
Intrusion protection alert for DNS Servers, Win.Ransomware.BadRabbit

Hello folks
I receive the following error from several of our sites and IPSEC partners:
2017:11:13-11:04:04 sg330a-2 snort[32130]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop"
reason="MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt" group="500" srcip="" dstip=""
proto="6" srcport="53006" dstport="445" sid="44649" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
The dstip is always an internal Windows 2016 DNS Server and the dstport is always 445.
Why is this going to the DNS Servers?
We put an infpub.dat and a cscc.dat file in the Windows Root as explained here: None of the users has admin rights. I doubt that so many computers are infected.
