" for the infected host(s), new access-lists
won't take effect.
Try issuing a "clear xlate local x.x.x.x" where x.x.x.x is the ip
address of the infected host(s). If you do not have mission critical
traffic through your pix (including the vpn tunnel you're currently
using to access it!), you can just "clear xlate". This will kill all
current connections and force new ones to be rebuilt using the new
in2out access-list.
--
|Francois Labreque | Unfortunately, there's no such thing as a snooze
| flabreque | button on a cat who wants breakfast.
| @ |
| gmail.com | - Unattributed quote from rec.humor.funny
| 
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map