We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
I look at this:
Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 126.96.36.199 (a Sophos property which will eliminate the unauthorized traffic):
And found that some of our desktops were communicating with some of these addresses as early as the 4th of April .
Seems anormal to me. Did XG leaked from WAN to make it to our desktops ??????
Please a quick response.
Also, is this normal ????
Pinging sophosproductupdate.com [127.0.0.1] with 32 bytes of data:Reply from 127.0.0.1: bytes=32 time<1ms TTL=128Reply from 127.0.0.1: bytes=32 time<1ms TTL=128Reply from 127.0.0.1: bytes=32 time<1ms TTL=128Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
There's no entry in the host file for sure. How this could resolve to local ???
Because its public A record has been set to 127.0.0.1.
Other IP you mentioned is from godaddys shared hosting used by numerous of websites
Ok. But why on earth these DNS record are still valid after 4 days ? Shouldn't Sophos make sure they are disabled ?
Could it be usefull in anyway a public record be 127.0.0.1 ? If not, how come it's allowed ?
My thought are that Sophos reported that malicious domain and they changed DNS record to 127.0.0.1 as band-aid fix until domain is taken down.