
Advanced Threat Protection

Hello,

In the last couple of days I have started receiving emails from my Sophos UTM (Firmware version 9.350-12):

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every email includes a different IP address, but it's not in my LAN network. How can I find the problematic machine (IP) on my local network?



  • Does anyone experiencing this happen to have public IPs, "Any", or "Internet" listed under Network Services > DNS > Global > Allowed Networks?

    The DNS proxy is not designed to be left openly internet facing, and if anyone is doing that, they are almost certainly being used as a proxy for DNS reflection attacks. If that's what's happening here, it seems the target of this particular attack is also something we detect via ATP.

    -Alan

  • All our clients are set up with internal-only DNS allowed; if it were hitting my test firewall I'd love to packet capture and allow the attack to happen to see what it is, but sadly our own firewalls were ignored with this :(

    One of our clients had Support enter their machine and do a packet capture, and they have a record of the raw attack on the box as it was still happening, but the contents were complete gibberish.
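Putting the two halves of this thread together, as an added example (not code from the thread or from Sophos): the poster's question is "which LAN host is this?", and the reply's diagnosis is that the source addresses are not on the LAN at all because the UTM's DNS proxy is reachable from the internet and being used for reflection. The script below does the triage a practitioner would do first: it parses alert bodies in the layout quoted in the opening post, splits the source IPs into "on my LAN, go hunt the host" versus "external, check Allowed Networks", and includes a small raw-DNS probe to confirm from outside the firewall whether the proxy answers. Assumptions: the alert layout matches the one quoted above, the LAN is RFC 1918 space (INTERNAL_NETWORKS must be set to the real ranges), the sample alert bodies and the sample response bytes are constructed here, and the probe is only meaningful when run from a host that is not in the DNS proxy's allowed networks.

```python
"""Triage Sophos UTM ATP alert mails and probe a DNS proxy for internet exposure.

Added example, not code from the thread or from Sophos. Assumes the alert text
follows the layout quoted in the thread, that INTERNAL_NETWORKS is adjusted to
the real LAN ranges, and that probe_open_resolver() is run from OUTSIDE the
firewall's DNS "Allowed Networks".
"""
import ipaddress
import re
import socket
import struct

# Constructed sample: three alert bodies in the format quoted by the poster.
# 218.60.112.225 is the address from the thread; the other two are made up.
SAMPLE_ALERTS = """\
Threat name....: C2/Generic-A
Time...........: 2016-03-20 06:41:17
Traffic blocked: yes
Source IP address or host: 218.60.112.225

Threat name....: C2/Generic-A
Time...........: 2016-03-20 07:02:55
Traffic blocked: yes
Source IP address or host: 192.168.1.50

Threat name....: C2/Generic-A
Time...........: 2016-03-20 07:15:03
Traffic blocked: yes
Source IP address or host: 203.0.113.77
"""

# Assumed LAN ranges (RFC 1918); replace with the networks actually behind the UTM.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One alert = a "Threat name" line followed, later in the same body, by a "Source IP" line.
ALERT_RE = re.compile(
    r"Threat name\.*: (?P<threat>\S+).*?Source IP address or host: (?P<src>[\d.]+)",
    re.S)


def parse_alerts(text):
    """Return [(threat_name, source_ip), ...] for every alert body in the text."""
    return [(m.group("threat"), m.group("src")) for m in ALERT_RE.finditer(text)]


def is_internal(ip, networks=INTERNAL_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(text, networks=INTERNAL_NETWORKS):
    """Split alerts into LAN hosts to hunt and sources that can only be reaching
    the UTM from the internet (the symptom of an internet-facing DNS proxy)."""
    result = {"internal": [], "external": []}
    for threat, ip in parse_alerts(text):
        key = "internal" if is_internal(ip, networks) else "external"
        result[key].append((threat, ip))
    return result


def build_dns_query(qname, qtype=255, txid=0x1234):
    """Minimal DNS query with RD set. qtype 255 (ANY) is the type reflection
    attacks favour because the answer is far larger than the request."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def answer_count(response):
    """Number of answer RRs in a DNS response; -1 if the packet is not a response."""
    if len(response) < 12:
        raise ValueError("short packet")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return an if flags & 0x8000 else -1


def probe_open_resolver(host, qname="example.com", timeout=2.0):
    """Send one query to host:53. Run from OUTSIDE the allowed networks: any
    answer means the proxy is reachable from the internet and usable for
    reflection. Returns the answer count, or None on timeout/mismatched reply."""
    query = build_dns_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return answer_count(data) if data[:2] == query[:2] else None


# Constructed response carrying 2 answers (only the header matters to answer_count).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
                   + b"\x07example\x03com\x00\x00\xff\x00\x01")

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_ALERTS).items():
        for threat, ip in hits:
            print(f"{kind:8} {ip:16} {threat}")
```

If every source in the "external" bucket is outside your LAN, there is no infected workstation to find; the thing to check is Network Services > DNS > Global > Allowed Networks, as the reply above suggests, and `probe_open_resolver("<your public IP>")` from a host on the internet tells you whether the proxy still answers after the change.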
