Urgent Virus Issue > Block IP Address

We've got a virus infection and it keeps reinstalling a remote management tool. I've used some monitoring tools and can see it's trying to communicate with the public IP 123.119.253.199. I assumed I'd be able to block this by putting in:

access-list in2out deny ip any host 123.119.253.199
access-list in2out permit ip any any
access-list in2out permit icmp any any
access-group in2out in interface inside

I thought the above lines would resolve it, but I can still see the virus communicating with that IP address both in and outbound.

Anybody have any ideas what I've missed?

paul_tomlin

How about where you applied it, on what interface and in what direction?

Brian V

I've read through this

formatting link
can't see where I could have gone wrong

Anybody got any ideas?

paul_tomlin

paul snipped-for-privacy@hotmail.com wrote:

If there's an active "xlate" for the infected host(s), new access-lists won't take effect.

Try issuing a "clear xlate local x.x.x.x" where x.x.x.x is the IP address of the infected host(s). If you do not have mission-critical traffic through your PIX (including the VPN tunnel you're currently using to access it!), you can just "clear xlate". This will kill all current connections and force new ones to be rebuilt using the new in2out access-list.

Francois Labreque
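
Added example, not part of the thread and not Cisco code: a simplified Python model of the behaviour described in the reply above, where an access list is consulted only when a new flow is built, so a flow established before the deny was added keeps passing until its state is cleared. The class, method names and inside host addresses are assumptions made for illustration; only 123.119.253.199 comes from the thread.

```python
"""Simplified model (constructed) of first-packet ACL checks on a stateful firewall."""
import ipaddress

class StatefulFirewall:
    def __init__(self):
        self.acl = []       # ordered (action, dst_network) rules, first match wins
        self.conns = set()  # established (inside_host, outside_host) flows

    def add_rule(self, action, dst):
        self.acl.append((action, ipaddress.ip_network(dst)))

    def _acl_permits(self, dst):
        for action, net in self.acl:
            if ipaddress.ip_address(dst) in net:
                return action == "permit"
        return False        # implicit deny at the end of the list

    def send(self, src, dst):
        """Return True if a packet from src to dst is forwarded."""
        if (src, dst) in self.conns:   # existing state: the ACL is not consulted
            return True
        if self._acl_permits(dst):     # ACL is evaluated only for a new flow
            self.conns.add((src, dst))
            return True
        return False

    def clear_state(self, local=None):
        """Drop state for one inside host, or for every host when local is None."""
        self.conns = {c for c in self.conns if local is not None and c[0] != local}

def demo():
    fw = StatefulFirewall()
    # Inside addresses are constructed sample values.
    infected, other, remote = "192.168.1.50", "192.168.1.60", "123.119.253.199"
    fw.add_rule("permit", "0.0.0.0/0")        # policy before the block was added
    before = fw.send(infected, remote)        # flow is established
    fw.send(other, "198.51.100.7")            # unrelated host's flow
    fw.acl = []
    fw.add_rule("deny", remote + "/32")       # same order as the in2out list
    fw.add_rule("permit", "0.0.0.0/0")
    stale = fw.send(infected, remote)         # still forwarded through old state
    fw.clear_state(local=infected)            # per-host clear, other hosts untouched
    after = fw.send(infected, remote)         # new flow now matches the deny
    untouched = (other, "198.51.100.7") in fw.conns
    return before, stale, after, untouched

if __name__ == "__main__":
    print(demo())
```
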
