During the night, ALL my 9.4-upgraded UTMs showed these (from China):
Advanced Threat Protection
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2016-03-20 05:37:01
Traffic blocked: yes
Source IP address or host: 180.97.161.225
--
System Uptime : 25 days 19 hours 13 minutes
System Load : 2.07
System Version : Sophos UTM 9.400-9
and this:
Advanced Threat Protection
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2016-03-20 04:01:43
Traffic blocked: yes
Source IP address or host: 218.60.112.227
--
System Uptime : 25 days 17 hours 37 minutes
System Load : 2.10
System Version : Sophos UTM 9.400-9
But ATP is normally working from inside to outside, how could this be happening?
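To sort alerts like the ones quoted above, it helps to check whether the "Source IP address or host" the mail reports actually sits in one of your own networks, and to bucket the external ones by /24 so a cluster from the same ranges stands out. The following is an added example written for this thread, not Sophos code and not part of the original post; it assumes the alert mail format shown above and that the local networks are the RFC 1918 ranges (adjust to your own), and the sample alerts are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in the field layout of the UTM ATP mail quoted in the thread.
SAMPLE_ALERTS = [
    "Threat name....: C2/Generic-A\n"
    "Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx\n"
    "Time...........: 2016-03-20 05:37:01\n"
    "Traffic blocked: yes\n"
    "Source IP address or host: 180.97.161.225",
    "Threat name....: C2/Generic-A\n"
    "Time...........: 2016-03-20 04:01:43\n"
    "Traffic blocked: yes\n"
    "Source IP address or host: 218.60.112.227",
    # A constructed alert for an internal host: this is the case that needs host investigation.
    "Threat name....: C2/Generic-A\n"
    "Time...........: 2016-03-21 09:12:00\n"
    "Traffic blocked: yes\n"
    "Source IP address or host: 192.168.10.42",
]

# Label, optional dot padding, colon, value. Value may itself contain colons (URLs).
FIELD_RE = re.compile(r"^(?P<label>[A-Za-z /]+?)\.*\s*:\s*(?P<value>.*)$", re.M)


def parse_alert(text):
    """Return the alert's labelled fields as a dict, e.g. {'Threat name': 'C2/Generic-A', ...}."""
    return {m.group("label").strip(): m.group("value").strip() for m in FIELD_RE.finditer(text)}


def triage(alert_texts, local_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Split alerts into internal sources (hosts to investigate) and external sources.

    External sources are additionally counted per /24 so that many alerts naming the
    same two ranges, as reported in the thread, show up as a cluster.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    internal, external, by_range = [], [], Counter()
    for text in alert_texts:
        src = parse_alert(text).get("Source IP address or host", "")
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # a hostname rather than an address; leave it for manual review
        if any(ip in n for n in nets):
            internal.append(src)
        else:
            external.append(src)
            by_range[str(ipaddress.ip_network(f"{src}/24", strict=False))] += 1
    return internal, external, by_range
```

Running `triage(SAMPLE_ALERTS)` on the constructed sample puts the two addresses from the thread in the external list, each under its own /24, and only 192.168.10.42 in the list of hosts to look at.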
Got the same on a bunch of 9.355-1 and 9.351-1.
My name is also Martin. Coincidence? I think not...
Cheers
I remember seeing this when ATP was first introduced in UTM, but didn't get any response on it then :-)
Unknown said: My name is also Martin. Coincidence? I think not...
He he he, in IT nothing is a coincidence :-D
Maybe China activated the "IP:*.*.*.*" parameter in the exploit program yesterday, by mistake OR coincidence :)
-----
Best regards
Martin
Sophos XGS 2100 @ Home | Sophos v19 Architect
One of my UTMs reported the same yesterday and another one about a month ago.
Ian,
home UTM 9.x running in ESXi 6 e3-1275v2
AP55c and AP10 (courtesy Astaro)
Three other UTMs, SUM and SFM in hibernation
XG 15.x MR3 in hibernation
Yup, saw the same thing last night from not all but most of our SG105, SG115, SG125 and SG135s. All from the same two host IP addresses as listed above.
Same thing here, on 20/03/2016 many of our UTMs reported "C2/Generic-A" from 180.97.161.* and 218.60.112.* IP addresses.
rsc said: Same thing here, on 20/03/2016 many of our UTMs reported "C2/Generic-A" from 180.97.161.* and 218.60.112.* IP addresses.
Hmm... same here 20/03/2016 from these IPs
218.60.112.224
218.60.112.225
218.60.112.226
218.60.112.227
180.97.161.227
The Traffic flow on the firewall log:
As from the ATP Message it says from "inside" my network...
Somewhat scary now... Same IPs, same time!