Hi everyone, looks like I have a similar situation to a few people.
NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originating seems to be from AFCd? Any idea what this is?
Googling has given me no ideas. Any ideas anyone?
I am having the same issue. It seems to be attempting to reach the domain <random>.app.anmorencai.com
Some information I have found:
Parent server gave glue for app.anmorencai.com to be app.anmorencai.com.qingcdn.com but we resolve that hostname to 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103
Local NS list does not match Parent NS list
140.205.228.52 was reported by the parent, but not locally
140.205.228.51 was reported by the parent, but not locally
183.61.63.103 was reported locally, but not by the parent
Though I am unsure what the Origin AFCd is?
Is this a massive DNS cache poisoning attempt by the Chinese military?
Cheers - Bob
Reporting in that I've gotten the same traffic today (3/20/16)
2016:03:20-00:07:09 sophosedge afcd[14692]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="[my ip address]" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="pqyoebe38318.app.anmorencai.com" url="-" action="drop"
We have the same issue on all our public IP addresses:
2016:03:20-05:39:41 ghp-gw-01-1 afcd[13499]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="OUR-PUBLIC-IP-RANGE" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="XxcO2af85050.app.anmorencai.com" url="-" action="drop"
2016:03:20-05:55:16 ghp-gw-01-1 afcd[13499]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.226" dstip="OUR-PUBLIC-IP-RANGE" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="wfpA2ff85050.app.anmorencai.com" url="-" action="drop"
Does anyone have an idea what this is?
Yep, here too (Germany). Started Sunday morning, all Chinese IPs:
2016:03:20-03:46:53 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.101" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="YwTB6532e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-03:47:51 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.107" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="DnvS6b32e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-03:57:14 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="62.225.50.97" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="ILxQ6132e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.225" dstip="62.154.197.164" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="zQFna4c59a3e.app.anmorencai.com" url="-" action="drop"
2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="62.154.197.163" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="wQHMa3c59a3e.app.anmorencai.com" url="-" action="drop"
2016:03:20-04:17:28 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.227" dstip="62.154.197.162" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1"
Same here on 3/20/16, in Belgium
2016:03:20-04:41:11 fwutm61-2 afcd[27912]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="(OUR IP ADDRESS)" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="qFaY264ff651.app.anmorencai.com" url="-" action="drop"
Same here
Definitely Chinese IPs: attempting to get assistance from Support to diagnose
Hi all,
Same thing here on Sunday morning
2016:03:20-03:48:01 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="my public ip 2" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="aTic4b059350.app.anmorencai.com" url="-" action="drop"
2016:03:20-04:30:17 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.227" dstip="my public ip 1" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="MsVW95f9ed2e.app.anmorencai.com" url="-" action="drop"
2016:03:20-05:28:02 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.225" dstip="my public ip 1" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="rlSd95f9ed2e.app.anmorencai.com" url="-" action="drop"
2016:03:20-06:26:19 asg01-2 afcd[5870]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.224" dstip="my public ip 1" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="RETV95f9ed2e.app.anmorencai.com" url="-" action="drop"
I am curious what this is. Seems to go to all our public interfaces.
Regards
Jan
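An added example, not from any post in this thread: a small parser for the afcd "Packet dropped (ATP)" lines quoted above that aggregates drops per source IP and checks a hypothesis suggested by the posted lines themselves, namely that the trailing 8 hex characters of each random-looking label are the destination IP in reverse byte order (the wall-1 lines with visible dstip values are the sample input; the decoding rule is an assumption to verify against your own logs).

```python
import re
from collections import Counter

# Three afcd "Packet dropped (ATP)" lines in the format quoted in the thread
# (taken from the wall-1 post, where the dstip values are not redacted).
SAMPLE_LOG = """\
2016:03:20-03:46:53 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="62.225.50.101" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="YwTB6532e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-03:57:14 wall-1 afcd[31331]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.226" dstip="62.225.50.97" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="ILxQ6132e13e.app.anmorencai.com" url="-" action="drop"
2016:03:20-04:07:16 wall-1 afcd[19366]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="180.97.161.225" dstip="62.154.197.164" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="zQFna4c59a3e.app.anmorencai.com" url="-" action="drop"
"""

HEADER = re.compile(r'^(?P<ts>\S+) (?P<fw>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]: ')
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_afcd_line(line):
    """Split one UTM log line into header fields plus its key="value" pairs."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(FIELD.findall(line[m.end():]))
    return rec

def decode_label_ip(host):
    """Hypothesis (assumption, verify against your logs): the last 8 hex chars of
    the first DNS label are the target IPv4 address in reverse byte order."""
    label = host.split(".")[0]
    hexpart = label[-8:]
    if len(label) < 8 or not re.fullmatch(r"[0-9a-fA-F]{8}", hexpart):
        return None
    octets = bytes.fromhex(hexpart)[::-1]
    return ".".join(str(b) for b in octets)

def summarize(log_text):
    """Aggregate ATP drops: per-source counts, parent domain(s), protocol,
    and how many hostnames encode the dstip they were sent to."""
    recs = [r for r in map(parse_afcd_line, log_text.splitlines()) if r]
    atp = [r for r in recs if r.get("name") == "Packet dropped (ATP)"]
    return {
        "total": len(atp),
        "by_srcip": Counter(r["srcip"] for r in atp),
        "parent_domains": {r["host"].split(".", 1)[1] for r in atp},
        "udp_only": all(r.get("proto") == "17" for r in atp),
        "label_matches_dstip": sum(decode_label_ip(r["host"]) == r["dstip"] for r in atp),
    }
```

A label count that matches the total means the names are per-target rather than random, which is a useful detail to give Support alongside the source IP list.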