
C2/Generic-A AFCd

I'm having multiple UTMs reporting a C2/Generic-A from IP address 45.33.9.234. I have scanned every server/PC that is being reported on, and there is never anything there. I believe this is a false positive, and I cannot get Sophos to help me out on this one. I've been hung up on twice, and all the support reps can tell me is that the PCs are infected and that there's nothing they can do before hanging up.



  • Hi, I see this IP on several firewalls of our customers. This IP is confirmed as a malicious IP assigned to a C&C server. The reason that you don't see the IP in the log file of your client is very simple: your client makes a DNS lookup which is assigned to this IP. The UTM or XG FW will then block this DNS request, and your backend client or server never gets an IP for its FQDN DNS lookup, which triggered the ATP event. In /var/log/aptp.log you can see the FQDN host lookup assigned to the malicious IP. You can find more information on the IP and the assigned hostnames on VirusTotal: https://www.virustotal.com/#/ip-address/45.33.9.234 I think there is some big activity of an unknown malware assigned to this C&C server, like in the past with NotPetya or WannaCry. Cheers, Andy

    Cheers Andreas


    UTM SCE/SCA | Endpoint SCE
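The reply above explains why an endpoint scan finds nothing: the ATP event is raised on the DNS answer, so the useful evidence is which FQDN resolved to the flagged IP and which internal hosts asked for it. The following is an added example (not code from the thread or from Sophos) that correlates DNS answers with the alerted IP over constructed sample lines; the `client=... query=... answer=...` line format is an assumption for illustration, not the real layout of Sophos UTM's aptp.log.

```python
"""Find the FQDN(s) behind a C2 IP alert and the internal hosts that looked them up.
Added example; the log line format below is constructed, not Sophos UTM's actual aptp.log."""
import re
from collections import defaultdict

# Constructed sample resolver log (hostnames use the reserved .test TLD,
# client/answer addresses other than the flagged IP are documentation ranges).
SAMPLE_LOG = """\
2018-05-14T09:12:01 client=10.0.1.25 query=update.example-cdn.test type=A answer=203.0.113.5
2018-05-14T09:12:07 client=10.0.1.25 query=sync.badhost.test type=A answer=45.33.9.234
2018-05-14T09:13:44 client=10.0.1.40 query=mail.example.test type=A answer=198.51.100.7
garbage line that should be skipped by the parser
2018-05-14T09:15:02 client=10.0.2.11 query=cdn.badhost.test type=A answer=45.33.9.234
2018-05-14T09:15:30 client=10.0.1.25 query=sync.badhost.test type=A answer=45.33.9.234
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<fqdn>\S+)\s+"
    r"type=(?P<qtype>\S+)\s+answer=(?P<answer>\S+)$"
)


def parse_dns_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def correlate_flagged_ip(text, flagged_ip):
    """Return {fqdn: {client: lookup_count}} for every answer equal to flagged_ip.

    The FQDN is what to hunt for on the endpoint (scheduled task, browser
    extension, updater config); the client list is the scope of the incident.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse_dns_log(text):
        if rec["answer"] == flagged_ip:
            hits[rec["fqdn"]][rec["client"]] += 1
    return {fqdn: dict(clients) for fqdn, clients in hits.items()}


if __name__ == "__main__":
    for fqdn, clients in correlate_flagged_ip(SAMPLE_LOG, "45.33.9.234").items():
        print(f"{fqdn} -> {clients}")
```

Point the script at your own exported resolver or ATP log once you have adapted `LINE_RE` to its real format; the flagged IP alone tells you nothing about the process on the endpoint, but the FQDN usually does.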
