From: Jay Hennigan (jay@west.net)
Date: Sat Sep 21 2002 - 18:19:39 GMT-3

On Sat, 21 Sep 2002, Chuck Church wrote:
> Jay's right. We had an infected machine behind our 2611 router
> running FWFS, and that behaved the same way, 90-100% CPU. Luckily the FWFS
> logged the errors (host x.x.x.x getting aggressive, etc), so it was easy to
> find the culprit. I think a server needs to be running IIS to be infected
> (could be wrong on this one though), so an easy thing to do is one-by-one,
> disable the switch port of each of your IIS servers, while watching the CPU
> utilization. We tracked another problem server down this way pretty
> quickly. Good luck. By the way, did this problem just start?

My guess is that it started on Friday the 13th, which is a popular virus
trigger date. Note that Cisco has classified the high CPU from NAT as a
bug and implemented an IOS fix that helps the situation, although it would
still be a nice thing to disinfect the problem host(s). My first post on
this thread had a pointer to the CCO page addressing the bug.

Rather than disabling the switch ports, it's fairly easy to spot the
offender by looking at the NAT translations on the router. That will
give you the IP of the box with the problem. Of course if you're in a
DHCP environment you then need to match the IP to a specific machine.

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc. - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
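
Added example, not part of the original post or written by its author: one way to do the NAT-table check described above is to save the output of `show ip nat translations` and rank inside local addresses by how many entries each one holds. The sample table, the addresses in it and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed table in the column layout of `show ip nat translations`."""
    rows = ["Pro Inside global      Inside local       Outside local      Outside global"]
    def add(n, inside, base, dest):
        for i in range(n):
            d = dest(i)
            rows.append(f"tcp 203.0.113.5:{base + i} {inside}:{base + i} {d} {d}")
    add(3, "10.1.1.20", 2000, lambda i: "198.51.100.7:80")       # ordinary client
    add(2, "10.1.1.31", 2100, lambda i: "198.51.100.9:25")       # ordinary client
    add(40, "10.1.1.44", 3000, lambda i: f"192.0.2.{i + 1}:80")  # many destinations
    rows.append("--- 203.0.113.6 10.1.1.2 --- ---")              # static entry
    return "\n".join(rows)

def parse_translations(text):
    """Return (inside_local_ip, outside_ip, outside_port) for each dynamic entry."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        # Skip the header, static "---" entries and anything malformed.
        if len(f) != 5 or f[0] not in ("tcp", "udp", "icmp") or ":" not in f[4]:
            continue
        out_ip, _, out_port = f[4].rpartition(":")
        entries.append((f[2].rsplit(":", 1)[0], out_ip, out_port))
    return entries

def rank_hosts(text):
    """Rank inside hosts by entry count: (ip, entries, distinct_dests, top_port)."""
    count, dests, ports = Counter(), defaultdict(set), defaultdict(Counter)
    for inside, out_ip, out_port in parse_translations(text):
        count[inside] += 1
        dests[inside].add(out_ip)
        ports[inside][out_port] += 1
    return [(ip, n, len(dests[ip]), ports[ip].most_common(1)[0][0])
            for ip, n in count.most_common()]

def suspects(text, min_entries=20, min_share=0.5):
    """Hosts holding an outsized share of the table (thresholds are assumptions)."""
    ranked = rank_hosts(text)
    total = sum(n for _, n, _, _ in ranked)
    return [ip for ip, n, _, _ in ranked if n >= min_entries and n / total >= min_share]

if __name__ == "__main__":
    for ip, n, d, port in rank_hosts(build_sample()):
        print(f"{ip:<12} entries={n:<4} distinct_dests={d:<4} top_port={port}")
    print("suspect:", suspects(build_sample()))
```

A host that owns most of the table and spreads its entries across many distinct outside addresses on a single port is the one to match against DHCP leases first.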