
Advanced Threat Protection

Hello,

In the last couple of days I have started receiving emails from my Sophos UTM (Firmware version 9.350-12):

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every email includes a different IP address, but it is not on my LAN. How can I find the problematic machine (IP) on my local network?

  • Me too. I received one ATP email message last night. The source IP address is 218.60.112.226. As we already know, it is in China.

    I looked at the firewall log and it is a protocol 17 packet (UDP) sent from source port 53 (DNS) on the Chinese server to a random destination port 50296 on the external interface of our UTM. Packet length is 117 bytes. 

    I would like to know more about this.

    My worst case fear (highly unlikely) is that one of our systems sent an outbound packet to port 53 on a different IP address in China, one that is not known as a botnet server, in order to open the inbound port on the UTM, and this packet is the response with botnet C&C. Noting that several people are seeing the same ATP email message, I consider it even more unlikely than before.

    I hope others can chime in regarding what these packets are trying to do. Testing for vulnerability to participate in amplification attacks, perhaps?

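Both posts come down to the same correlation task: the address in the alert is the remote one, so the internal machine (if there is one) has to be recovered from the firewall log by looking for outbound traffic to that address shortly before the inbound udp/53 packet. The reply's hypothesis (an internal host sent a DNS query first, and the blocked packet is the "answer") is the same lookup. The Python below is an added example, not code from the thread or from Sophos: it parses constructed log entries written in the key="value" style of the UTM packetfilter log (field names, hostnames, addresses, rule numbers and timestamps are assumed for the example, and 203.0.113.10 stands in for the UTM's external address), then reports any internal host that talked to the flagged IP within an assumed 10-minute window. The LAN ranges are a placeholder.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample entries in the key="value" style of the UTM packetfilter log.
# Hostnames, addresses, rule numbers and timestamps are made up for this example;
# 203.0.113.10 stands in for the UTM's external interface address.
SAMPLE_LOG = """\
2016:03:20-06:40:02 utm ulogd[4321]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" outitf="eth1" srcip="192.168.1.57" dstip="218.60.112.226" proto="17" length="64" srcport="50296" dstport="53"
2016:03:20-06:41:17 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="218.60.112.226" dstip="203.0.113.10" proto="17" length="117" srcport="53" dstport="50296"
2016:03:20-06:41:19 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="218.60.112.225" dstip="203.0.113.10" proto="17" length="117" srcport="53" dstport="41022"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FMT = "%Y:%m:%d-%H:%M:%S"

# Assumed internal ranges (RFC 1918); replace with the site's real LAN/DMZ networks.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VERDICT_SOLICITED = "solicited"                     # an internal host talked to the address first
VERDICT_UNSOLICITED_DNS = "unsolicited-from-udp53"  # only inbound packets seen, all from udp/53
VERDICT_UNSOLICITED = "unsolicited"                 # only inbound packets seen, other ports


def parse_line(line):
    """Split one log line into its key="value" fields; the leading timestamp becomes 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = datetime.strptime(line.split(" ", 1)[0], TS_FMT)
    return fields


def load_events(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_lan(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def find_internal_suspects(events, external_ip, alert_time, lookback=timedelta(minutes=10)):
    """Internal hosts that sent anything to external_ip in the window before the alert.

    Returns (internal_ip, timestamp, destination port) tuples, oldest first.
    The 10-minute lookback is an assumption; widen it for quiet links.
    """
    start = alert_time - lookback
    hits = [
        (e["srcip"], e["ts"], e.get("dstport"))
        for e in events
        if e.get("dstip") == external_ip
        and "srcip" in e and is_lan(e["srcip"])
        and start <= e["ts"] <= alert_time
    ]
    return sorted(hits, key=lambda h: h[1])


def classify_alert(events, external_ip, alert_time_str):
    """Correlate one ATP alert (flagged external IP + alert time) with the packetfilter log."""
    alert_time = datetime.strptime(alert_time_str, TS_FMT)
    inbound = [e for e in events if e.get("srcip") == external_ip and e["ts"] <= alert_time]
    suspects = find_internal_suspects(events, external_ip, alert_time)
    if suspects:
        verdict = VERDICT_SOLICITED
    elif inbound and all(e.get("srcport") == "53" for e in inbound):
        verdict = VERDICT_UNSOLICITED_DNS
    else:
        verdict = VERDICT_UNSOLICITED
    return {"inbound": len(inbound), "suspects": suspects, "verdict": verdict}


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for ip, when in (("218.60.112.226", "2016:03:20-06:41:17"),
                     ("218.60.112.225", "2016:03:20-06:41:19")):
        result = classify_alert(events, ip, when)
        print(ip, result["verdict"], "inbound=%d" % result["inbound"])
        for host, ts, port in result["suspects"]:
            print("  internal host %s sent to %s:%s at %s" % (host, ip, port, ts))
```

On the constructed data the first alert resolves to 192.168.1.57, which had sent a udp/53 packet to the flagged address seventy-five seconds earlier; that is the host to pull DNS and process history from. The second alert has no internal sender at all, only an inbound packet from udp/53 that the UTM dropped, which is the pattern the reply describes and is consistent with its scanning guess rather than with an infected machine. Run it against a real export by replacing SAMPLE_LOG with the packetfilter log for the period around each alert and fixing LAN_NETS.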
