C2/Generic-A Originating from AFCd?

Hi everyone, looks like I have a similar situation to a few people.

NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But it seems to be originating from AFCd? Any idea what this is?

Googling has given me no ideas. Any ideas anyone?

  • I am having the same issue. It seems to be attempting to reach the domain <random>.app.anmorencai.com

    Some information I have found:

    Parent server gave glue for app.anmorencai.com to be app.anmorencai.com.qingcdn.com but we resolve that hostname to 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103

    Local NS list does not match Parent NS list
    140.205.228.52 was reported by the parent, but not locally
    140.205.228.51 was reported by the parent, but not locally
    183.61.63.103 was reported locally, but not by the parent


    Though I am unsure what the Origin AFCd is?

  • Is this a massive DNS cache poisoning attempt by the Chinese military?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Reporting in that I've gotten the same traffic today (3/20/16)

    2016:03:20-00:07:09 sophosedge afcd[14692]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" 
    name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="[my ip address]" fwrule="63001" proto="17"
    threatname="C2/Generic-A" status="1" host="pqyoebe38318.app.anmorencai.com" url="-" action="drop"
  • We have the same issue to all our public IP addresses:

    2016:03:20-05:39:41 ghp-gw-01-1 afcd[13499]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="OUR-PUBLIC-IP-RANGE" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="XxcO2af85050.app.anmorencai.com" url="-" action="drop"
    2016:03:20-05:55:16 ghp-gw-01-1 afcd[13499]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.226" dstip="OUR-PUBLIC-IP-RANGE" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="wfpA2ff85050.app.anmorencai.com" url="-" action="drop"



    Does anyone have an idea what this is?

  • Yep, here too (Germany). Started Sunday morning, all Chinese IPs:

    2016:03:20-03:46:53 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.101" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="YwTB6532e13e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-03:47:51 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.107" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="DnvS6b32e13e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-03:57:14 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="62.225.50.97" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="ILxQ6132e13e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.225" dstip="62.154.197.164" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="zQFna4c59a3e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="62.154.197.163" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="wQHMa3c59a3e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-04:17:28 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.227" dstip="62.154.197.162" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1"
  • Same here on 3/20/16, in Belgium

    2016:03:20-04:41:11 fwutm61-2 afcd[27912]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="(OUR IP ADDRESS)" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="qFaY264ff651.app.anmorencai.com" url="-" action="drop"

  • Definitely Chinese IPs: attempting to get assistance from Support to diagnose

  • Hi all,


    Same thing here on Sunday morning.

    2016:03:20-03:48:01 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="my public ip 2" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="aTic4b059350.app.anmorencai.com" url="-" action="drop"
    2016:03:20-04:30:17 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.227" dstip="my public ip 1" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="MsVW95f9ed2e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-05:28:02 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.225" dstip="my public ip 1" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="rlSd95f9ed2e.app.anmorencai.com" url="-" action="drop"
    2016:03:20-06:26:19 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="my public ip 1" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="RETV95f9ed2e.app.anmorencai.com" url="-" action="drop"


    I am curious what this is. Seems to go to all our public interfaces.

    Regards

    Jan
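A small triage script for the afcd ATP log lines quoted throughout this thread, added here as an example (it is not from any of the posters, nor a Sophos tool). It parses the UTM `key="value"` packetfilter format, tallies the drops by source IP and by parent domain, and checks one pattern visible in the entries where dstip is not redacted (the wall-1 lines from Germany): the last eight hex characters of each "random" host label are the destination IP's four octets written in reverse order (62.225.50.101 appears as `6532e13e`), so the name tags each probed target rather than being a real C2 hostname. Sample lines 1-3 are the wall-1 entries from the thread; lines 4-5, the documentation-range addresses, the label `XxcO0a7100cb` and the host `scannerhost.example.invalid` are constructed to exercise the matching and non-matching paths.

```python
import re
from collections import Counter

# Constructed sample log, embedded so the script runs offline.
# Lines 1-3: wall-1 entries as quoted in the thread.
# Lines 4-5: constructed (RFC 5737 addresses, made-up labels and device names).
SAMPLE_LOG = """\
2016:03:20-03:46:53 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.101" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="YwTB6532e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-03:47:51 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.107" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="DnvS6b32e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.225" dstip="62.154.197.164" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="zQFna4c59a3e.app.anmorencai.com" url="-" action="drop"
2016:03:20-05:39:41 ghp-gw-01-1 afcd[13499]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="203.0.113.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="XxcO0a7100cb.app.anmorencai.com" url="-" action="drop"
2016:03:20-06:00:00 example-fw afcd[100]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="198.51.100.5" dstip="203.0.113.11" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="scannerhost.example.invalid" url="-" action="drop"
"""

# "<timestamp> <device> <process>[<pid>]: key="value" key="value" ..."
HEADER_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "TCP", "17": "UDP"}


def parse_line(line):
    """Parse one afcd line into a dict; return None if it is not in this format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "device": m["device"],
           "process": m["proc"], "pid": int(m["pid"])}
    rec.update(KV_RE.findall(m["kv"]))          # quoted values may contain spaces
    rec["proto_name"] = PROTO_NAMES.get(rec.get("proto", ""), "other")
    return rec


def parse_log(text):
    """Parse every line of a log excerpt, skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def decode_label_ip(label):
    """Interpret the last 8 hex chars of a host label as an IPv4 address
    with its octets in reverse order; None if the tail is not hex."""
    tail = label[-8:]
    if len(tail) != 8 or any(c not in "0123456789abcdefABCDEF" for c in tail):
        return None
    octets = [int(tail[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets))


def summarize(records):
    """Counts a defender wants first: who sends it, which domain, which protocol,
    and how many labels encode the probed destination address."""
    matched, unmatched = 0, []
    for r in records:
        host = r.get("host", "-")
        if decode_label_ip(host.split(".", 1)[0]) == r.get("dstip"):
            matched += 1
        else:
            unmatched.append(host)
    return {
        "total": len(records),
        "by_srcip": Counter(r.get("srcip") for r in records),
        "by_domain": Counter(r["host"].split(".", 1)[1]
                             for r in records if "." in r.get("host", "")),
        "protocols": Counter(r["proto_name"] for r in records),
        "actions": Counter(r.get("action") for r in records),
        "dstip_encoded_in_label": matched,
        "label_not_matching_dstip": unmatched,
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a real `/var/log/packetfilter.log` excerpt by replacing `SAMPLE_LOG` with the file contents. A high `dstip_encoded_in_label` count with all sources in a handful of /24s, UDP only, and every packet already dropped by fwrule 63001 is the signature of inbound probing that the ATP feed happens to classify as C2, not of an internal host phoning home; the hosts to check for compromise are those that appear as `srcip` in outbound drops, which none of the quoted lines show.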