Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 1 reply
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 1199 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

An attempt to communicate with a botnet or command and control server has been detected.

Chris Anthony1

Hi Everyone!

Can anyone help me?

I received several reports from XG Firewall that an attempt to communicate with a botnet or command and control server has been detected.

The source IP is Google's DNS (8.8.8.8 and 8.8.4.4) and my DNS (203.167.97.66 and 203.167.97.200)

The threat URL/IP is superyou.zapto.org.

I tried checking the IP of the superyou.zapto.org so that I can block it on my firewall but no avail.



This thread was automatically locked due to age.
Parents
  • 0

    Hi : If any end machine behind XG generates traffic on that malicious domain then an alert may be triggered by ATP. If XG is not set as in DNS on the end machine in that case you may be able to see the source as in those DNS IPs in place of the actual source IP. Here ATP action is "Log & Drop" so no IP-based rule is required to drop it. Also Capturing TCPDUMP on the DNS port may give the actual source if the DNS request is routing via XG. Once you get the source machine you may scan it with antivirus software or may remove unwanted apps or may re-install the OS with only necessary software etc.



    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.

Reply
  • 0

    Hi : If any end machine behind XG generates traffic on that malicious domain then an alert may be triggered by ATP. If XG is not set as in DNS on the end machine in that case you may be able to see the source as in those DNS IPs in place of the actual source IP. Here ATP action is "Log & Drop" so no IP-based rule is required to drop it. Also Capturing TCPDUMP on the DNS port may give the actual source if the DNS request is routing via XG. Once you get the source machine you may scan it with antivirus software or may remove unwanted apps or may re-install the OS with only necessary software etc.



    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.

Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?