
An attempt to communicate with a botnet or command and control server has been detected.

I found some malware on a client PC not long ago, which we discussed at length in this thread: https://community.sophos.com/intercept-x-endpoint/f/discussions/132693/mal-polazert-a-removal/491955#491955.

Intercept X is deployed throughout the network for our last client getting these reports of 'An attempt to communicate with a botnet or command and control server has been detected' from the XG firewall. Not once has Intercept X detected malicious software or any alerts for this one client, yet the log file gets 4-5 entries per day like this in the screenshot:

The 52. and 54. servers you see are two we use from WebTitan for DNS filtering. Those appear in AD DNS, but the XG is configured for the two from OpenDNS. This leads me to believe the traffic is coming from inside the network and filtering through the AD DNS servers.

I enabled Sysmon DNS to capture the traffic, but that isn't converting these requests to an IP on the network after the 25.6. The 25.6 IP address is the domain controller/DNS server for this client. It is a small office, so the only DC/DNS server in the network.

I am at a loss to figure out where this traffic is coming from and how I can stop it. I have some DNS logs I have captured, but I'd rather not post these up here. I can't figure out how to trace the traffic from 25.6 to see what on the network is making the call to this bad website. I looked up the website. It's been cleaned up, but something in this client network is still making calls to it.

Are there some folks among us who could help me sort this out please? I can provide more details and DNS logs from the DC.

-Mike



  • What you need to do: XG Firewall has detected and possibly blocked this traffic. It is recommended that you configure the firewall to block these events if it is not already configured to do so. Under the Advanced threat menu, check that the policy is set to "Log and Drop". If it is already set to drop these events, then no further action is needed.


  • I've already done that.

    This happens 9, 10, sometimes more times per day. While I'm glad the traffic is being blocked, we need to know which device on the network is making calls to this former C&C server.

    -Mike

  • I assume it's not the FQDN that ATP is detecting as C&C but the IP replied from public DNS back to the DCs.

    If the XG is routing (can see) the DNS traffic from your devices, I'd tcpdump on the XG like this:

    SFOS 18.5.2 MR-2-Build380# tcpdump -i any port 53 -nvv | grep virusdomain > /tmp/tcpdump_virusdomain.log

    Give it a chance to catch the traffic.

  • Thank you for the tip. I created the command for this issue, tcpdump -i any port 53 -nvv | grep vxvhwcixcxqxd > /tmp/tcpdump_vxvhwcixcxqxd.log, and ran it from the XG115. We are on build 380 like you are.

    Now I'll wait to see when it happens again. If I miss it happen in real time, is there a way to download/export that log and view it later?

    -Mike

  • Yes, you can connect to the XG with SCP tools, or you can view the file

    /tmp/tcpdump_vxvhwcixcxqxd.log

    on CLI with

    cat /tmp/tcpdump_vxvhwcixcxqxd.log

    It's only logging to a text file, not a tcpdump capture file you can load into Wireshark.

  • Well then. After about 15 minutes the SSH connection (using putty) timed out and went inactive.

    I started it again.

    -Mike

  • I finally captured some of the traffic. The log file is attached. I am unsure what is going on though.

    Here is a screenshot of the interfaces since one of them is called out in the log file:

    XG115_XN03_SFOS 18.5.2 MR-2-Build380# cat /tmp/tcpdump_vxvhwcixcxqxd.log
        127.0.0.1.6022 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xba6d!] 37265+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.6022: [bad udp cksum 0xfe3f -> 0x35ea!] 37265 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.42226 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x683c!] 22102+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.42226: [bad udp cksum 0xfe3f -> 0xe3b8!] 22102 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.33087 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x87eb!] 23130+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.33087: [bad udp cksum 0xfe3f -> 0x0368!] 23130 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.38368 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xdab1!] 62194+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.38368: [bad udp cksum 0xfe3f -> 0x562e!] 62194 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.42471 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xf8d8!] 50372+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.42471: [bad udp cksum 0xfe3f -> 0x7455!] 50372 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.30749 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x30ad!] 47802+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.30749: [bad udp cksum 0xfe3f -> 0xac29!] 47802 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.52948 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x8fab!] 1285+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.52948: [bad udp cksum 0xfe3f -> 0x0b28!] 1285 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.59258 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x4ad9!] 12593+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.59258: [bad udp cksum 0xfe3f -> 0xc655!] 12593 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.21010 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x5bbd!] 46517+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.21010: [bad udp cksum 0xfe3f -> 0xd739!] 46517 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.34458 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x8593!] 22359+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.34458: [bad udp cksum 0xfe3f -> 0x0110!] 22359 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.25950 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x567f!] 42919+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.25950: [bad udp cksum 0xfe3f -> 0xd1fb!] 42919 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.45302 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xeeca!] 50115+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.45302: [bad udp cksum 0xfe3f -> 0x6a47!] 50115 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.51572 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xdf55!] 47802+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.51572: [bad udp cksum 0xfe3f -> 0x5ad2!] 47802 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.18470 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xaff3!] 27499+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.18470: [bad udp cksum 0xfe3f -> 0x2b70!] 27499 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.53149 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xe033!] 46003+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.53149: [bad udp cksum 0xfe3f -> 0x5bb0!] 46003 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.51669 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xa4ba!] 62708+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.51669: [bad udp cksum 0xfe3f -> 0x2037!] 62708 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.60209 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xebc6!] 35980+ A? vxvhwcixcxqxd.info. (36)
        10.1.10.118.37389 > 208.67.222.222.53: [udp sum ok] 54382+ A? vxvhwcixcxqxd.info. (36)
        208.67.222.222.53 > 10.1.10.118.37389: [udp sum ok] 54382 NXDomain q: A? vxvhwcixcxqxd.info. 0/1/0 ns: info. SOA a0.info.afilias-nst.info. hostmaster.donuts.email. 1648662745 7200 900 1209600 3600 (115)
        127.0.0.1.53 > 127.0.0.1.60209: [bad udp cksum 0xfe3f -> 0x6743!] 35980 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.57885 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x896f!] 63479+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.57885: [bad udp cksum 0xfe3f -> 0x04ec!] 63479 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.16671 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x5fa3!] 49858+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.16671: [bad udp cksum 0xfe3f -> 0xdb1f!] 49858 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.60412 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xf202!] 34181+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.60412: [bad udp cksum 0xfe3f -> 0x6d7f!] 34181 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.47926 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x08af!] 40863+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.47926: [bad udp cksum 0xfe3f -> 0x842b!] 40863 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.41316 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x5fbe!] 25186+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.41316: [bad udp cksum 0xfe3f -> 0xdb3a!] 25186 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.55326 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x3611!] 21845+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.55326: [bad udp cksum 0xfe3f -> 0xb18d!] 21845 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.44249 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xe9de!] 52428+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.44249: [bad udp cksum 0xfe3f -> 0x655b!] 52428 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.52323 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xb43e!] 58082+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.52323: [bad udp cksum 0xfe3f -> 0x2fbb!] 58082 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.62499 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x0f01!] 24672+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.62499: [bad udp cksum 0xfe3f -> 0x8a7d!] 24672 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        192.168.25.6.56204 > 52.9.90.57.53: [udp sum ok] 32648+ [1au] A? vxvhwcixcxqxd.com. ar: . OPT UDPsize=4000 DO (46)
        10.1.10.118.56204 > 52.9.90.57.53: [udp sum ok] 32648+ [1au] A? vxvhwcixcxqxd.com. ar: . OPT UDPsize=4000 DO (46)
        52.9.90.57.53 > 10.1.10.118.56204: [udp sum ok] 32648 q: A? vxvhwcixcxqxd.com. 2/0/0 vxvhwcixcxqxd.com. A 192.73.252.18, vxvhwcixcxqxd.com. A 192.73.252.25 (67)
        52.9.90.57.53 > 192.168.25.6.56204: [udp sum ok] 32648 q: A? vxvhwcixcxqxd.com. 2/0/0 vxvhwcixcxqxd.com. A 192.73.252.18, vxvhwcixcxqxd.com. A 192.73.252.25 (67)
        192.168.25.6.55515 > 52.9.90.57.53: [udp sum ok] 30675+ [1au] AAAA? vxvhwcixcxqxd.com. ar: . OPT UDPsize=4000 DO (46)
        10.1.10.118.55515 > 52.9.90.57.53: [udp sum ok] 30675+ [1au] AAAA? vxvhwcixcxqxd.com. ar: . OPT UDPsize=4000 DO (46)
        52.9.90.57.53 > 10.1.10.118.55515: [udp sum ok] 30675 q: AAAA? vxvhwcixcxqxd.com. 2/0/0 vxvhwcixcxqxd.com. AAAA 2607:f740:0:3f::1d0, vxvhwcixcxqxd.com. AAAA 2607:f740:0:3f::1c7 (91)
        52.9.90.57.53 > 192.168.25.6.55515: [udp sum ok] 30675 q: AAAA? vxvhwcixcxqxd.com. 2/0/0 vxvhwcixcxqxd.com. AAAA 2607:f740:0:3f::1d0, vxvhwcixcxqxd.com. AAAA 2607:f740:0:3f::1c7 (91)
        127.0.0.1.41099 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xe81e!] 56026+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.41099: [bad udp cksum 0xfe3f -> 0x639b!] 56026 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.59172 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x7357!] 2313+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.59172: [bad udp cksum 0xfe3f -> 0xeed3!] 2313 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.17804 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x2c07!] 61937+ A? vxvhwcixcxqxd.info. (36)
        127.0.0.1.53 > 127.0.0.1.17804: [bad udp cksum 0xfe3f -> 0xa783!] 61937 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
        127.0.0.1.55261 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xf40f!] 38807+ A? vxvhwcixcxqxd.info.

    -Mike

  • Hi,

    At least these internal clients are trying to resolve the URL. Probably some more. You need to remove the malware from them.

    10.1.10.118
    192.168.25.6

    They are trying to use external DNS servers.

    You should disallow your clients from using public DNS servers and force them to use your XG firewall or another internal server as DNS resolver. That's the only way you can see what's going on in your network.

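To turn a capture in the format posted above into an answer to "which device is making these lookups", here is an added Python example (my own code, not from the thread or from Sophos) that parses the query lines of `tcpdump -i any port 53 -nvv | grep <label>` output and attributes each query to its origin: loopback queries are the XG's own resolver (the later replies trace these to an FQDN host object), queries from LAN addresses are the hosts to inspect, and a query that reappears from the firewall's own address with the same transaction ID and source port, as the 192.168.25.6 / 10.1.10.118 pair in the capture does, I treat as the same packet after NAT rather than a second client. The sample lines and the firewall address 10.1.10.118 are taken from the thread; the function names and the NAT interpretation are my assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address

# One query line of `tcpdump -i any port 53 -nvv | grep <label>` output, e.g.
#   10.1.10.118.37389 > 208.67.222.222.53: [udp sum ok] 54382+ A? vxvhwcixcxqxd.info. (36)
# Only queries match (destination port 53, txid followed by '+'); responses are skipped.
QUERY_RE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \[[^\]]*\] (?P<txid>\d+)\+ (?:\[1au\] )?"
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

# Constructed sample in the thread's capture format (a few lines, not the full log).
SAMPLE_LOG = """\
127.0.0.1.6022 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xba6d!] 37265+ A? vxvhwcixcxqxd.info. (36)
127.0.0.1.53 > 127.0.0.1.6022: [bad udp cksum 0xfe3f -> 0x35ea!] 37265 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
127.0.0.1.60209 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xebc6!] 35980+ A? vxvhwcixcxqxd.info. (36)
10.1.10.118.37389 > 208.67.222.222.53: [udp sum ok] 54382+ A? vxvhwcixcxqxd.info. (36)
208.67.222.222.53 > 10.1.10.118.37389: [udp sum ok] 54382 NXDomain q: A? vxvhwcixcxqxd.info. 0/1/0 (115)
192.168.25.6.56204 > 52.9.90.57.53: [udp sum ok] 32648+ [1au] A? vxvhwcixcxqxd.com. ar: . OPT UDPsize=4000 DO (46)
10.1.10.118.56204 > 52.9.90.57.53: [udp sum ok] 32648+ [1au] A? vxvhwcixcxqxd.com. ar: . OPT UDPsize=4000 DO (46)
52.9.90.57.53 > 192.168.25.6.56204: [udp sum ok] 32648 q: A? vxvhwcixcxqxd.com. 2/0/0 vxvhwcixcxqxd.com. A 192.73.252.18 (67)
"""

XG_ADDRS = {"10.1.10.118"}  # the firewall's own address, as stated in the thread


def parse_queries(text):
    """Return one dict (src, sport, dst, txid, qtype, qname) per DNS query line."""
    return [m.groupdict() for m in map(QUERY_RE.match, text.splitlines()) if m]


def _is_lan(src, firewall_addrs):
    """RFC1918 source that is neither loopback nor the firewall itself."""
    ip = ip_address(src)
    return ip.is_private and not ip.is_loopback and src not in firewall_addrs


def attribute_queries(text, firewall_addrs, label):
    """Count queries whose name contains `label`, keyed by (source IP, qname), under
    'firewall_resolver' (loopback: the XG resolving the name itself, e.g. for an FQDN
    host object), 'lan_devices' (internal hosts to inspect) or 'firewall_forward'
    (queries from a firewall address that are not the NATed copy of a LAN query).
    """
    queries = [q for q in parse_queries(text) if label in q["qname"].lower()]
    # A LAN query reappears from the firewall address with the same txid and source
    # port once NAT has rewritten it; remember those so they are not counted twice.
    lan_keys = {(q["txid"], q["sport"], q["qname"]) for q in queries
                if _is_lan(q["src"], firewall_addrs)}
    out = {"firewall_resolver": Counter(), "lan_devices": Counter(), "firewall_forward": Counter()}
    for q in queries:
        src, key = q["src"], (q["src"], q["qname"].rstrip(".").lower())
        if ip_address(src).is_loopback:
            out["firewall_resolver"][key] += 1
        elif src in firewall_addrs:
            if (q["txid"], q["sport"], q["qname"]) not in lan_keys:
                out["firewall_forward"][key] += 1
        elif _is_lan(src, firewall_addrs):
            out["lan_devices"][key] += 1
    return out
```

Run it over the saved /tmp/tcpdump_*.log instead of SAMPLE_LOG and anything under 'lan_devices' is a host to look at; the loopback count on its own only tells you the firewall resolved the name.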

  • 192.168.25.6 is the DNS server for the network. It's a 2012 R2 server. I have Intercept X Advanced installed, as it is on the other 14 computers in this office. So far, it has not detected any malicious/suspicious software as I thought it would for whatever is generating this traffic.

    10.1.10.118 is assigned to the XG.

    -Mike

  • This traffic keeps showing up multiple times per day. I am unable to pinpoint the source. Are there any thoughts on what I can check next?

    127.0.0.1.45434 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x82db!] 12079+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.45434: [bad udp cksum 0xfe3f -> 0xfe57!] 12079 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.36926 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x37ab!] 39835+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.36926: [bad udp cksum 0xfe3f -> 0xb327!] 39835 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.29143 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x8541!] 27756+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.29143: [bad udp cksum 0xfe3f -> 0x00be!] 27756 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.16442 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xf41b!] 12079+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.16442: [bad udp cksum 0xfe3f -> 0x6f98!] 12079 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.33411 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x7a9b!] 26214+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.33411: [bad udp cksum 0xfe3f -> 0xf617!] 26214 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.34296 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x7625!] 26471+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.34296: [bad udp cksum 0xfe3f -> 0xf1a1!] 26471 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.40827 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x9ce2!] 10023+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.40827: [bad udp cksum 0xfe3f -> 0x185f!] 10023 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.50504 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x7b19!] 8995+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.50504: [bad udp cksum 0xfe3f -> 0xf695!] 8995 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.29813 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x5071!] 40606+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.29813: [bad udp cksum 0xfe3f -> 0xcbed!] 40606 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.27048 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x5437!] 42405+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.27048: [bad udp cksum 0xfe3f -> 0xcfb3!] 42405 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.36083 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xe09b!] 62965+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.36083: [bad udp cksum 0xfe3f -> 0x5c18!] 62965 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.41452 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x14ec!] 44204+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.41452: [bad udp cksum 0xfe3f -> 0x9068!] 44204 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.48354 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xf0ec!] 46517+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.48354: [bad udp cksum 0xfe3f -> 0x6c69!] 46517 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.43776 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xbf8b!] 63736+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.43776: [bad udp cksum 0xfe3f -> 0x3b08!] 63736 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.58741 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x2bbd!] 21074+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.58741: [bad udp cksum 0xfe3f -> 0xa739!] 21074 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.9447 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x81e1!] 48316+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.9447: [bad udp cksum 0xfe3f -> 0xfd5d!] 48316 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.33367 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0xea36!] 63222+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.33367: [bad udp cksum 0xfe3f -> 0x65b3!] 63222 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0 (36)
    127.0.0.1.37847 > 127.0.0.1.53: [bad udp cksum 0xfe3f -> 0x9b79!] 13364+ A? vxvhwcixcxqxd.info. (36)
    127.0.0.1.53 > 127.0.0.1.37847: [bad udp cksum 0xfe3f -> 0x16f6!] 13364 NXDomain* q: A? vxvhwcixcxqxd.info. 0/0/0

    -Mike

  • This looks like the XG is resolving the virus hosts on its own.

    Do you have this host as FQDN Host in your firewall configuration? If yes, the XG will resolve it from time to time.

    Eventually you have created a block rule to that host?

    BTW: you don't need to care about the bad checksum.

  • Yes, I did find it there.

    I don't know how it got on this list.

    Does this mean it is only the firewall trying to resolve the address, and not malware on the client network?

    It tries to resolve 5-10 times per day, sometimes more, only when the client office is open for business.

    If I remove it from here, will it stop the alerts?

    -Mike

  • Someone created it manually.

    I'd remove it from there, but first check if there is a firewall rule referencing this host. I assume there is one. Check with your team if it's OK to delete it.

    Have you re-configured your clients not to use 8.8.8.8 as DNS but your firewall or other internal DNS?

    You asked:

    Does this mean it is (only) the firewall trying to resolve the address: YES

    and not malware on the client network?: PROBABLY not -> you need to continue tcpdump for that host

  • All endpoints in the network point to the domain controller which is also the only DNS server in the network, the 192.168.25.6 address. The DNS server uses 52.9.90.57, 54.241.17.112, then also 8.8.8.8. The XG is using those same three DNS servers.

    My plan will be to remove this entry, and any rule referring to it. There is one other person who manages this firewall with me who has confirmed he did not create a rule for this .info address and does not see a need for it.

    I will run the tcpdump throughout the day and wait to see if I get an alert from Sophos Central.

    Thank you for helping me get this far.

    -Mike

  • You can check the admin log in the live viewer to see who created it (if not the "admin" user), but do not expect too much: it only goes back 2 or 3 days. Is your firewall reporting to Sophos Central? You could use the report generator on Central to check older logs.
