
Malicious?

Hi There,

Just saw this on our Web Protection > Top Users By Traffic

Any idea why it is showing a long string of lines, or possibly a domain, instead of an IP?

Is this a compromised machine?

Is this something that they're trying to access?

Is this the user being on a VPN?
  • These seem to be just normal resolved domains. It looks like the other IPs are just internal IPs and there is no reverse lookup configured.

    Maybe tell us a little more regarding your infrastructure.

    Best

    Alex

  • Hey Paolo,

    Also, show what you have in 'Allowed Networks' in your Web Filtering Profiles.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Well, we have a few internal VLANs, including the 172.16.0.0 network, which you can see in the first image.

    We have internal corporate, IT, management, and four student VLANs (different courses).

    We have a DNS/DHCP server for corporate and none for students. The DHCP for students is being handled by the firewall, with no reverse lookup, as you can see.

    I was under the impression that it only shows internal IP addresses, and that if something like this shows up, the machine is compromised.


  • I asked about 'Allowed Networks' because I wanted to confirm that you had nothing in there that would open you to an external client.  This would include the Default Profile and any other Web Filtering Profile(s) that you have defined.

    Cheers - Bob
  • I'm thinking that if these are just resolved domains, then that would mean we would have an internal domain like this, right? But we don't.

  • Well, they do resolve to external IPs, so I would check your network and UTM configuration for holes. Somehow those hosts are using your web proxy, it appears.

    p196235-ipngn200304sinnagasak.nagasaki.ocn.ne.jp. 86381 IN A 180.10.1.235

    p196233-ipngn200304sinnagasak.nagasaki.ocn.ne.jp. 86400 IN A 180.10.1.233

    Regards,

    Giovani
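As an added example (not part of the thread or of Sophos UTM), here is the check Bob and Giovani describe in script form: each "Top Users By Traffic" entry is mapped to an address and compared against the Allowed Networks, so clients that resolve outside them stand out. The 172.16.0.0 network and the two A records come from the thread; the other allowed ranges and the resolver table are assumptions constructed so the script runs offline.

```python
# Added example: classify UTM "Top Users By Traffic" entries as internal or
# external proxy clients. Entries are plain IPs or reverse-resolved hostnames;
# hostnames are mapped to addresses via a lookup table standing in for DNS.
import ipaddress
import re

# Networks the proxy should serve ('Allowed Networks' in the Web Filtering
# Profile). 172.16.0.0 is from the thread; the other two are assumed RFC 1918.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")]

# Constructed resolver table: the two A records quoted in the thread plus a
# made-up internal student host.
RESOLVED = {
    "p196235-ipngn200304sinnagasak.nagasaki.ocn.ne.jp": "180.10.1.235",
    "p196233-ipngn200304sinnagasak.nagasaki.ocn.ne.jp": "180.10.1.233",
    "pc-lab01.students.example": "172.16.40.21",
}

HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$", re.I)


def to_address(entry, resolver=RESOLVED):
    """Return the IP for a report entry (plain IP or known hostname), else None."""
    try:
        return ipaddress.ip_address(entry)
    except ValueError:
        pass
    name = entry.rstrip(".").lower()          # drop the trailing dot of a FQDN
    if HOSTNAME_RE.match(name) and name in resolver:
        return ipaddress.ip_address(resolver[name])
    return None


def classify(entry, allowed=ALLOWED_NETWORKS, resolver=RESOLVED):
    """'internal' inside an allowed network, 'external' outside, 'unresolved' if unmappable."""
    addr = to_address(entry, resolver)
    if addr is None:
        return "unresolved"
    return "internal" if any(addr in net for net in allowed) else "external"


def external_clients(entries, allowed=ALLOWED_NETWORKS, resolver=RESOLVED):
    """Entries worth investigating: proxy clients outside the Allowed Networks."""
    return [e for e in entries if classify(e, allowed, resolver) == "external"]


if __name__ == "__main__":
    report = ["172.16.10.5", "pc-lab01.students.example",
              "p196235-ipngn200304sinnagasak.nagasaki.ocn.ne.jp.",
              "p196233-ipngn200304sinnagasak.nagasaki.ocn.ne.jp."]
    for e in report:
        print(f"{classify(e):10} {e}")
```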