ATP Alert with 127.0.0.1 as source and destination to server.aeinow.com

At a customer site I received the following alert:

messageid="18010" log_type="ATP" log_component="DNS" log_subtype="Drop" user="" protocol="UDP" src_port="47832" dst_port="53" src_ip="127.0.0.1" dst_ip="127.0.0.1" url="server.aeinow.com" threat="C2/Virut-A" event_id="2FEE641E-F51B-44E5-A46F-938ED5AA4352" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""


How can we identify the source of this packet?

  • As it is 127.0.0.1, there could be some reason behind it.

    One of the internal services is asking for this domain. In most cases, this is an Email Cluster, or the customer created this domain in his setup as a FQDN Service.

    Could you quickly look at the MTA for this time frame, to see if there is something?
    Or does the customer have a FQDN Host created for this server?