
ATP Alerts Tor Exit Nodes

Hi All,

I wonder if anyone can help me clarify the following. We started receiving standard ATP alerts over the past month, as per below. Usually I'm able to investigate these alerts, and they are either DNS recursive queries performed by our forwarders on spam domain emails received and rejected by the SMTP proxy, or web session hijack attempts trying to redirect traffic to malicious domains. But recently I've been baffled by a recurrent alert, as below, which I'm not able to make much sense of. I parsed the logs for our SMTP proxy, which show traffic to a Tor node from what I can only assume are SMTP connections rejected by the UTM. Does anyone have any idea on this?

2021:10:27-12:50:55 srvutm-1 exim-in[8916]: 2021-10-27 12:50:55 SMTP connection from [185.220.100.254]:31034 (TCP/IP connection count = 4)
2021:10:27-12:50:57 srvutm-1 exim-in[23862]: 2021-10-27 12:50:57 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:31034 SSL_accept: TCP connection closed by peer
2021:10:27-12:50:57 srvutm-1 exim-in[8916]: 2021-10-27 12:50:57 SMTP connection from [185.220.100.254]:32560 (TCP/IP connection count = 4)
2021:10:27-12:51:01 srvutm-1 exim-in[23909]: 2021-10-27 12:51:01 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:32560 SSL_accept: TCP connection closed by peer
2021:10:27-17:12:32 srvutm-1 exim-in[8916]: 2021-10-27 17:12:32 SMTP connection from [185.220.100.254]:14154 (TCP/IP connection count = 2)
2021:10:27-17:12:33 srvutm-1 exim-in[5631]: 2021-10-27 17:12:33 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:14154 SSL_accept: TCP connection closed by peer
2021:10:29-03:34:26 srvutm-1 exim-in[6731]: 2021-10-29 03:34:26 SMTP connection from [185.220.100.254]:22392 (TCP/IP connection count = 1)
2021:10:29-03:34:28 srvutm-1 exim-in[18207]: 2021-10-29 03:34:28 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:22392 SSL_accept: TCP connection closed by peer

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Advanced Threat Protection Details
Total Events: 2
#  User/Host      Threat Name   Destination      Events  Origin
1  192.168.7.250  C2/Generic-A  185.220.100.254
2  192.168.7.250  C2/Generic-A  185.220.100.254

  • Hi all,  

    We got pretty much the same; since no one is really sharing the logs, here you go.  

    I first got the threat protection alerts; they pop up every now and then ever since and look like this:  

    2021:11:04-04:50:46 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-2>" dstip="176.97.158.104" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  
    2021:11:04-04:50:46 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-1>" dstip="5.189.135.105" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  
    2021:11:04-04:50:47 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-2>" dstip="5.189.135.105" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  
    2021:11:04-04:50:48 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-2>" dstip="192.174.68.104" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  
    2021:11:04-04:50:48 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-1>" dstip="176.97.158.104" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  
    2021:11:04-04:50:50 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-2>" dstip="176.97.158.104" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  
    2021:11:04-04:50:50 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-1>" dstip="192.174.68.104" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  
    2021:11:04-04:50:51 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-2>" dstip="5.189.135.105" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  
    2021:11:04-04:50:53 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-2>" dstip="176.97.158.104" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  
    2021:11:04-04:50:53 afcd[16680]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="<dns-resolverip-1>" dstip="176.97.158.104" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="185.220.100.254" url="-" action="drop"  

    I can also find these IPs or hosts from the ATP alerts in the smtp.log, with connections to zbau.f3netze.de (which is incidentally a big rack of Tor exit nodes ;D):  

    smtp.log:2021:11:04-00:49:20 exim-in[18376]: 2021-11-04 00:49:20 TLS error on connection from tor-exit-1.zbau.f3netze.de [185.220.100.252]:6794 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-00:49:21 exim-in[18391]: 2021-11-04 00:49:21 TLS error on connection from tor-exit-1.zbau.f3netze.de [185.220.100.252]:32658 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-00:49:22 exim-in[18393]: 2021-11-04 00:49:22 TLS error on connection from tor-exit-1.zbau.f3netze.de [185.220.100.252]:20700 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-00:49:35 exim-in[18411]: 2021-11-04 00:49:35 TLS error on connection from tor-exit-15.zbau.f3netze.de [185.220.100.242]:27916 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-00:49:36 exim-in[18415]: 2021-11-04 00:49:36 TLS error on connection from tor-exit-41.for-privacy.net [185.220.101.41]:6746 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-00:49:38 exim-in[18420]: 2021-11-04 00:49:38 TLS error on connection from tor-exit-41.for-privacy.net [185.220.101.41]:16614 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-01:57:53 exim-in[28532]: 2021-11-04 01:57:53 SMTP connection from tor-exit-57.for-privacy.net [185.220.101.57]:32132 lost D=9s  
    smtp.log:2021:11:04-02:07:06 exim-in[29956]: 2021-11-04 02:07:06 SMTP connection from tor-exit-3.zbau.f3netze.de (example.com) [185.220.100.254]:16350 lost D=14s  
    smtp.log:2021:11:04-02:07:19 exim-in[30050]: 2021-11-04 02:07:19 TLS error on connection from tor-exit-52.for-privacy.net [185.220.101.52]:21002 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-02:07:30 exim-in[30064]: 2021-11-04 02:07:30 TLS error on connection from tor-exit-39.for-privacy.net [185.220.101.39]:3820 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-04:49:30 exim-in[22125]: 2021-11-04 04:49:30 SMTP connection from tor-exit-4.zbau.f3netze.de [185.220.100.255]:31086 lost D=9s  
    smtp.log:2021:11:04-04:50:45 exim-in[22329]: 2021-11-04 04:50:45 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:23528 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-04:50:49 exim-in[22357]: 2021-11-04 04:50:49 TLS error on connection from tor-exit-61.for-privacy.net [185.220.101.61]:12074 SSL_accept: TCP connection closed by peer  
    smtp.log:2021:11:04-04:50:49 exim-in[22360]: 2021-11-04 04:50:49 TLS error on connection from tor-exit-61.for-privacy.net [185.220.101.61]:22906 SSL_accept: TCP connection closed by peer  

    Checking the DNS resolver log, I see that the queries (which are probably the trigger for the ATP) are coming from the same DMZ network our resolvers are in.  

    More precisely, the IP of the UTM.  

    query.log:04-Nov-2021 00:49:34.459 queries: info: client <utm-ip-in-same-dmz>  #43912 (tor-exit-15.zbau.f3netze.de): query: tor-exit-15.zbau.f3netze.de IN AAAA +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 00:49:34.478 queries: info: client <utm-ip-in-same-dmz>  #27468 (tor-exit-15.zbau.f3netze.de): query: tor-exit-15.zbau.f3netze.de IN A +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 00:49:36.084 queries: info: client <utm-ip-in-same-dmz>  #29089 (tor-exit-41.for-privacy.net): query: tor-exit-41.for-privacy.net IN AAAA +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 00:49:36.101 queries: info: client <utm-ip-in-same-dmz>  #31538 (tor-exit-41.for-privacy.net): query: tor-exit-41.for-privacy.net IN A +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 02:06:51.686 queries: info: client <utm-ip-in-same-dmz>  #31999 (tor-exit-3.zbau.f3netze.de): query: tor-exit-3.zbau.f3netze.de IN AAAA +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 02:06:51.708 queries: info: client <utm-ip-in-same-dmz>  #42153 (tor-exit-3.zbau.f3netze.de): query: tor-exit-3.zbau.f3netze.de IN A +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 02:06:54.145 queries: info: client <utm-ip-in-same-dmz>  #30893 (tor-exit-3.zbau.f3netze.de): query: tor-exit-3.zbau.f3netze.de IN A +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 02:07:18.885 queries: info: client <utm-ip-in-same-dmz>  #42093 (tor-exit-52.for-privacy.net): query: tor-exit-52.for-privacy.net IN AAAA +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 02:07:18.893 queries: info: client <utm-ip-in-same-dmz>  #27836 (tor-exit-52.for-privacy.net): query: tor-exit-52.for-privacy.net IN A +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 02:07:29.849 queries: info: client <utm-ip-in-same-dmz>  #41313 (tor-exit-39.for-privacy.net): query: tor-exit-39.for-privacy.net IN AAAA +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 02:07:29.865 queries: info: client <utm-ip-in-same-dmz>  #40659 (tor-exit-39.for-privacy.net): query: tor-exit-39.for-privacy.net IN A +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 04:50:44.560 queries: info: client <utm-ip-in-same-dmz>  #41455 (tor-exit-3.zbau.f3netze.de): query: tor-exit-3.zbau.f3netze.de IN A +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 04:50:48.579 queries: info: client <utm-ip-in-same-dmz>  #36116 (tor-exit-61.for-privacy.net): query: tor-exit-61.for-privacy.net IN AAAA +E(0)DV (<dns-resolverip-1>)  
    query.log:04-Nov-2021 04:50:48.594 queries: info: client <utm-ip-in-same-dmz>  #40565 (tor-exit-61.for-privacy.net): query: tor-exit-61.for-privacy.net IN A +E(0)DV (<dns-resolverip-1>)  

    Hope that helps.  

    Best,  

      Marius  
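Added here as an illustration, not code from Marius or from Sophos: a small Python script that correlates the three log formats quoted above (afcd ATP drop, exim smtp.log, BIND query.log) and reports, for each C2/Generic-A drop, whether an inbound SMTP connection from the flagged Tor exit IP and a forward lookup of its reverse-DNS name occurred seconds earlier, i.e. whether the alert is explained by the UTM's own lookups on a rejected connection rather than by a client. The sample log lines are constructed in those formats; the 10.0.0.x addresses are placeholders for the resolvers and the UTM.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the three formats quoted in the thread (UTM afcd ATP log,
# exim smtp.log, BIND query.log). The Tor exit IPs/hostnames are the ones the thread shows;
# the 10.0.0.x addresses are placeholders for the two resolvers and the UTM.
ATP_LOG = """\
2021:11:04-04:50:46 afcd[16680]: id="2022" severity="warn" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.0.2" dstip="176.97.158.104" proto="17" threatname="C2/Generic-A" host="185.220.100.254" url="-" action="drop"
2021:11:04-04:50:48 afcd[16680]: id="2022" severity="warn" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.0.1" dstip="5.189.135.105" proto="17" threatname="C2/Generic-A" host="185.220.100.254" url="-" action="drop"
"""
SMTP_LOG = """\
2021:11:04-04:49:30 exim-in[22125]: 2021-11-04 04:49:30 SMTP connection from tor-exit-4.zbau.f3netze.de [185.220.100.255]:31086 lost D=9s
2021:11:04-04:50:45 exim-in[22329]: 2021-11-04 04:50:45 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:23528 SSL_accept: TCP connection closed by peer
"""
QUERY_LOG = """\
04-Nov-2021 04:50:44.560 queries: info: client 10.0.0.9#41455 (tor-exit-3.zbau.f3netze.de): query: tor-exit-3.zbau.f3netze.de IN A +E(0)DV (10.0.0.1)
"""

KV = re.compile(r'(\w+)="([^"]*)"')                       # afcd key="value" pairs
SMTP = re.compile(r'^(\S+) exim-in\[\d+\]: .*? from (\S+)(?: \([^)]*\))? \[([\d.]+)\]:\d+')
QUERY = re.compile(r'^(\S+ \S+) queries: info: client ([\d.]+)\s*#\d+ \((\S+)\): query: \S+ IN (?:A|AAAA) ')

def utm_ts(s):
    return datetime.strptime(s, '%Y:%m:%d-%H:%M:%S')

def correlate(atp_log, smtp_log, query_log, window=timedelta(seconds=30)):
    """For each ATP drop, look back `window` for an inbound SMTP connection from the
    flagged 'host' IP and for a forward lookup of that connection's reverse-DNS name.
    Returns one dict per drop; 'explained' is True when both halves of the chain exist."""
    smtp = [(utm_ts(m[1]), m[2], m[3]) for m in map(SMTP.match, smtp_log.splitlines()) if m]
    queries = [(datetime.strptime(m[1], '%d-%b-%Y %H:%M:%S.%f'), m[2], m[3])
               for m in map(QUERY.match, query_log.splitlines()) if m]
    results = []
    for line in atp_log.splitlines():
        ts, _, rest = line.partition(' afcd')
        kv = dict(KV.findall(rest))
        if kv.get('name') != 'Packet dropped (ATP)':
            continue
        t = utm_ts(ts)
        # most recent SMTP connection from the flagged IP inside the window, if any
        conns = [(st, name) for st, name, ip in smtp if ip == kv['host'] and t - window <= st <= t]
        rdns = conns[-1][1] if conns else None
        lookups = [(qt, client) for qt, client, qname in queries
                   if qname == rdns and t - window <= qt <= t]
        results.append({'alert': t, 'host': kv['host'], 'resolver': kv.get('srcip'), 'rdns': rdns,
                        'smtp_delta_s': (t - conns[-1][0]).total_seconds() if conns else None,
                        'query_client': lookups[-1][1] if lookups else None,
                        'explained': bool(conns and lookups)})
    return results
```

A drop with `explained` False (no matching SMTP connection or no lookup from the UTM) is the one worth chasing to an internal host; the rest are the rejected-connection pattern the thread describes.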

  • Thank you for your summary, your logfiles are completely the same as ours. I hope that someone can check that and give us a plausible answer for this case.

  • Interesting that you are all in Northern Europe.  Instead of a bad pattern, this feels more like you all have a PC that's infected with the same malware.  Can anyone identify a device creating these requests and run Malwarebytes, CureIT, etc. to see what's the cause?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It seems like you don't understand our problem: We can't find any infected clients in our networks.

    All logfiles just show the nameservers as the source of the traffic.

    Besides I'm absolutely sure that it is no malware.

    Check this link:

    https://www.abuseipdb.com/check/185.220.100.254

    It seems like a (worldwide) bruteforce attack.

    I just want to know why our internal dns servers are answering to those requests (=> thus creating the ATP alerts).

    The only possible reason I could think of is that our Sophos UTMs are relaying DNS requests to our internal nameservers (which doesn't cause any harm but would explain the ATP alerts).

  • Of course it seems like we all are coming from Northern Europe, mostly Germany, because the Tor network is f3netze.de and this is a German domain. But that doesn't mean anything.

    Like HNNG said, we checked all our clients and servers; we also have Sophos Intercept X with EDR on all hosts and there is no detection alert. The time stamp when the ATP is detected is not during our regular work time. It is sometimes at night and sometimes during our work time.
