C2/Generic-A Originating from AFCd?

Hi everyone, looks like I have a similar situation to a few people.

NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originating seems to be from AFCd? Any idea what this is?

Googling has given me no ideas. Any ideas anyone?



This thread was automatically locked due to age.
  • I am having the same issue. It seems to be attempting to reach the domain <random>.app.anmorencai.com

    Some information I have found:

    Parent server gave glue for app.anmorencai.com to be app.anmorencai.com.qingcdn.com but we resolve that hostname to 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103

    Local NS list does not match Parent NS list
    140.205.228.52 was reported by the parent, but not locally
    140.205.228.51 was reported by the parent, but not locally
    183.61.63.103 was reported locally, but not by the parent


    Though I am unsure what the Origin AFCd is?
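The pattern reported in the post above (lookups for `<random>.app.anmorencai.com`) can be picked out of a DNS query log by counting how many distinct leftmost labels each parent name receives. This is an added example, not part of the original thread and not Sophos code; the log tuples, the random labels, the client addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of (client_ip, queried_name) pairs; not from a real log.
SAMPLE_QUERIES = [
    ("192.0.2.10", "kqzvtw.app.anmorencai.com"),
    ("192.0.2.11", "xm3pd9.app.anmorencai.com"),
    ("198.51.100.7", "b7rtqa.app.anmorencai.com"),
    ("198.51.100.8", "zzu41k.app.anmorencai.com"),
    ("203.0.113.5", "h2lfoe.app.anmorencai.com"),
    ("203.0.113.6", "qe8sjv.app.anmorencai.com"),
    ("192.0.2.10", "localhost"),
] + [("192.0.2.10", "www.example.org")] * 3 + [("192.0.2.11", "mail.example.org")] * 2


def parent_zone(qname):
    """Drop the leftmost label so random prefixes collapse onto one parent."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[1:]) if len(parts) > 1 else ""


def find_random_subdomain_floods(queries, min_unique=5, min_ratio=0.9):
    """Return stats for parents whose queried child names are almost all unique.

    A normal zone sees the same few names (www, mail) asked for repeatedly, so
    unique/total stays low. A random-prefix flood makes nearly every query new.
    """
    seen = defaultdict(lambda: {"total": 0, "labels": set(), "clients": set()})
    for client, qname in queries:
        parent = parent_zone(qname)
        if not parent:  # single-label names have no parent to group under
            continue
        stats = seen[parent]
        stats["total"] += 1
        stats["labels"].add(qname.lower().split(".")[0])
        stats["clients"].add(client)

    flagged = {}
    for parent, stats in seen.items():
        unique = len(stats["labels"])
        if unique >= min_unique and unique / stats["total"] >= min_ratio:
            flagged[parent] = {
                "queries": stats["total"],
                "unique_labels": unique,
                "clients": len(stats["clients"]),
            }
    return flagged


if __name__ == "__main__":
    print(find_random_subdomain_floods(SAMPLE_QUERIES))
```

The thresholds need tuning on real traffic, since CDNs and some mail or telemetry services also generate many one-off labels under a single parent.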

  • Is this a massive DNS cache poisoning attempt by the Chinese military?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Well I would guess that it is more likely to be the Chinese mafia/criminal organisations. Though by seeing the amount of different IPs trying to hit my DNS it seems like a large botnet farm.

    I did see the reply BSRIA got from Sophos Support, and the advice about blocking the source IPs. Well, with 80,000 unique hits so far I would have just blocked the whole country, but we have clients in China so that is not really an option. I don't have any interns at the moment either that I could put on to this thankless task of blocking each IP address.

    Open to any suggestions on this one, though thankfully I did turn off email notification of these events after the first 2000 odd emails...