
Advanced Threat Protection

Hello,

In the last couple of days I have started receiving emails from my Sophos UTM (firmware version 9.350-12):

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every email includes a different IP address, but it's not on my LAN. How can I find the problematic machine (IP) on my local network?

  • I've had China geoblocked since Day 1 - I still got hit.
  • It seems that the cause isn't the firewall acting as an open DNS relay. Further, these don't seem likely to be associated with hosts inside your networks making the requests; otherwise ATP would be triggering on the request, not on the reply. The ATP alerts do seem to be triggering on the data contained inside the DNS reply packets - specifically the "anmorencai.com" domain - and not on the apparent origin or destination IPs, so the requests should contain a payload. So these apparently seem to be unsolicited DNS replies hitting the external interface of your firewalls.

    Being UDP, who knows what the origin actually is, though. It may have been from China, as the IP suggests, but there's really no way to tell. This does just seem to be an excessive blast of activity directed a large number of machines across the internet.
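The point made in the reply above, that ATP matches on the name carried in the DNS reply payload rather than on the source or destination IP, is illustrated by this added Python example (it is not code from the thread or from Sophos): it parses a raw DNS message, reports watchlisted names found in its answer section, and returns nothing for a query. The watchlist containing anmorencai.com, the packet bytes and the 127.0.0.1 answer are all constructed for the example.

```python
import struct
# Constructed watchlist: the domain named in the thread, not a real feed.
WATCHLIST = {"anmorencai.com"}

def read_name(pkt, off):
    """Decode a (possibly compressed) DNS name; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where we left off
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_answers(pkt):
    """Return (is_response, [(name, rtype, rdata)]) from a raw DNS message."""
    flags, qd, an = struct.unpack("!HHH", pkt[2:8])
    off = 12
    for _ in range(qd):  # skip the question section
        off = read_name(pkt, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return bool(flags & 0x8000), answers

def watched_domains(pkt):
    """Watchlisted names in the answer section of a reply (empty for queries)."""
    is_resp, answers = parse_answers(pkt)
    if not is_resp:
        return set()
    return {n for n, _, _ in answers
            if n in WATCHLIST or any(n.endswith("." + w) for w in WATCHLIST)}
# Constructed sample: a reply for anmorencai.com with one A record (127.0.0.1 is a placeholder)
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: QR=1, 1 question, 1 answer
    b"\x0aanmorencai\x03com\x00\x00\x01\x00\x01"          # question: anmorencai.com IN A
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x7f\x00\x00\x01"  # answer, name via pointer
)
SAMPLE_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + SAMPLE_REPLY[12:32]
```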

  • I just logged into my Sophos UTM today and I too am receiving this warning from ATP...

  • Same here; at first there were external addresses as the source, and after a while internal addresses came too - one of the addresses was a Windows Server, the other one was an OS X client. I have no inbound DNS allowed, DNS relay only on internal interfaces. I configured the firewall so that only DNS from my internal DNS server can reach the Google DNS servers, no others. On my internal DNS server I created a zone for anmorencai.com and geoblocked China. After resetting the counter yesterday, they give no warnings again.

    I updated the virus protection on every server and scanned them; nothing was found. A Google search found nothing about these URLs, only Sophos Community information.

    Is it a false positive?

  • Alan,

    thank you for your post. I am sure that at Sophos you have analyzed this behaviour. Could you share the analysis output with the community?

    This will eliminate the need to contact Support.

    Thanks.

  • All our clients are set up with internal-only DNS allowed. If it was hitting my test firewall I'd love to packet capture and allow the attack to happen to see what it is, but sadly our own firewalls were ignored with this :(

    One of our clients had Support enter their machine and do a packet capture and have a record of the raw attack on the box as it was still happening but the contents were complete gibberish.

  • Maybe they weren't hit because the portscan from china was unsuccessful?

    If a device doesn't block china, the portscan can poke and see that something is there so then they try hitting it again, hard.

    (apologies for double post, I still mistake what bloody page I am on because it doesn't tell me unless I check and recheck all the time)

  • I too received these alerts.  I am new to this.  I have a host that is unable to connect to the web.  Curious if the UTM blocks outbound traffic of a host if a threat is detected?  If so, how do I unblock outbound traffic and get my host back up and running? 

    I can successfully ping google dns: 8.8.8.8

    But the browser will not connect?

    WD 250GB 5400 RPM 8 MB WD2500LPVX hard drive
    8GB RAM
    SUPERMICRO MBD-A1SAM-2550F-O uATX
    Sophos UTM 9.3

  • Same thing here with one of my clients; the attack started at 03:24 and ended at 20:25 on Sunday.
    One of the exam questions on the Sophos UTM Engineer exam was "Which type of traffic is scanned by the ATP module", and the right answer was "only outbound"...so this is confusing...:)

  • I did not do an in depth intel check, but this is what I do have:

    Indicator: 218.60.112.225
    Reverse DNS: cncln.online.ln.cn
    Country: CN
    ASN: 4837
    Organization: China Unicom Liaoning
    Insights

    DShield has observed IP 218.60.112.225 scanning 227 targets resulting in 1426 reports from 2015-10-20 to 2016-03-22

    Passive DNS (1)
    Source    Domain           Record Data     Record Type  First Seen           Last Seen
    Spamhaus  vip2.alidns.com  218.60.112.225  A            2015-12-01T00:02:07  2015-12-01T00:02:07