An attempt to communicate with a botnet or command and control server has been detected.

Hi Everyone!

Can anyone help me?

I received several reports from XG Firewall that an attempt to communicate with a botnet or command and control server has been detected.

The source IPs are Google's DNS (8.8.8.8 and 8.8.4.4) and my DNS servers (203.167.97.66 and 203.167.97.200).

The threat URL/IP is superyou.zapto.org.

I tried checking the IP of superyou.zapto.org so that I can block it on my firewall, but to no avail.



Hi,

If any end machine behind XG generates traffic to that malicious domain, an alert may be triggered by ATP. If XG is not set as the DNS server on the end machine, you may see the source as those DNS IPs in place of the actual source IP. Here the ATP action is "Log & Drop", so no IP-based rule is required to drop it. Also, capturing a TCPDUMP on the DNS port may give the actual source if the DNS request is routed via XG. Once you get the source machine, you may scan it with antivirus software, remove unwanted apps, or re-install the OS with only the necessary software, etc.



    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

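The reply above suggests capturing DNS traffic on the firewall to find which internal host actually queried the flagged domain, since the ATP alert only shows the resolver's address. The script below is an added example (not from the thread or from Sophos) of doing that triage step offline: it parses the text that `tcpdump -n port 53` prints and lists every client that asked for superyou.zapto.org or one of its subdomains, together with the resolver it used. The capture lines are constructed for this example, and the 192.168.10.x client addresses and the 203.0.113.77 answer are hypothetical; only the domain and the resolver addresses come from the original post.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n port 53` text output (hypothetical hosts, not a real capture).
# The 192.168.10.x clients and the 203.0.113.77 answer are invented; resolver IPs are from the post.
SAMPLE_TCPDUMP = """\
10:15:01.100123 IP 192.168.10.23.51234 > 8.8.8.8.53: 41239+ A? superyou.zapto.org. (36)
10:15:01.120456 IP 8.8.8.8.53 > 192.168.10.23.51234: 41239 1/0/0 A 203.0.113.77 (52)
10:15:02.300789 IP 192.168.10.41.49876 > 203.167.97.66.53: 1001+ A? www.example.com. (33)
10:15:03.400111 IP 192.168.10.23.51235 > 8.8.4.4.53: 41240+ AAAA? SuperYou.zapto.org. (36)
10:15:04.500222 IP 192.168.10.77.53011 > 203.167.97.200.53: 2002+ A? update.superyou.zapto.org. (43)
10:15:05.600333 IP 192.168.10.41.49877 > 8.8.8.8.53: 1002+ A? zapto.org. (27)
"""

# Matches the query lines tcpdump prints for UDP port-53 traffic; response lines
# (which carry "1/0/0 A ..." instead of "A? name") deliberately do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def matches_domain(qname, domain):
    """True if qname is the domain itself or a subdomain of it.

    Comparison is case-insensitive and ignores the trailing dot tcpdump prints,
    so 'SuperYou.zapto.org.' and 'update.superyou.zapto.org.' both match while
    the parent 'zapto.org.' does not.
    """
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def find_querying_clients(tcpdump_text, domain):
    """Map each client IP to the queries it sent for the domain.

    Returns {client_ip: [(timestamp, resolver_ip, qtype, qname), ...]}.
    Only lines sent *to* port 53 are considered, so the client is always the
    source address and the resolver the destination.
    """
    clients = {}
    for line in tcpdump_text.splitlines():
        m = QUERY_RE.match(line)
        if not m or m.group("dport") != "53":
            continue
        if not matches_domain(m.group("qname"), domain):
            continue
        clients.setdefault(m.group("src"), []).append(
            (m.group("ts"), m.group("dst"), m.group("qtype"), m.group("qname"))
        )
    return clients


def summarize(clients):
    """Count queries per client, highest first, for a quick 'who to go look at' list."""
    return Counter({ip: len(queries) for ip, queries in clients.items()})


if __name__ == "__main__":
    hits = find_querying_clients(SAMPLE_TCPDUMP, "superyou.zapto.org")
    for ip, count in summarize(hits).most_common():
        print(f"{ip}: {count} query(ies)")
        for ts, resolver, qtype, qname in hits[ip]:
            print(f"    {ts} {qtype} {qname} via {resolver}")
```

On the firewall itself you would feed it real output, for example `tcpdump -n -i any port 53 > dns.txt` for a few minutes and then pass the file to `find_querying_clients`. If the clients resolve through XG rather than talking to 8.8.8.8 directly, the source addresses in the capture will still be the internal hosts, which is exactly the information the ATP alert was missing.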
