
ATP reporting source as external address since u2d-aptp-9.36793

Since the installation of u2d-aptp-9.36793 on 2020:09:09 our ATP module is showing almost daily attacks but from external IPs only.

ATP should only show internal IPs. The destination IP in all cases was a DNS Server of ours in the DMZ.

2020:09:09-07:31:43 firewall auisys[16268]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="9.36793" package="aptp" 

aptp-2020-09-09.log.gz:2020:09:09-07:59:52 firewall afcd[17201]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.96.124.168" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="1lppdbn13qu7fs1e40vx18vjqi7.biz" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-12:09:02 firewall afcd[27065]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="120.71.145.56" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="arilco.com" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-12:19:11 firewall afcd[27065]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="14.116.153.164" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="adventureify.com" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-13:05:31 firewall afcd[7506]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="42.101.44.81" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="biggggigig2017888.com" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-14:56:36 firewall afcd[7506]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="208.123.119.244" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="check-ip.online" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-19:50:27 firewall afcd[21089]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="128.14.236.245" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="form.myftp.org" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-23:06:45 firewall afcd[13873]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="175.6.72.6" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="hostingnet.ru" url="-" action="drop"
aptp-2020-09-10.log.gz:2020:09:10-00:11:14 firewall afcd[13873]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="110.92.66.4" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="likrnine.net" url="-" action="drop"
aptp-2020-09-10.log.gz:2020:09:10-01:17:38 firewall afcd[21616]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="112.73.83.215" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="lacoste-discount.com" url="-" action="drop"
aptp-2020-09-10.log.gz:2020:09:10-02:46:06 firewall afcd[21616]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="110.92.66.4" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="olip.me" url="-" action="drop"
aptp-2020-09-11.log.gz:2020:09:11-02:36:15 firewall afcd[18898]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="43.243.129.37" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="ahahny.com" url="-" action="drop"
aptp-2020-09-11.log.gz:2020:09:11-18:05:04 firewall afcd[9860]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="128.1.37.48" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="ahahny.com" url="-" action="drop"
aptp-2020-09-11.log.gz:2020:09:11-20:12:56 firewall afcd[14997]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="140.249.23.235" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="alljsscript.com" url="-" action="drop"
aptp-2020-09-11.log.gz:2020:09:11-23:44:50 firewall afcd[30544]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="114.118.18.218" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="arilco.com" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:16:54 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.96.124.168" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="ahahny.com" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:16:56 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.96.124.168" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="ahahny.com" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:20:08 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="49.64.220.49" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="akinvest.net" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:20:11 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="49.64.220.49" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="akinvest.net" url="-" action="drop"
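To sort alerts like the ones above by direction, here is an added triage script (my own example, not Sophos code): it parses the afcd key="value" lines, treats an RFC1918 srcip as the expected "internal client talked to a C2 host" case, and flags everything else as a suspect entry whose direction is inverted, counted per threat name and DMZ target. The sample lines are constructed in the same format; the hostnames are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the afcd "Packet dropped (ATP)" lines quoted above.
SAMPLE_LOG = """\
2020:09:09-07:59:52 firewall afcd[17201]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.96.124.168" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="c2-placeholder.invalid" url="-" action="drop"
2020:09:09-12:09:02 firewall afcd[27065]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.1.50.20" dstip="198.51.100.7" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="c2-placeholder.invalid" url="-" action="drop"
2020:09:09-12:19:11 firewall afcd[27065]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.16.4.9" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="other-placeholder.invalid" url="-" action="drop"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_atp_line(line):
    """Return the key="value" fields of one afcd log line as a dict, plus its timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def is_internal(ip):
    """RFC1918, loopback and link-local addresses count as internal; anything else is external."""
    return ipaddress.ip_address(ip).is_private


def classify(log_text):
    """Split ATP drops into 'expected' (internal srcip) and 'suspect' (external srcip).

    An ATP alert names the source that contacted a C2 host. An external srcip paired with
    an internal dstip is the inverted direction described in the thread and is worth a
    second look (a pattern problem, or inbound traffic that ATP should not be attributing).
    """
    expected, suspect = [], []
    for line in log_text.splitlines():
        if 'name="Packet dropped (ATP)"' not in line:
            continue
        rec = parse_atp_line(line)
        (expected if is_internal(rec["srcip"]) else suspect).append(rec)
    return expected, suspect


def summarize(records):
    """Count records per (threatname, dstip) so a DMZ host that keeps recurring stands out."""
    return Counter((r["threatname"], r["dstip"]) for r in records)


if __name__ == "__main__":
    ok, bad = classify(SAMPLE_LOG)
    print(f"{len(ok)} expected, {len(bad)} suspect: {dict(summarize(bad))}")
```

Run it over the decompressed aptp-*.log files instead of SAMPLE_LOG to see which threat names and DMZ targets the inverted entries cluster on.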

  • I checked three of those IPs and they were all from China. Maybe Intrusion Prevention is doing its job protecting your name server...

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I would never expect any attack from China^^

    Yes, it would be OK if it were IPS, but the firewall showed it as an ATP detection.

    btw: no further logs in the last 7 days - so something seems to have been fixed in the ATP patterns.

  • There it comes again, after one month of silence! I'm quite sure this is due to faulty patterns.

    A threat has been detected in your network
    The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

    Details about the alert:

    Threat name....: C2/Nymaim-A
    Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Nymaim-A.aspx
    Time...........: 2020-11-01 09:03:05
    Traffic blocked: yes

    Source IP address or host: 173.208.176.26
    --
    HA Status          : HA MASTER (node id: 1)
    System Uptime      : 25 days 3 hours 1 minute
    System Load        : 0.32
    System Version     : Sophos UTM 9.705-3

    another:

    A threat has been detected in your network
    The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

    Details about the alert:

    Threat name....: C2/Zbot-A
    Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Zbot-A.aspx
    Time...........: 2020-11-01 08:03:02
    Traffic blocked: yes

    Source IP address or host: 173.208.176.26
    --
    HA Status          : HA MASTER (node id: 1)
    System Uptime      : 25 days 2 hours 1 minute
    System Load        : 0.34
    System Version     : Sophos UTM 9.705-3