Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 48 replies
  • Answers 1 answer
  • Subscribers 30 subscribers
  • Views 296290 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Advanced Threat Protection

YivgenyShipilevsky

Hello,

In last couple of days i start receive emails from my Sophos UTM (Firmware version 9.350-12)

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every Email include different IP Address but it's not my LAN Network. How i can find problematic machine (IP) from my local network ?



This thread was automatically locked due to age.
Parents
  • 0

    Does anyone experiencing this happen to have public IPs, "Any", or "Internet" listed under Network Services > DNS > Global > Allowed Networks?

    The DNS proxy is not designed to be left openly internet facing, and if anyone is, they are almost certainly being used as a proxy for DNS reflection attacks. If that's what's happening here, it seems the target of this particular attack, is also something we detect via ATP. 

    -Alan

  • 0 in reply to AlanT

    I saw this on multiple clients (over 10) -- The are all set to only internal for DNS Allowed Networks.  The only clients I have that were not affected are ones that geoblock China.

  • 0 in reply to CraigW
    I've had China geoblocked since Day 1 - I still got hit.
  • 0 in reply to CraigW

    Maybe they weren't hit because the portscan from china was unsuccessful?

    If a device doesn't block china, the portscan can poke and see that something is there so then they try hitting it again, hard.

    (apologies for double post, I still mistake what bloody page I am on because it doesn't tell me unless I check and recheck all the time)

Reply
  • 0 in reply to CraigW

    Maybe they weren't hit because the portscan from china was unsuccessful?

    If a device doesn't block china, the portscan can poke and see that something is there so then they try hitting it again, hard.

    (apologies for double post, I still mistake what bloody page I am on because it doesn't tell me unless I check and recheck all the time)

Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML