Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 9861 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Detecting from Sophos UTM C2/Generic-A

JasonCantos

Hi Sophos Team,

 

I am receiving this Botnet alert from our Sophos UTM.  I have tried scanning the server who is the Source IP and I didn't detect anything even I used the Sophos virus removal tool but didn't detect anything.  

 

 

1
  
bakjjmkiw.ws
C2/Generic-A
AFCd
2016-11-16 18:57:48
1
0.58
1
0.58
2
  
bredpump.info
C2/Generic-A
AFCd
2016-11-16 18:47:55
1
0.58
1
0.58
3
  
buoxlyw.ws
C2/Generic-A
AFCd
2016-11-16 19:56:40
1
0.58
1
0.58
4
  
cajusst.ws
C2/Generic-A
AFCd
2016-11-16 19:48:14
1
0.58
1
0.58
5
  
cawskq.ws
C2/Generic-A
AFCd
2016-11-16 20:00:31
1
0.58
1
0.58
6
  
cjzyrx.ws
C2/Generic-A
AFCd
2016-11-16 19:09:48
1
0.58
1
0.58
7
  
cuolcsfay.ws
C2/Generic-A
AFCd
2016-11-16 19:49:57
1
0.58
1
0.58
8
  
cysooechujg.ws
C2/Generic-A
AFCd
2016-11-16 19:00:17
1
0.58
1
0.58
9
  
dwohtolv.cn
C2/Generic-A
AFCd
2016-11-16 18:47:15
1
0.58
1
0.58
10
  
fhavidw.cn
C2/Generic-A
AFCd
2016-11-16 19:36:05
1
0.58
1
0.58
11
  
frherhue.cn
C2/Generic-A
AFCd
2016-11-16 19:47:50
1
0.58
1
0.58
12
  
fsbeaa.ws
C2/Generic-A
AFCd
2016-11-16 19:20:06
1
0.58
1
0.58
13
  
gmlcgvkiy.ws
C2/Generic-A
AFCd
2016-11-16 18:43:20
1
0.58
1
0.58
14
  
gvxyfamgwvw.info
C2/Generic-A
AFCd
2016-11-16 19:04:14
1
0.58
1
0.58
15
  
hbjmriz.cn
C2/Generic-A
AFCd
2016-11-16 19:49:33
1
0.58
1
0.58
16
  
hcaxbgugl.cn
C2/Generic-A
AFCd
2016-11-16 20:04:52
1
0.58
1
0.58
17
  
jdztlddtd.cn
C2/Generic-A
AFCd
2016-11-16 18:55:46
1
0.58
1
0.58
18
  
jkyatszhco.ws
C2/Generic-A
AFCd
2016-11-16 19:18:11
1
0.58
1
0.58
19
  
jnnznesl.cn
C2/Generic-A
AFCd
2016-11-16 19:27:19
1
0.58
1
0.58
20
  
kujil.ws
C2/Generic-A
AFCd
2016-11-16 19:22:19
1
0.58
1
0.58


This thread was automatically locked due to age.
Parents
  • 0

    Hello JasonCantos,

    a C2/ detection indicates a potentially compromised endpoint. If the endpoint is protected and MTD is turned on you'll likely see corresponding C2/Generic-B alerts. AFAIK MTD is not available for UTM managed endpoints, thus Dealing with a C2 detection would be only of limited help.

    scanning [...] didn't detect anything
    this is no surprise - if the threat were known it wouldn't get as far as opening a network connection. Apparently whatever it is is constantly trying to connect and it should be possible to identify the process.

    Christian

  • 0 in reply to QC

    Hi Christian,

     

    I have tried Sophos removal tools which is recommended from sophos which is the same didn't detect anything....any idea how to remove this?

     

     

    Regards,

     

    Jason

Reply Children
  • 0 in reply to JasonCantos

    Hello Jason,

    let me try to rephrase:
    You get a C2/Generic-A alert because either

    • there is no AV on the endpoint which could detect and block a threat
    • the AV on the endpoint does not detect the malicious process attempting the connection. In case Sophos is installed on the endpoint no other Sophos tool will detect a threat as they all use the same detection identities (I'm talking about running a tool in a normal Windows session - not Safe Mode or when booting from an external medium)
    • some legitimate process is subverted and makes the connection. The subverting process could be some clever malware, a rogue browser add-on, a redirection from web-search results, or even a human typing a C&C URL into the browser's address bar (in which case it's perhaps not a subversion)

    Thus it's likely a yet unknown "something" and you'd have to find the process making the connections. Sometimes it can be found by simply checking the list of running processes with the Task Manager. Depending on what the UTM does in response to an open attempt you might be able to see the TCP SYN_SENT with netstat -o.  A better (and actually quite simple) method though is monitoring network activity with Process Monitor. Once you've identified the rogue executable please submit it to Sophos.

    Christian

  • 0 in reply to QC

    Hi Christian,

     

    I have Av on the endpoint which is I used SEPM and it is updated. both SEPM and Sophos removal tools didn't detect anything from it.

     

    Regards,

     

    Jason

  • 0 in reply to JasonCantos

    Hello Jason,

    sometimes you have to do some investigation yourself, either give Process Monitor a try - or otherwise reinstall the potentially compromised machine.

    Christian 

  • 0 in reply to JasonCantos

    Jason, you said it was a server that you scanned.  If that was your internal DNS server, you will need to look at its logs to discover which client(s) in your LAN requested name resolution for those domains.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Balfson

     

    Yup I am now investigating from the DNS logs because I noticed that the attack is being made specially in the evening and nobody is here in the office by that time.

     

    Regards,

     

    Jason

  • 0 in reply to QC

    Hi Christian

     

    I got the machine who is sending the query to my local DNS server.  We are now taking action on this then observe again with our Sophos UTM.

     

    Thanks for the advise and help.

     

     

    Regards,

     

    Jason

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML