This was how I tackled it:
1) Create an access-list that blocks traffic from coming into tcp port 80
    ip access-list extended deny-port-80
    deny tcp any any eq 80
    permit ip any any
2) Apply the access-list onto all your router's interfaces for incoming traffic
    ip access-group deny-port-80 in
3) After you've done all that and are looking to find the infected host,
on each interface, disable the above access-list and enable
"ip route-cache flow", then get out of config mode and perform a "show ip
cache flow". You will be able to see certain traffic that is from a single
source to multiple different destinations on port 80 (reflected as 0050 under
destination port).
4) Get out there and patch the infected host !!!!!
Good luck.
----- Original Message -----
From: "Erick B."
To: "Ron Tan" ;
Sent: Saturday, August 18, 2001 11:32 PM
Subject: Re: please tell me what is "ip input" process?it cost me more [7:16457]
> Can you post your config (clean up IP info)?
>
> --- Ron Tan wrote:
> > looks like you've got the code red worm running wild
> > on your network.
> >
> > Refer to:
> >
> > http://www.cisco.com/warp/customer/63/ts_codred_worm.shtml
> >
> > ----- Original Message -----
> > From: "cslx"
> > To:
> > Sent: Saturday, August 18, 2001 9:56 PM
> > Subject: please tell me what is "ip input" process?it cost me more than [7:16455]
> >
> >
> > > CPU utilization for five seconds: 99%/3%; one minute: 99%; five minutes: 99%
> > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> > > 23 18762964 280084 66991 81.81% 92.45% 92.58% 0 IP Input
> > > it makes my network so slow, how can I resolve the problem?
> > > thanks
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16482&t=16482
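
The check described in step 3 of the reply above, as an added example that is not part of the original thread: it parses pasted "show ip cache flow" output and lists sources with TCP port 80 (0050) flows to many distinct destinations. The sample output, its addresses and the min_dests threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of "show ip cache flow" output (not from the original
# post). Pr and the ports are hexadecimal: 06 = TCP, 0050 = port 80.
SAMPLE = """\
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
TCP-WWW           9120      2.1         3    48      6.3       0.4       8.1

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         10.1.1.23       Se0/0         198.51.100.14   06 0C21 0050     3
Et0/0         10.1.1.23       Se0/0         203.0.113.77    06 0C22 0050     3
Et0/0         10.1.1.23       Se0/0         192.0.2.201     06 0C23 0050     3
Et0/0         10.1.1.23       Se0/0         198.51.100.9    06 0C24 0050     3
Et0/0         10.1.1.23       Se0/0         203.0.113.140   06 0C25 0050     3
Et0/0         10.1.1.23       Se0/0         192.0.2.66      06 0C26 0050     3
Et0/0         10.1.1.40       Se0/0         192.0.2.10      06 0D01 0050    41
Et0/0         10.1.1.40       Se0/0         192.0.2.11      06 0D02 0050    17
Et0/0         10.1.1.40       Se0/0         192.0.2.53      11 0D03 0035     1
"""


def parse_flows(text):
    """Yield (src, dst, protocol, dst_port) for each flow record line."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8:
            continue
        try:
            src = ipaddress.ip_address(cols[1])
            dst = ipaddress.ip_address(cols[3])
            yield str(src), str(dst), int(cols[4], 16), int(cols[6], 16)
        except ValueError:
            continue  # header or summary line, not a flow record


def port80_fanout(text, min_dests=5):
    """Sources with TCP/80 flows to >= min_dests hosts (assumed threshold)."""
    dests = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        if proto == 6 and dport == 80:
            dests[src].add(dst)
    hits = [(s, len(d)) for s, d in dests.items() if len(d) >= min_dests]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for src, count in port80_fanout(SAMPLE):
        print(f"{src}: port 80 flows to {count} distinct destinations")
```

A host browsing a couple of web servers (10.1.1.40 in the sample) stays under the threshold, while the host fanning out to many destinations on 0050 is reported.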