Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 9 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 59360 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS: INDICATOR-COMPROMISE Suspicious .pw dns query

rheptor
Hi,

For a couple of weeks i'm getting this message from the IPS module.

Message........: INDICATOR-COMPROMISE Suspicious .pw dns query
Details........: http://www.snort.org/search/sid/28039?r=1
Time...........: 2014-08-16 07:29:22
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 17 (UDP)

Source IP address: 192.168.*.30 
Source port: 2599 (meridiandata)
Destination IP address: 192.168.*.1 (home)
Destination port: 53 (domain)


These notifications come in batches of 10 at a time.

Source IP (and thus device) is and Android phone and a Macbook Pro.
Source port is variable for each message.

Is this a false positive, or a real problem. Can't find anything on this matter on the web, even the snort.org URL gives me a 404 error.

Should I disable / ignore these notifications?


This thread was automatically locked due to age.
Parents
  • 0
    Was it spam or legitimate email?

    Barry
  • 0 in reply to BarryG
    Was it spam or legitimate email?

    Barry



    It's spam. I have never received legit email from a .pw domain but of course I'm not suggesting all mail from a .pw domain is always going to be spam.

    --------------------------------------------------------------------
    Sophos UTM 9.714-4 - Home User
    Currently testing VM on i3-9100 @ 3.60 GHz
    16 GB RAM
    Dell Optiplex XE
    Intel Core 2 Duo CPU E8600 @ 3.33GHz
    8GB RAM
    --------------------------------------------------------------------

Reply
  • 0 in reply to BarryG
    Was it spam or legitimate email?

    Barry



    It's spam. I have never received legit email from a .pw domain but of course I'm not suggesting all mail from a .pw domain is always going to be spam.

    --------------------------------------------------------------------
    Sophos UTM 9.714-4 - Home User
    Currently testing VM on i3-9100 @ 3.60 GHz
    16 GB RAM
    Dell Optiplex XE
    Intel Core 2 Duo CPU E8600 @ 3.33GHz
    8GB RAM
    --------------------------------------------------------------------

Children
  • 0 in reply to Jeff x
    In case it matters, I see the identical warning. In my case, the root cause is visiting a specific website. 

    My guess is that advertising or advertising images coming through that website are in the .pw domain. It does not happen with any other website that I (or anyone in my family) visits, just the one. 

    How do I know? The live logs start displaying the warnings when I visit the website, and stop when I close the browser window.
Unfiltered HTML