C2/Generic-A Originating from AFCd?

Hi everyone, looks like I have a similar situation to a few people.

NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originating seems to be from AFCd? Any idea what this is?

Googling has given me no ideas. Any ideas anyone?

  • I am having the same issue. It seems to be attempting to reach the domain <random>.app.anmorencai.com

    Some information I have found:

    Parent server gave glue for app.anmorencai.com to be app.anmorencai.com.qingcdn.com but we resolve that hostname to 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103

    Local NS list does not match Parent NS list
    140.205.228.52 was reported by the parent, but not locally
    140.205.228.51 was reported by the parent, but not locally
    183.61.63.103 was reported locally, but not by the parent


    Though I am unsure what the Origin AFCd is?

  • In reply to KashifMoazzam:

    Is this a massive DNS cache poisoning attempt by the Chinese military?

    Cheers - Bob

  • Reporting in that I've gotten the same traffic today (3/20/16)

    2016:03:20-00:07:09 sophosedge afcd[14692]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="[my ip address]" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="pqyoebe38318.app.anmorencai.com" url="-" action="drop"

  • We have the same issue on all our public IP addresses:

    2016:03:20-05:39:41 ghp-gw-01-1 afcd[13499]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="OUR-PUBLIC-IP-RANGE" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="XxcO2af85050.app.anmorencai.com" url="-" action="drop"
    2016:03:20-05:55:16 ghp-gw-01-1 afcd[13499]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.226" dstip="OUR-PUBLIC-IP-RANGE" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="wfpA2ff85050.app.anmorencai.com" url="-" action="drop"



    Does anyone have an idea what this is?

  • Yep, here too (Germany). Started Sunday morning, all Chinese IPs:

    2016:03:20-03:46:53 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.101" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="YwTB6532e13e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-03:47:51 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.107" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="DnvS6b32e13e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-03:57:14 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="62.225.50.97" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="ILxQ6132e13e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.225" dstip="62.154.197.164" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="zQFna4c59a3e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="62.154.197.163" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="wQHMa3c59a3e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-04:17:28 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.227" dstip="62.154.197.162" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1"

  • In reply to ZachR:

    Same here on 3/20/16, in Belgium

    2016:03:20-04:41:11 fwutm61-2 afcd[27912]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="(OUR IP ADDRESS)" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="qFaY264ff651.app.anmorencai.com" url="-" action="drop"

  • Definitely Chinese IPs: attempting to get assistance from Support to diagnose

  • Hi all,


    Same thing here on Sunday morning

    2016:03:20-03:48:01 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="my public ip 2" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="aTic4b059350.app.anmorencai.com" url="-" action="drop"
    2016:03:20-04:30:17 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.227" dstip="my public ip 1" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="MsVW95f9ed2e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-05:28:02 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.225" dstip="my public ip 1" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="rlSd95f9ed2e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-06:26:19 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="my public ip 1" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="RETV95f9ed2e.app.anmorencai.com" url="-" action="drop"


    I am curious what this is. Seems to go to all our public interfaces.

    Regards

    Jan

  • I also had this on all of my Appliances.

    For me it seems that they are trying to resolve these domain names at all available IPs, like scanning for open resolvers, and since the domain is in ATP there's an alert.

    My2cents ...

  • My reply from Sophos Support:

    "Thank you for contacting Sophos.

    I've checked your details below. It looks as though DNS traffic to "app.anmorebcai.com" is being blocked by ATP. I've seen a few UTM cases like this over the past few days. Your internal network is not exploited and the ATP has done its job in protecting you.

    We suggest blocking the source IPs to avoid the alert being triggered again.

    Regards, "

  • In reply to BAlfson:

    Well, I would guess that it is more likely to be the Chinese mafia/criminal organisations. Though, seeing the number of different IPs trying to hit my DNS, it seems like a large botnet farm.

    I did see the reply BSRIA got from Sophos Support, and the advice about blocking the source IPs. Well, 80,000 unique hits so far; I would have just blocked the whole country, but we have clients in China so that is not really an option. I don't have any interns at the moment either that I could put on to this thankless task of blocking each IP address.

    Open to any suggestions on this one, though thankfully I did turn off email notification of these events after the first 2000-odd emails...

  • In reply to BSRIA-:

    Hi, here the same situation.

    But if the support is saying "DNS traffic TO "app.anmorebcai.com" are being blocked by ATP", then the traffic is coming from my firewall or my internal networks...or not?

    In my logs I see UDP traffic FROM app.anmorebcai.com:

    2016:03:20-06:00:18 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="<ext IP>" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="yebaa602496d.app.anmorencai.com" url="-" action="drop"


    Max.
  • In reply to MassimoDalla Giustina:

    No, there's a DNS packet trying to resolve the domain, which is on a blacklist. And this packet is destined to your IP address.

    If you have multiple IP addresses on your firewall you get multiple mails, one for each of the addresses. And if you have a DNAT to an internal server, your internal server is also listed as destination.
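The two explanations above (queries being sprayed at every reachable address as if looking for open resolvers, and one alert per public IP because the packet is destined to that IP) can be checked directly against the log. The following is an added example, not code from this thread or from Sophos: it parses afcd lines in the key="value" format pasted throughout the thread, counts drops per source, per destination and per queried zone, and reports how many distinct local addresses each source touched. The five afcd lines in SAMPLE_LOG are copied from the posts above; the sshd line is constructed noise to show that records from other daemons are skipped; the 6/17 to TCP/UDP mapping is the standard IANA protocol numbering. The function and variable names are mine, not anything from the UTM.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: five afcd ATP drops copied from the thread, plus one
# constructed sshd line to exercise the "skip non-afcd records" path.
SAMPLE_LOG = """\
2016:03:20-03:46:53 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.101" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="YwTB6532e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-03:47:51 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.107" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="DnvS6b32e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-03:50:00 wall-1 sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 50000
2016:03:20-03:57:14 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="62.225.50.97" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="ILxQ6132e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.225" dstip="62.154.197.164" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="zQFna4c59a3e.app.anmorencai.com" url="-" action="drop"
2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="62.154.197.163" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="wQHMa3c59a3e.app.anmorencai.com" url="-" action="drop"
"""

# "<timestamp> <device> <process>[<pid>]: <key="value" ...>" as seen in the thread.
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<device>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers


def parse_afcd_line(line):
    """Return a dict of fields for an afcd record, or None for lines from other daemons."""
    m = HEADER_RE.match(line)
    if not m or m.group("proc") != "afcd":
        return None
    rec = {"ts": m.group("ts"), "device": m.group("device"), "pid": int(m.group("pid"))}
    rec.update(KV_RE.findall(m.group("body")))  # key="value" pairs become dict entries
    return rec


def parse_afcd_log(text):
    """Keep only ATP drops; other afcd messages and non-afcd lines are ignored."""
    recs = []
    for line in text.splitlines():
        rec = parse_afcd_line(line)
        if rec and rec.get("name") == "Packet dropped (ATP)":
            recs.append(rec)
    return recs


def queried_zone(host):
    """Strip the leftmost, per-query random label so the queries group by zone."""
    return host.split(".", 1)[1] if "." in host else host


def summarize(recs):
    """Counts a triage would want: per source, per local address, per zone, per threat, per protocol."""
    return {
        "total": len(recs),
        "by_srcip": Counter(r["srcip"] for r in recs),
        "by_dstip": Counter(r["dstip"] for r in recs),
        "by_zone": Counter(queried_zone(r["host"]) for r in recs),
        "by_threat": Counter(r["threatname"] for r in recs),
        "by_proto": Counter(PROTO_NAMES.get(r["proto"], r["proto"]) for r in recs),
    }


def fanout(recs):
    """Distinct local destinations per source. A source that walks across several of
    your public addresses looks like a scan of the address space, not a host calling home."""
    targets = defaultdict(set)
    for r in recs:
        targets[r["srcip"]].add(r["dstip"])
    return {src: len(dsts) for src, dsts in targets.items()}


def source_block_list(recs):
    """Unique source addresses in numeric order, the list the support reply suggests blocking."""
    return sorted({r["srcip"] for r in recs}, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    recs = parse_afcd_log(SAMPLE_LOG)
    s = summarize(recs)
    print(f"{s['total']} ATP drops, zones={dict(s['by_zone'])}, proto={dict(s['by_proto'])}")
    for src, n in fanout(recs).items():
        print(f"{src}: {s['by_srcip'][src]} packet(s) to {n} distinct local address(es)")
    print("candidate source block list:", source_block_list(recs))
```

Run against a real export, the by_dstip counter is what shows one entry per public address (and per DNAT target), and by_zone collapses the random leftmost labels into the single zone the ATP list matched on; whether the drops are inbound queries rather than outbound beacons is visible from srcip/dstip alone, since dstip is the local side in every record here.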