
ATP generating alerts for IP addresses outside of network.

Hey guys,

 

I'm wondering if anyone can help shed some light or otherwise help me understand what's going on here. The advanced threat protection module is reporting that it has detected botnet command and control traffic on one host; however, both the source and destination IPs are outside of our network. The alert looks like this:

The host IP address 195.62.53.168 is located in Russia, and the destination domain lock.bz is located in Ecuador (although it appears to be owned by a Russian). My question is: how does this traffic end up coming across our firewall (which is located in Texas) and generating an alert? It appears to be a TCP SYN packet destined for port 80, which would make sense for establishing a botnet connection; I just don't understand how our firewall ends up receiving it, being that the source and destination IPs are completely unrelated to us.

I've pasted an example from the firewall log below:

/var/log/packetfilter.log:2016:11:12-00:30:33 sophosdb-2 ulogd[29984]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="00:0c:db:e7:16:00" dstmac="00:1a:8c:f0:10:25" srcip="195.62.53.168" dstip="one.of.our.ips" proto="6" length="40" tos="0x00" prec="0x00" ttl="244" srcport="33597" dstport="80" tcpflags="SYN" 

 

Thanks!
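For anyone working through a log line like the one quoted above, the following is an added example (not part of the original post or of the Sophos product) that parses the ulogd key="value" format and checks each end of the connection against the organisation's own address ranges. The sample line is a constructed copy of the one in the post, with the placeholder "one.of.our.ips" replaced by 203.0.113.10 and 203.0.113.0/24 assumed to be the local public range; both are assumptions you would swap for your own values.

```python
import ipaddress
import re

# Constructed sample modelled on the ulogd packetfilter line quoted in the post.
# The post's placeholder "one.of.our.ips" is replaced here by 203.0.113.10
# (TEST-NET-3), an assumption made only so the line parses as a real address.
SAMPLE_LOG = (
    '2016:11:12-00:30:33 sophosdb-2 ulogd[29984]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
    'fwrule="60001" initf="eth5" srcmac="00:0c:db:e7:16:00" dstmac="00:1a:8c:f0:10:25" '
    'srcip="195.62.53.168" dstip="203.0.113.10" proto="6" length="40" tos="0x00" '
    'prec="0x00" ttl="244" srcport="33597" dstport="80" tcpflags="SYN"'
)

# Assumed: the organisation's own public range(s). Replace with your real prefixes.
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# ulogd writes every field as key="value"; the leading timestamp/host/pid are not.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line):
    """Return the key="value" fields of a ulogd packetfilter line as a dict."""
    return dict(KV_RE.findall(line))


def is_local(ip_text):
    """True if ip_text parses as an address inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Placeholders such as "one.of.our.ips" are not addresses; treat as unknown.
        return False
    return any(ip in net for net in LOCAL_NETS)


def classify(line):
    """Work out which side of the packet is ours and whether it is an unsolicited SYN."""
    f = parse_ulogd(line)
    src_local = is_local(f["srcip"])
    dst_local = is_local(f["dstip"])
    if not src_local and dst_local:
        direction = "inbound"
    elif src_local and not dst_local:
        direction = "outbound"
    elif src_local and dst_local:
        direction = "internal"
    else:
        # Neither end is ours: this is the case the post is asking about and
        # would need a separate explanation (NAT, transparent proxy, DNS data, etc.).
        direction = "transit"
    return {
        "direction": direction,
        "srcip": f["srcip"],
        "dstip": f["dstip"],
        "proto": int(f["proto"]),
        "dstport": int(f["dstport"]),
        "flags": f["tcpflags"],
        "action": f["action"],
        "rule": f["fwrule"],
        # A bare SYN from outside to one of our addresses is a new inbound
        # connection attempt, not traffic we initiated.
        "unsolicited_syn": direction == "inbound" and f["tcpflags"] == "SYN",
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The useful point the parser makes concrete is that the packet's real dstip field is one of the organisation's own addresses, so from the firewall's point of view the packet is an inbound SYN to local port 80 that rule 60001 dropped; any domain name shown alongside the alert is a separate piece of information and not the packet's destination.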


