
Received message: Botnet/command-and-control traffic detected

Advanced Threat Protection: The event's user/host describes an IP address that is not on my home network and not my public IP address: 218.60.112.226. The threat is C2/Generic-A and the Destination is DXUhb67bd048.app.anmorencai.com. The origin is AFCd. What is AFCd? And how could I have a public IP address inside my network? My network is 192.168.x.x/24. My public IP address is 72.208.x.x. So I'm pretty confused as to what the Sophos UTM is reporting to me.



  • Check Lferra's post.

    218.60.112.226 is in China.

    Normally you will see a PC on your network reaching out to an evil IP or domain. I looked up in my threat intel feed DXUhb67bd048.app.anmorencai.com and this is what I found (not much):

    No IP for the domain - probably taken down.

    Whois info:

    Domain Name: ANMORENCAI.COM
    Registry Domain ID: 1964562713_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.publicdomainregistry.com
    Registrar URL: www.publicdomainregistry.com
    Updated Date: 2015-11-29T02:19:04Z
    Creation Date: 2015-09-29T02:59:17Z
    Registrar Registration Expiration Date: 2016-09-29T02:59:17Z
    Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    Registrar IANA ID: 303
    Domain Status: clientTransferProhibited icann.org/epp
    Registry Registrant ID: 
    Registrant Name: Zhang Hong
    Registrant Organization: Zhang Hong
    Registrant Street: Nanjing Lu 28 Hao   
    Registrant City: Shanghai
    Registrant State/Province: 
    Registrant Postal Code: 120000
    Registrant Country: CN
    Registrant Phone: +86.18950465456
    Registrant Phone Ext: 
    Registrant Fax: 
    Registrant Fax Ext: 
    Registrant Email: xuanzisi@163.com
    Registry Admin ID: 
    Admin Name: Zhang Hong
    Admin Organization: Zhang Hong
    Admin Street: Nanjing Lu 28 Hao  
    Admin City: Shanghai
    Admin State/Province: 
    Admin Postal Code: 120000
    Admin Country: CN
    Admin Phone: +86.18950465456
    Admin Phone Ext: 
    Admin Fax: 
    Admin Fax Ext: 
    Admin Email: xuanzisi@163.com
    Registry Tech ID: 
    Tech Name: Zhang Hong
    Tech Organization: Zhang Hong
    Tech Street: Nanjing Lu 28 Hao  
    Tech City: Shanghai
    Tech State/Province: 
    Tech Postal Code: 120000
    Tech Country: CN
    Tech Phone: +86.18950465456
    Tech Phone Ext: 
    Tech Fax: 
    Tech Fax Ext: 
    Tech Email: xuanzisi@163.com
    Name Server: ns1.alidns.com
    Name Server: ns2.alidns.com
    DNSSEC:Unsigned
    Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
    Registrar Abuse Contact Phone: +1-2013775952
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
    >>> Last update of WHOIS database: 2016-06-01T01:35:07Z <<<
    For more information on Whois status codes, please visit https://icann.org/epp
    Registration Service Provided By: 
    The data in this whois database is provided to you for information purposes 
    only, that is, to assist you in obtaining information about or related to a 
    domain name registration record. We make this information available "as is",
    and do not guarantee its accuracy. By submitting a whois query, you agree 
    that you will use this data only for lawful purposes and that, under no 
    circumstances will you use this data to: 
    (1) enable high volume, automated, electronic processes that stress or load 
    this whois database system providing you this information; or 
    (2) allow, enable, or otherwise support the transmission of mass unsolicited, 
    commercial advertising or solicitations via direct mail, electronic mail, or 
    by telephone. 
    The compilation, repackaging, dissemination or other use of this data is 
    expressly prohibited without prior written consent from us. The Registrar of 
    record is PDR Ltd. d/b/a PublicDomainRegistry.com. 
    We reserve the right to modify these terms at any time. 
    By submitting this query, you agree to abide by these terms.

    Links to that site:
    The registrant's email xuanzisi@163.com is associated with domains hosting malware (purple dots, with hash).
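The two questions in this thread, where the reported host sits relative to the admin's own 192.168.x.x/24 LAN and 72.208.x.x public address, and what can be pulled out of the registrar WHOIS record as pivot points, can be worked through offline with a small triage script. The following is an added example, not code from the thread, from Sophos, or from any threat-intel feed. The alert fields and the WHOIS lines are copied from the posts above; everything else is this example's own assumption: the concrete LAN and public-IP values (the OP only gives the first octets), the `NEW_DOMAIN_DAYS` threshold, the use of the WHOIS snapshot time as the "as of" date, the naive last-two-labels apex-domain guess (no public suffix list), and the `looks_generated` heuristic for the random-looking host label.

```python
"""Offline triage of a UTM/ATP "C2/Generic-A" alert: classify the reported
addresses against the admin's own networks and extract pivot fields from the
registrar WHOIS record.  Added example, not code from the thread or Sophos.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Alert fields as posted in the thread.
ALERT = {
    "threat": "C2/Generic-A",
    "event_host": "218.60.112.226",
    "destination": "DXUhb67bd048.app.anmorencai.com",
    "origin": "AFCd",
}
# The OP gives only 192.168.x.x/24 and 72.208.x.x; the exact values are assumed here.
LAN = ipaddress.ip_network("192.168.1.0/24")
OWN_PUBLIC = ipaddress.ip_address("72.208.0.1")
# Assumed policy: flag domains registered less than a year before the lookup.
NEW_DOMAIN_DAYS = 365
# Timestamp of the WHOIS snapshot quoted in the reply, used as the "as of" time.
LOOKUP_TIME = datetime(2016, 6, 1, 1, 35, 7, tzinfo=timezone.utc)

# Structured part of the WHOIS record quoted in the reply (condensed).
WHOIS_TEXT = """\
Domain Name: ANMORENCAI.COM
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Creation Date: 2015-09-29T02:59:17Z
Updated Date: 2015-11-29T02:19:04Z
Registrar Registration Expiration Date: 2016-09-29T02:59:17Z
Registry Registrant ID:
Registrant Name: Zhang Hong
Registrant Country: CN
Registrant Email: xuanzisi@163.com
Admin Email: xuanzisi@163.com
Tech Email: xuanzisi@163.com
Name Server: ns1.alidns.com
Name Server: ns2.alidns.com
DNSSEC:Unsigned
>>> Last update of WHOIS database: 2016-06-01T01:35:07Z <<<
"""

_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def classify_ip(ip_str, lan=LAN, own_public=OWN_PUBLIC):
    """Say where an address in the alert sits relative to the admin's own networks."""
    ip = ipaddress.ip_address(ip_str)
    if ip in lan:
        return "lan-host"
    if ip == own_public:
        return "own-public-ip"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "other-private"  # RFC 1918 etc., but not the admin's LAN
    return "external"


def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}; empty values and legal text are dropped."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1).strip(), []).append(m.group(2))
    return fields


def apex_domain(fqdn):
    """Naive registrable-domain guess: the last two labels (assumption, no public suffix list)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def looks_generated(label):
    """Heuristic (assumption): a long label mixing letters and digits, as DGA-style hosts often do."""
    return len(label) >= 10 and any(c.isdigit() for c in label) and any(c.isalpha() for c in label)


def domain_age_days(fields, at):
    """Whole days between the WHOIS creation date and the lookup time."""
    created = datetime.strptime(fields["Creation Date"][0], "%Y-%m-%dT%H:%M:%SZ")
    return (at.date() - created.replace(tzinfo=timezone.utc).date()).days


def triage_alert(alert, whois_text, at=LOOKUP_TIME, lan=LAN, own_public=OWN_PUBLIC):
    """Combine the address classification and WHOIS pivots into one triage record."""
    fields = parse_whois(whois_text)
    host_class = classify_ip(alert["event_host"], lan, own_public)
    apex = apex_domain(alert["destination"])
    age = domain_age_days(fields, at)
    first_label = alert["destination"].split(".")[0]
    findings = []
    if host_class == "external":
        findings.append(f"event host {alert['event_host']} is neither a LAN host nor the site's public IP")
    if apex != fields["Domain Name"][0].lower():
        findings.append(f"WHOIS record is for {fields['Domain Name'][0]}, not {apex}")
    if age < NEW_DOMAIN_DAYS:
        findings.append(f"domain registered {age} days before lookup")
    if looks_generated(first_label):
        findings.append(f"host label {first_label!r} looks machine-generated")
    emails = {fields.get(k, [None])[0] for k in ("Registrant Email", "Admin Email", "Tech Email")}
    return {
        "host_class": host_class,
        "apex_domain": apex,
        "domain_age_days": age,
        "pivots": {
            "registrant_email": fields["Registrant Email"][0],
            "contact_emails": sorted(e for e in emails if e),
            "name_servers": fields.get("Name Server", []),
            "registrar": fields["Registrar"][0],
        },
        "findings": findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_alert(ALERT, WHOIS_TEXT), indent=2))
```

Run as a script it prints the triage record for the alert in this thread: the event host classifies as `external` (so it is not an address inside the 192.168 LAN at all), the apex `anmorencai.com` matches the WHOIS record, the domain was registered 246 days before the WHOIS snapshot, and the registrant email and Alibaba name servers come out as the pivot values to search for across other domains. The `looks_generated` and apex-domain heuristics are deliberately simple; swap in a public suffix list and a proper DGA classifier for production use.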



