Yesterday and into today, getting hourly alerts from UTM220 9.305-4 about one of our internal (firewalled) Terminal Servers containing a "C2/Generic-A" bit of malware:
[FONT="Courier New"][CRIT-861] Advanced Threat Protection Alert
Advanced Threat Protection
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: h**p://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2014-12-19 17:01:28
Traffic blocked: yes
Internal source IP address or host: 192.168.***.***
GW1/OrgName/OrgLocation
--
HA Status : CLUSTER MASTER (node id: 2)
System Uptime : 1 day 23 hours 28 minutes
System Load : 0.60
System Version : Sophos UTM 9.305-4
Please refer to the manual for detailed instructions.
The send limit for this notification has been reached. No further
notifications of this type will be sent during this period.[/FONT]
I am skeptical as this server is pretty "locked down" but am running the Sophos scanner tool on it now- nothing has been found yet. Question is- how can I find out more about what is triggering this activity? Could it be a false positive? Anyone else getting these alerts in the past ~2 days?
In the past I've gotten these about various workstations on the LAN and usually finding and cleaning the culprit was pretty easy. This is the first time I've seen an alerts from a server which is making me uneasy - especially with the "North Korean mega-hack" news flying around [:)]
This thread was automatically locked due to age.
