atp

Hallo everybody,

since about 1 Week we rececive following atp messages:

1 172.24.1.2 C2/Generic-A 94.130.165.87 1 AFCd
2 172.24.1.2 C2/Generic-A 94.130.165.87 1 AFCd
3 172.24.1.2 C2/Generic-A 94.130.165.87 1 AFCd

This seems to be wrong/bad DNS leading to:

2021:06:29-06:02:09 cerberus-1 named[9061]: rpz: client @0xa77bd38 172.24.1.2#57786 (static.87.165.130.94.clients.your-server.de): view default: rpz IP NXDOMAIN rewrite static.87.165.130.94.clients.your-server.de via 32.87.165.130.94.rpz-ip.rpz
2021:06:29-06:02:09 cerberus-1 afcd[19579]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.24.1.2" dstip="8.8.8.8" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="94.130.165.87" url="-" action="drop"
2021:06:29-06:02:12 cerberus-1 afcd[19579]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.24.1.2" dstip="8.8.4.4" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="94.130.165.87" url="-" action="drop"
2021:06:29-06:02:16 cerberus-1 afcd[19579]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="172.24.1.2" dstip="9.9.9.9" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="94.130.165.87" url="-" action="drop"

I`ve seen a relation between a crypto-miner and this ip or is the answer of the DNS Server the Problem that the ip asked is different form the one given back recursive?

Thanks for your efforts.

Greetings from the senseless UTM-User

Piddae