
C2/Generic-A AFCd

I'm having multiple UTMs reporting a C2/Generic-A from IP address: 45.33.9.234. I have scanned every server/PC that is reporting on and there is never anything there. I believe this is a false positive and I cannot get Sophos to help me out on this one. I've been hung up on twice and all the support reps can tell me is that the PCs are infected and that there's nothing they can do before hanging up.

  • How many alerts do you normally get? On the UTMs where I'm seeing this it will be maybe two alerts generated in the span of a minute and then I won't see it again for a week.

  • I always get two at a time. One from the client, and one from the internal DNS Server.

  • Hi, I see this IP on several firewalls of our customers. This IP is confirmed as a malicious IP assigned to a C&C server. The reason that you don't see the IP in the log file of your client is very simple: your client makes a DNS lookup which is assigned to this IP. The UTM or XG firewall will then block this DNS request, and your backend client or server never gets an IP for its FQDN DNS lookup, which triggered the ATP event. In /var/log/aptp.log you can see the FQDN host lookup assigned to the malicious IP. You can find more information on the IP and the assigned hostnames on VirusTotal: https://www.virustotal.com/#/ip-address/45.33.9.234 I think there is some big activity of an unknown malware assigned to this C&C server, like in the past with NotPetya or WannaCry. Cheers Andy

    Cheers Andreas


    UTM SCE/SCA | Endpoint SCE

  • I have seen a research report about a large botnet that seemed to do nothing, yet. What they may do in the future is unknown. This is apparently the botnet, or a similar one. You still need to pursue sanitation of the affected machines. Kudos to UTM for blocking the traffic.

  • Hi, Bethany, and welcome to the UTM Community!

    It's interesting that this is on port 80. Are you running Web Filtering in Transparent mode? If so, then try the following experiment:

    1. Create a Web Filtering Profile in Standard mode for an IP being reported.
    2. Change the Proxy settings on that device to point at the UTM on port 8080.
    3. At the next block of that IP, check the Web Filtering log at that time to see if there's anything that corresponds.

    What did you see?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Hi all,

    It has been a couple of weeks since I have seen any alerts for this IP. Can others that were reporting this IP confirm this on their end?

  • The same here. The alerts ended in the middle of August. There is no sign of them till now.
    The reported IPs were clean from viruses (scanned with Avira, Kaspersky, MSE, Malwarebytes).

  • Nevertheless, I would deeply inspect this client:

    It may not be on any list now, but it was a URL where you could download a virus ;)