
STAS/Outgoing traffic strange IP Addresses

Hi, 

because of another issue, I recognized those DCOM events with ID 10028 on my DC from STAS. After deeper investigation I saw a lot of unknown private IP addresses in those events. In the Firewall Log they are tracked as outgoing over WAN. My net is 192.168.0.0/24. Where are those IPs from? What's going on here?

DC/DNS: 192.168.0.100

SophosXG 192.168.0.1

Here are some Logs:

Eventlog:
DCOM was unable to communicate with the computer 100.87.48.96 using any of the configured protocols; requested by PID 36a4 (C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite\stas.exe), while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.

STAS Log:

DEBUG [0x5078] 29.07.2021 08:29:01 : net_recvfrom: 20 bytes received
DEBUG [0x5078] 29.07.2021 08:29:01 : SSO_server_RecvReqCR: 20 bytes received
DEBUG [0x5078] 29.07.2021 08:29:01 : convert_netaddr_to_str: IP Address String: 192.168.0.1:34799
MSG [0x5078] 29.07.2021 08:29:01 : SSO_server_RecvReqCR: received message code 11
DEBUG [0x5078] 29.07.2021 08:29:01 : SSO_server_RecvReqCR: packet size: 20
DEBUG [0x5078] 29.07.2021 08:29:01 : SSO_server_handle_wrkstpoll_req: Request Type: Workstation-Poll
DEBUG [0x5078] 29.07.2021 08:29:01 : SSOclient_filter_CR_subnet: Entering filter function
DEBUG [0x5078] 29.07.2021 08:29:01 : SSOclient_filter_CR_subnet: authnet not specified, send request to XG
MSG [0x5078] 29.07.2021 08:29:01 : SSO_server_handle_wrkstpoll_req: Workstation IP: 100.87.48.96
DEBUG [0x5078] 29.07.2021 08:29:01 : userdb_process_known_userinfo: select query: SELECT * FROM UserInfo WHERE wrkst_ip=='100.87.48.96';
DEBUG [0x5078] 29.07.2021 08:29:01 : SSO_server_handle_wrkstpoll_req: no matched userinfo found
DEBUG [0x5078] 29.07.2021 08:29:01 : threadpool_run: Submitting Function 0x456c10
DEBUG [0x5078] 29.07.2021 08:29:01 : threadpool_run: adding function at tail
DEBUG [0x5078] 29.07.2021 08:29:01 : list_add_tail: first element added
DEBUG [0x5078] 29.07.2021 08:29:01 : threadpool_run: get free thread: ThreadID: 0x3b54
DEBUG [0x5078] 29.07.2021 08:29:01 : SSO_server_handle_wrkstpoll_req: callback submitted
DEBUG [0x3b54] 29.07.2021 08:29:01 : threadpool_threadproc: New Function added
DEBUG [0x3b54] 29.07.2021 08:29:01 : list_remove_head: last element removed
DEBUG [0x3b54] 29.07.2021 08:29:01 : threadpool_get_threadproc: Function 0x456c10
DEBUG [0x3b54] 29.07.2021 08:29:01 : threadpool_threadproc: Executing Function 0x456c10
DEBUG [0x3b54] 29.07.2021 08:29:01 : wrkstpoll_workerthread_wmi: connecting to WMI Namespace '\\100.87.48.96\root\cimv2'
MSG [0x3b54] 29.07.2021 08:29:01 : wrkstpoll_workerthread_wmi: username:mydomain\myadministrator

Firewall Log:
(screenshot not included in this copy)

Resource Monitor (another IP in the meantime :) ):
(screenshot not included in this copy)
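Read as a sequence, the trace in the post shows the mechanism behind the events: the XG (192.168.0.1) sends STAS a workstation-poll request for an IP, STAS finds no cached user for that IP, forwards the poll because no authentication network ("authnet") is configured, and then opens a WMI/DCOM session to that IP with the configured domain account; when the address is unreachable, the DC logs DCOM event 10028. The script below is an added example, not code from the original post or from Sophos. It takes a STAS debug log and DCOM event texts, extracts every IP STAS tried to poll, and checks each one against the LAN. It assumes 192.168.0.0/24 from the post is the only range STAS should legitimately poll; the sample log lines are the ones quoted above (trimmed), and the DCOM event text is the English wording of the quoted German message. 100.64.0.0/10 is the RFC 6598 shared address space used for carrier-grade NAT, so a poll target in that range is almost certainly not a domain-joined workstation on the LAN.

```python
import ipaddress
import re

# Assumption: the poster's LAN, 192.168.0.0/24, is the only network whose hosts STAS should ever poll.
LAN_NETS = [ipaddress.ip_network("192.168.0.0/24")]
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, carrier-grade NAT range

# Constructed sample input: the STAS debug lines quoted in the post, trimmed to those the audit reads.
SAMPLE_STAS_LOG = r"""
DEBUG [0x5078] 29.07.2021 08:29:01 : convert_netaddr_to_str: IP Address String: 192.168.0.1:34799
DEBUG [0x5078] 29.07.2021 08:29:01 : SSO_server_handle_wrkstpoll_req: Request Type: Workstation-Poll
DEBUG [0x5078] 29.07.2021 08:29:01 : SSOclient_filter_CR_subnet: authnet not specified, send request to XG
MSG [0x5078] 29.07.2021 08:29:01 : SSO_server_handle_wrkstpoll_req: Workstation IP: 100.87.48.96
DEBUG [0x5078] 29.07.2021 08:29:01 : SSO_server_handle_wrkstpoll_req: no matched userinfo found
DEBUG [0x3b54] 29.07.2021 08:29:01 : wrkstpoll_workerthread_wmi: connecting to WMI Namespace '\\100.87.48.96\root\cimv2'
MSG [0x3b54] 29.07.2021 08:29:01 : wrkstpoll_workerthread_wmi: username:mydomain\myadministrator
"""

# Constructed sample input: the DCOM event 10028 from the post, in its English wording.
SAMPLE_DCOM_EVENTS = [
    r"DCOM was unable to communicate with the computer 100.87.48.96 using any of the configured protocols; "
    r"requested by PID 36a4 (C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite\stas.exe), "
    r"while activating CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820}.",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
POLL_RE = re.compile(r"Workstation IP: " + IPV4)                       # poll target reported by the XG
WMI_RE = re.compile(r"connecting to WMI Namespace '\\\\" + IPV4 + r"\\")  # host STAS actually reached out to
NO_USER_RE = re.compile(r"no matched userinfo found")                  # no cached logon for that IP
AUTHNET_OFF_RE = re.compile(r"SSOclient_filter_CR_subnet: authnet not specified")
DCOM_RE = re.compile(r"unable to communicate with the computer " + IPV4)


def _entry(targets, ip):
    return targets.setdefault(ip, {"sources": set(), "known_user": None,
                                   "wmi_attempted": False, "dcom_failed": False})


def authnet_filter_active(stas_log):
    """False when STAS logs that no authentication network is configured, i.e. every poll is forwarded."""
    return AUTHNET_OFF_RE.search(stas_log) is None


def classify(ip, local_nets=LAN_NETS):
    """Say where a polled address belongs relative to the LAN STAS is supposed to serve."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in local_nets):
        return "inside authentication network"
    if addr in SHARED_ADDRESS_SPACE:
        return "shared address space (RFC 6598, 100.64.0.0/10)"
    if addr.is_private:
        return "private (RFC 1918) but outside authentication network"
    if addr.is_global:
        return "public"
    return "special-purpose"


def audit_poll_targets(stas_log, dcom_events, local_nets=LAN_NETS):
    """One finding per polled IP: who mentioned it, what STAS did with it, and whether it belongs on the LAN."""
    targets = {}
    current = None  # the poll target the following 'no matched userinfo' line refers to
    for line in stas_log.splitlines():
        if m := POLL_RE.search(line):
            current = m.group(1)
            _entry(targets, current)["sources"].add("stas-poll")
        elif NO_USER_RE.search(line) and current:
            _entry(targets, current)["known_user"] = False
        elif m := WMI_RE.search(line):
            _entry(targets, m.group(1))["wmi_attempted"] = True
    for event in dcom_events:
        for ip in DCOM_RE.findall(event):
            e = _entry(targets, ip)
            e["sources"].add("dcom-10028")
            e["dcom_failed"] = True
    return [dict(ip=ip, scope=classify(ip, local_nets), **info)
            for ip, info in sorted(targets.items(), key=lambda kv: ipaddress.ip_address(kv[0]))]


if __name__ == "__main__":
    if not authnet_filter_active(SAMPLE_STAS_LOG):
        print("STAS has no authentication network configured: it will WMI-poll any IP the XG reports.")
    for f in audit_poll_targets(SAMPLE_STAS_LOG, SAMPLE_DCOM_EVENTS):
        flag = "OK " if f["scope"] == "inside authentication network" else "!! "
        print(f"{flag}{f['ip']:<16} {f['scope']:<55} sources={sorted(f['sources'])} "
              f"known_user={f['known_user']} wmi={f['wmi_attempted']} dcom_failed={f['dcom_failed']}")
```

The "authnet not specified" line is the detail that matters: without an authentication-network restriction, STAS forwards every poll the XG generates and then attempts a WMI logon to that address with the service account, which is the likely reason a non-LAN address shows up as outgoing WAN traffic from the DC. The script only flags such targets; restricting polling to the LAN subnets in the STAS configuration is what stops the agent from reaching out to them.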


