netcurmudgeon (netcurmudgeon) wrote,


Ah Monday...

At around noon today one of our firewalls (a Cisco PIX that handles all of the school and library Internet traffic) crashed. Well, not really crashed per se, but it stopped forwarding traffic and had to be restarted. The culprit? Same as the north-end router last week: an overload of traffic from PCs infected with the SdBot worm. Or so I thought.

After getting the PIX restarted, I took a look at the firewall log file (the PIX sends its log entries via syslog to one of my Linux servers). We had captured 1.3GB of log by 12:30. Of that, 1 GB was log entries from the firewall denying access to the Internet by worm-infected PCs. I copied a Perl script that I use for analyzing firewall logs, and dropped in new code to pick out the IP addresses of denied PCs and count up the number of times they were denied. Then I pointed it at the firewall log and said "sic 'em!"

I expected to get a list of twenty to a hundred infected PCs. The script ground through 6,674,944 lines of log, and fingered three machines. Yes, three PCs. On examination of the output file, one (yes one) PC was responsible for 6,674,266 hits. The other two counted only 678 hits between them and probably aren't infected.
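The Perl script itself is not shown in the post. As an added example (not the author's code), the same tally in Python against constructed PIX 106023 "Deny" syslog lines: it streams the log line by line so a multi-gigabyte file never has to fit in memory, counts denies per internal source address, and flags any single source that accounts for most of the denies, which is the pattern the count above revealed. The sample log, hostnames and thresholds are made up for the example.

```python
import re
import sys
from collections import Counter

# Constructed sample of PIX log lines as relayed by syslog to a Linux host.
# The deny lines follow the PIX 106023 message format; addresses are made up.
SAMPLE_LOG = """\
Jun 14 12:00:01 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1033 dst outside:203.0.113.5/445 by access-group "inside_in"
Jun 14 12:00:01 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1034 dst outside:203.0.113.6/445 by access-group "inside_in"
Jun 14 12:00:01 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1035 dst outside:203.0.113.7/445 by access-group "inside_in"
Jun 14 12:00:02 pix %PIX-6-302013: Built outbound TCP connection 1811 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.20.30.77/2341 (192.0.2.1/2341)
Jun 14 12:00:02 pix %PIX-4-106023: Deny udp src inside:10.20.30.77/137 dst outside:198.51.100.2/137 by access-group "inside_in"
Jun 14 12:00:03 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1036 dst outside:203.0.113.8/445 by access-group "inside_in"
"""

# Matches a 106023 deny and captures the source IP (interface name and ports are ignored).
DENY_RE = re.compile(r"%PIX-\d-106023: Deny \w+ src \w+:(\d{1,3}(?:\.\d{1,3}){3})/\d+")


def count_denied_sources(lines):
    """Return (lines_seen, Counter of source IP -> number of denies).

    `lines` may be any iterable of strings, e.g. an open file object, so the
    whole log is never held in memory at once.
    """
    seen = 0
    hits = Counter()
    for line in lines:
        seen += 1
        m = DENY_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return seen, hits


def flag_outliers(hits, min_share=0.5, min_hits=1000):
    """Sources with at least min_hits denies that also make up min_share of all denies."""
    total = sum(hits.values())
    if total == 0:
        return []
    return [ip for ip, n in hits.most_common() if n >= min_hits and n / total >= min_share]


if __name__ == "__main__":
    # Pass a log path to analyse a real file; with no argument the constructed sample is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    seen, hits = count_denied_sources(source)
    print(f"{seen} lines scanned, {sum(hits.values())} denies from {len(hits)} sources")
    for ip, n in hits.most_common(10):
        print(f"{n:>10}  {ip}")
    print("dominant sources:", flag_outliers(hits, min_hits=3))
```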

I am both relieved and troubled. Relieved in that one PC in a small elementary school is a lot easier to find and clean than scores of PCs all over the city. And troubled in that a lone PC was able to generate enough traffic to flatten the PIX. I feel somewhat like the little Dutch boy running around plugging holes in the dyke. Tomorrow, more surveillance. Perhaps, if I can keep an eye on the log file, I can nab any infected PCs before they crash my firewall.
