
C2/Generic Botnet Traffic

Hi All,

So I have a Sophos UTM in bridge mode that basically inspects traffic then passes it to the router an Asus N66U. The UTM does not do routing.

About a month ago I started getting Command and Control notices from the UTM. After some research, it seems my IP is trying to connect to a domain by the name of: worldtvpro.zapto.org.anbdyn.info

After some googling I found out that the worldtvpro.zapto.org domain is owned by a company in Reno, NV called Vitalwerks Internet Solutions, LLC, which from their site appears to offer DynDNS-like services.

I'm having a hard time trying to pinpoint where this 'infection' is coming from; all nodes on my network have been scanned with Malwarebytes Pro, Hitman Pro and the default Sophos AV. I'm fairly certain my machines are OK, but I don't want to label this a false positive until I can be sure. I've read in some Sophos posts that sometimes software phoning home can trigger it, but the hard part is that the Sophos logs only report my public IP and not an internal one, so I can't see if anything with a private IP is trying to call out somewhere.

I do run Kodi with some plugins so this seemed like a likely cause but even with the PC off the alerts are still generated and the system has been scanned with no results.

Sophos classifies it as C2/Generic-A. This is the link it gives as support, but it isn't really of any help.

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A

Any suggestions are appreciated.



  • Forgot to mention I've scanned all systems with no malware results. I took it one step further and unhooked all devices and left only the UTM and my router, and I still got the alerts. I also replaced the router with another one and STILL got the alerts.

    Not sure where to go from here, any help is much appreciated.  This has cost me 3 days of no sleep.

  • Hi,

    If you have public IPs, "Any" or "Internet" listed under Network Services > DNS > Global > Allowed Networks, then change it to "Internal network".

    Finally, do you have a DNS server defined in the Network Protection | Intrusion Prevention | Advanced | DNS server tab? In order to increase performance and minimize the number of false positive alerts, you can specify your internal servers that are protected by the IPS.

    There was a known issue with the previous firmware where UDP DNS packets affected the UTM's ATP detection. This was fixed and mentioned in NUTM-3340.

    If the issue is not resolved from the steps mentioned above, please report it to Support for deep inspection.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thanks for your response.


    I don't have anything listed under the spots you suggested I look, so I'm good there.


    How do I log a support request with Sophos for this? Also, is this a service that I have to pay for?


    Also, is it possible for me to block this domain at the firewall level? Within Sophos, that is.

  • My bad, I thought you had a paid subscription for support.

    This could be a possible DNS cache poisoning attempt on your IP address which is dropped by the UTM's ATP module. The quick fix is to get your public IP address changed by the ISP. Alongside this, go to Management | Up2Date and verify that the UTM patterns are up to date. This could also be caused by a pattern update.

    Finally, if you have an internal server hosted through a DNAT policy then it could be listed as the destination in the logs.

    Cheers-

    Sachin Gurung
    Team Lead | Sophos Technical Support
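The check behind Sachin's cache-poisoning hypothesis, as an added Python example (not Sophos code, and not how the UTM's ATP module is implemented): a resolver should only accept a DNS answer whose transaction ID, question name and destination port all match a query it actually sent, and anything else is a candidate spoofed answer worth alerting on. The pending-query table, packets and ports below are constructed.

```python
import struct

# Constructed pending-query table: (transaction id, qname) -> ephemeral port the
# query left from. A real resolver keeps one entry per in-flight query.
OUTSTANDING = {(0x1A2B, "example.com"): 40123}

def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(data, off):
    """Decode labels starting at off (question names are never compressed)."""
    labels = []
    while data[off] != 0:
        length = data[off]
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), off + 1

def build_response(txid, qname, ip):
    """Constructed sample: a minimal DNS response carrying one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, 1 Q, 1 A
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # type A, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answer

def classify_response(pkt, dst_port, outstanding):
    """Accept only answers matching a pending query on id, name and port;
    everything else is a candidate spoofed (cache-poisoning) answer."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if not flags & 0x8000 or qdcount != 1:
        return "not-a-response"
    qname, _ = decode_name(pkt, 12)
    key = (txid, qname.lower())
    if key not in outstanding:
        return "unsolicited"      # no pending query with this id and name
    if outstanding[key] != dst_port:
        return "port-mismatch"    # right id and name, but aimed at a guessed port
    return "expected"

def demo():
    """Classify three constructed answers against the pending-query table."""
    good = build_response(0x1A2B, "example.com", "93.184.216.34")
    wrong_id = build_response(0x9999, "example.com", "198.51.100.7")
    return [classify_response(good, 40123, OUTSTANDING),
            classify_response(good, 53000, OUTSTANDING),
            classify_response(wrong_id, 40123, OUTSTANDING)]
```

Only the first packet would be accepted; the other two are the kind of mismatched answer a perimeter device logs as a poisoning attempt even though nothing inside the network asked for it.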

  • How do I open a support ticket and what's the pricing model?

  • It's not practical for a home user, Keith. What problem are you having?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    It's all laid out above, but I will update my latest test. I removed all devices from the network except the UTM and router, and I still get these ATP notices. Even after getting a new IP address from my ISP via DHCP again, I still get the notices.

    So there is no egress traffic leaving the network, so I'm at a loss. I don't know if this could be a false positive, but I want to be sure before I suppress these notifications.

    Any other suggestions on how to get to the bottom of this?


    Let me know if you need any other info.  The setup for this network is fairly straightforward, there are no web facing servers or any other obscure settings.

  • DynDNS... I just looked more closely at your original post. Do you have a No-IP.com entry configured?

    Cheers - Bob

  • I do not, and never did. I wonder if somehow the public IPs I'm getting from my ISP were registered with No-IP.com at some point?