Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 27 subscribers
  • Views 963 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ATP Alert with 127.0.0.1 as source an destination to server.aeinow.com

Daniels_UTM

At a customer side i recieved the following alert:

messageid="18010" log_type="ATP" log_component="DNS" log_subtype="Drop" user="" protocol="UDP" src_port="47832" dst_port="53" src_ip="127.0.0.1" dst_ip="127.0.0.1" url="server.aeinow.comthreat="C2/Virut-A" event_id="2FEE641E-F51B-44E5-A46F-938ED5AA4352" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""

 

How can we identify the source of this packet?



This thread was automatically locked due to age.
Parents
  • 0

    As it is 127.0.0.1, there could be some reason behind it. 

    One of the internal services asking for this Domain. In most cases, this is a Email Cluster or the customer created this domain in his setup as a FQDN Service. 

    Could you quickly look at the MTA to this time frame, if there is something? 
    Or does the customer has a FQDN Host created for this server? 

Reply
  • 0

    As it is 127.0.0.1, there could be some reason behind it. 

    One of the internal services asking for this Domain. In most cases, this is a Email Cluster or the customer created this domain in his setup as a FQDN Service. 

    Could you quickly look at the MTA to this time frame, if there is something? 
    Or does the customer has a FQDN Host created for this server? 

Children
No Data