Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 4848 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Thousand of IPS-Mails and "Drops".

vpRoot

Hi all,

I need some help again...

since two days we have permanent IPS-Actions:


2016:08:25-10:09:11 astaro snort[4691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" group="241" srcip="195.88.208.108" dstip="172.16.XXX.YY" proto="17" srcport="53" dstport="52865" sid="31600" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

2016:08:25-10:09:13 astaro snort[4691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" group="241" srcip="8.8.8.8" dstip="172.16.XXX.YY" proto="17" srcport="53" dstport="53933" sid="31600" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

2016:08:25-10:09:14 astaro snort[4691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" group="241" srcip="195.88.208.108" dstip="172.16.XXX.YY" proto="17" srcport="53" dstport="55061" sid="31600" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

2016:08:25-10:09:16 astaro snort[4691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" group="241" srcip="8.8.8.8" dstip="172.16.XXX.YY" proto="17" srcport="53" dstport="52857" sid="31600" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

2016:08:25-10:09:17 astaro snort[4691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" group="241" srcip="8.8.4.4" dstip="172.16.XXX.YY" proto="17" srcport="53" dstport="53933" sid="31600" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

2016:08:25-10:09:20 astaro snort[4691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" group="241" srcip="8.8.4.4" dstip="172.16.XXX.YY" proto="17" srcport="53" dstport="52857" sid="31600" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

2016:08:25-10:09:21 astaro snort[4691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" group="241" srcip="195.88.208.108" dstip="172.16.XXX.YY" proto="17" srcport="53" dstport="54176" sid="31600" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

2016:08:25-10:09:23 astaro snort[4691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" group="241" srcip="8.8.8.8" dstip="172.16.XXX.YY" proto="17" srcport="53" dstport="54804" sid="31600" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

XXX.YY is our internal DNS-2. We get these messages also for our primary DNS (not in these logs).

There are about 1-5 warns about per Second. I'm kinda confused about the two google-DNS-Servers. What has google to do with that spheral.ru-page or the Glupteba? And the other thing is the normal IP: 195.88.208.108 - a russian IP. Can't find much about it in Whois etc.

Should I worry? I started to scan our DNS-Servers for Malware / Rootkits (Botnet was a thought) etc, but without success.

Does anyone has some tips, solutions or workarounds? Well, we get about 100 Mails every hour, after that, the mail-limitation becomes activated.

Greets and thanks for coming replys.



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    Always have your IPS up2date.

    Trojan.Glupteba is a Trojan horse that downloads and executes potentially malicious files on the compromised computer.

    We cannot be sure if the DNS server is infected, so scanning the DNS server might not hit the conclusion. With the source and destination, it could just be a packet which is the reply of reverse DNS lookup request . Now why would that request be sent in first place is an question and worth investigation. Verify the IP address resolved for spheral.ru and then try to source out which endpoint initiated the request. Sometimes, it could be an AV or security product trying to do reverse DNS lookup for a suspicious IP.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

Reply
  • 0

    Hi,

    Always have your IPS up2date.

    Trojan.Glupteba is a Trojan horse that downloads and executes potentially malicious files on the compromised computer.

    We cannot be sure if the DNS server is infected, so scanning the DNS server might not hit the conclusion. With the source and destination, it could just be a packet which is the reply of reverse DNS lookup request . Now why would that request be sent in first place is an question and worth investigation. Verify the IP address resolved for spheral.ru and then try to source out which endpoint initiated the request. Sometimes, it could be an AV or security product trying to do reverse DNS lookup for a suspicious IP.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?