
C2/Generic Botnet Traffic

Hi All,

So I have a Sophos UTM in bridge mode that basically inspects traffic then passes it to the router, an Asus N66U. The UTM does not do routing.

About a month ago I started getting Command and Control notices from the UTM. After some research, it seems my IP is trying to connect to a domain by the name of: worldtvpro.zapto.org.anbdyn.info

After some googling I found out that the worldtvpro.zapto.org domain is owned by a company in Reno NV called Vitalwerks Internet Solutions, LLC which from their site appears to offer DYNDNS like services.

I'm having a hard time trying to pinpoint where this 'infection' is coming from; all nodes on my network have been scanned with Malwarebytes Pro, Hitman Pro and the default Sophos AV. I'm fairly certain my machines are ok but I don't want to label this a false positive until I can be sure. I've read from some Sophos posts that sometimes software phoning home can trigger it, but the hard part is the Sophos logs only report my public IP and not an internal one, so I can't see if anything with a private IP is trying to call out somewhere.

I do run Kodi with some plugins so this seemed like a likely cause but even with the PC off the alerts are still generated and the system has been scanned with no results.

Sophos classifies it as a C2/Generic-A. This is the link it gives as support but it isn't really of any help.

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A

Any suggestions are appreciated.
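The core difficulty in the post above is that the alert carries only the public (NATed) address, so it cannot be tied to a LAN host. One defender-side way around that is to keep a query log on the internal DNS resolver the LAN hosts use and correlate it with the alert timestamps: whichever internal IP asked for the flagged name a few seconds before the UTM dropped the connection is the host to examine. The script below is an added example and not code from the original thread or from Sophos; the alert lines and resolver lines it embeds are constructed in a simplified format (not the real UTM or dnsmasq log layout), and the IPs and timestamps are made up.

```python
"""Correlate C2 alerts that show only a public (NATed) source IP with an
internal DNS resolver's query log, to find which LAN host looked up the
flagged domain.  Added example; log formats below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert lines in a simplified key="value" style (not the real UTM format).
ALERT_LOG = """\
2016-05-01 10:15:02 atp: action="drop" threat="C2/Generic-A" srcip="203.0.113.10" host="worldtvpro.zapto.org.anbdyn.info"
2016-05-01 11:40:17 atp: action="drop" threat="C2/Generic-A" srcip="203.0.113.10" host="worldtvpro.zapto.org.anbdyn.info"
"""

# Constructed internal resolver query log (wording loosely modelled on dnsmasq, but made up here).
DNS_LOG = """\
2016-05-01 10:14:58 query[A] worldtvpro.zapto.org.anbdyn.info from 192.168.1.23
2016-05-01 10:15:00 query[A] update.example.net from 192.168.1.40
2016-05-01 11:40:15 query[A] worldtvpro.zapto.org.anbdyn.info from 192.168.1.23
2016-05-01 11:41:00 query[A] worldtvpro.zapto.org.anbdyn.info from 192.168.1.77
"""

ALERT_RE = re.compile(r'^(\S+ \S+) .*?srcip="([^"]+)".*?host="([^"]+)"')
DNS_RE = re.compile(r'^(\S+ \S+) query\[\w+\] (\S+) from (\S+)')
TS = "%Y-%m-%d %H:%M:%S"


def parse_alerts(text):
    """Return (timestamp, flagged_domain) for each alert line that parses."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS), m.group(3).lower()))
    return out


def parse_dns(text):
    """Return (timestamp, queried_name, internal_source_ip) for each query line."""
    out = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS), m.group(2).lower(), m.group(3)))
    return out


def correlate(alerts, queries, window_s=10):
    """Map each flagged domain to the internal IPs that queried it (or a
    subdomain of it) within window_s seconds *before* the alert fired.
    Queries after the alert are ignored: they cannot have caused it."""
    window = timedelta(seconds=window_s)
    hits = defaultdict(set)
    for a_ts, a_host in alerts:
        for q_ts, q_name, q_src in queries:
            same_name = q_name == a_host or q_name.endswith("." + a_host)
            if same_name and a_ts - window <= q_ts <= a_ts:
                hits[a_host].add(q_src)
    return {host: sorted(ips) for host, ips in hits.items()}


def suspects(alert_text=ALERT_LOG, dns_text=DNS_LOG):
    """Convenience wrapper over the constructed sample logs."""
    return correlate(parse_alerts(alert_text), parse_dns(dns_text))


if __name__ == "__main__":
    for host, ips in suspects().items():
        print(f"{host}: queried by {', '.join(ips)} shortly before the UTM alert")
```

On the sample data this singles out 192.168.1.23 for both alerts and leaves 192.168.1.77 out, because its lookup came after the drop rather than before it. In practice the resolver log needs to come from whatever the LAN hosts actually use (the router's forwarder, a Pi-hole, a Windows DNS server with query logging on); if hosts resolve directly against public servers, a log of outbound port 53 traffic from the inside interface serves the same purpose, and the correlation window can be widened to cover any clock skew between the two logging devices.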



This thread was automatically locked due to age.
  • Hi,

    If you have public IPs, "Any" or "Internet" listed under Network Services > DNS > Global > Allowed Networks then change it to "Internal network". 

    Finally, do you have DNS server defined in the Network Protection | Intrusion Prevention | Advanced | DNS server tab? In order to increase the performance and minimize the amount of false positive alerts, you can specify your internal servers that are protected by the IPS.

    There was a known issue with the previous firmware where UDP DNS packets affected UTM's ATP detection. This was fixed and mentioned in NUTM-3340. 

    If the issue is not resolved from the steps mentioned above, please report it to Support for deep inspection.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thanks for your response.


    I don't have anything listed under the spots you suggested I look, so I'm good there.


    How do I log a support request with Sophos for this?  Also, is this a service that I have to pay for?


    Also, is it possible for me to block this domain at the firewall level?  Within Sophos that is.

  • My bad, I thought you had a paid subscription for support.

    This could be a possible DNS cache poisoning attempt on your IP address which is dropped by the UTM's ATP module. The quick fix is to get your public IP address changed by the ISP. Alongside, go to Management | up2date and verify that the UTM patterns are up to date. This could also be caused by a pattern update.

    Finally, if you have an internal server hosted through a DNAT policy then it could be listed as the destination in the logs.

    Cheers-

    Sachin Gurung
    Team Lead | Sophos Technical Support
