ATP reporting source as external address since u2d-aptp-9.36793

Since the installation of u2d-aptp-9.36793 on 2020:09:09, our ATP module has been showing almost daily attacks, but from external IPs only.

ATP should only show internal IPs. The destination IP in all cases was a DNS server of ours in the DMZ.

2020:09:09-07:31:43 firewall auisys[16268]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="9.36793" package="aptp" 

aptp-2020-09-09.log.gz:2020:09:09-07:59:52 firewall afcd[17201]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.96.124.168" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="1lppdbn13qu7fs1e40vx18vjqi7.biz" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-12:09:02 firewall afcd[27065]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="120.71.145.56" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="arilco.com" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-12:19:11 firewall afcd[27065]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="14.116.153.164" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="adventureify.com" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-13:05:31 firewall afcd[7506]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="42.101.44.81" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="biggggigig2017888.com" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-14:56:36 firewall afcd[7506]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="208.123.119.244" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="check-ip.online" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-19:50:27 firewall afcd[21089]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="128.14.236.245" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="form.myftp.org" url="-" action="drop"
aptp-2020-09-09.log.gz:2020:09:09-23:06:45 firewall afcd[13873]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="175.6.72.6" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="hostingnet.ru" url="-" action="drop"
aptp-2020-09-10.log.gz:2020:09:10-00:11:14 firewall afcd[13873]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="110.92.66.4" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="likrnine.net" url="-" action="drop"
aptp-2020-09-10.log.gz:2020:09:10-01:17:38 firewall afcd[21616]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="112.73.83.215" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="lacoste-discount.com" url="-" action="drop"
aptp-2020-09-10.log.gz:2020:09:10-02:46:06 firewall afcd[21616]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="110.92.66.4" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="olip.me" url="-" action="drop"
aptp-2020-09-11.log.gz:2020:09:11-02:36:15 firewall afcd[18898]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="43.243.129.37" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="ahahny.com" url="-" action="drop"
aptp-2020-09-11.log.gz:2020:09:11-18:05:04 firewall afcd[9860]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="128.1.37.48" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="ahahny.com" url="-" action="drop"
aptp-2020-09-11.log.gz:2020:09:11-20:12:56 firewall afcd[14997]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="140.249.23.235" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="alljsscript.com" url="-" action="drop"
aptp-2020-09-11.log.gz:2020:09:11-23:44:50 firewall afcd[30544]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="114.118.18.218" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="arilco.com" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:16:54 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.96.124.168" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="ahahny.com" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:16:56 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.96.124.168" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="ahahny.com" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:20:08 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="49.64.220.49" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="akinvest.net" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:20:11 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="49.64.220.49" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="akinvest.net" url="-" action="drop"
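The lines above are the UTM's key="value" log format, so the question "is the source internal or external?" can be answered mechanically rather than by eye. The following script is an added example and is not part of the post or of Sophos's own tooling: it parses afcd id="2022" (ATP drop) lines, classifies each drop by direction, and lists the inbound ones (external source, internal destination), which is exactly the pattern the post reports. The first three sample lines are copied from the post; the fourth is a constructed line with an RFC 1918 source talking outbound, the case ATP is normally expected to report. The "internal" ranges are an assumption (the RFC 1918 networks) and should be replaced by the site's own address plan, including the DMZ subnet.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Sample input: three lines copied from the post (with the grep file-name
# prefix kept) plus one constructed line with an internal source.
SAMPLE_LOG = """\
aptp-2020-09-09.log.gz:2020:09:09-07:59:52 firewall afcd[17201]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.96.124.168" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="1lppdbn13qu7fs1e40vx18vjqi7.biz" url="-" action="drop"
aptp-2020-09-11.log.gz:2020:09:11-02:36:15 firewall afcd[18898]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="43.243.129.37" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Virut-A" status="1" host="ahahny.com" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:20:08 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="49.64.220.49" dstip="10.1.2.3" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="akinvest.net" url="-" action="drop"
aptp-2020-09-12.log.gz:2020:09:12-23:25:00 firewall afcd[311]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.5.77" dstip="198.51.100.9" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="example.invalid" url="-" action="drop"
"""

# Assumption: "internal" means the RFC 1918 ranges. Replace with the site's
# real address plan (e.g. the DMZ subnet) before running on production logs.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Optional "file.log.gz:" prefix from grep, then timestamp, device, process[pid]:
HEADER_RE = re.compile(
    r'^(?:[^\s:]+\.log(?:\.gz)?:)?'
    r'(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: ')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_line(line):
    """Parse one UTM log line into a dict, or return None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "device": m.group(2),
           "process": m.group(3), "pid": int(m.group(4))}
    rec.update(FIELD_RE.findall(line[m.end():]))  # every key="value" pair
    return rec


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(rec):
    """Classify an ATP drop by which side of the perimeter each endpoint is on."""
    src_in, dst_in = is_internal(rec["srcip"]), is_internal(rec["dstip"])
    if src_in and not dst_in:
        return "outbound"   # internal host reaching out: what ATP is meant to flag
    if dst_in and not src_in:
        return "inbound"    # external source hitting an internal host: the post's case
    return "lateral" if src_in and dst_in else "external"


def analyse(text):
    """Count ATP drops per direction and collect inbound hits per destination."""
    counts = Counter()
    inbound = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("id") != "2022":   # only "Packet dropped (ATP)" events
            continue
        d = direction(rec)
        counts[d] += 1
        if d == "inbound":
            inbound[rec["dstip"]].append((rec["srcip"],
                                         PROTO_NAMES.get(rec["proto"], rec["proto"]),
                                         rec["threatname"], rec["host"]))
    return counts, dict(inbound)


if __name__ == "__main__":
    counts, inbound = analyse(SAMPLE_LOG)
    print("ATP drops by direction:", dict(counts))
    for dst, hits in inbound.items():
        print(f"inbound ATP drops to {dst} ({len(hits)}):")
        for src, proto, threat, host in hits:
            print(f"  {src:>16} {proto:<4} {threat:<14} {host}")
```

On the sample input this reports three inbound drops, all UDP to 10.1.2.3, and one outbound drop. Run against the real aptp-*.log.gz files (`zcat` piped in, or the grep output as in the post), a non-zero inbound count after the package update is the thing to raise with support, while the outbound list is the usual "which internal host is talking to C2" triage view.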


  • I checked three of those IPs and they were all from China.  Maybe Intrusion Prevention is doing its job protecting your name server...

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA