Thread Info
  • State Not Answered
  • Replies 6 replies
  • Subscribers 5 subscribers
  • Views 17564 views
  • Users 0 members are here
Options
Suggested

ATP activated from outside?

twister5800

During the night,ALL my 9.4 upgraded UTM's, showed theese (from china):

Advanced Threat Protection

A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2016-03-20 05:37:01
Traffic blocked: yes

Source IP address or host: 180.97.161.225
        
-- 
System Uptime      : 25 days 19 hours 13 minutes
System Load        : 2.07
System Version     : Sophos UTM 9.400-9

and this:

Advanced Threat Protection

A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2016-03-20 04:01:43
Traffic blocked: yes

Source IP address or host: 218.60.112.227
        
-- 
System Uptime      : 25 days 17 hours 37 minutes
System Load        : 2.10
System Version     : Sophos UTM 9.400-9

But ATP is normally working from inside to outside, how could this be happening?

Parents Reply Children
  • 0 in reply to matt_ss

    Same thing here, on 20/03/2016 many of our UTMs reported "C2/Generic-A" from 180.97.161.* and 218.60.112.* IP addresses.

  • 0 in reply to rsc

    rsc said:

    Same thing here, on 20/03/2016 many of our UTMs reported "C2/Generic-A" from 180.97.161.* and 218.60.112.* IP addresses.

    Hmm... same here 20/03/2016 from these IPs

    218.60.112.224

    218.60.112.225

    218.60.112.226

    218.60.112.227

    180.97.161.227

    The Traffic flow on the firewall log:

    2016:03:20-05:54:32 XXX ulogd[XXXX]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="7c:69:f6:81:d5:80" dstmac="XX:XX:XX:XX:XX:XX" srcip="218.60.112.227" dstip="XX.XX.XX.XX" proto="17" length="127" tos="0x00" prec="0x00" ttl="221" srcport="53" dstport="14486" 

    As from the ATP Message it says from "inside" my network...

    Somewhat scarry now... Same IP's, same time!

Unfiltered HTML