
C2/Generic-A AFCd

I'm having multiple UTMs reporting a C2/Generic-A from IP address: 45.33.9.234. I have scanned every server/PC that it is reporting on and there is never anything there. I believe this is a false positive and I cannot get Sophos to help me out on this one. I've been hung up on twice, and all the support reps can tell me is that the PCs are infected and that there's nothing they can do before hanging up.



  • Hi,

    I have the same problems with this IP on my UTM.

    Does anybody know where this problem comes from?

    I scanned the computers concerned and found nothing...

    Thanks.

  • I found my problem. It was a hacked DNS entry or a misconfiguration at a customer of ours.

    The Cisco VPN Client connects to this DNS entry and gets redirected to the malicious IP.

    As this is a customer installation, I will forward the notice to their IT.

    Monitor the DNS servers to get the failed DNS entry. I used Sysmon and got nothing because the DNS request got blocked in the first place.
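The correlation the post above recommends (which DNS name is answering with the flagged IP, and which process asked for it) can be scripted over Sysmon Event ID 22 records. This is an added example, not code from the thread or from Sophos; it assumes Sysmon's QueryResults formatting (IPv4 answers as IPv4-mapped `::ffff:` addresses, CNAME hops as `type: 5 name`) and uses constructed sample events with made-up hostnames.

```python
import re
from collections import defaultdict

# Indicator taken from the thread: the IP the UTM reported as C2/Generic-A.
FLAGGED_IPS = {"45.33.9.234"}

# Constructed Sysmon Event ID 22 samples (hostnames and images are made up).
# QueryResults is a ';'-separated list: IPv4 answers appear as "::ffff:a.b.c.d",
# CNAME hops as "type: 5 <name>".
SAMPLE_EVENTS = [
    {"QueryName": "vpn.customer.example",
     "Image": "C:\\Program Files\\Cisco\\vpnui.exe",
     "QueryResults": "type: 5 gw.customer.example;::ffff:45.33.9.234;"},
    {"QueryName": "update.vendor.example",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryResults": "::ffff:203.0.113.10;::ffff:203.0.113.11;"},
    {"QueryName": "mail.customer.example",
     "Image": "C:\\Program Files\\Outlook.exe",
     "QueryResults": "::ffff:198.51.100.7;"},
]

_MAPPED_V4 = re.compile(r"^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_query_results(results):
    """Split a QueryResults string into (cname_chain, ipv4_answers)."""
    cnames, ips = [], []
    for item in filter(None, (p.strip() for p in results.split(";"))):
        if item.startswith("type: 5 "):
            cnames.append(item[len("type: 5 "):])
            continue
        m = _MAPPED_V4.match(item)
        if m:
            ips.append(m.group(1))
    return cnames, ips


def find_names_resolving_to(events, flagged=FLAGGED_IPS):
    """Map each queried name (with its CNAME chain) whose answer contained a
    flagged IP to the sorted list of process images that issued the query."""
    hits = defaultdict(set)
    for ev in events:
        cnames, ips = parse_query_results(ev["QueryResults"])
        if flagged & set(ips):
            key = " -> ".join([ev["QueryName"], *cnames])
            hits[key].add(ev["Image"])
    return {name: sorted(images) for name, images in hits.items()}


if __name__ == "__main__":
    for name, images in find_names_resolving_to(SAMPLE_EVENTS).items():
        print(f"{name} answered with a flagged IP; queried by: {', '.join(images)}")
```

The resulting name is the DNS entry to check on the authoritative server, and the image tells you which client (here the VPN client) was being redirected.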
