Re: Strange Pix message

From: James Fields (jvfieldstds.net)
Date: Tue Sep 16 2003 - 04:59:29 CDT


You need to go back to Cisco. Assuming you have a contract with them, open
a case with TAC. Stay on them. Give them your Pix model, the code version,
and your COMPLETE configuration. Escalate to the next level if they assign
you a dork. They WILL find it and fix it if you stay on them. This is from
MANY past experiences - my company should have some bugs named after us or
something, but sometimes you have to press them on the weird stuff.

----- Original Message -----
From: "Jared Ingersoll" <jaredcswv.com>
To: <incidentssecurityfocus.com>
Sent: Monday, September 15, 2003 4:09 PM
Subject: Strange Pix message

> Hi,
>
> I was reviewing my pix syslog messages today and found a strange one from
> yesterday morning at around 3 AM, Sunday:
>
>
> Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45305562%
>
> The odd thing is that the percent utilization is somewhere around 45
> million percent. Our company operates during "bank hours" so activity at
> that time of day is always viewed with a suspicious eye. I called Cisco
> support and they were absolutely no help. They tried to pass it off as
> spoofed IP error messages related to the Blaster worm. With minimal
> questioning the tech could not support that supposition at all (though I'm
> not saying he wasn't right).
>
> Leading up to the CPU message was a sequence of UDP port scans on port 135
> and 1026, originating from port 666 (as follows):
>
> Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
> 64.156.39.12/666 to x.x.x.x/135 on interface outside
> Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from
> 64.156.39.12/666 to x.x.x.x/1026 on interface outside
>
> Can anyone shed some light on this?
>
> Thanks,
> Jared
>
> ---------------------
> Jared Ingersoll
> Fiserv CSW, Inc.
> 125 CambridgePark Dr.
> Cambridge, MA 02140
> t.617.354.1400 x237
> f.617.498.0959
> ---------------------
>
> ---------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
> October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
> technical IT security event. Modeled after the famous Black Hat event in
> Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
> Symantec is the Diamond sponsor. Early-bird registration ends September 6.
> Visit us: www.blackhat.com
> ----------------------------------------------------------------------------

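An added triage helper (not from the thread, Cisco, or the list) that parses PIX syslog lines of the shape quoted above. It treats a %PIX-3-211003 CPU figure outside 0..100% as an impossible value to be reported to TAC rather than a real load reading, and tallies %PIX-2-106006 inbound denies per source host and source port so a burst of probes from one address stands out. The sample lines are constructed to mirror the post; x.x.x.x is a placeholder, and the relay tag layout ("2U:host") is assumed from the quoted lines.

```python
"""Triage helper for Cisco PIX syslog lines (added example, not the page's code).

Flags CPU-utilization reports whose percentage cannot be real (outside 0..100)
and summarises inbound denies per (source, source port, protocol).
"""
import re
from collections import Counter, defaultdict

# Header: timestamp, optional relay tag such as "3U:x.x.x.x", then %PIX-<sev>-<msgid>: text
PIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?:\S+\s+)?"  # relay tag is optional (assumed format from the post)
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)
CPU_RE = re.compile(r"CPU utilization for (?P<window>\d+) seconds = (?P<pct>-?\d+)%")
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) from (?P<src>[\w.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.]+)/(?P<dport>\d+) on interface (?P<iface>\w+)"
)

# Constructed sample mirroring the post's messages; x.x.x.x is a placeholder host.
SAMPLE_LOG = """\
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/135 on interface outside
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside
Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45305562%
Sep 14 03:50:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 12%
"""


def parse_line(line):
    """Split one PIX syslog line into its header fields; None if it is not a PIX message."""
    m = PIX_RE.match(line)
    if m is None:
        return None
    return {"ts": m.group("ts"), "sev": int(m.group("sev")),
            "msgid": m.group("msgid"), "text": m.group("text")}


def cpu_anomalies(lines):
    """Return (timestamp, pct) for 211003 messages whose value is not a valid percentage."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["msgid"] != "211003":
            continue
        c = CPU_RE.search(rec["text"])
        if c is None:
            continue
        pct = int(c.group("pct"))
        if not 0 <= pct <= 100:  # a real 10-second average cannot exceed 100%
            found.append((rec["ts"], pct))
    return found


def deny_summary(lines):
    """Count 106006 inbound denies per (src, sport, proto) and list the destination ports hit."""
    counts = Counter()
    dports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["msgid"] != "106006":
            continue
        d = DENY_RE.search(rec["text"])
        if d is None:
            continue
        key = (d.group("src"), int(d.group("sport")), d.group("proto"))
        counts[key] += 1
        dports[key].add(int(d.group("dport")))
    return {k: {"count": counts[k], "dports": sorted(dports[k])} for k in counts}


def triage(log_text):
    """Run both checks over a block of syslog text."""
    lines = log_text.splitlines()
    return {"cpu_anomalies": cpu_anomalies(lines), "denies": deny_summary(lines)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ts, pct in result["cpu_anomalies"]:
        print(f"{ts}: impossible CPU value {pct}% (report to vendor, not a load reading)")
    for (src, sport, proto), info in result["denies"].items():
        print(f"{src}/{sport} {proto}: {info['count']} denies, dports {info['dports']}")
```

Run as a script it prints the one impossible CPU value and the single source that probed ports 135 and 1026 from source port 666; pointed at a real PIX syslog file, the same two functions separate a firmware counter bug from actual load and make a one-source port sweep visible at a glance.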