Advanced Threat Protection: False positive to Google owned IP address?

The last 2 days we are getting constant notifications of clients and servers attempting to reach a "command and control" server of:

216.239.36.21

The entire 216.239.32.0/19 block is owned by Google, and it appears this address is used for the Google.com site.

http://216.239.36.21

No blacklist is even showing this IP as threat, so I am not sure where this is coming from.

https://www.cyren.com/security-center/cyren-ip-reputation-check

https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a216.239.36.21&run=toolpage

@AdamBasalyga very helpful info. I was just going to update that msn.lockerdome.com is what is triggering this and you had already edited.

I do see there were recently other shady sites hosted at this IP, so I am not sure lockerdome.com is directly at fault for the security warnings, but they are definitely hosting ads on an IP address that has hosted malicious sites in the recent past on Google's cloud platform.

2020:05:01-07:58:49 severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" dstip="216.239.36.21" url="https://x.mdhv.io/"

2020:05:01-08:07:32 severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" dstip="216.239.36.21" url="https://msn.lockerdome.com/"

It appears WebMD hosts lockerdome ads, though I'm sure many other sites do as well.
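An added example, not from this thread or from Sophos: a small Python script that parses SecureWeb "http access" log lines in the key="value" format quoted above and lists, for a flagged destination IP, which hostnames were actually contacted through it. The first two sample lines are the ones posted above; the other lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log. The two 216.239.36.21 CONNECT lines for x.mdhv.io and
# msn.lockerdome.com are the ones quoted in the thread; the rest are invented
# so the script has something to filter out.
SAMPLE_LOG = """\
2020:05:01-07:58:49 severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" dstip="216.239.36.21" url="https://x.mdhv.io/"
2020:05:01-08:07:32 severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" dstip="216.239.36.21" url="https://msn.lockerdome.com/"
2020:05:01-08:07:40 severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" dstip="142.250.72.46" url="https://www.google.com/"
2020:05:01-08:09:02 severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" dstip="216.239.36.21" url="https://msn.lockerdome.com/"
"""

# One key="value" pair; values may contain spaces (name="http access").
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one log line into its fields, keeping the leading timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = ts
    return fields


def hosts_behind_ip(log_text, flagged_ip):
    """Count the hostnames seen contacting flagged_ip.

    On a shared cloud IP (here a Google-owned address) the hostname in the
    CONNECT/GET url, not the IP itself, tells you which site to look into.
    For CONNECT entries the url is the TLS tunnel target, i.e. the site name.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("dstip") != flagged_ip or "url" not in f:
            continue
        host = urlsplit(f["url"]).hostname
        if host:
            counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    ranked = sorted(hosts_behind_ip(SAMPLE_LOG, "216.239.36.21").items(),
                    key=lambda kv: -kv[1])
    for host, n in ranked:
        print(f"{n:4d}  {host}")
```

Feed the real log text in place of SAMPLE_LOG and the output ranks the hostnames worth checking against a URL reputation service instead of the shared IP.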