We got a disturbing Suricata alert yesterday morning:
(#2404312) ET CNC Feodo Tracker Reported CnC Server group 13
Just a quick note about our environment - we have about a dozen Windows 10 Pro workstations and 1 Windows Server 2012 R2 server, which is our domain controller, SQL Database server and internal web server. The alert happened on our server IP:
Source: my.server.ip:80
Destination: 45.61.187.123:49786
I looked up the external/Destination IP on VirusTotal, and 15 security vendors flagged that IP as malicious. Then I did a "ping -a", and the host/url that came back for that IP was: smtp20.shbgura.xyz. That URL seems pretty fishy to me. Just for the heck of it I plugged that url into VirusTotal, and no security vendors flagged that as malicious. So my 1st question is what the heck? Why am I getting 2 different results for the same destination?
Then I looked up the IP and domain on Cisco's Talos Intelligence. "Sender IP Reputation" is "Neutral" and "Web Reputation" is "Untrusted".
I tried a few other IP reputation type sites and they reported as being benign if I remember right.
No new software has been installed on our server in the last week or 2 at least. I wanted to figure out what program/process reached out to that IP. But to my knowledge Windows Server does not keep a record of all network connections and their associated processes. What I did in hopes that the connection would happen again is download a program called TCPLogView and ran it. Thankfully it happened again. The bad news is that the process that made the connection was "System". So I have no idea what to do next.
Now, I'm not new to IT, but I'm very new to the whole security world and Suricata so please keep that in mind. Maybe there's an obvious thing I should do or check, but I'm not thinking of it at the moment.
Just for a quick summary:
We got the following alert from Suricata twice yesterday:
(#2404312) ET CNC Feodo Tracker Reported CnC Server group 13
The source/destination IP:
Source: my.server.ip:80
Destination: 45.61.187.123:49786
The source IP is the IP address of our single, Windows Server 2012 R2 box which serves as an internal web server, SQL server, domain controller, file server, and QuickBooks server.
Yesterday was the first time I recall seeing that alert. We have about a dozen Windows 10 Pro workstations connected to the network. And about a dozen VoIP phones. A couple network printers. But nothing new on the network that I know of. I don't know if I should be worried or not. I don't have a background in security.
As of right now, we havenāt received the alert since yesterday.
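The alert above lists the server's port 80 as the source and a high-numbered port on the external host as the destination, so a first triage question is which end actually opened the connection: an external host reaching a local service and a local process reaching out to an external address call for different follow-up (service logs on one side, owning-process identification on the other). The script below is an added example and not part of the original post or any tool mentioned in it. It reads Suricata EVE JSON alert records and labels each one inbound, outbound, internal or external, using an assumed home-network range (192.168.1.0/24, a placeholder for the real HOME_NET) and a service-port heuristic for guessing the accepting side. The sample lines are constructed; only the signature text and the external address come from the post.

```python
import ipaddress
import json

# Assumption: the organisation's local address space (the post does not give it).
HOME_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Ports usually bound by a listening service. Alert src/dest follow the packet
# that matched, not who opened the connection, so the service-port side is the
# best guess for the accepting end. This is a heuristic, not ground truth.
SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 445, 465, 587,
                 993, 995, 1433, 3389, 8080}

# Constructed EVE JSON lines. The signature id/text and the external address
# come from the post; timestamps, local addresses and other ports are made up.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2023-01-01T09:15:02.000000+0000", "event_type": "alert",
        "src_ip": "192.168.1.10", "src_port": 80,
        "dest_ip": "45.61.187.123", "dest_port": 49786, "proto": "TCP",
        "alert": {"signature_id": 2404312,
                  "signature": "ET CNC Feodo Tracker Reported CnC Server group 13"},
    }),
    json.dumps({
        "timestamp": "2023-01-01T09:16:44.000000+0000", "event_type": "alert",
        "src_ip": "192.168.1.57", "src_port": 51234,
        "dest_ip": "45.61.187.123", "dest_port": 443, "proto": "TCP",
        "alert": {"signature_id": 2404312,
                  "signature": "ET CNC Feodo Tracker Reported CnC Server group 13"},
    }),
    # eve.json mixes event types; non-alert records are skipped.
    json.dumps({"timestamp": "2023-01-01T09:16:45.000000+0000", "event_type": "flow"}),
]


def is_home(ip):
    """True if the address falls inside one of the HOME_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS)


def classify_alert(event):
    """Label one alert record; returns None for records that are not alerts."""
    if event.get("event_type") != "alert":
        return None
    src = (event["src_ip"], event["src_port"])
    dst = (event["dest_ip"], event["dest_port"])

    # Decide which end is the accepting (server) side.
    if src[1] in SERVICE_PORTS and dst[1] not in SERVICE_PORTS:
        server, client = src, dst
    elif dst[1] in SERVICE_PORTS and src[1] not in SERVICE_PORTS:
        server, client = dst, src
    else:  # fall back to "lower port is the listener"
        server, client = (src, dst) if src[1] <= dst[1] else (dst, src)

    server_home, client_home = is_home(server[0]), is_home(client[0])
    if server_home and not client_home:
        direction, local, remote = "inbound", server, client
        next_step = "remote host opened the connection; review the local service's own logs at this time"
    elif client_home and not server_home:
        direction, local, remote = "outbound", client, server
        next_step = "a local process opened the connection; identify the owning process on the local host"
    elif server_home and client_home:
        direction, local, remote = "internal", client, server
        next_step = "both ends are local; check the signature against internal traffic"
    else:
        direction, local, remote = "external", client, server
        next_step = "neither end is local; check HOME_NETS and the sensor placement"

    return {
        "timestamp": event.get("timestamp"),
        "sid": event["alert"]["signature_id"],
        "signature": event["alert"]["signature"],
        "direction": direction,
        "local_host": local[0], "local_port": local[1],
        "remote_host": remote[0], "remote_port": remote[1],
        "next_step": next_step,
    }


def triage(lines):
    """Parse EVE JSON lines and return the classified alerts, in input order."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        result = classify_alert(json.loads(line))
        if result is not None:
            results.append(result)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVE_LINES):
        print(f"{r['timestamp']} sid={r['sid']} {r['direction']:8} "
              f"local={r['local_host']}:{r['local_port']} "
              f"remote={r['remote_host']}:{r['remote_port']} -> {r['next_step']}")
```

To run it against a real sensor, pass an open file handle to `triage()` (for example `triage(open("/var/log/suricata/eve.json"))`) after setting `HOME_NETS` to your own ranges. The direction label is only a heuristic; where the sensor's own flow records are available they are the authoritative source for which side sent the first packet.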