Advanced Threat Protection

Hello,

In the last couple of days I have started receiving emails from my Sophos UTM (Firmware version 9.350-12):

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every email includes a different IP address, but it's not in my LAN network. How can I find the problematic machine (IP) on my local network?

  • It seems that the cause isn't from the firewall acting as a DNS open relay. Further, these don't seem likely to be associated with hosts inside your networks making the requests, otherwise ATP would be triggering on the request, not on the reply. The ATP alerts do seem to be triggering on the data contained inside the DNS reply packets - specifically the "anmorencai.com" domain, and not the apparent origin or destination IPs, so requests should contain a payload. So these apparently seem to be unsolicited DNS replies (hitting the external interface of your firewalls).

    Being UDP, who knows what the origin actually is, though. It may have been from China, as the IP suggests, but there's really no way to tell. This does just seem to be an excessive blast of activity directed at a large number of machines across the internet.

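The reply above turns on one detail that is easy to check from a packet capture on the external interface: whether the packet that matched is a DNS query (QR bit clear) or a DNS reply (QR bit set), and whether the internal side of the conversation is actually one of your LAN hosts. The following triage helper is an added example, not code from the original thread or from Sophos' own ATP engine. It parses a raw DNS message, reads the QR flag, pulls the question and answer names, and combines that with the packet's source and destination addresses to classify the alert. The domain is the one quoted in the reply; the alert's source IP is taken from the original post; the LAN ranges, the firewall's external address and the resolver address are assumptions, and the sample packets are constructed rather than captured.

```python
"""Triage helper for ATP-style alerts on DNS traffic (added example)."""
import ipaddress
import struct
from typing import List, NamedTuple, Tuple

WATCHED_DOMAIN = "anmorencai.com"                      # domain named in the thread
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),  # assumed LAN ranges
                 ipaddress.ip_network("10.0.0.0/8")]


class DnsSummary(NamedTuple):
    txid: int
    is_response: bool
    questions: List[str]
    answers: List[str]


def encode_name(name: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_message(txid: int, qname: str, response: bool, answer_ip: str = "") -> bytes:
    """Build a minimal DNS A query or response (constructed test data, not a capture)."""
    flags = 0x8180 if response else 0x0100            # QR is the top bit of the flags word
    ancount = 1 if response else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    msg = header + question
    if response:
        # Answer name is a compression pointer (0xC00C) back to the question at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += ipaddress.IPv4Address(answer_ip).packed
    return msg


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past the name)."""
    labels: List[str] = []
    end = None                                        # set once we follow a pointer
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # two-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns(data: bytes) -> DnsSummary:
    """Extract only what triage needs: direction plus question and answer names."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions: List[str] = []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        offset += 4                                   # skip QTYPE and QCLASS
        questions.append(name)
    answers: List[str] = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        _, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlength                       # skip fixed RR header and RDATA
        answers.append(name)
    return DnsSummary(txid, bool(flags & 0x8000), questions, answers)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_alert(src_ip: str, dst_ip: str, payload: bytes) -> str:
    """Say which side of the DNS exchange an alert on this packet actually points at."""
    msg = parse_dns(payload)
    names = msg.questions + msg.answers
    if not any(n == WATCHED_DOMAIN or n.endswith("." + WATCHED_DOMAIN) for n in names):
        return "no-match"
    if not msg.is_response:
        # A query from a LAN address is the case worth chasing down to a host.
        return "internal-query" if is_internal(src_ip) else "external-query"
    # A reply only implicates an internal machine if it is addressed to one.
    if is_internal(dst_ip):
        return "reply-to-internal-host"
    return "unsolicited-external-reply"


if __name__ == "__main__":
    # Constructed packet: reply carrying the watched domain, from the alert's source IP,
    # addressed to an assumed firewall external address (198.51.100.10).
    pkt = build_dns_message(0x1234, WATCHED_DOMAIN, True, "203.0.113.5")
    print(triage_alert("218.60.112.225", "198.51.100.10", pkt))
```

Running the script classifies the constructed packet as an unsolicited external reply, which is the situation the reply describes: nothing on the LAN asked for the name, so there is no internal host to hunt. The same function returns "internal-query" when a LAN address sends the query, which is the case where an ATP alert does point at a machine worth investigating.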
