C2/Generic-A AFCd

I'm having multiple UTMs reporting a C2/Generic-A from IP address: 45.33.9.234. I have scanned every server/PC that is reporting on and there is never anything there. I believe this is a false positive and I cannot get Sophos to help me out on this one. I've been hung up on twice and all the support reps can tell me is that the PCs are infected and that there's nothing they can do before hanging up.
  • Well that URL is certainly classified as a call home URL.  Even with Sophos Home, the web protection piece returns:

    If I just:
    telnet 45.33.9.234 80

    so the connection gets to the UTM, then looking under:
    "Advanced Threat Protection" -> "Open Live Log"

    Then I see:

    So the client 192.168.0.10 is making an attempt to connect to that IP.

    Do you have one or more clients in this list?  

    What operating system are they?

    Do the times of the alerts for say the same endpoint fit a pattern?

    Could you run a tool such as Process Monitor (just network activity) during these times to see if a process is making a connection to the IP in question?

    If no pattern can be established and you need to run something silently or for a longer period of time, you could install Sysmon on these clients (again if Windows) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.  E.g. To install and monitor network connections being made:

    Sysmon64.exe -i -n

    If you get a new alert from a client running Sysmon you could then run (PowerShell command prompt):

    Get-WinEvent -Path "C:\windows\System32\Winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" | Where-Object { $_.Message -match "DestinationIp: 45.33.9.234" } | Out-GridView

    To give you some info about the user/process etc...  Consider a different output format as needed.

    If you can get a process name, you'll be there :)  If you had Sophos XG firewall and the Central Endpoint, then the client would give the firewall the process in question.  https://vimeo.com/144918393 covers it to some degree.

    Regards,
    Jak

  • I'm also receiving this on two completely separate UTMs at two completely separate companies.

    Here's an example from the ATP log. The internal source IP below is the DNS server at this client so I'm thinking it's technically not coming from there. Exact same logs from the other UTM - the source IP is the internal DNS.

    2017:08:18-13:44:38 utm afcd[13941]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.1.200" dstip="203.50.2.71" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="45.33.9.234" url="-" action="drop"

    One client runs Trend Micro AV and the other ESET. Neither are reporting anything at this stage and neither client has reported any locked files or other ransomware activity and it's now been several days.

    https://ransomwaretracker.abuse.ch/ip/45.33.9.234/
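    As an added example (not posted by anyone in this thread and not Sophos code), here is a small Python parser for the afcd log format quoted above. It splits each line into its timestamp, daemon and key="value" fields, keeps only the ATP drops, and groups them per source IP with first/last time and the alert window, which is the pattern check Jak asked for. It also applies a heuristic that is my assumption rather than UTM documentation: proto="17" is UDP, and when dstip differs from the flagged host the drop most likely happened on the DNS lookup for that host, so srcip is the internal resolver (the DC/DNS server people are seeing) rather than the endpoint that asked for the name. The sample lines other than the first are constructed; 192.0.2.10 and example.invalid are documentation placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: line 1 is the afcd line quoted in the thread; lines 2-5 are
# made-up variants in the same format (a repeat from the same resolver, a
# DNS-stage drop from a second internal host, a direct TCP drop from a
# workstation, and an unrelated httpproxy line that must be ignored).
SAMPLE_LOG = [
    '2017:08:18-13:44:38 utm afcd[13941]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.1.200" dstip="203.50.2.71" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="45.33.9.234" url="-" action="drop"',
    '2017:08:18-13:44:41 utm afcd[13941]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.1.200" dstip="203.50.2.71" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="45.33.9.234" url="-" action="drop"',
    '2017:08:18-13:45:02 utm afcd[13941]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.1.55" dstip="203.50.2.71" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="45.33.9.234" url="-" action="drop"',
    '2017:08:18-13:46:10 utm afcd[13941]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.10" dstip="45.33.9.234" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="45.33.9.234" url="-" action="drop"',
    '2017:08:18-13:46:12 utm httpproxy[5102]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" srcip="192.168.0.10" dstip="192.0.2.10" url="http://example.invalid/" action="pass"',
]

# "YYYY:MM:DD-HH:MM:SS host daemon[pid]: key="value" key="value" ..."
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) '
    r'(?P<hostname>\S+) (?P<daemon>[^\[]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not in UTM log format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y:%m:%d-%H:%M:%S")
    rec.update(KV_RE.findall(rec.pop("rest")))  # quoted values may contain spaces
    return rec


def atp_alerts(lines):
    """Keep only afcd records that carry a threatname (the ATP drops)."""
    return [r for r in (parse_line(l) for l in lines)
            if r and r.get("daemon") == "afcd" and r.get("threatname")]


def is_dns_stage(rec):
    """Heuristic (assumption, not UTM documentation): a UDP drop whose dstip is not
    the flagged host was blocked on the DNS lookup, so srcip is the resolver."""
    return rec.get("proto") == "17" and rec.get("dstip") != rec.get("host")


def summarize(alerts):
    """Group ATP drops per source IP: count, time window, hosts, DNS-stage flag."""
    by_src = defaultdict(list)
    for r in alerts:
        by_src[r["srcip"]].append(r)
    out = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        out[src] = {
            "count": len(recs),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
            "window_seconds": int((recs[-1]["ts"] - recs[0]["ts"]).total_seconds()),
            "threats": sorted({r["threatname"] for r in recs}),
            "hosts": sorted({r["host"] for r in recs}),
            "dns_stage": all(is_dns_stage(r) for r in recs),
        }
    return out


def report(summary):
    """Human-readable lines, one per source IP, with the next investigative step."""
    lines = []
    for src, s in sorted(summary.items()):
        where = ("resolver; check this DNS server's query log for the client that asked"
                 if s["dns_stage"] else "endpoint; run Sysmon/ProcMon here for the process")
        lines.append(f'{src}: {s["count"]} drop(s) in {s["window_seconds"]}s, '
                     f'{",".join(s["threats"])} -> {",".join(s["hosts"])} [{where}]')
    return lines


if __name__ == "__main__":
    for line in report(summarize(atp_alerts(SAMPLE_LOG))):
        print(line)
```

    Feed it the afcd lines from the UTM log (the "Packet dropped (ATP)" entries) instead of SAMPLE_LOG; a source that only ever appears as DNS-stage is a resolver, and the originating client has to be found in that server's DNS query or debug log, which is exactly how the thread's DNS-redirect case was eventually traced.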

  • Jak,

    The clients are always the acting domain controllers. The operating systems are usually Windows Server 2008 R2 and Windows Server 2012 R2. The alerts are always for the same destination IP and the alerts happen within a minute time span and then I never see them again. I have DNS debug set on every server that is affected and I see the traffic but it's always reaching out from the DC to the malicious IP. I have scanned everything on these servers multiple times, across all of the clients that are seeing this, and still nothing. I've tried Wireshark but the alerts usually never return. I'm currently seeing this across six clients.

  • This is exactly what I'm seeing. Do you get repeated alerts or is it just one day and then it goes away?

  • Would you consider running Sysmon on one or two of these in order to confirm the process making the connection to the IP in question?


  • Jak, 

    I can certainly try. I'm not sure if the alerts will come up again but I will try this and get back to this if the alerts reoccur. 

  • Hi everyone. 

    I'm having the same problems with this IP.

    I ran the TCPLogView from NirSoft instead of the MS tool. But it doesn't show any connection to this IP address. It should show even if it's blocked?

    I will try with Sysmon now. (Tried HitmanPro and Symantec for removal. Nothing found)

    I'm wondering if any "normal" software had used this IP for development and is now trying to reach it.

    The user who has this problem has:

    Cisco Anywhere Connect, Citrix Receiver, WebEx installed, Bonjour Service - everything else looks like Standard to me.

    Best regards

    Stephan

  • Hi,

    I have the same problems with this IP on my UTM.

    Does somebody know where this problem comes from?

    I scanned the concerned computers and I found nothing...

    Thanks.

  • I found my problem. It was a hacked DNS entry or misconfiguration of a customer of ours.

    The Cisco VPN Client connects to this DNS entry and gets redirected to the malicious IP.

    As this is a customer installation I will forward the notice to their IT.

    Monitor the DNS servers to get the failed DNS entry. I used Sysmon and got nothing because the DNS request got blocked in the first place.

  • Hi

    I see the same alert on five different devices. It's always the same IP: 45.33.9.234

    First seen: 21.08.2017

    last seen: today