Alert in Network Protection with ATP - C2/Generic-A mrdistrupd.com

Hello, 

 

First, sorry for my English, you know French guys don't speak English correctly x) ....

I have an alert on Sophos UTM 9 in Network Protection, Advanced Threat Protection:


source IP: (my DNS server)
destination IP address: mrdistrupd.com
threat: C2/generic-A
origin: DNS

There are 32 alerts for the last 30 days.
How can I fix it?

Thanks for your answers.



  • Salut, Florian, and welcome to the UTM Community!

    This is a warning that a client in your network is trying to contact a C&C server in Russia.  Your DNS Server is only relaying the request from the client.  The DNS log in your server should show which device needs to be cleaned of malware.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob ! 

    Thanks for your answer. 

    My CIO is convinced that the infection comes from the DNS server (10.1.1.25).
    If I understood correctly, there is a machine that tries to contact a Russian C&C server and the DNS server relays the request to the proxy. This request is caught by the proxy (ATP) and it raises a warning.

    How can I find the device that attempts to connect to the server msdistrupd.com? There is no event in the DNS server (log).

    thank you

     

    Florian

  • Normally, I prefer to use the DNS approach outlined in DNS best practice, but if your internal DNS server doesn't keep logs about which device requested resolution for which FQDN, you will want to temporarily change DHCP until you find the problem.  Instead of passing out your internal DNS server as the first forwarder, remove that, leaving the UTM as the first forwarder.  This will work fine as long as the rest of the recommendations in DNS Best Practice are followed.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Florian,

    If your DNS server is a Microsoft server, you should activate debug logging on that DNS server. If not, you should follow Bob's suggestion.

    regards

    mod
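Once debug logging is enabled on a Microsoft DNS server, the log records which client asked for which name. The following is an added example, not code from this thread or from Sophos: it parses the debug-log packet lines (layout assumed from the documented Windows DNS debug-log format) and counts, per client IP, the received queries for the flagged domain or any subdomain of it. The log lines are constructed, and 10.1.1.1 is assumed to be the UTM acting as the server's forwarder.

```python
import re
from collections import Counter

# One Windows DNS debug-log packet line (layout assumed from the documented
# debug-log format; the date/time prefix is ignored). After the remote IP:
# xid, an optional "R" marking a response, the opcode, a flags block in
# brackets, the query type and the label-encoded query name.
PACKET_RE = re.compile(
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R?)\s*(?P<op>[QNU?])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

# Constructed sample lines: 10.1.1.50 asks twice for the flagged domain,
# 10.1.1.60 asks for a subdomain, 10.1.1.77 asks for a benign name, and the
# server itself forwards one lookup to 10.1.1.1 (assumed to be the UTM).
LOG = """\
6/7/2019 10:15:23 AM 0A3C PACKET  000000A1B2C3D4E0 UDP Rcv 10.1.1.50       0002   Q [0001   D   NOERROR] A      (10)mrdistrupd(3)com(0)
6/7/2019 10:15:23 AM 0A3C PACKET  000000A1B2C3D4E0 UDP Snd 10.1.1.1        4a1f   Q [0001   D   NOERROR] A      (10)mrdistrupd(3)com(0)
6/7/2019 10:15:23 AM 0A3C PACKET  000000A1B2C3D4E0 UDP Rcv 10.1.1.1        4a1f R Q [8081   DR  NOERROR] A      (10)mrdistrupd(3)com(0)
6/7/2019 10:15:24 AM 0A3C PACKET  000000A1B2C3D4F0 UDP Rcv 10.1.1.77       0003   Q [0001   D   NOERROR] A      (3)www(6)sophos(3)com(0)
6/7/2019 10:16:01 AM 0A3C PACKET  000000A1B2C3D500 UDP Rcv 10.1.1.50       0004   Q [0001   D   NOERROR] A      (10)mrdistrupd(3)com(0)
6/7/2019 10:16:05 AM 0A3C PACKET  000000A1B2C3D510 UDP Rcv 10.1.1.60       0005   Q [0001   D   NOERROR] A      (3)cdn(10)mrdistrupd(3)com(0)
"""

def decode_qname(encoded):
    """Turn '(10)mrdistrupd(3)com(0)' into 'mrdistrupd.com'."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", encoded):
        if len(label) != int(length):      # malformed line: do not trust it
            raise ValueError(f"bad label length in {encoded!r}")
        if label:
            labels.append(label)
    return ".".join(labels).lower()

def clients_querying(log_text, domain):
    """Count per client IP the queries received for domain or a subdomain.

    Only Rcv query lines count: Snd lines are the server's own lookups sent
    upstream (to the forwarder, not a client) and R lines are answers.
    """
    domain = domain.lower()
    hits = Counter()
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if not m or m["dir"] != "Rcv" or m["resp"] == "R" or m["op"] != "Q":
            continue
        name = decode_qname(m["qname"])
        if name == domain or name.endswith("." + domain):
            hits[m["ip"]] += 1
    return hits

if __name__ == "__main__":
    for ip, n in clients_querying(LOG, "mrdistrupd.com").most_common():
        print(f"{ip}: {n} queries")   # the clients to inspect for malware
```

Run it against the real log file instead of the constructed LOG; the IPs it reports are the devices to clean, not the DNS server that relayed the lookup.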
