
C2/Generic-A AFCd

I'm having multiple UTMs reporting a C2/Generic-A from IP address: 45.33.9.234. I have scanned every server/PC that is reporting on and there is never anything there. I believe this is a false positive and I cannot get Sophos to help me out on this one. I've been hung up on twice and all the support reps can tell me is that the PCs are infected and that there's nothing they can do before hanging up.



  • I'm also receiving this on two completely separate UTMs at two completely separate companies.

    Here's an example from the ATP log. The internal source IP below is the DNS server at this client, so I'm thinking it's technically not coming from there. Exact same logs from the other UTM - the source IP is the internal DNS.

    2017:08:18-13:44:38 utm afcd[13941]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.1.200" dstip="203.50.2.71" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="45.33.9.234" url="-" action="drop"

    One client runs Trend Micro AV and the other ESET. Neither is reporting anything at this stage, and neither client has reported any locked files or other ransomware activity, and it's now been several days.

    https://ransomwaretracker.abuse.ch/ip/45.33.9.234/
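A small triage helper for afcd ATP lines like the one quoted above, added here as an example; it is not code from the thread or from Sophos. The first sample line is the entry from the post, the second line and the resolver list are constructed, and the reading that a UDP drop from the internal resolver with the flagged address only in `host` reflects a forwarded DNS lookup is an interpretation of the poster's observation, not documented Sophos behaviour.

```python
import re

# Constructed sample: the first line is the ATP entry quoted in the thread; the
# second is a made-up variant showing a client reaching the flagged host directly.
SAMPLE_LOG = """\
2017:08:18-13:44:38 utm afcd[13941]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.1.200" dstip="203.50.2.71" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="45.33.9.234" url="-" action="drop"
2017:08:18-13:45:02 utm afcd[13941]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.1.57" dstip="45.33.9.234" fwrule="63001" proto="6" threatname="C2/Generic-A" status="1" host="45.33.9.234" url="-" action="drop"
"""

# Assumption: the internal resolvers at this site (the poster says srcip was the DNS server).
INTERNAL_RESOLVERS = {"192.168.1.200"}
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_afcd_line(line):
    """Split one afcd syslog line into its key="value" fields plus the timestamp."""
    head, _, body = line.partition(": ")
    fields = dict(KV_RE.findall(body))
    fields["timestamp"] = head.split(" ", 1)[0]
    return fields

def triage(event, resolvers=INTERNAL_RESOLVERS):
    """Decide which machine actually needs looking at for one dropped ATP event."""
    # dstip == host: srcip itself tried to reach the flagged address.
    # UDP from an internal resolver with the flagged address only in 'host': the
    # resolver was most likely forwarding a DNS query for some other client.
    srcip, dstip, host = event.get("srcip"), event.get("dstip"), event.get("host")
    if dstip == host:
        return {"origin": srcip, "verdict": "direct",
                "next_step": "check process-level network logging on this endpoint"}
    if event.get("proto") == "17" and srcip in resolvers:
        return {"origin": None, "verdict": "via-resolver",
                "next_step": "enable query logging on the resolver to find the client"}
    return {"origin": srcip, "verdict": "indirect",
            "next_step": "correlate with proxy and DNS logs for this source"}

def triage_log(text, resolvers=INTERNAL_RESOLVERS):
    """Parse every afcd line that carries a threatname and triage it."""
    results = []
    for line in text.splitlines():
        if "afcd[" not in line or "threatname=" not in line:
            continue
        ev = parse_afcd_line(line)
        results.append((ev["timestamp"], ev["threatname"], triage(ev, resolvers)))
    return results
```

Run against a UTM export, a line where the internal DNS server is `srcip` and the flagged address appears only in `host` comes back as `via-resolver`, which is the situation described in the post above.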

  • This is exactly what I'm seeing. Do you get repeated alerts or is it just one day and then it goes away?

  • Would you consider running Sysmon on one or two of these in order to confirm the process making the connection to the IP in question?


  • Jak, 

    I can certainly try. I'm not sure if the alerts will come up again but I will try this and get back to this if the alerts reoccur. 

  • Hi everyone. 

    I'm having the same problems with this IP.

    I ran TcpLogView from NirSoft instead of the MS tool, but it doesn't show any connection to this IP address. Should it show up even if it's blocked?

    I will try with Sysmon now. (Tried Hitman Pro and Symantec for removal. Nothing found.)


    I'm wondering if any "normal" software had used this IP for development and is now trying to reach it.

    The user who has this problem has:

    Cisco Anywhere Connect, Citrix Receiver, WebEx and Bonjour Service installed; everything else looks standard to me.


    Best regards

    Stephan
