Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 20 replies
  • Subscribers 5 subscribers
  • Views 33420 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ATP triggers for botnet but scans show nothing on server

Lucas Villanueva

 

Since not quite the first of the month, we've had a very interesting and chronic trigger on our firewall...

 

I have been continually running different malware/antivirus scans on the server and resetting to see if I have cleared off the problem, but to no avail. I know it's possible these could be false positives, but it just seems so odd that there's so dang *many* triggers, up in the thousands per day. I've Googled just about everything I can think of to try to find more information, to try to figure out if indeed we have an infection or if this is a wild goose chase, but I'm not 100% certain yet. Thankfully, this means that any of the packets being sent to that destination are being dropped, so if it is a bad site, it's not as bad as it could be... but I would prefer to get the triggers to stop altogether, rather than just resetting every time I run a scan. There are two destination IPs connected to this host - 208.67.222.222 and 208.67.220.220. A cursory Google will show that both of these are OpenVPN server addresses. We happen to use the VPN built in to the Firewall, but we've been using that for awhile now and it never triggered anything like this.

Has anybody else seen anything like this? Any other thoughts or suggestions? I can only run the same malware and virus scans so many times before it gets old. 



This thread was automatically locked due to age.
Parents
  • 0

    Is the alarm pointing at your dbs server?  If so, then it is probably a suspicious DNS lookup.

    In particular, UTM does this for any .tk lookup.   You have to enable DNS logging to find the DNS query initiator.

  • 0 in reply to DouglasFoster

    I was about to go turn it on when I realized it's already turned on.

    That's one thing I was thinking, though, that it might be a false positive DNS lookup. It was just odd because I googled the url that's been showing up as the destination and it's being reported as a known malware site.

    So I barely understand how to read any of this:

    2017:10:26-00:00:51 nkc_utm ulogd[8981]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" 
    fwrule="60011" initf="eth0" srcmac="d4:ae:52:a0:69:7b" dstmac="00:1a:8c:4b:61:30" srcip="10.0.4.12" dstip="208.67.222.222" proto="17" length="109" 
    tos="0x00" prec="0x00" ttl="128" srcport="57108" dstport="53"


    The IP 208.67.222.222 shows up... 27,749 times in the latest log.

    Is it possible that since we use the VPN built in on our firewall (which uses OpenVPN) that this is just reporting our remote users almost constant connection to the server?

    And it's showing as connected to a bad site because whoever set that site up is using OpenVPN to try to cover their tracks?
  • 0 in reply to Lucas Villanueva

    Hi, Lucas, and welcome to the UTM Community!

    Doug's suggestion is what you need.  This is not a false positive.  Some device is asking your server to resolve a suspicious FQDN.

    You're confusing OpenVPN with OpenDNS.

    You might be interested in DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thank you for that clarification - I had a feeling I was probably getting some things confused, but I wasn't 100% sure. I am working on adjusting our firewall rules to fit the DNS best practices, see if that helps at all.

    I was looking at the firewall log again and every DNS request for that particular destination IP looks pretty much the same as what I copied. I have Sysmon running on the server, and it's picking up when connections are being attempted, but that's about all the info I get... though that's probably because the Firewall ends up blocking it. I had thought initially that it must be on the server itself, but since it's a DNS query, is it always going to show from our DNS server, no matter what device is actually trying to make the connection?

  • 0 in reply to Lucas Villanueva

    Hey Lucas.

    You should be looking at the queries made to your internal DNS server by your endpoints, not at the UTM. UTM is just doing it's job and blocking the query as it transverses it. I assume you have an Active Directory domain setup and your internal DNS forwards requests to the UTM, right? If so, check this for instructions on how to enable logging/debugging at the internal DNS server. After enabling it, analyze the logs, find the origin and remove whatever malware its making the DNS requests and causing your ATP to react.

    Regards,

    Giovani

  • 0 in reply to giomoda

    That's correct. I will follow these instructions and see what I can find out. I'll post again if I find anything. Thank you!

Reply Children
No Data
Unfiltered HTML